密钥类型引用 - Amazon Key Management Service
密钥类型表特殊功能表
Amazon Web Services 文档中描述的 Amazon Web Services 服务或功能可能因区域而异。要查看适用于中国区域的差异,请参阅 中国的 Amazon Web Services 服务入门 (PDF)

本文属于机器翻译版本。若本译文内容与英语原文存在差异,则一律以英文原文为准。

密钥类型引用

Amazon KMS 支持不同类型的 KMS 密钥的不同功能。例如,只能使用对称加密 KMS 密钥生成对称数据密钥非对称数据密钥对。此外,只有对称加密 KMS 密钥支持导入密钥材料自动密钥轮换,并且在自定义密钥存储中只能创建对称加密 KMS 密钥。

此参考包括两个表。

  • 密钥类型表列出了对称加密 KMS 密钥、非对称 KMS 密钥和 HMAC KMS 密钥有效的 Amazon KMS 操作。

  • 特殊功能表列出了对多区域 KMS 密钥、包含导入的密钥材料的 KMS 密钥,以及自定义密钥存储中的 KMS 密钥有效的 Amazon KMS 操作。

密钥类型表

您可能需要水平或垂直滚动才能查看此表中的所有数据。

Amazon KMS API 操作 对称加密 KMS 密钥 HMAC KMS 密钥 非对称 KMS 密钥 (ENCRYPT_DECRYPT) 非对称 KMS 密钥 (SIGN_VERIFY) 非对称 KMS 密钥(KEY_AGREEMENT)

CancelKeyDeletion

支持

CreateAlias

CreateGrant

CreateKey

Decrypt

DeleteAlias

DeleteImportedKeyMaterial

仅在包含导入的密钥材料的 KMS 密钥上有效(OriginEXTERNAL)。

支持

DeriveSharedSecret

DescribeKey

DisableKey

DisableKeyRotation

仅对带有密钥材料 (isAWS_KMS) Origin 的 KMS 密 Amazon KMS 钥有效。

EnableKey

EnableKeyRotation

仅对带有密钥材料 (isAWS_KMS) Origin 的 KMS 密 Amazon KMS 钥有效。

Encrypt

GenerateDataKey

GenerateDataKeyPair

生成受对称加密 KMS 密钥保护的非对称数据密钥对。

在自定义密钥存储中的 KMS 密钥上无效。

GenerateDataKeyPairWithoutPlaintext

生成受对称加密 KMS 密钥保护的非对称数据密钥对。

在自定义密钥存储中的 KMS 密钥上无效。

GenerateDataKeyWithoutPlaintext

GenerateMac

GetKeyPolicy

GetKeyRotationStatus

KeyRotationEnabled 将始终为 false。)

KeyRotationEnabled 将始终为 false。)

KeyRotationEnabled 将始终为 false。)

KeyRotationEnabled 将始终为 false。)

GetParametersForImport

仅在包含导入的密钥材料的 KMS 密钥上有效(OriginEXTERNAL)。

支持

GetPublicKey

ImportKeyMaterial

仅在包含导入的密钥材料的 KMS 密钥上有效(OriginEXTERNAL)。

支持

ListAliases

ListGrants

ListKeyPolicies

ListKeyRotations

Rotations 字段将始终为 null 或空。)

Rotations 字段将始终为 null 或空。)

Rotations 字段将始终为 null 或空。)

Rotations 字段将始终为 null 或空。)

ListResourceTags

支持

ListRetirableGrants

PutKeyPolicy

ReEncrypt

ReplicateKey

- 仅在多区域密钥上有效

支持

RetireGrant

RevokeGrant

RotateKeyOnDemand

仅对客户管理的对称加密 KMS 密钥AWS_KMSEXTERNAL来源有效。

ScheduleKeyDeletion

Sign

TagResource

UntagResource

UpdateAlias

当前 KMS 密钥和新的 KMS 密钥必须为相同类型(要么都是对称的,要么都是非对称的,要么都是 HMAC),并且它们必须用于相同的密钥用途

 支持

UpdateKeyDescription

UpdateReplicaRegion

- 仅在多区域密钥上有效

支持

Verify

VerifyMac

特殊功能表

下表显示了每种类型的特殊用途密钥支持的 Amazon KMS API 操作。

在阅读此表时,请注意以下交互:

  • 多区域密钥

    • 多区域密钥可以是对称加密 KMS 密钥、非对称 KMS 密钥、HMAC KMS 密钥,以及包含导入的密钥材料的 KMS 密钥。

    • 您不能在自定义密钥存储中创建多区域密钥。

  • 导入的密钥材料

    • 您可以导入对称加密 KMS 密钥、非对称 KMS 密钥和 HMAC KMS 密钥的密钥材料。

    • 您可创建具有导入密钥材料的多区域密钥

    • 您不能在自定义密钥存储中使用导入的密钥材料创建密钥。

    • 带有导入密钥材料的 KMS 密钥不支持自动密钥轮换 (EnableKeyRotationDisableKeyRotation)。

    • 使用导入的密钥材料的单区域、对称加密 KMS 密钥支持按需密钥轮换 (RotateKeyOnDemand)。

  • 自定义密钥存储

    • 自定义密钥存储仅支持对称加密 KMS 密钥。

    • 自定义密钥存储中的 KMS 密钥不支持对非对称密钥对(GenerateDataKeyPairGenerateDataKeyPairWithoutPlaintext)进行对称操作。

    • 自定义密钥存储中的 KMS 密钥不支持自动密钥转换 (EnableKeyRotationDisableKeyRotation)。

    • 您不能在自定义密钥存储中创建多区域密钥。

您可能需要水平或垂直滚动才能查看此表中的所有数据。

Amazon KMS API 操作 多区域密钥 导入的密钥材料 自定义密钥存储中的 KMS 密钥

CancelKeyDeletion

Green checkmark icon indicating success or completion.

 Green checkmark icon indicating success or completion.

Green checkmark icon indicating success or completion.

CreateAlias

 Green checkmark icon indicating success or completion. Green checkmark icon indicating success or completion. Green checkmark icon indicating success or completion.

CreateGrant

Green checkmark icon indicating success or completion.

 Green checkmark icon indicating success or completion.

Green checkmark icon indicating success or completion.
CreateKey

您可以使用 CreateKey 创建多区域主键、包含导入的密钥材料的 KMS 密钥,或自定义密钥存储中的 KMS 密钥。若要创建多区域副本密钥,请使用 ReplicateKey

 Green checkmark icon indicating success or completion. Green checkmark icon indicating success or completion. Green checkmark icon indicating success or completion.

Decrypt

Green checkmark icon indicating success or completion.

仅当 KeyUsageENCRYPT_DECRYPT 时才有效

 Green checkmark icon indicating success or completion.

Green checkmark icon indicating success or completion.

DeleteAlias

Green checkmark icon indicating success or completion.

 Green checkmark icon indicating success or completion.

Green checkmark icon indicating success or completion.

DeleteImportedKeyMaterial

Green checkmark icon indicating success or completion.

仅对包含导入的密钥材料的密钥有效(OriginEXTERNAL

 Green checkmark icon indicating success or completion. Red circle with diagonal line, commonly used to indicate prohibition or "no" symbol.

DeriveSharedSecret

Green checkmark icon indicating success or completion.

仅在 KeyUsage is 时有效KEY_AGREEMENT)

Green checkmark icon indicating success or completion.

仅在 KeyUsage is 时有效KEY_AGREEMENT)

Red circle with diagonal line, commonly used to indicate prohibition or "no" symbol.

DescribeKey

Green checkmark icon indicating success or completion.

 Green checkmark icon indicating success or completion.

Green checkmark icon indicating success or completion.

DisableKey

Green checkmark icon indicating success or completion.

 Green checkmark icon indicating success or completion.

Green checkmark icon indicating success or completion.

DisableKeyRotation

 Green checkmark icon indicating success or completion.

仅对带有密钥材料 (OriginisAWS_KMS) 的对称加密密 Amazon KMS 钥有效。

 Red circle with diagonal line, commonly used to indicate prohibition or "no" symbol.

Red circle with diagonal line, commonly used to indicate prohibition or "no" symbol.

EnableKey

Green checkmark icon indicating success or completion.

仅在对称加密 KMS 密钥上有效

 Green checkmark icon indicating success or completion.

Green checkmark icon indicating success or completion.

EnableKeyRotation

Green checkmark icon indicating success or completion.

仅对带有密钥材料 (OriginisAWS_KMS) 的对称加密密 Amazon KMS 钥有效。

 Red circle with diagonal line, commonly used to indicate prohibition or "no" symbol.

Red circle with diagonal line, commonly used to indicate prohibition or "no" symbol.

Encrypt

Green checkmark icon indicating success or completion.

仅当 KeyUsageENCRYPT_DECRYPT 时才有效

 Green checkmark icon indicating success or completion.

Green checkmark icon indicating success or completion.

GenerateDataKey

Green checkmark icon indicating success or completion.

仅在对称加密 KMS 密钥上有效

 Green checkmark icon indicating success or completion.

Green checkmark icon indicating success or completion.

GenerateDataKeyPair

Green checkmark icon indicating success or completion.

仅在对称加密 KMS 密钥上有效

 Green checkmark icon indicating success or completion.

Red circle with diagonal line, commonly used to indicate prohibition or "no" symbol.

GenerateDataKeyPairWithoutPlaintext

Green checkmark icon indicating success or completion.

仅在对称加密 KMS 密钥上有效

 Green checkmark icon indicating success or completion.

Red circle with diagonal line, commonly used to indicate prohibition or "no" symbol.

GenerateDataKeyWithoutPlaintext

Green checkmark icon indicating success or completion.

仅在对称加密 KMS 密钥上有效

 Green checkmark icon indicating success or completion.

Green checkmark icon indicating success or completion.
GenerateMac

仅在 HMAC KMS 密钥上有效

 Green checkmark icon indicating success or completion. Green checkmark icon indicating success or completion. Red circle with diagonal line, commonly used to indicate prohibition or "no" symbol.

GetKeyPolicy

Green checkmark icon indicating success or completion.

 Green checkmark icon indicating success or completion.

Green checkmark icon indicating success or completion.

GetKeyRotationStatus

Green checkmark icon indicating success or completion.

 Green checkmark icon indicating success or completion.

KeyRotationEnabled 将始终为 false。)

 Red circle with diagonal line, commonly used to indicate prohibition or "no" symbol.

GetParametersForImport

Green checkmark icon indicating success or completion.

仅对包含已导入的密钥材料的密钥有效(OriginEXTERNAL)。

 Green checkmark icon indicating success or completion.

Red circle with diagonal line, commonly used to indicate prohibition or "no" symbol.

GetPublicKey

仅对非对称 KMS 密钥有效。

Green checkmark icon indicating success or completion.

 Green checkmark icon indicating success or completion.

Red circle with diagonal line, commonly used to indicate prohibition or "no" symbol.

ImportKeyMaterial

Green checkmark icon indicating success or completion.

仅对包含已导入的密钥材料的密钥有效(OriginEXTERNAL)。

 Green checkmark icon indicating success or completion.

Red circle with diagonal line, commonly used to indicate prohibition or "no" symbol.

ListAliases

Green checkmark icon indicating success or completion.

 Green checkmark icon indicating success or completion.

Green checkmark icon indicating success or completion.

ListGrants

Green checkmark icon indicating success or completion.

 Green checkmark icon indicating success or completion.

Green checkmark icon indicating success or completion.

ListKeyPolicies

Green checkmark icon indicating success or completion.

 Green checkmark icon indicating success or completion.

Green checkmark icon indicating success or completion.

ListKeyRotations

Green checkmark icon indicating success or completion.

仅对具有AWS_KMS来源的对称加密密钥有效。

Green checkmark icon indicating success or completion.

仅对单区域对称加密密钥有效。

Red circle with diagonal line, commonly used to indicate prohibition or "no" symbol.

ListResourceTags

Green checkmark icon indicating success or completion.

 Green checkmark icon indicating success or completion.

Green checkmark icon indicating success or completion.

ListRetirableGrants

Green checkmark icon indicating success or completion.

 Green checkmark icon indicating success or completion.

Green checkmark icon indicating success or completion.

PutKeyPolicy

Green checkmark icon indicating success or completion.

 Green checkmark icon indicating success or completion.

Green checkmark icon indicating success or completion.

ReEncrypt

Green checkmark icon indicating success or completion.

仅当 KeyUsageENCRYPT_DECRYPT 时才有效

 Green checkmark icon indicating success or completion.

Green checkmark icon indicating success or completion.

ReplicateKey

Green checkmark icon indicating success or completion.

仅在多区域主键上有效。

 Green checkmark icon indicating success or completion.

仅在多区域主键上有效。

Red circle with diagonal line, commonly used to indicate prohibition or "no" symbol.

RetireGrant

Green checkmark icon indicating success or completion.

 Green checkmark icon indicating success or completion.

Green checkmark icon indicating success or completion.

RevokeGrant

Green checkmark icon indicating success or completion.

 Green checkmark icon indicating success or completion.

Green checkmark icon indicating success or completion.

RotateKeyOnDemand

Green checkmark icon indicating success or completion.

仅对具有AWS_KMS来源的对称加密密钥有效。

Green checkmark icon indicating success or completion.

仅对单区域对称加密密钥有效。

Red circle with diagonal line, commonly used to indicate prohibition or "no" symbol.

ScheduleKeyDeletion

Green checkmark icon indicating success or completion.

 Green checkmark icon indicating success or completion.

Green checkmark icon indicating success or completion.

Sign

仅当 KeyUsageSIGN_VERIFY 时才有效。

Green checkmark icon indicating success or completion.

 Green checkmark icon indicating success or completion.

Red circle with diagonal line, commonly used to indicate prohibition or "no" symbol.

TagResource

Green checkmark icon indicating success or completion.

 Green checkmark icon indicating success or completion.

Green checkmark icon indicating success or completion.

UntagResource

Green checkmark icon indicating success or completion.

 Green checkmark icon indicating success or completion.

Green checkmark icon indicating success or completion.

UpdateAlias

– 当前 KMS 密钥和新的 KMS 密钥必须为相同类型(要么都是对称的,要么都是非对称的,要么都是 HMAC),并且它们必须用于相同的密钥用途

 Green checkmark icon indicating success or completion. Green checkmark icon indicating success or completion.

Green checkmark icon indicating success or completion.

UpdateKeyDescription

Green checkmark icon indicating success or completion.

 Green checkmark icon indicating success or completion.

Green checkmark icon indicating success or completion.

UpdateReplicaRegion

Green checkmark icon indicating success or completion.

 Green checkmark icon indicating success or completion.

仅在多区域密钥上有效。

Red circle with diagonal line, commonly used to indicate prohibition or "no" symbol.

Verify

仅当 KeyUsageSIGN_VERIFY 时才有效。

Green checkmark icon indicating success or completion.

 Green checkmark icon indicating success or completion.

Red circle with diagonal line, commonly used to indicate prohibition or "no" symbol.
VerifyMac

仅在 HMAC KMS 密钥上有效

 Green checkmark icon indicating success or completion. Green checkmark icon indicating success or completion. Red circle with diagonal line, commonly used to indicate prohibition or "no" symbol.