/******************************************************************************* * Copyright 2012-2019 Amazon.com, Inc. or its affiliates. All Rights Reserved. * Licensed under the Apache License, Version 2.0 (the "License"). You may not use * this file except in compliance with the License. A copy of the License is located at * * http://aws.amazon.com/apache2.0 * * or in the "license" file accompanying this file. * This file is distributed on an "AS IS" BASIS, WITHOUT WARRANTIES OR * CONDITIONS OF ANY KIND, either express or implied. See the License for the * specific language governing permissions and limitations under the License. * ***************************************************************************** * * AWS Tools for Windows (TM) PowerShell (TM) * */ using System; using System.Collections.Generic; using System.Linq; using System.Management.Automation; using System.Text; using Amazon.PowerShell.Common; using Amazon.Runtime; using Amazon.KeyManagementService; using Amazon.KeyManagementService.Model; namespace Amazon.PowerShell.Cmdlets.KMS { /// /// Creates a unique customer managed KMS /// key in your Amazon Web Services account and Region. You can use a KMS key in cryptographic /// operations, such as encryption and signing. Some Amazon Web Services services let /// you use KMS keys that you create and manage to protect your service resources. /// /// /// /// A KMS key is a logical representation of a cryptographic key. In addition to the key /// material used in cryptographic operations, a KMS key includes metadata, such as the /// key ID, key policy, creation date, description, and key state. For details, see Managing /// keys in the Key Management Service Developer Guide /// Use the parameters of CreateKey to specify the type of KMS key, the source /// of its key material, its key policy, description, tags, and other properties. /// /// KMS has replaced the term customer master key (CMK) with KMS key and /// KMS key. The concept has not changed. To prevent breaking changes, KMS is keeping /// some variations of this term. /// /// To create different types of KMS keys, use the following guidance: ///
Symmetric encryption KMS key
/// By default, CreateKey creates a symmetric encryption KMS key with key /// material that KMS generates. This is the basic and most widely used type of KMS key, /// and provides the best performance. /// /// To create a symmetric encryption KMS key, you don't need to specify any parameters. /// The default value for KeySpec, SYMMETRIC_DEFAULT, the default /// value for KeyUsage, ENCRYPT_DECRYPT, and the default value /// for Origin, AWS_KMS, create a symmetric encryption KMS key /// with KMS key material. /// /// If you need a key for basic encryption and decryption or you are creating a KMS key /// to protect your resources in an Amazon Web Services service, create a symmetric encryption /// KMS key. The key material in a symmetric encryption key never leaves KMS unencrypted. /// You can use a symmetric encryption KMS key to encrypt and decrypt data up to 4,096 /// bytes, but they are typically used to generate data keys and data keys pairs. For /// details, see GenerateDataKey and GenerateDataKeyPair. ///
Asymmetric KMS keys
/// To create an asymmetric KMS key, use the KeySpec parameter to specify /// the type of key material in the KMS key. Then, use the KeyUsage parameter /// to determine whether the KMS key will be used to encrypt and decrypt or sign and verify. /// You can't change these properties after the KMS key is created. /// /// Asymmetric KMS keys contain an RSA key pair, Elliptic Curve (ECC) key pair, or an /// SM2 key pair (China Regions only). The private key in an asymmetric KMS key never /// leaves KMS unencrypted. However, you can use the GetPublicKey operation to /// download the public key so it can be used outside of KMS. KMS keys with RSA or SM2 /// key pairs can be used to encrypt or decrypt data or sign and verify messages (but /// not both). KMS keys with ECC key pairs can be used only to sign and verify messages. /// For information about asymmetric KMS keys, see Asymmetric /// KMS keys in the Key Management Service Developer Guide. ///
HMAC KMS key
/// To create an HMAC KMS key, set the KeySpec parameter to a key spec value /// for HMAC KMS keys. Then set the KeyUsage parameter to GENERATE_VERIFY_MAC. /// You must set the key usage even though GENERATE_VERIFY_MAC is the only /// valid key usage value for HMAC KMS keys. You can't change these properties after the /// KMS key is created. /// /// HMAC KMS keys are symmetric keys that never leave KMS unencrypted. You can use HMAC /// keys to generate (GenerateMac) and verify (VerifyMac) HMAC codes for /// messages up to 4096 bytes. ///
Multi-Region primary keys
Imported key material
/// To create a multi-Region primary key in the local Amazon Web Services Region, /// use the MultiRegion parameter with a value of True. To create /// a multi-Region replica key, that is, a KMS key with the same key ID and key /// material as a primary key, but in a different Amazon Web Services Region, use the /// ReplicateKey operation. To change a replica key to a primary key, and its primary /// key to a replica key, use the UpdatePrimaryRegion operation. /// /// You can create multi-Region KMS keys for all supported KMS key types: symmetric encryption /// KMS keys, HMAC KMS keys, asymmetric encryption KMS keys, and asymmetric signing KMS /// keys. You can also create multi-Region keys with imported key material. However, you /// can't create multi-Region keys in a custom key store. /// /// This operation supports multi-Region keys, an KMS feature that lets you create /// multiple interoperable KMS keys in different Amazon Web Services Regions. Because /// these KMS keys have the same key ID, key material, and other metadata, you can use /// them interchangeably to encrypt data in one Amazon Web Services Region and decrypt /// it in a different Amazon Web Services Region without re-encrypting the data or making /// a cross-Region call. For more information about multi-Region keys, see Multi-Region /// keys in KMS in the Key Management Service Developer Guide. ///
/// To import your own key material into a KMS key, begin by creating a KMS key with no /// key material. To do this, use the Origin parameter of CreateKey /// with a value of EXTERNAL. Next, use GetParametersForImport operation /// to get a public key and import token. Use the wrapping public key to encrypt your /// key material. Then, use ImportKeyMaterial with your import token to import /// the key material. For step-by-step instructions, see Importing /// Key Material in the Key Management Service Developer Guide. /// /// You can import key material into KMS keys of all supported KMS key types: symmetric /// encryption KMS keys, HMAC KMS keys, asymmetric encryption KMS keys, and asymmetric /// signing KMS keys. You can also create multi-Region keys with imported key material. /// However, you can't import key material into a KMS key in a custom key store. /// /// To create a multi-Region primary key with imported key material, use the Origin /// parameter of CreateKey with a value of EXTERNAL and the /// MultiRegion parameter with a value of True. To create replicas /// of the multi-Region primary key, use the ReplicateKey operation. For instructions, /// see Importing key material into multi-Region keys. For more information about multi-Region /// keys, see Multi-Region /// keys in KMS in the Key Management Service Developer Guide. ///
Custom key store
/// A custom /// key store lets you protect your Amazon Web Services resources using keys in a /// backing key store that you own and manage. When you request a cryptographic operation /// with a KMS key in a custom key store, the operation is performed in the backing key /// store using its cryptographic keys. /// /// KMS supports CloudHSM /// key stores backed by an CloudHSM cluster and external /// key stores backed by an external key manager outside of Amazon Web Services. When /// you create a KMS key in an CloudHSM key store, KMS generates an encryption key in /// the CloudHSM cluster and associates it with the KMS key. When you create a KMS key /// in an external key store, you specify an existing encryption key in the external key /// manager. /// /// Some external key managers provide a simpler method for creating a KMS key in an external /// key store. For details, see your external key manager documentation. /// /// Before you create a KMS key in a custom key store, the ConnectionState /// of the key store must be CONNECTED. To connect the custom key store, /// use the ConnectCustomKeyStore operation. To find the ConnectionState, /// use the DescribeCustomKeyStores operation. /// /// To create a KMS key in a custom key store, use the CustomKeyStoreId. /// Use the default KeySpec value, SYMMETRIC_DEFAULT, and the /// default KeyUsage value, ENCRYPT_DECRYPT to create a symmetric /// encryption key. No other key type is supported in a custom key store. /// /// To create a KMS key in an CloudHSM /// key store, use the Origin parameter with a value of AWS_CLOUDHSM. /// The CloudHSM cluster that is associated with the custom key store must have at least /// two active HSMs in different Availability Zones in the Amazon Web Services Region. /// /// To create a KMS key in an external /// key store, use the Origin parameter with a value of EXTERNAL_KEY_STORE /// and an XksKeyId parameter that identifies an existing external key. /// /// Some external key managers provide a simpler method for creating a KMS key in an external /// key store. For details, see your external key manager documentation. ///
Cross-account use: No. You cannot use this operation to create a KMS key in /// a different Amazon Web Services account. /// Required permissions: kms:CreateKey /// (IAM policy). To use the Tags parameter, kms:TagResource /// (IAM policy). For examples and information about related permissions, see Allow /// a user to create KMS keys in the Key Management Service Developer Guide. /// Related operations: /// [Cmdlet("New", "KMSKey", SupportsShouldProcess = true, ConfirmImpact = ConfirmImpact.Medium)] [OutputType("Amazon.KeyManagementService.Model.KeyMetadata")] [AWSCmdlet("Calls the AWS Key Management Service CreateKey API operation.", Operation = new[] {"CreateKey"}, SelectReturnType = typeof(Amazon.KeyManagementService.Model.CreateKeyResponse))] [AWSCmdletOutput("Amazon.KeyManagementService.Model.KeyMetadata or Amazon.KeyManagementService.Model.CreateKeyResponse", "This cmdlet returns an Amazon.KeyManagementService.Model.KeyMetadata object.", "The service call response (type Amazon.KeyManagementService.Model.CreateKeyResponse) can also be referenced from properties attached to the cmdlet entry in the $AWSHistory stack." )] public partial class NewKMSKeyCmdlet : AmazonKeyManagementServiceClientCmdlet, IExecutor { #region Parameter BypassPolicyLockoutSafetyCheck /// /// /// Skips ("bypasses") the key policy lockout safety check. The default value is false.Setting this value to true increases the risk that the KMS key becomes unmanageable. /// Do not set this value to true indiscriminately.For more information, see Default /// key policy in the Key Management Service Developer Guide.Use this parameter only when you intend to prevent the principal that is making the /// request from making a subsequent PutKeyPolicy request on the KMS key. /// /// [System.Management.Automation.Parameter(ValueFromPipelineByPropertyName = true)] public System.Boolean? BypassPolicyLockoutSafetyCheck { get; set; } #endregion #region Parameter CustomKeyStoreId /// /// /// Creates the KMS key in the specified custom /// key store. The ConnectionState of the custom key store must be CONNECTED. /// To find the CustomKeyStoreID and ConnectionState use the DescribeCustomKeyStores /// operation.This parameter is valid only for symmetric encryption KMS keys in a single Region. /// You cannot create any other type of KMS key in a custom key store.When you create a KMS key in an CloudHSM key store, KMS generates a non-exportable /// 256-bit symmetric key in its associated CloudHSM cluster and associates it with the /// KMS key. When you create a KMS key in an external key store, you must use the XksKeyId /// parameter to specify an external key that serves as key material for the KMS key. /// /// [System.Management.Automation.Parameter(ValueFromPipelineByPropertyName = true)] public System.String CustomKeyStoreId { get; set; } #endregion #region Parameter Description /// /// /// A description of the KMS key. Use a description that helps you decide whether the /// KMS key is appropriate for a task. The default value is an empty string (no description).Do not include confidential or sensitive information in this field. This field may /// be displayed in plaintext in CloudTrail logs and other output.To set or change the description after the key is created, use UpdateKeyDescription. /// /// [System.Management.Automation.Parameter(ValueFromPipelineByPropertyName = true)] public System.String Description { get; set; } #endregion #region Parameter KeySpec /// /// /// Specifies the type of KMS key to create. The default value, SYMMETRIC_DEFAULT, /// creates a KMS key with a 256-bit AES-GCM key that is used for encryption and decryption, /// except in China Regions, where it creates a 128-bit symmetric key that uses SM4 encryption. /// For help choosing a key spec for your KMS key, see Choosing /// a KMS key type in the Key Management Service Developer Guide.The KeySpec determines whether the KMS key contains a symmetric key or /// an asymmetric key pair. It also determines the algorithms that the KMS key supports. /// You can't change the KeySpec after the KMS key is created. To further /// restrict the algorithms that can be used with the KMS key, use a condition key in /// its key policy or IAM policy. For more information, see kms:EncryptionAlgorithm, /// kms:MacAlgorithm /// or kms:Signing /// Algorithm in the Key Management Service Developer Guide.Amazon Web /// Services services that are integrated with KMS use symmetric encryption KMS keys /// to protect your data. These services do not support asymmetric KMS keys or HMAC KMS /// keys.KMS supports the following key specs for KMS keys: /// /// [System.Management.Automation.Parameter(ValueFromPipelineByPropertyName = true)] [AWSConstantClassSource("Amazon.KeyManagementService.KeySpec")] public Amazon.KeyManagementService.KeySpec KeySpec { get; set; } #endregion #region Parameter KeyUsage /// /// /// Determines the cryptographic /// operations for which you can use the KMS key. The default value is ENCRYPT_DECRYPT. /// This parameter is optional when you are creating a symmetric encryption KMS key; otherwise, /// it is required. You can't change the KeyUsage value after the KMS key /// is created.Select only one valid value. /// /// [System.Management.Automation.Parameter(ValueFromPipelineByPropertyName = true)] [AWSConstantClassSource("Amazon.KeyManagementService.KeyUsageType")] public Amazon.KeyManagementService.KeyUsageType KeyUsage { get; set; } #endregion #region Parameter MultiRegion /// /// /// Creates a multi-Region primary key that you can replicate into other Amazon Web Services /// Regions. You cannot change this value after you create the KMS key. For a multi-Region key, set this parameter to True. For a single-Region /// KMS key, omit this parameter or set it to False. The default value is /// False.This operation supports multi-Region keys, an KMS feature that lets you create /// multiple interoperable KMS keys in different Amazon Web Services Regions. Because /// these KMS keys have the same key ID, key material, and other metadata, you can use /// them interchangeably to encrypt data in one Amazon Web Services Region and decrypt /// it in a different Amazon Web Services Region without re-encrypting the data or making /// a cross-Region call. For more information about multi-Region keys, see Multi-Region /// keys in KMS in the Key Management Service Developer Guide.This value creates a primary key, not a replica. To create a replica key, /// use the ReplicateKey operation. You can create a symmetric or asymmetric multi-Region key, and you can create a multi-Region /// key with imported key material. However, you cannot create a multi-Region key in a /// custom key store. /// /// [System.Management.Automation.Parameter(ValueFromPipelineByPropertyName = true)] public System.Boolean? MultiRegion { get; set; } #endregion #region Parameter Origin /// /// /// The source of the key material for the KMS key. You cannot change the origin after /// you create the KMS key. The default is AWS_KMS, which means that KMS /// creates the key material.To create /// a KMS key with no key material (for imported key material), set this value to /// EXTERNAL. For more information about importing key material into KMS, /// see Importing /// Key Material in the Key Management Service Developer Guide. The EXTERNAL /// origin value is valid only for symmetric KMS keys.To create /// a KMS key in an CloudHSM key store and create its key material in the associated /// CloudHSM cluster, set this value to AWS_CLOUDHSM. You must also use the /// CustomKeyStoreId parameter to identify the CloudHSM key store. The KeySpec /// value must be SYMMETRIC_DEFAULT.To create /// a KMS key in an external key store, set this value to EXTERNAL_KEY_STORE. /// You must also use the CustomKeyStoreId parameter to identify the external /// key store and the XksKeyId parameter to identify the associated external /// key. The KeySpec value must be SYMMETRIC_DEFAULT. /// /// [System.Management.Automation.Parameter(ValueFromPipelineByPropertyName = true)] [AWSConstantClassSource("Amazon.KeyManagementService.OriginType")] public Amazon.KeyManagementService.OriginType Origin { get; set; } #endregion #region Parameter Policy /// /// /// The key policy to attach to the KMS key.If you provide a key policy, it must meet the following criteria:If you do not provide a key policy, KMS attaches a default key policy to the KMS key. /// For more information, see Default /// key policy in the Key Management Service Developer Guide. The key policy size quota is 32 kilobytes (32768 bytes).For help writing and formatting a JSON policy document, see the IAM /// JSON Policy Reference in the Identity and Access Management User Guide. /// /// [System.Management.Automation.Parameter(ValueFromPipelineByPropertyName = true)] public System.String Policy { get; set; } #endregion #region Parameter Tag /// /// /// Assigns one or more tags to the KMS key. Use this parameter to tag the KMS key when /// it is created. To tag an existing KMS key, use the TagResource operation.Do not include confidential or sensitive information in this field. This field may /// be displayed in plaintext in CloudTrail logs and other output.Tagging or untagging a KMS key can allow or deny permission to the KMS key. For details, /// see ABAC /// for KMS in the Key Management Service Developer Guide.To use this parameter, you must have kms:TagResource /// permission in an IAM policy.Each tag consists of a tag key and a tag value. Both the tag key and the tag value /// are required, but the tag value can be an empty (null) string. You cannot have more /// than one tag on a KMS key with the same tag key. If you specify an existing tag key /// with a different tag value, KMS replaces the current tag value with the specified /// one.When you add tags to an Amazon Web Services resource, Amazon Web Services generates /// a cost allocation report with usage and costs aggregated by tags. Tags can also be /// used to control access to a KMS key. For details, see Tagging /// Keys. /// /// [System.Management.Automation.Parameter(ValueFromPipelineByPropertyName = true)] [Alias("Tags")] public Amazon.KeyManagementService.Model.Tag[] Tag { get; set; } #endregion #region Parameter XksKeyId /// /// /// Identifies the external /// key that serves as key material for the KMS key in an external /// key store. Specify the ID that the external /// key store proxy uses to refer to the external key. For help, see the documentation /// for your external key store proxy.This parameter is required for a KMS key with an Origin value of EXTERNAL_KEY_STORE. /// It is not valid for KMS keys with any other Origin value.The external key must be an existing 256-bit AES symmetric encryption key hosted outside /// of Amazon Web Services in an external key manager associated with the external key /// store specified by the CustomKeyStoreId parameter. This key must be enabled /// and configured to perform encryption and decryption. Each KMS key in an external key /// store must use a different external key. For details, see Requirements /// for a KMS key in an external key store in the Key Management Service Developer /// Guide.Each KMS key in an external key store is associated two backing keys. One is key material /// that KMS generates. The other is the external key specified by this parameter. When /// you use the KMS key in an external key store to encrypt data, the encryption operation /// is performed first by KMS using the KMS key material, and then by the external key /// manager using the specified external key, a process known as double encryption. /// For details, see Double /// encryption in the Key Management Service Developer Guide. /// /// [System.Management.Automation.Parameter(ValueFromPipelineByPropertyName = true)] public System.String XksKeyId { get; set; } #endregion #region Parameter CustomerMasterKeySpec /// /// /// Instead, use the KeySpec parameter.The KeySpec and CustomerMasterKeySpec parameters work the /// same way. Only the names differ. We recommend that you use KeySpec parameter /// in your code. However, to avoid breaking changes, KMS supports both parameters. /// /// This parameter is deprecated. /// [System.Management.Automation.Parameter(ValueFromPipelineByPropertyName = true)] [System.ObsoleteAttribute("This parameter has been deprecated. Instead, use the KeySpec parameter.")] [AWSConstantClassSource("Amazon.KeyManagementService.CustomerMasterKeySpec")] public Amazon.KeyManagementService.CustomerMasterKeySpec CustomerMasterKeySpec { get; set; } #endregion #region Parameter Select /// /// Use the -Select parameter to control the cmdlet output. The default value is 'KeyMetadata'. /// Specifying -Select '*' will result in the cmdlet returning the whole service response (Amazon.KeyManagementService.Model.CreateKeyResponse). /// Specifying the name of a property of type Amazon.KeyManagementService.Model.CreateKeyResponse will result in that property being returned. /// Specifying -Select '^ParameterName' will result in the cmdlet returning the selected cmdlet parameter value. /// [System.Management.Automation.Parameter(ValueFromPipelineByPropertyName = true)] public string Select { get; set; } = "KeyMetadata"; #endregion #region Parameter Force /// /// This parameter overrides confirmation prompts to force /// the cmdlet to continue its operation. This parameter should always /// be used with caution. /// [System.Management.Automation.Parameter(ValueFromPipelineByPropertyName = true)] public SwitchParameter Force { get; set; } #endregion protected override void ProcessRecord() { this._AWSSignerType = "v4"; base.ProcessRecord(); var resourceIdentifiersText = string.Empty; if (!ConfirmShouldProceed(this.Force.IsPresent, resourceIdentifiersText, "New-KMSKey (CreateKey)")) { return; } var context = new CmdletContext(); // allow for manipulation of parameters prior to loading into context PreExecutionContextLoad(context); if (ParameterWasBound(nameof(this.Select))) { context.Select = CreateSelectDelegate(Select) ?? throw new System.ArgumentException("Invalid value for -Select parameter.", nameof(this.Select)); } context.BypassPolicyLockoutSafetyCheck = this.BypassPolicyLockoutSafetyCheck; #pragma warning disable CS0618, CS0612 //A class member was marked with the Obsolete attribute context.CustomerMasterKeySpec = this.CustomerMasterKeySpec; #pragma warning restore CS0618, CS0612 //A class member was marked with the Obsolete attribute context.CustomKeyStoreId = this.CustomKeyStoreId; context.Description = this.Description; context.KeySpec = this.KeySpec; context.KeyUsage = this.KeyUsage; context.MultiRegion = this.MultiRegion; context.Origin = this.Origin; context.Policy = this.Policy; if (this.Tag != null) { context.Tag = new List(this.Tag); } context.XksKeyId = this.XksKeyId; // allow further manipulation of loaded context prior to processing PostExecutionContextLoad(context); var output = Execute(context) as CmdletOutput; ProcessOutput(output); } #region IExecutor Members public object Execute(ExecutorContext context) { var cmdletContext = context as CmdletContext; // create request var request = new Amazon.KeyManagementService.Model.CreateKeyRequest(); if (cmdletContext.BypassPolicyLockoutSafetyCheck != null) { request.BypassPolicyLockoutSafetyCheck = cmdletContext.BypassPolicyLockoutSafetyCheck.Value; } #pragma warning disable CS0618, CS0612 //A class member was marked with the Obsolete attribute if (cmdletContext.CustomerMasterKeySpec != null) { request.CustomerMasterKeySpec = cmdletContext.CustomerMasterKeySpec; } #pragma warning restore CS0618, CS0612 //A class member was marked with the Obsolete attribute if (cmdletContext.CustomKeyStoreId != null) { request.CustomKeyStoreId = cmdletContext.CustomKeyStoreId; } if (cmdletContext.Description != null) { request.Description = cmdletContext.Description; } if (cmdletContext.KeySpec != null) { request.KeySpec = cmdletContext.KeySpec; } if (cmdletContext.KeyUsage != null) { request.KeyUsage = cmdletContext.KeyUsage; } if (cmdletContext.MultiRegion != null) { request.MultiRegion = cmdletContext.MultiRegion.Value; } if (cmdletContext.Origin != null) { request.Origin = cmdletContext.Origin; } if (cmdletContext.Policy != null) { request.Policy = cmdletContext.Policy; } if (cmdletContext.Tag != null) { request.Tags = cmdletContext.Tag; } if (cmdletContext.XksKeyId != null) { request.XksKeyId = cmdletContext.XksKeyId; } CmdletOutput output; // issue call var client = Client ?? CreateClient(_CurrentCredentials, _RegionEndpoint); try { var response = CallAWSServiceOperation(client, request); object pipelineOutput = null; pipelineOutput = cmdletContext.Select(response, this); output = new CmdletOutput { PipelineOutput = pipelineOutput, ServiceResponse = response }; } catch (Exception e) { output = new CmdletOutput { ErrorResponse = e }; } return output; } public ExecutorContext CreateContext() { return new CmdletContext(); } #endregion #region AWS Service Operation Call private Amazon.KeyManagementService.Model.CreateKeyResponse CallAWSServiceOperation(IAmazonKeyManagementService client, Amazon.KeyManagementService.Model.CreateKeyRequest request) { Utils.Common.WriteVerboseEndpointMessage(this, client.Config, "AWS Key Management Service", "CreateKey"); try { #if DESKTOP return client.CreateKey(request); #elif CORECLR return client.CreateKeyAsync(request).GetAwaiter().GetResult(); #else #error "Unknown build edition" #endif } catch (AmazonServiceException exc) { var webException = exc.InnerException as System.Net.WebException; if (webException != null) { throw new Exception(Utils.Common.FormatNameResolutionFailureMessage(client.Config, webException.Message), webException); } throw; } } #endregion internal partial class CmdletContext : ExecutorContext { public System.Boolean? BypassPolicyLockoutSafetyCheck { get; set; } [System.ObsoleteAttribute] public Amazon.KeyManagementService.CustomerMasterKeySpec CustomerMasterKeySpec { get; set; } public System.String CustomKeyStoreId { get; set; } public System.String Description { get; set; } public Amazon.KeyManagementService.KeySpec KeySpec { get; set; } public Amazon.KeyManagementService.KeyUsageType KeyUsage { get; set; } public System.Boolean? MultiRegion { get; set; } public Amazon.KeyManagementService.OriginType Origin { get; set; } public System.String Policy { get; set; } public List Tag { get; set; } public System.String XksKeyId { get; set; } public System.Func Select { get; set; } = (response, cmdlet) => response.KeyMetadata; } } }