Let us take a closer look at the CloudFormation AWS::KMS::Key resource. At Bobcares, our AWS support services can give you a detailed note on the KMS key.
AWS KMS keys CloudFormation
The fundamental resource in AWS KMS is AWS KMS keys (KMS keys). A KMS key can be used to encrypt, decrypt, and re-encrypt data. It can also create data keys for usage outside of AWS KMS.
We will often utilize symmetric encryption KMS keys, but we can also produce and use asymmetric KMS keys for encryption or signing, as well as generate and validate HMAC tags using HMAC KMS keys.
A logical representation of a cryptographic key is an AWS KMS key. Metadata of a KMS key includes the key ID, key specification, key use, creation date, description, and key status. Most crucially, it includes a reference to the key material used when performing cryptographic operations with the KMS key.
AWS KMS allows us to generate KMS keys. Symmetric KMS keys and the private keys of asymmetric KMS keys never leave AWS KMS unencrypted. We must go through AWS KMS to use or manage the KMS keys. See Managing keys for information on creating and managing KMS keys.
By default, AWS KMS generates the key material for a KMS key. We cannot extract, export, view, or otherwise handle this key material. The lone exception is the public key of an asymmetric key pair, which we may export for use outside of AWS.
Furthermore, we cannot delete this key material on its own; instead, we must delete the KMS key. However, we may import our own key material into a KMS key, or generate the key material for a KMS key in the AWS CloudHSM cluster linked with an AWS KMS custom key store.
Regions
AWS KMS CloudFormation resources are available in all Regions that support both AWS KMS and AWS CloudFormation. We may use the AWS::KMS::Key resource to create and manage all KMS key types supported in a Region.
Syntax
Use the following syntax to declare this object in the AWS CloudFormation template:
JSON
{
  "Type" : "AWS::KMS::Key",
  "Properties" : {
    "Description" : String,
    "Enabled" : Boolean,
    "EnableKeyRotation" : Boolean,
    "KeyPolicy" : Json,
    "KeySpec" : String,
    "KeyUsage" : String,
    "MultiRegion" : Boolean,
    "PendingWindowInDays" : Integer,
    "Tags" : [ Tag, ... ]
  }
}
YAML
Type: AWS::KMS::Key
Properties:
  Description: String
  Enabled: Boolean
  EnableKeyRotation: Boolean
  KeyPolicy: Json
  KeySpec: String
  KeyUsage: String
  MultiRegion: Boolean
  PendingWindowInDays: Integer
  Tags:
    - Tag
Properties
Description
A description of the KMS key. Use a description that distinguishes this KMS key from the others in the account, such as its intended use.
Required: No
Type: String
Minimum: 0
Maximum: 8192
Update requires: No interruption
Enabled
Specifies whether the KMS key is enabled. Disabled KMS keys cannot be used in cryptographic operations.
When Enabled is true, the key state of the KMS key is Enabled. When Enabled is false, the key state of the KMS key is Disabled. The default value is true.
Actions taken outside of CloudFormation, such as running the EnableKey, DisableKey, or ScheduleKeyDeletion operations, may change the actual key state of the KMS key.
KeyPolicy
The key policy that authorizes use of the KMS key. The key policy must follow these rules.
- The key policy must allow the caller to make a subsequent PutKeyPolicy request on the KMS key. This reduces the risk that the KMS key becomes unmanageable.
- Each key policy statement must include one or more principals. The principals in the key policy must exist and be visible to AWS KMS. Because a newly created AWS principal may not be immediately visible to AWS KMS, we may need to enforce a delay before adding a new principal to a key policy right after creating it.
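The following Python script is an added example, not code from the original post or from AWS. It builds the AWS::KMS::Key resource from the Syntax section with a key policy that satisfies both rules above (an account-root administration statement that retains kms:PutKeyPolicy, plus a least-privilege data-plane statement for one workload role), and it lints a key policy against those same two rules. The account ID 111122223333 is the AWS documentation placeholder account, and ExampleAppRole is a hypothetical role name.

```python
"""AWS::KMS::Key resource builder and key-policy linter (added example).

The linter implements the two rules from the text: every statement names a
Principal, and some Allow statement grants kms:PutKeyPolicy so that the key
stays manageable. It does not evaluate Deny, NotAction or Condition elements.
"""
import fnmatch
import json

# Constructed placeholder values: the AWS documentation example account and a
# hypothetical application role.
ACCOUNT_ID = "111122223333"
APP_ROLE_ARN = f"arn:aws:iam::{ACCOUNT_ID}:role/ExampleAppRole"

KEY_POLICY = {
    "Version": "2012-10-17",
    "Id": "example-key-policy",
    "Statement": [
        {
            # Rule 1: the account root keeps kms:* (which covers PutKeyPolicy),
            # so IAM policies in the account can still administer the key.
            "Sid": "EnableKeyAdministration",
            "Effect": "Allow",
            "Principal": {"AWS": f"arn:aws:iam::{ACCOUNT_ID}:root"},
            "Action": "kms:*",
            "Resource": "*",
        },
        {
            # Least privilege for one workload: data-plane operations only.
            "Sid": "AllowApplicationUse",
            "Effect": "Allow",
            "Principal": {"AWS": APP_ROLE_ARN},
            "Action": ["kms:Encrypt", "kms:Decrypt", "kms:GenerateDataKey*"],
            "Resource": "*",
        },
    ],
}


def build_key_resource(key_policy, description="Example application data key"):
    """Return an AWS::KMS::Key resource using every property from the Syntax section."""
    return {
        "Type": "AWS::KMS::Key",
        "Properties": {
            "Description": description,
            "Enabled": True,
            "EnableKeyRotation": True,       # automatic rotation of the key material
            "KeyPolicy": key_policy,
            "KeySpec": "SYMMETRIC_DEFAULT",  # symmetric encryption key
            "KeyUsage": "ENCRYPT_DECRYPT",
            "MultiRegion": False,
            "PendingWindowInDays": 30,       # longest waiting period before deletion
            "Tags": [{"Key": "Purpose", "Value": "example"}],
        },
    }


def _as_list(value):
    """IAM allows a single string or a list for Statement and Action."""
    return value if isinstance(value, list) else [value]


def key_policy_problems(key_policy):
    """Check the two key-policy rules from the text and return a list of findings."""
    problems = []
    grants_put_policy = False
    for idx, stmt in enumerate(_as_list(key_policy.get("Statement", []))):
        sid = stmt.get("Sid", f"statement[{idx}]")
        # Rule 2: every statement must name at least one principal.
        if not stmt.get("Principal"):
            problems.append(f"{sid}: no Principal")
            continue
        if stmt.get("Effect") != "Allow":
            continue
        # Rule 1: some Allow statement covers kms:PutKeyPolicy; IAM action
        # matching is case-insensitive and supports '*' wildcards.
        actions = [a.lower() for a in _as_list(stmt.get("Action", []))]
        if any(fnmatch.fnmatchcase("kms:putkeypolicy", a) for a in actions):
            grants_put_policy = True
    if not grants_put_policy:
        problems.append("no Allow statement grants kms:PutKeyPolicy; "
                        "the key may become unmanageable")
    return problems


def render_template(key_policy):
    """Serialise a minimal CloudFormation template containing the key as JSON."""
    template = {
        "AWSTemplateFormatVersion": "2010-09-09",
        "Resources": {"ExampleKey": build_key_resource(key_policy)},
    }
    return json.dumps(template, indent=2)


if __name__ == "__main__":
    print(render_template(KEY_POLICY))
    print("findings for KEY_POLICY:", key_policy_problems(KEY_POLICY) or "none")
    # A policy that only grants data-plane use violates rule 1.
    use_only = {"Version": "2012-10-17", "Statement": [KEY_POLICY["Statement"][1]]}
    print("findings for use-only policy:", key_policy_problems(use_only))
```

Run the script to print the template and the linter findings; feeding the printed JSON to `aws cloudformation validate-template` is a sensible next step before deploying. The linter deliberately stops at the two rules the text states, so a passing result is a necessary check, not a full authorization analysis.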
Conclusion
To conclude, we have now gone through the CloudFormation AWS::KMS::Key resource, its syntax, and its properties. We also learned how to set it up with the support of our AWS Support services.