RotationsListEntry - Amazon Key Management Service
ContentsSee Also
Services or capabilities described in Amazon Web Services documentation might vary by Region. To see the differences applicable to the China Regions, see Getting Started with Amazon Web Services in China (PDF).

RotationsListEntry

Each entry contains information about one of the key materials associated with a KMS key.

Contents

Note

In the following list, the required parameters are described first.

ExpirationModel

Indicates if the key material is configured to automatically expire. There are two possible values for this field: KEY_MATERIAL_EXPIRES and KEY_MATERIAL_DOES_NOT_EXPIRE. For any key material that expires, the expiration date and time is indicated in ValidTo. This field is only present for symmetric encryption KMS keys with EXTERNAL origin.

Type: String

Valid Values: KEY_MATERIAL_EXPIRES | KEY_MATERIAL_DOES_NOT_EXPIRE

Required: No

ImportState

Indicates if the key material is currently imported into Amazon KMS. It has two possible values: IMPORTED or PENDING_IMPORT. This field is only present for symmetric encryption KMS keys with EXTERNAL origin.

Type: String

Valid Values: IMPORTED | PENDING_IMPORT

Required: No

KeyId

Unique identifier of the key.

Type: String

Length Constraints: Minimum length of 1. Maximum length of 2048.

Required: No

KeyMaterialDescription

User-specified description of the key material. This field is only present for symmetric encryption KMS keys with EXTERNAL origin.

Type: String

Length Constraints: Minimum length of 0. Maximum length of 256.

Pattern: ^[a-zA-Z0-9:/_\s.-]+$

Required: No

KeyMaterialId

Unique identifier of the key material.

Type: String

Length Constraints: Fixed length of 64.

Pattern: ^[a-f0-9]+$

Required: No

KeyMaterialState

There are three possible values for this field: CURRENT, NON_CURRENT and PENDING_ROTATION. Amazon KMS uses CURRENT key material for both encryption and decryption and NON_CURRENT key material only for decryption. PENDING_ROTATION identifies key material that has been imported for on-demand key rotation but the rotation hasn't completed. Key material in PENDING_ROTATION is not permanently associated with the KMS key. You can delete this key material and import different key material in its place. The PENDING_ROTATION value is only used in symmetric encryption keys with imported key material. The other values, CURRENT and NON_CURRENT, are used for all KMS keys that support automatic or on-demand key rotation.

Type: String

Valid Values: NON_CURRENT | CURRENT | PENDING_ROTATION

Required: No

RotationDate

Date and time that the key material rotation completed. Formatted as Unix time. This field is not present for the first key material or an imported key material in PENDING_ROTATION state.

Type: Timestamp

Required: No

RotationType

Identifies whether the key material rotation was a scheduled automatic rotation or an on-demand rotation. This field is not present for the first key material or an imported key material in PENDING_ROTATION state.

Type: String

Valid Values: AUTOMATIC | ON_DEMAND

Required: No

ValidTo

Date and time at which the key material expires. This field is only present for symmetric encryption KMS keys with EXTERNAL origin in rotation list entries with an ExpirationModel value of KEY_MATERIAL_EXPIRES.

Type: Timestamp

Required: No

See Also

For more information about using this API in one of the language-specific Amazon SDKs, see the following: