AWS CloudFormation
User Guide (API Version 2010-05-15)
AWS services or features described in the AWS documentation may vary by region/location. See Getting Started with Amazon AWS for the specific differences in the China regions.

AWS::KMS::Key

The AWS::KMS::Key resource creates a customer master key (CMK) in AWS Key Management Service (AWS KMS). Users (customers) can use the master key to encrypt their data stored in AWS services that are integrated with AWS KMS or within their applications. For more information, see What is AWS Key Management Service? in the AWS Key Management Service Developer Guide.

Syntax

To declare this entity in your AWS CloudFormation template, use the following syntax:

JSON

{
  "Type" : "AWS::KMS::Key",
  "Properties" : {
    "Description" : String,
    "Enabled" : Boolean,
    "EnableKeyRotation" : Boolean,
    "KeyPolicy" : JSON object
  }
}

YAML

Type: "AWS::KMS::Key"
Properties:
  Description: String
  Enabled: Boolean
  EnableKeyRotation: Boolean
  KeyPolicy: JSON object

Properties

Description

A description of the key. Use a description that helps your users decide whether the key is appropriate for a particular task.

Required: No

Type: String

Update requires: No interruption

Enabled

Indicates whether the key is available for use. By default, AWS CloudFormation sets this value to true.

Required: No

Type: Boolean

Update requires: No interruption

EnableKeyRotation

Indicates whether AWS KMS rotates the key. By default, AWS CloudFormation sets this value to false.

Required: No

Type: Boolean

Update requires: No interruption

KeyPolicy

An AWS KMS key policy to attach to the key. Use a policy to specify who has permission to use the key and which actions they can perform. For more information, see Key Policies in the AWS Key Management Service Developer Guide.

Required: Yes

Type: JSON object

Update requires: No interruption

Return Values

Ref

When the logical ID of this resource is provided to the Ref intrinsic function, Ref returns the key ID, such as 123ab456-a4c2-44cb-95fd-b781f32fbb37.

For more information about using the Ref function, see Ref.

Fn::GetAtt

Fn::GetAtt returns a value for a specified attribute of this type. The following are the available attributes and sample return values.

Arn

The Amazon Resource Name (ARN) of the AWS KMS key, such as arn:aws:kms:us-west-2:123456789012:key/12a34567-8c90-1defg-af84-0bf06c1747f3.

For more information about using Fn::GetAtt, see Fn::GetAtt.

Example

The following example creates a custom CMK that allows the IAM user Alice to administer the key and allows Bob to use the key to encrypt and decrypt data.

JSON

"myKey" : {
  "Type" : "AWS::KMS::Key",
  "Properties" : {
    "Description" : "A sample key",
    "KeyPolicy" : {
      "Version": "2012-10-17",
      "Id": "key-default-1",
      "Statement": [
        {
          "Sid": "Allow administration of the key",
          "Effect": "Allow",
          "Principal": { "AWS": "arn:aws:iam::123456789012:user/Alice" },
          "Action": [
            "kms:Create*",
            "kms:Describe*",
            "kms:Enable*",
            "kms:List*",
            "kms:Put*",
            "kms:Update*",
            "kms:Revoke*",
            "kms:Disable*",
            "kms:Get*",
            "kms:Delete*",
            "kms:ScheduleKeyDeletion",
            "kms:CancelKeyDeletion"
          ],
          "Resource": "*"
        },
        {
          "Sid": "Allow use of the key",
          "Effect": "Allow",
          "Principal": { "AWS": "arn:aws:iam::123456789012:user/Bob" },
          "Action": [
            "kms:Encrypt",
            "kms:Decrypt",
            "kms:ReEncrypt*",
            "kms:GenerateDataKey*",
            "kms:DescribeKey"
          ],
          "Resource": "*"
        }
      ]
    }
  }
}

YAML

myKey:
  Type: "AWS::KMS::Key"
  Properties:
    Description: "A sample key"
    KeyPolicy:
      Version: "2012-10-17"
      Id: "key-default-1"
      Statement:
        - Sid: "Allow administration of the key"
          Effect: "Allow"
          Principal:
            AWS: "arn:aws:iam::123456789012:user/Alice"
          Action:
            - "kms:Create*"
            - "kms:Describe*"
            - "kms:Enable*"
            - "kms:List*"
            - "kms:Put*"
            - "kms:Update*"
            - "kms:Revoke*"
            - "kms:Disable*"
            - "kms:Get*"
            - "kms:Delete*"
            - "kms:ScheduleKeyDeletion"
            - "kms:CancelKeyDeletion"
          Resource: "*"
        - Sid: "Allow use of the key"
          Effect: "Allow"
          Principal:
            AWS: "arn:aws:iam::123456789012:user/Bob"
          Action:
            - "kms:Encrypt"
            - "kms:Decrypt"
            - "kms:ReEncrypt*"
            - "kms:GenerateDataKey*"
            - "kms:DescribeKey"
          Resource: "*"
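As an added example (not part of the AWS documentation or of any AWS tool), the following Python script reviews a parsed CloudFormation template for the points this page describes: it finds every AWS::KMS::Key resource, flags EnableKeyRotation left at its false default, flags an Allow statement in the KeyPolicy whose Principal is "*", and flags a single statement that grants both the administrative actions and the cryptographic-use actions that the example above deliberately splits between Alice and Bob. The two templates are constructed inline: the first wraps the page's own example resource, the second is a deliberately weak counterpart so the checks have something to report. The finding strings and helper names are this example's own.

```python
import fnmatch

# Constructed input: the resource from the page's example, wrapped in a minimal
# template. EnableKeyRotation is omitted, so CloudFormation defaults it to false.
SAMPLE_TEMPLATE = {
    "Resources": {
        "myKey": {
            "Type": "AWS::KMS::Key",
            "Properties": {
                "Description": "A sample key",
                "KeyPolicy": {
                    "Version": "2012-10-17",
                    "Id": "key-default-1",
                    "Statement": [
                        {
                            "Sid": "Allow administration of the key",
                            "Effect": "Allow",
                            "Principal": {"AWS": "arn:aws:iam::123456789012:user/Alice"},
                            "Action": ["kms:Create*", "kms:Describe*", "kms:Enable*", "kms:List*",
                                       "kms:Put*", "kms:Update*", "kms:Revoke*", "kms:Disable*",
                                       "kms:Get*", "kms:Delete*", "kms:ScheduleKeyDeletion",
                                       "kms:CancelKeyDeletion"],
                            "Resource": "*",
                        },
                        {
                            "Sid": "Allow use of the key",
                            "Effect": "Allow",
                            "Principal": {"AWS": "arn:aws:iam::123456789012:user/Bob"},
                            "Action": ["kms:Encrypt", "kms:Decrypt", "kms:ReEncrypt*",
                                       "kms:GenerateDataKey*", "kms:DescribeKey"],
                            "Resource": "*",
                        },
                    ],
                },
            },
        }
    }
}

# Constructed counter-example: one statement hands every KMS action to every principal.
WEAK_TEMPLATE = {
    "Resources": {
        "weakKey": {
            "Type": "AWS::KMS::Key",
            "Properties": {
                "EnableKeyRotation": True,
                "KeyPolicy": {
                    "Version": "2012-10-17",
                    "Statement": [{"Sid": "Everyone does everything", "Effect": "Allow",
                                   "Principal": {"AWS": "*"}, "Action": "kms:*", "Resource": "*"}],
                },
            },
        }
    }
}


def _as_list(value):
    """IAM allows Action and Principal values to be a string or a list; normalize to a list."""
    return value if isinstance(value, list) else [value]


def _principals(principal):
    """Flatten a Principal element ("*", a bare string, or {"AWS": [...]}) into strings."""
    if isinstance(principal, dict):
        return [p for v in principal.values() for p in _as_list(v)]
    return _as_list(principal)


def _grants(actions, action):
    """True if any action pattern in the statement (IAM wildcard, case-insensitive) covers action."""
    return any(fnmatch.fnmatch(action.lower(), str(pattern).lower()) for pattern in actions)


def check_kms_key(logical_id, resource):
    """Return a list of human-readable findings for one AWS::KMS::Key resource."""
    findings = []
    props = resource.get("Properties", {})
    if props.get("EnableKeyRotation") is not True:
        findings.append(f"{logical_id}: EnableKeyRotation is not true (CloudFormation defaults it to false)")
    policy = props.get("KeyPolicy")
    if not isinstance(policy, dict):
        findings.append(f"{logical_id}: KeyPolicy is required and must be a JSON object")
        return findings
    for stmt in _as_list(policy.get("Statement", [])):
        if stmt.get("Effect") != "Allow":
            continue
        sid = stmt.get("Sid", "<no Sid>")
        actions = _as_list(stmt.get("Action", []))
        if "*" in _principals(stmt.get("Principal", {})):
            findings.append(f'{logical_id}/{sid}: Allow statement with Principal "*" does not restrict who it applies to')
        # The page's example splits these across Alice and Bob; a statement granting both
        # lets one principal rewrite the key policy and decrypt the data it protects.
        if _grants(actions, "kms:PutKeyPolicy") and _grants(actions, "kms:Decrypt"):
            findings.append(f"{logical_id}/{sid}: one statement grants both administration and usage (no separation of duties)")
    return findings


def lint_template(template):
    """Run check_kms_key over every AWS::KMS::Key resource in a parsed template."""
    findings = []
    for logical_id, resource in template.get("Resources", {}).items():
        if resource.get("Type") == "AWS::KMS::Key":
            findings.extend(check_kms_key(logical_id, resource))
    return findings


if __name__ == "__main__":
    for name, template in (("page example", SAMPLE_TEMPLATE), ("weak example", WEAK_TEMPLATE)):
        print(name)
        for finding in lint_template(template) or ["no findings"]:
            print("  " + finding)
```

Against the page's example the only finding is the missing EnableKeyRotation, which is exactly what the property table above says CloudFormation defaults to false; the separation between Alice's administrative wildcards and Bob's usage actions passes. Load a real template with json.load (or a YAML parser) into the same dict shape and pass it to lint_template.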
