This documentation is for the developer preview release of the AWS CDK. Do not use this version of the AWS CDK in production. Subsequent releases of the AWS CDK will likely include breaking changes.

@aws-cdk/aws-kms

AWS KMS Construct Library

Defines a KMS key:

new EncryptionKey(this, 'MyKey', {
    enableKeyRotation: true
});

Add a couple of aliases:

const key = new EncryptionKey(this, 'MyKey');
key.addAlias('alias/foo');
key.addAlias('alias/bar');

Sharing keys between stacks

To use a KMS key in a different stack in the same CDK application, pass the construct to the other stack:

/**
 * Stack that defines the key
 */
class KeyStack extends cdk.Stack {
  public readonly key: kms.EncryptionKey;

  constructor(scope: cdk.App, id: string, props?: cdk.StackProps) {
    super(scope, id, props);
    this.key = new kms.EncryptionKey(this, 'MyKey', { retain: false });
  }
}

interface UseStackProps extends cdk.StackProps {
  key: kms.IEncryptionKey; // Use IEncryptionKey here
}

/**
 * Stack that uses the key
 */
class UseStack extends cdk.Stack {
  constructor(scope: cdk.App, id: string, props: UseStackProps) {
    super(scope, id, props);

    // Use the IEncryptionKey object here.
    props.key.addAlias('alias/foo');
  }
}

const keyStack = new KeyStack(app, 'KeyStack');
new UseStack(app, 'UseStack', { key: keyStack.key });

Importing existing keys

To use a KMS key that is not defined in this CDK app, but is created through other means, use EncryptionKey.import(parent, name, ref):

const myKeyImported = EncryptionKey.import(this, 'MyImportedKey', {
    keyArn: 'arn:aws:...'
});

// You can now use the imported key, for example to add an alias.
myKeyImported.addAlias('alias/foo');

Note that a call to .addToResourcePolicy(statement) on myKeyImported will not have an effect on the key’s policy because it is not owned by your stack. The call will be a no-op.

Reference

View in Nuget

csproj:

<PackageReference Include="Amazon.CDK.AWS.KMS" Version="0.25.3" />

dotnet:

dotnet add package Amazon.CDK.AWS.KMS --version 0.25.3

packages.config:

<package id="Amazon.CDK.AWS.KMS" version="0.25.3" />

View in Maven Central

Apache Buildr:

'software.amazon.awscdk:kms:jar:0.25.3'

Apache Ivy:

<dependency groupId="software.amazon.awscdk" name="kms" rev="0.25.3"/>

Apache Maven:

<dependency>
  <groupId>software.amazon.awscdk</groupId>
  <artifactId>kms</artifactId>
  <version>0.25.3</version>
</dependency>

Gradle / Grails:

compile 'software.amazon.awscdk:kms:0.25.3'

Groovy Grape:

@Grapes(
@Grab(group='software.amazon.awscdk', module='kms', version='0.25.3')
)

View in NPM

npm:

$ npm i @aws-cdk/aws-kms@0.25.3

package.json:

{
  "@aws-cdk/aws-kms": "^0.25.3"
}

yarn:

$ yarn add @aws-cdk/aws-kms@0.25.3


CfnAlias

class @aws-cdk/aws-kms.CfnAlias(scope, id, props)

Language-specific names:

using Amazon.CDK.AWS.KMS;
import software.amazon.awscdk.services.kms.CfnAlias;
const { CfnAlias } = require('@aws-cdk/aws-kms');
import { CfnAlias } from '@aws-cdk/aws-kms';
Extends:

@aws-cdk/cdk.Resource

Parameters:
renderProperties(properties) → string => any

Overrides @aws-cdk/cdk.Resource.renderProperties()

Protected method

Parameters:properties (any) –
Return type:string => any
resourceTypeName

The CloudFormation resource type name for this resource class.

Type:string (readonly) (static)
aliasName
Type:string (readonly)
propertyOverrides
Type:CfnAliasProps (readonly)
toString() → string

Inherited from @aws-cdk/cdk.Construct

Returns a string representation of this construct.

Return type:string
validate() → string[]

Inherited from @aws-cdk/cdk.Construct

Validate the current construct.

This method can be implemented by derived constructs in order to perform validation logic. It is called on all constructs before synthesis.

Protected method

Returns:An array of validation error messages, or an empty array if the construct is valid.
Return type:string[]
dependencyRoots

Inherited from @aws-cdk/cdk.Construct

The set of constructs that form the root of this dependable

All resources under all returned constructs are included in the ordering dependency.

Type:@aws-cdk/cdk.IConstruct[] (readonly)
node

Inherited from @aws-cdk/cdk.Construct

Construct node.

Type:@aws-cdk/cdk.ConstructNode (readonly)
ref

Inherited from @aws-cdk/cdk.Referenceable

Returns a token to a CloudFormation { Ref } that references this entity based on its logical ID.

Type:string (readonly)
addDeletionOverride(path)

Inherited from @aws-cdk/cdk.Resource

Syntactic sugar for addOverride(path, undefined).

Parameters:path (string) – The path of the value to delete
addDependsOn(resource)

Inherited from @aws-cdk/cdk.Resource

Indicates that this resource depends on another resource and cannot be provisioned unless the other resource has been successfully provisioned.

Parameters:resource (@aws-cdk/cdk.Resource) –
addOverride(path, value)

Inherited from @aws-cdk/cdk.Resource

Adds an override to the synthesized CloudFormation resource. To add a property override, either use addPropertyOverride or prefix path with “Properties.” (e.g. Properties.TopicName).

Parameters:
  • path (string) – The path of the property. You can use dot notation to override values in complex types. Any intermediate keys will be created as needed.
  • value (any) – The value. Could be primitive or complex.
addPropertyDeletionOverride(propertyPath)

Inherited from @aws-cdk/cdk.Resource

Adds an override that deletes the value of a property from the resource definition.

Parameters:propertyPath (string) – The path to the property.
addPropertyOverride(propertyPath, value)

Inherited from @aws-cdk/cdk.Resource

Adds an override to a resource property.

Syntactic sugar for addOverride(“Properties.<…>”, value).

Parameters:
  • propertyPath (string) – The path of the property
  • value (any) – The value
getAtt(attributeName) → @aws-cdk/cdk.CfnReference

Inherited from @aws-cdk/cdk.Resource

Returns a token for a runtime attribute of this resource.

Ideally, use generated attribute accessors (e.g. resource.arn), but this can be used for future compatibility in case there is no generated attribute.

Parameters:attributeName (string) – The name of the attribute.
Return type:@aws-cdk/cdk.CfnReference
toCloudFormation() → json

Inherited from @aws-cdk/cdk.Resource

Emits CloudFormation for this resource.

Return type:json
options

Inherited from @aws-cdk/cdk.Resource

Options for this resource, such as condition, update policy etc.

Type:@aws-cdk/cdk.ResourceOptions (readonly)
properties

Inherited from @aws-cdk/cdk.Resource

AWS resource properties.

This object is rendered via a call to “renderProperties(this.properties)”.

Protected property

Type:any (readonly)
resourceType

Inherited from @aws-cdk/cdk.Resource

AWS resource type.

Type:string (readonly)
untypedPropertyOverrides

Inherited from @aws-cdk/cdk.Resource

AWS resource property overrides.

During synthesis, the method “renderProperties(this.overrides)” is called with this object, and merged on top of the output of “renderProperties(this.properties)”.

Derived classes should expose a strongly-typed version of this object as a public property called propertyOverrides.

Protected property

Type:any (readonly)
overrideLogicalId(newLogicalId)

Inherited from @aws-cdk/cdk.StackElement

Overrides the auto-generated logical ID with a specific ID.

Parameters:newLogicalId (string) – The new logical ID to use for this stack element.
prepare()

Inherited from @aws-cdk/cdk.StackElement

Automatically detect references in this StackElement

Protected method

creationStackTrace

Inherited from @aws-cdk/cdk.StackElement

Type:string[] (readonly)
logicalId

Inherited from @aws-cdk/cdk.StackElement

The logical ID for this CloudFormation stack element. The logical ID of the element is calculated from the path of the resource node in the construct tree.

To override this value, use overrideLogicalId(newLogicalId).

Type:string (readonly)
stackPath

Inherited from @aws-cdk/cdk.StackElement

Return the path with respect to the stack

Type:string (readonly)

CfnAliasProps (interface)

class @aws-cdk/aws-kms.CfnAliasProps

Language-specific names:

using Amazon.CDK.AWS.KMS;
import software.amazon.awscdk.services.kms.CfnAliasProps;
// CfnAliasProps is an interface
import { CfnAliasProps } from '@aws-cdk/aws-kms';
aliasName

AWS::KMS::Alias.AliasName

http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-kms-alias.html#cfn-kms-alias-aliasname

Type:string
targetKeyId

AWS::KMS::Alias.TargetKeyId

http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-kms-alias.html#cfn-kms-alias-targetkeyid

Type:string

CfnKey

class @aws-cdk/aws-kms.CfnKey(scope, id, props)

Language-specific names:

using Amazon.CDK.AWS.KMS;
import software.amazon.awscdk.services.kms.CfnKey;
const { CfnKey } = require('@aws-cdk/aws-kms');
import { CfnKey } from '@aws-cdk/aws-kms';
Extends:

@aws-cdk/cdk.Resource

Parameters:
renderProperties(properties) → string => any

Overrides @aws-cdk/cdk.Resource.renderProperties()

Protected method

Parameters:properties (any) –
Return type:string => any
resourceTypeName

The CloudFormation resource type name for this resource class.

Type:string (readonly) (static)
keyArn
Type:string (readonly)
keyId
Type:string (readonly)
propertyOverrides
Type:CfnKeyProps (readonly)
tags

The TagManager handles setting, removing and formatting tags

Tags should be managed either by passing them as properties during initiation or by calling methods on this object. If both techniques are used, only the tags from the TagManager will be used. Tag (aspect) will use the manager.

Type:@aws-cdk/cdk.TagManager (readonly)
toString() → string

Inherited from @aws-cdk/cdk.Construct

Returns a string representation of this construct.

Return type:string
validate() → string[]

Inherited from @aws-cdk/cdk.Construct

Validate the current construct.

This method can be implemented by derived constructs in order to perform validation logic. It is called on all constructs before synthesis.

Protected method

Returns:An array of validation error messages, or an empty array if the construct is valid.
Return type:string[]
dependencyRoots

Inherited from @aws-cdk/cdk.Construct

The set of constructs that form the root of this dependable

All resources under all returned constructs are included in the ordering dependency.

Type:@aws-cdk/cdk.IConstruct[] (readonly)
node

Inherited from @aws-cdk/cdk.Construct

Construct node.

Type:@aws-cdk/cdk.ConstructNode (readonly)
ref

Inherited from @aws-cdk/cdk.Referenceable

Returns a token to a CloudFormation { Ref } that references this entity based on its logical ID.

Type:string (readonly)
addDeletionOverride(path)

Inherited from @aws-cdk/cdk.Resource

Syntactic sugar for addOverride(path, undefined).

Parameters:path (string) – The path of the value to delete
addDependsOn(resource)

Inherited from @aws-cdk/cdk.Resource

Indicates that this resource depends on another resource and cannot be provisioned unless the other resource has been successfully provisioned.

Parameters:resource (@aws-cdk/cdk.Resource) –
addOverride(path, value)

Inherited from @aws-cdk/cdk.Resource

Adds an override to the synthesized CloudFormation resource. To add a property override, either use addPropertyOverride or prefix path with “Properties.” (e.g. Properties.TopicName).

Parameters:
  • path (string) – The path of the property. You can use dot notation to override values in complex types. Any intermediate keys will be created as needed.
  • value (any) – The value. Could be primitive or complex.
addPropertyDeletionOverride(propertyPath)

Inherited from @aws-cdk/cdk.Resource

Adds an override that deletes the value of a property from the resource definition.

Parameters:propertyPath (string) – The path to the property.
addPropertyOverride(propertyPath, value)

Inherited from @aws-cdk/cdk.Resource

Adds an override to a resource property.

Syntactic sugar for addOverride(“Properties.<…>”, value).

Parameters:
  • propertyPath (string) – The path of the property
  • value (any) – The value
getAtt(attributeName) → @aws-cdk/cdk.CfnReference

Inherited from @aws-cdk/cdk.Resource

Returns a token for a runtime attribute of this resource.

Ideally, use generated attribute accessors (e.g. resource.arn), but this can be used for future compatibility in case there is no generated attribute.

Parameters:attributeName (string) – The name of the attribute.
Return type:@aws-cdk/cdk.CfnReference
toCloudFormation() → json

Inherited from @aws-cdk/cdk.Resource

Emits CloudFormation for this resource.

Return type:json
options

Inherited from @aws-cdk/cdk.Resource

Options for this resource, such as condition, update policy etc.

Type:@aws-cdk/cdk.ResourceOptions (readonly)
properties

Inherited from @aws-cdk/cdk.Resource

AWS resource properties.

This object is rendered via a call to “renderProperties(this.properties)”.

Protected property

Type:any (readonly)
resourceType

Inherited from @aws-cdk/cdk.Resource

AWS resource type.

Type:string (readonly)
untypedPropertyOverrides

Inherited from @aws-cdk/cdk.Resource

AWS resource property overrides.

During synthesis, the method “renderProperties(this.overrides)” is called with this object, and merged on top of the output of “renderProperties(this.properties)”.

Derived classes should expose a strongly-typed version of this object as a public property called propertyOverrides.

Protected property

Type:any (readonly)
overrideLogicalId(newLogicalId)

Inherited from @aws-cdk/cdk.StackElement

Overrides the auto-generated logical ID with a specific ID.

Parameters:newLogicalId (string) – The new logical ID to use for this stack element.
prepare()

Inherited from @aws-cdk/cdk.StackElement

Automatically detect references in this StackElement

Protected method

creationStackTrace

Inherited from @aws-cdk/cdk.StackElement

Type:string[] (readonly)
logicalId

Inherited from @aws-cdk/cdk.StackElement

The logical ID for this CloudFormation stack element. The logical ID of the element is calculated from the path of the resource node in the construct tree.

To override this value, use overrideLogicalId(newLogicalId).

Type:string (readonly)
stackPath

Inherited from @aws-cdk/cdk.StackElement

Return the path with respect to the stack

Type:string (readonly)

CfnKeyProps (interface)

class @aws-cdk/aws-kms.CfnKeyProps

Language-specific names:

using Amazon.CDK.AWS.KMS;
import software.amazon.awscdk.services.kms.CfnKeyProps;
// CfnKeyProps is an interface
import { CfnKeyProps } from '@aws-cdk/aws-kms';
keyPolicy

AWS::KMS::Key.KeyPolicy

http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-kms-key.html#cfn-kms-key-keypolicy

Type:json or @aws-cdk/cdk.Token
description

AWS::KMS::Key.Description

http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-kms-key.html#cfn-kms-key-description

Type:string (optional)
enabled

AWS::KMS::Key.Enabled

http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-kms-key.html#cfn-kms-key-enabled

Type:boolean or @aws-cdk/cdk.Token (optional)
enableKeyRotation

AWS::KMS::Key.EnableKeyRotation

http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-kms-key.html#cfn-kms-key-enablekeyrotation

Type:boolean or @aws-cdk/cdk.Token (optional)
keyUsage

AWS::KMS::Key.KeyUsage

http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-kms-key.html#cfn-kms-key-keyusage

Type:string (optional)
pendingWindowInDays

AWS::KMS::Key.PendingWindowInDays

http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-kms-key.html#cfn-kms-key-pendingwindowindays

Type:number or @aws-cdk/cdk.Token (optional)
tags

AWS::KMS::Key.Tags

http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-kms-key.html#cfn-kms-key-tags

Type:@aws-cdk/cdk.Token or (@aws-cdk/cdk.Token or @aws-cdk/cdk.CfnTag)[] (optional)

EncryptionKey

class @aws-cdk/aws-kms.EncryptionKey(scope, id[, props])

Language-specific names:

using Amazon.CDK.AWS.KMS;
import software.amazon.awscdk.services.kms.EncryptionKey;
const { EncryptionKey } = require('@aws-cdk/aws-kms');
import { EncryptionKey } from '@aws-cdk/aws-kms';

Defines a KMS key.

Extends:

EncryptionKeyBase

Parameters:
static import(scope, id, props) → @aws-cdk/aws-kms.IEncryptionKey

Defines an imported encryption key.

ref can be obtained either via a call to key.export() or using literals.

For example:

const keyAttr = key.export();
const keyRef1 = EncryptionKey.import(this, 'MyImportedKey1', keyAttr);
const keyRef2 = EncryptionKey.import(this, 'MyImportedKey2', {
    keyArn: 'arn:aws:kms:…'
});

Parameters:
Return type:

IEncryptionKey

export() → @aws-cdk/aws-kms.EncryptionKeyImportProps

Implements @aws-cdk/aws-kms.EncryptionKeyBase.export()

Exports this key from the current stack.

Returns:a key ref which can be used in a call to EncryptionKey.import(ref).
Return type:EncryptionKeyImportProps
keyArn

Implements @aws-cdk/aws-kms.EncryptionKeyBase.keyArn()

The ARN of the key.

Type:string (readonly)
policy

Implements @aws-cdk/aws-kms.EncryptionKeyBase.policy()

Optional policy document that represents the resource policy of this key.

If specified, addToResourcePolicy can be used to edit this policy. Otherwise this method will no-op.

Protected property

Type:@aws-cdk/aws-iam.PolicyDocument (optional) (readonly)
addAlias(alias) → @aws-cdk/aws-kms.EncryptionKeyAlias

Inherited from @aws-cdk/aws-kms.EncryptionKeyBase

Defines a new alias for the key.

Parameters:alias (string) –
Return type:EncryptionKeyAlias
addToResourcePolicy(statement[, allowNoOp])

Inherited from @aws-cdk/aws-kms.EncryptionKeyBase

Adds a statement to the KMS key resource policy.

Parameters:
  • statement (@aws-cdk/aws-iam.PolicyStatement) – The policy statement to add
  • allowNoOp (boolean (optional)) – If this is set to false and there is no policy defined (i.e. external key), the operation will fail. Otherwise, it will no-op.
prepare()

Inherited from @aws-cdk/cdk.Construct

Perform final modifications before synthesis

This method can be implemented by derived constructs in order to perform final changes before synthesis. prepare() will be called after child constructs have been prepared.

This is an advanced framework feature. Only use this if you understand the implications.

Protected method

toString() → string

Inherited from @aws-cdk/cdk.Construct

Returns a string representation of this construct.

Return type:string
validate() → string[]

Inherited from @aws-cdk/cdk.Construct

Validate the current construct.

This method can be implemented by derived constructs in order to perform validation logic. It is called on all constructs before synthesis.

Protected method

Returns:An array of validation error messages, or an empty array if the construct is valid.
Return type:string[]
dependencyRoots

Inherited from @aws-cdk/cdk.Construct

The set of constructs that form the root of this dependable

All resources under all returned constructs are included in the ordering dependency.

Type:@aws-cdk/cdk.IConstruct[] (readonly)
node

Inherited from @aws-cdk/cdk.Construct

Construct node.

Type:@aws-cdk/cdk.ConstructNode (readonly)

EncryptionKeyAlias

class @aws-cdk/aws-kms.EncryptionKeyAlias(scope, id, props)

Language-specific names:

using Amazon.CDK.AWS.KMS;
import software.amazon.awscdk.services.kms.EncryptionKeyAlias;
const { EncryptionKeyAlias } = require('@aws-cdk/aws-kms');
import { EncryptionKeyAlias } from '@aws-cdk/aws-kms';

Defines a display name for a customer master key (CMK) in AWS Key Management Service (AWS KMS). Using an alias to refer to a key can help you simplify key management. For example, when rotating keys, you can just update the alias mapping instead of tracking and changing key IDs. For more information, see Working with Aliases in the AWS Key Management Service Developer Guide.

You can also add an alias for a key by calling key.addAlias(alias).

Extends:

@aws-cdk/cdk.Construct

Parameters:
aliasName

The name of the alias.

Type:string
prepare()

Inherited from @aws-cdk/cdk.Construct

Perform final modifications before synthesis

This method can be implemented by derived constructs in order to perform final changes before synthesis. prepare() will be called after child constructs have been prepared.

This is an advanced framework feature. Only use this if you understand the implications.

Protected method

toString() → string

Inherited from @aws-cdk/cdk.Construct

Returns a string representation of this construct.

Return type:string
validate() → string[]

Inherited from @aws-cdk/cdk.Construct

Validate the current construct.

This method can be implemented by derived constructs in order to perform validation logic. It is called on all constructs before synthesis.

Protected method

Returns:An array of validation error messages, or an empty array if the construct is valid.
Return type:string[]
dependencyRoots

Inherited from @aws-cdk/cdk.Construct

The set of constructs that form the root of this dependable

All resources under all returned constructs are included in the ordering dependency.

Type:@aws-cdk/cdk.IConstruct[] (readonly)
node

Inherited from @aws-cdk/cdk.Construct

Construct node.

Type:@aws-cdk/cdk.ConstructNode (readonly)

EncryptionKeyAliasProps (interface)

class @aws-cdk/aws-kms.EncryptionKeyAliasProps

Language-specific names:

using Amazon.CDK.AWS.KMS;
import software.amazon.awscdk.services.kms.EncryptionKeyAliasProps;
// EncryptionKeyAliasProps is an interface
import { EncryptionKeyAliasProps } from '@aws-cdk/aws-kms';
alias

The name of the alias. The name must start with alias followed by a forward slash, such as alias/. You can’t specify aliases that begin with alias/AWS. These aliases are reserved.

Type:string
key

The ID of the key for which you are creating the alias. Specify the key’s globally unique identifier or Amazon Resource Name (ARN). You can’t specify another alias.

Type:IEncryptionKey

EncryptionKeyBase

class @aws-cdk/aws-kms.EncryptionKeyBase(scope, id)

Language-specific names:

using Amazon.CDK.AWS.KMS;
import software.amazon.awscdk.services.kms.EncryptionKeyBase;
const { EncryptionKeyBase } = require('@aws-cdk/aws-kms');
import { EncryptionKeyBase } from '@aws-cdk/aws-kms';
Extends:

@aws-cdk/cdk.Construct

Implements:

IEncryptionKey

Abstract:

Yes

Parameters:
  • scope (@aws-cdk/cdk.Construct) – The scope in which to define this construct
  • id (string) – The scoped construct ID. Must be unique amongst siblings. If the ID includes a path separator (/), then it will be replaced by double dash (--).
addAlias(alias) → @aws-cdk/aws-kms.EncryptionKeyAlias

Implements @aws-cdk/aws-kms.IEncryptionKey.addAlias()

Defines a new alias for the key.

Parameters:alias (string) –
Return type:EncryptionKeyAlias
addToResourcePolicy(statement[, allowNoOp])

Implements @aws-cdk/aws-kms.IEncryptionKey.addToResourcePolicy()

Adds a statement to the KMS key resource policy.

Parameters:
  • statement (@aws-cdk/aws-iam.PolicyStatement) – The policy statement to add
  • allowNoOp (boolean (optional)) – If this is set to false and there is no policy defined (i.e. external key), the operation will fail. Otherwise, it will no-op.
export() → @aws-cdk/aws-kms.EncryptionKeyImportProps

Implements @aws-cdk/aws-kms.IEncryptionKey.export()

Exports this key from the current stack.

Return type:EncryptionKeyImportProps
Abstract:Yes
keyArn

Implements @aws-cdk/aws-kms.IEncryptionKey.keyArn()

The ARN of the key.

Type:string (readonly) (abstract)
policy

Optional policy document that represents the resource policy of this key.

If specified, addToResourcePolicy can be used to edit this policy. Otherwise this method will no-op.

Protected property

Type:@aws-cdk/aws-iam.PolicyDocument (optional) (readonly) (abstract)
prepare()

Inherited from @aws-cdk/cdk.Construct

Perform final modifications before synthesis

This method can be implemented by derived constructs in order to perform final changes before synthesis. prepare() will be called after child constructs have been prepared.

This is an advanced framework feature. Only use this if you understand the implications.

Protected method

toString() → string

Inherited from @aws-cdk/cdk.Construct

Returns a string representation of this construct.

Return type:string
validate() → string[]

Inherited from @aws-cdk/cdk.Construct

Validate the current construct.

This method can be implemented by derived constructs in order to perform validation logic. It is called on all constructs before synthesis.

Protected method

Returns:An array of validation error messages, or an empty array if the construct is valid.
Return type:string[]
dependencyRoots

Inherited from @aws-cdk/cdk.Construct

The set of constructs that form the root of this dependable

All resources under all returned constructs are included in the ordering dependency.

Type:@aws-cdk/cdk.IConstruct[] (readonly)
node

Inherited from @aws-cdk/cdk.Construct

Construct node.

Type:@aws-cdk/cdk.ConstructNode (readonly)

EncryptionKeyImportProps (interface)

class @aws-cdk/aws-kms.EncryptionKeyImportProps

Language-specific names:

using Amazon.CDK.AWS.KMS;
import software.amazon.awscdk.services.kms.EncryptionKeyImportProps;
// EncryptionKeyImportProps is an interface
import { EncryptionKeyImportProps } from '@aws-cdk/aws-kms';
keyArn

The ARN of the external KMS key.

Type:string

EncryptionKeyProps (interface)

class @aws-cdk/aws-kms.EncryptionKeyProps

Language-specific names:

using Amazon.CDK.AWS.KMS;
import software.amazon.awscdk.services.kms.EncryptionKeyProps;
// EncryptionKeyProps is an interface
import { EncryptionKeyProps } from '@aws-cdk/aws-kms';

Construction properties for a KMS Key object

description

A description of the key. Use a description that helps your users decide whether the key is appropriate for a particular task.

Type:string (optional)
enabled

Indicates whether the key is available for use.

Type:boolean (optional)
Default:Key is enabled
enableKeyRotation

Indicates whether AWS KMS rotates the key.

Type:boolean (optional)
Default:false
policy

Custom policy document to attach to the KMS key.

Type:@aws-cdk/aws-iam.PolicyDocument (optional)
Default:A policy document with permissions for the account root to administer the key will be created.

retain

Whether the encryption key should be retained when it is removed from the Stack. This is useful when one wants to retain access to data that was encrypted with a key that is being retired.

Type:boolean (optional)
Default:true
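
The defaults above (enableKeyRotation is false unless set, retain is true unless overridden) and the alias naming rules can be checked against the synthesized template before deployment. The following is an added example, not part of the AWS CDK or of this page's original code; auditKmsTemplate, the type names and the sample template are hypothetical, and it assumes the retain option appears in the template as DeletionPolicy: Retain.

```typescript
// Added example, not AWS CDK code. It inspects the JSON template that
// synthesis produces, so it needs no CDK import.
type CfnResourceJson = {
  Type: string;
  DeletionPolicy?: string;
  Properties?: { [name: string]: unknown };
};
type CfnTemplateJson = { Resources: { [logicalId: string]: CfnResourceJson } };

interface KmsFinding {
  logicalId: string;
  rule: string;
  detail: string;
}

function auditKmsTemplate(template: CfnTemplateJson): KmsFinding[] {
  const findings: KmsFinding[] = [];
  const report = (logicalId: string, rule: string, detail: string) =>
    findings.push({ logicalId, rule, detail });

  for (const logicalId of Object.keys(template.Resources)) {
    const res = template.Resources[logicalId];
    if (!res) { continue; }
    const props = res.Properties || {};

    if (res.Type === 'AWS::KMS::Key') {
      // EnableKeyRotation is optional and the documented default is false, so
      // only a literal true passes; a token or intrinsic cannot be checked here.
      if (props['EnableKeyRotation'] !== true) {
        report(logicalId, 'rotation-not-enabled', 'EnableKeyRotation is not literally true');
      }
      // Assumption: the retain option is rendered as DeletionPolicy: Retain.
      if (res.DeletionPolicy !== 'Retain') {
        report(logicalId, 'key-not-retained', 'no DeletionPolicy: Retain, the key goes away with the stack');
      }
    }

    if (res.Type === 'AWS::KMS::Alias') {
      const name = props['AliasName'];
      if (typeof name === 'string') {
        if (!/^alias\/.+/.test(name)) {
          report(logicalId, 'alias-bad-prefix', 'AliasName must start with alias/');
        } else if (/^alias\/aws/i.test(name)) {
          // Matched case-insensitively as a conservative choice of this example.
          report(logicalId, 'alias-reserved', 'names beginning with alias/AWS are reserved');
        }
      }
      const target = props['TargetKeyId'];
      if (typeof target === 'string' && /^alias\//.test(target)) {
        report(logicalId, 'alias-targets-alias', 'TargetKeyId must be a key ID or ARN, not another alias');
      }
    }
  }
  return findings;
}

// Constructed sample template; logical IDs and values are made up.
const sampleTemplate: CfnTemplateJson = {
  Resources: {
    GoodKey: {
      Type: 'AWS::KMS::Key',
      DeletionPolicy: 'Retain',
      Properties: { EnableKeyRotation: true, KeyPolicy: {} },
    },
    ScratchKey: { Type: 'AWS::KMS::Key', Properties: { KeyPolicy: {} } },
    GoodAlias: {
      Type: 'AWS::KMS::Alias',
      Properties: { AliasName: 'alias/foo', TargetKeyId: { 'Fn::GetAtt': ['GoodKey', 'Arn'] } },
    },
    ReservedAlias: {
      Type: 'AWS::KMS::Alias',
      Properties: { AliasName: 'alias/AWS/reports', TargetKeyId: 'alias/foo' },
    },
    BadPrefixAlias: {
      Type: 'AWS::KMS::Alias',
      Properties: { AliasName: 'foo', TargetKeyId: { Ref: 'GoodKey' } },
    },
  },
};

const sampleFindings = auditKmsTemplate(sampleTemplate);
for (const f of sampleFindings) {
  console.log(`${f.logicalId}: ${f.rule} - ${f.detail}`);
}
```

Alias names or rotation flags supplied as tokens are skipped or flagged because their values are only known at deploy time.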

IEncryptionKey (interface)

class @aws-cdk/aws-kms.IEncryptionKey

Language-specific names:

using Amazon.CDK.AWS.KMS;
import software.amazon.awscdk.services.kms.IEncryptionKey;
// IEncryptionKey is an interface
import { IEncryptionKey } from '@aws-cdk/aws-kms';
Extends:@aws-cdk/cdk.IConstruct
keyArn

The ARN of the key.

Type:string (readonly)
addAlias(alias) → @aws-cdk/aws-kms.EncryptionKeyAlias

Defines a new alias for the key.

Parameters:alias (string) –
Return type:EncryptionKeyAlias
Abstract:Yes
addToResourcePolicy(statement[, allowNoOp])

Adds a statement to the KMS key resource policy.

Parameters:
  • statement (@aws-cdk/aws-iam.PolicyStatement) – The policy statement to add
  • allowNoOp (boolean (optional)) – If this is set to false and there is no policy defined (i.e. external key), the operation will fail. Otherwise, it will no-op.
Abstract:Yes

export() → @aws-cdk/aws-kms.EncryptionKeyImportProps

Exports this key from the current stack.

Returns:a key ref which can be used in a call to EncryptionKey.import(ref).
Return type:EncryptionKeyImportProps
Abstract:Yes
node

Inherited from @aws-cdk/cdk.IConstruct

The construct node in the scope tree.

Type:@aws-cdk/cdk.ConstructNode (readonly)
dependencyRoots

Inherited from @aws-cdk/cdk.IDependable

The set of constructs that form the root of this dependable

All resources under all returned constructs are included in the ordering dependency.

Type:@aws-cdk/cdk.IConstruct[] (readonly)