/** * Copyright Amazon.com, Inc. or its affiliates. All Rights Reserved. * SPDX-License-Identifier: Apache-2.0. */ #pragma once #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include namespace Aws { namespace Http { class HttpClient; class HttpClientFactory; } // namespace Http namespace Utils { template< typename R, typename E> class Outcome; namespace Threading { class Executor; } // namespace Threading } // namespace Utils namespace Auth { class AWSCredentials; class AWSCredentialsProvider; } // namespace Auth namespace Client { class RetryStrategy; } // namespace Client namespace KMS { namespace Model { class CancelKeyDeletionRequest; class ConnectCustomKeyStoreRequest; class CreateAliasRequest; class CreateCustomKeyStoreRequest; class CreateGrantRequest; class CreateKeyRequest; class DecryptRequest; class DeleteAliasRequest; class DeleteCustomKeyStoreRequest; class DeleteImportedKeyMaterialRequest; class DescribeCustomKeyStoresRequest; class DescribeKeyRequest; class DisableKeyRequest; class DisableKeyRotationRequest; class DisconnectCustomKeyStoreRequest; class EnableKeyRequest; class EnableKeyRotationRequest; class EncryptRequest; class GenerateDataKeyRequest; class GenerateDataKeyPairRequest; class GenerateDataKeyPairWithoutPlaintextRequest; class GenerateDataKeyWithoutPlaintextRequest; class GenerateRandomRequest; class GetKeyPolicyRequest; class GetKeyRotationStatusRequest; class GetParametersForImportRequest; class GetPublicKeyRequest; class ImportKeyMaterialRequest; class ListAliasesRequest; class ListGrantsRequest; class ListKeyPoliciesRequest; class ListKeysRequest; class ListResourceTagsRequest; class ListRetirableGrantsRequest; class PutKeyPolicyRequest; class ReEncryptRequest; class RetireGrantRequest; class RevokeGrantRequest; class ScheduleKeyDeletionRequest; class SignRequest; class TagResourceRequest; class UntagResourceRequest; class UpdateAliasRequest; class UpdateCustomKeyStoreRequest; class UpdateKeyDescriptionRequest; class VerifyRequest; typedef Aws::Utils::Outcome CancelKeyDeletionOutcome; typedef Aws::Utils::Outcome ConnectCustomKeyStoreOutcome; typedef Aws::Utils::Outcome CreateAliasOutcome; typedef Aws::Utils::Outcome CreateCustomKeyStoreOutcome; typedef Aws::Utils::Outcome CreateGrantOutcome; typedef Aws::Utils::Outcome CreateKeyOutcome; typedef Aws::Utils::Outcome DecryptOutcome; typedef Aws::Utils::Outcome DeleteAliasOutcome; typedef Aws::Utils::Outcome DeleteCustomKeyStoreOutcome; typedef Aws::Utils::Outcome DeleteImportedKeyMaterialOutcome; typedef Aws::Utils::Outcome DescribeCustomKeyStoresOutcome; typedef Aws::Utils::Outcome DescribeKeyOutcome; typedef Aws::Utils::Outcome DisableKeyOutcome; typedef Aws::Utils::Outcome DisableKeyRotationOutcome; typedef Aws::Utils::Outcome DisconnectCustomKeyStoreOutcome; typedef Aws::Utils::Outcome EnableKeyOutcome; typedef Aws::Utils::Outcome EnableKeyRotationOutcome; typedef Aws::Utils::Outcome EncryptOutcome; typedef Aws::Utils::Outcome GenerateDataKeyOutcome; typedef Aws::Utils::Outcome GenerateDataKeyPairOutcome; typedef Aws::Utils::Outcome GenerateDataKeyPairWithoutPlaintextOutcome; typedef Aws::Utils::Outcome GenerateDataKeyWithoutPlaintextOutcome; typedef Aws::Utils::Outcome GenerateRandomOutcome; typedef Aws::Utils::Outcome GetKeyPolicyOutcome; typedef Aws::Utils::Outcome GetKeyRotationStatusOutcome; typedef Aws::Utils::Outcome GetParametersForImportOutcome; typedef Aws::Utils::Outcome GetPublicKeyOutcome; typedef Aws::Utils::Outcome ImportKeyMaterialOutcome; typedef Aws::Utils::Outcome ListAliasesOutcome; typedef Aws::Utils::Outcome ListGrantsOutcome; typedef Aws::Utils::Outcome ListKeyPoliciesOutcome; typedef Aws::Utils::Outcome ListKeysOutcome; typedef Aws::Utils::Outcome ListResourceTagsOutcome; typedef Aws::Utils::Outcome ListRetirableGrantsOutcome; typedef Aws::Utils::Outcome PutKeyPolicyOutcome; typedef Aws::Utils::Outcome ReEncryptOutcome; typedef Aws::Utils::Outcome RetireGrantOutcome; typedef Aws::Utils::Outcome RevokeGrantOutcome; typedef Aws::Utils::Outcome ScheduleKeyDeletionOutcome; typedef Aws::Utils::Outcome SignOutcome; typedef Aws::Utils::Outcome TagResourceOutcome; typedef Aws::Utils::Outcome UntagResourceOutcome; typedef Aws::Utils::Outcome UpdateAliasOutcome; typedef Aws::Utils::Outcome UpdateCustomKeyStoreOutcome; typedef Aws::Utils::Outcome UpdateKeyDescriptionOutcome; typedef Aws::Utils::Outcome VerifyOutcome; typedef std::future CancelKeyDeletionOutcomeCallable; typedef std::future ConnectCustomKeyStoreOutcomeCallable; typedef std::future CreateAliasOutcomeCallable; typedef std::future CreateCustomKeyStoreOutcomeCallable; typedef std::future CreateGrantOutcomeCallable; typedef std::future CreateKeyOutcomeCallable; typedef std::future DecryptOutcomeCallable; typedef std::future DeleteAliasOutcomeCallable; typedef std::future DeleteCustomKeyStoreOutcomeCallable; typedef std::future DeleteImportedKeyMaterialOutcomeCallable; typedef std::future DescribeCustomKeyStoresOutcomeCallable; typedef std::future DescribeKeyOutcomeCallable; typedef std::future DisableKeyOutcomeCallable; typedef std::future DisableKeyRotationOutcomeCallable; typedef std::future DisconnectCustomKeyStoreOutcomeCallable; typedef std::future EnableKeyOutcomeCallable; typedef std::future EnableKeyRotationOutcomeCallable; typedef std::future EncryptOutcomeCallable; typedef std::future GenerateDataKeyOutcomeCallable; typedef std::future GenerateDataKeyPairOutcomeCallable; typedef std::future GenerateDataKeyPairWithoutPlaintextOutcomeCallable; typedef std::future GenerateDataKeyWithoutPlaintextOutcomeCallable; typedef std::future GenerateRandomOutcomeCallable; typedef std::future GetKeyPolicyOutcomeCallable; typedef std::future GetKeyRotationStatusOutcomeCallable; typedef std::future GetParametersForImportOutcomeCallable; typedef std::future GetPublicKeyOutcomeCallable; typedef std::future ImportKeyMaterialOutcomeCallable; typedef std::future ListAliasesOutcomeCallable; typedef std::future ListGrantsOutcomeCallable; typedef std::future ListKeyPoliciesOutcomeCallable; typedef std::future ListKeysOutcomeCallable; typedef std::future ListResourceTagsOutcomeCallable; typedef std::future ListRetirableGrantsOutcomeCallable; typedef std::future PutKeyPolicyOutcomeCallable; typedef std::future ReEncryptOutcomeCallable; typedef std::future RetireGrantOutcomeCallable; typedef std::future RevokeGrantOutcomeCallable; typedef std::future ScheduleKeyDeletionOutcomeCallable; typedef std::future SignOutcomeCallable; typedef std::future TagResourceOutcomeCallable; typedef std::future UntagResourceOutcomeCallable; typedef std::future UpdateAliasOutcomeCallable; typedef std::future UpdateCustomKeyStoreOutcomeCallable; typedef std::future UpdateKeyDescriptionOutcomeCallable; typedef std::future VerifyOutcomeCallable; } // namespace Model class KMSClient; typedef std::function&) > CancelKeyDeletionResponseReceivedHandler; typedef std::function&) > ConnectCustomKeyStoreResponseReceivedHandler; typedef std::function&) > CreateAliasResponseReceivedHandler; typedef std::function&) > CreateCustomKeyStoreResponseReceivedHandler; typedef std::function&) > CreateGrantResponseReceivedHandler; typedef std::function&) > CreateKeyResponseReceivedHandler; typedef std::function&) > DecryptResponseReceivedHandler; typedef std::function&) > DeleteAliasResponseReceivedHandler; typedef std::function&) > DeleteCustomKeyStoreResponseReceivedHandler; typedef std::function&) > DeleteImportedKeyMaterialResponseReceivedHandler; typedef std::function&) > DescribeCustomKeyStoresResponseReceivedHandler; typedef std::function&) > DescribeKeyResponseReceivedHandler; typedef std::function&) > DisableKeyResponseReceivedHandler; typedef std::function&) > DisableKeyRotationResponseReceivedHandler; typedef std::function&) > DisconnectCustomKeyStoreResponseReceivedHandler; typedef std::function&) > EnableKeyResponseReceivedHandler; typedef std::function&) > EnableKeyRotationResponseReceivedHandler; typedef std::function&) > EncryptResponseReceivedHandler; typedef std::function&) > GenerateDataKeyResponseReceivedHandler; typedef std::function&) > GenerateDataKeyPairResponseReceivedHandler; typedef std::function&) > GenerateDataKeyPairWithoutPlaintextResponseReceivedHandler; typedef std::function&) > GenerateDataKeyWithoutPlaintextResponseReceivedHandler; typedef std::function&) > GenerateRandomResponseReceivedHandler; typedef std::function&) > GetKeyPolicyResponseReceivedHandler; typedef std::function&) > GetKeyRotationStatusResponseReceivedHandler; typedef std::function&) > GetParametersForImportResponseReceivedHandler; typedef std::function&) > GetPublicKeyResponseReceivedHandler; typedef std::function&) > ImportKeyMaterialResponseReceivedHandler; typedef std::function&) > ListAliasesResponseReceivedHandler; typedef std::function&) > ListGrantsResponseReceivedHandler; typedef std::function&) > ListKeyPoliciesResponseReceivedHandler; typedef std::function&) > ListKeysResponseReceivedHandler; typedef std::function&) > ListResourceTagsResponseReceivedHandler; typedef std::function&) > ListRetirableGrantsResponseReceivedHandler; typedef std::function&) > PutKeyPolicyResponseReceivedHandler; typedef std::function&) > ReEncryptResponseReceivedHandler; typedef std::function&) > RetireGrantResponseReceivedHandler; typedef std::function&) > RevokeGrantResponseReceivedHandler; typedef std::function&) > ScheduleKeyDeletionResponseReceivedHandler; typedef std::function&) > SignResponseReceivedHandler; typedef std::function&) > TagResourceResponseReceivedHandler; typedef std::function&) > UntagResourceResponseReceivedHandler; typedef std::function&) > UpdateAliasResponseReceivedHandler; typedef std::function&) > UpdateCustomKeyStoreResponseReceivedHandler; typedef std::function&) > UpdateKeyDescriptionResponseReceivedHandler; typedef std::function&) > VerifyResponseReceivedHandler; /** * AWS Key Management Service

AWS Key Management Service * (AWS KMS) is an encryption and key management web service. This guide describes * the AWS KMS operations that you can call programmatically. For general * information about AWS KMS, see the AWS Key * Management Service Developer Guide .

AWS provides SDKs * that consist of libraries and sample code for various programming languages and * platforms (Java, Ruby, .Net, macOS, Android, etc.). The SDKs provide a * convenient way to create programmatic access to AWS KMS and other AWS services. * For example, the SDKs take care of tasks such as signing requests (see below), * managing errors, and retrying requests automatically. For more information about * the AWS SDKs, including how to download and install them, see Tools for Amazon Web Services.

*

We recommend that you use the AWS SDKs to make programmatic API calls * to AWS KMS.

Clients must support TLS (Transport Layer Security) 1.0. We * recommend TLS 1.2. Clients must also support cipher suites with Perfect Forward * Secrecy (PFS) such as Ephemeral Diffie-Hellman (DHE) or Elliptic Curve Ephemeral * Diffie-Hellman (ECDHE). Most modern systems such as Java 7 and later support * these modes.

Signing Requests

Requests must be signed by * using an access key ID and a secret access key. We strongly recommend that you * do not use your AWS account (root) access key ID and secret key for * everyday work with AWS KMS. Instead, use the access key ID and secret access key * for an IAM user. You can also use the AWS Security Token Service to generate * temporary security credentials that you can use to sign requests.

All AWS * KMS operations require Signature * Version 4.

Logging API Requests

AWS KMS supports AWS * CloudTrail, a service that logs AWS API calls and related events for your AWS * account and delivers them to an Amazon S3 bucket that you specify. By using the * information collected by CloudTrail, you can determine what requests were made * to AWS KMS, who made the request, when it was made, and so on. To learn more * about CloudTrail, including how to turn it on and find your log files, see the * AWS * CloudTrail User Guide.

Additional Resources

For more * information about credentials and request signing, see the following:

Commonly Used API Operations

Of the API operations * discussed in this guide, the following will prove the most useful for most * applications. You will likely perform operations other than these, such as * creating keys and assigning policies, by using the console.

*/ class AWS_KMS_API KMSClient : public Aws::Client::AWSJsonClient { public: typedef Aws::Client::AWSJsonClient BASECLASS; /** * Initializes client to use DefaultCredentialProviderChain, with default http client factory, and optional client config. If client config * is not specified, it will be initialized to default values. */ KMSClient(const Aws::Client::ClientConfiguration& clientConfiguration = Aws::Client::ClientConfiguration()); /** * Initializes client to use SimpleAWSCredentialsProvider, with default http client factory, and optional client config. If client config * is not specified, it will be initialized to default values. */ KMSClient(const Aws::Auth::AWSCredentials& credentials, const Aws::Client::ClientConfiguration& clientConfiguration = Aws::Client::ClientConfiguration()); /** * Initializes client to use specified credentials provider with specified client config. If http client factory is not supplied, * the default http client factory will be used */ KMSClient(const std::shared_ptr& credentialsProvider, const Aws::Client::ClientConfiguration& clientConfiguration = Aws::Client::ClientConfiguration()); virtual ~KMSClient(); /** *

Cancels the deletion of a customer master key (CMK). When this operation * succeeds, the key state of the CMK is Disabled. To enable the CMK, * use EnableKey. You cannot perform this operation on a CMK in a different * AWS account.

For more information about scheduling and canceling deletion * of a CMK, see Deleting * Customer Master Keys in the AWS Key Management Service Developer * Guide.

The CMK that you use for this operation must be in a * compatible key state. For details, see How * Key State Affects Use of a Customer Master Key in the AWS Key Management * Service Developer Guide.

See Also:

AWS * API Reference

*/ virtual Model::CancelKeyDeletionOutcome CancelKeyDeletion(const Model::CancelKeyDeletionRequest& request) const; /** *

Cancels the deletion of a customer master key (CMK). When this operation * succeeds, the key state of the CMK is Disabled. To enable the CMK, * use EnableKey. You cannot perform this operation on a CMK in a different * AWS account.

For more information about scheduling and canceling deletion * of a CMK, see Deleting * Customer Master Keys in the AWS Key Management Service Developer * Guide.

The CMK that you use for this operation must be in a * compatible key state. For details, see How * Key State Affects Use of a Customer Master Key in the AWS Key Management * Service Developer Guide.

See Also:

AWS * API Reference

* * returns a future to the operation so that it can be executed in parallel to other requests. */ virtual Model::CancelKeyDeletionOutcomeCallable CancelKeyDeletionCallable(const Model::CancelKeyDeletionRequest& request) const; /** *

Cancels the deletion of a customer master key (CMK). When this operation * succeeds, the key state of the CMK is Disabled. To enable the CMK, * use EnableKey. You cannot perform this operation on a CMK in a different * AWS account.

For more information about scheduling and canceling deletion * of a CMK, see Deleting * Customer Master Keys in the AWS Key Management Service Developer * Guide.

The CMK that you use for this operation must be in a * compatible key state. For details, see How * Key State Affects Use of a Customer Master Key in the AWS Key Management * Service Developer Guide.

See Also:

AWS * API Reference

* * Queues the request into a thread executor and triggers associated callback when operation has finished. */ virtual void CancelKeyDeletionAsync(const Model::CancelKeyDeletionRequest& request, const CancelKeyDeletionResponseReceivedHandler& handler, const std::shared_ptr& context = nullptr) const; /** *

Connects or reconnects a custom * key store to its associated AWS CloudHSM cluster.

The custom key * store must be connected before you can create customer master keys (CMKs) in the * key store or use the CMKs it contains. You can disconnect and reconnect a custom * key store at any time.

To connect a custom key store, its associated AWS * CloudHSM cluster must have at least one active HSM. To get the number of active * HSMs in a cluster, use the DescribeClusters * operation. To add HSMs to the cluster, use the CreateHsm * operation. Also, the * kmsuser crypto user (CU) must not be logged into the cluster. * This prevents AWS KMS from using this account to log in.

The connection * process can take an extended amount of time to complete; up to 20 minutes. This * operation starts the connection process, but it does not wait for it to * complete. When it succeeds, this operation quickly returns an HTTP 200 response * and a JSON object with no properties. However, this response does not indicate * that the custom key store is connected. To get the connection state of the * custom key store, use the DescribeCustomKeyStores operation.

*

During the connection process, AWS KMS finds the AWS CloudHSM cluster that is * associated with the custom key store, creates the connection infrastructure, * connects to the cluster, logs into the AWS CloudHSM client as the * kmsuser CU, and rotates its password.

The * ConnectCustomKeyStore operation might fail for various reasons. To * find the reason, use the DescribeCustomKeyStores operation and see the * ConnectionErrorCode in the response. For help interpreting the * ConnectionErrorCode, see CustomKeyStoresListEntry.

To * fix the failure, use the DisconnectCustomKeyStore operation to disconnect * the custom key store, correct the error, use the UpdateCustomKeyStore * operation if necessary, and then use ConnectCustomKeyStore * again.

If you are having trouble connecting or disconnecting a custom key * store, see Troubleshooting * a Custom Key Store in the AWS Key Management Service Developer * Guide.

See Also:

AWS * API Reference

*/ virtual Model::ConnectCustomKeyStoreOutcome ConnectCustomKeyStore(const Model::ConnectCustomKeyStoreRequest& request) const; /** *

Connects or reconnects a custom * key store to its associated AWS CloudHSM cluster.

The custom key * store must be connected before you can create customer master keys (CMKs) in the * key store or use the CMKs it contains. You can disconnect and reconnect a custom * key store at any time.

To connect a custom key store, its associated AWS * CloudHSM cluster must have at least one active HSM. To get the number of active * HSMs in a cluster, use the DescribeClusters * operation. To add HSMs to the cluster, use the CreateHsm * operation. Also, the * kmsuser crypto user (CU) must not be logged into the cluster. * This prevents AWS KMS from using this account to log in.

The connection * process can take an extended amount of time to complete; up to 20 minutes. This * operation starts the connection process, but it does not wait for it to * complete. When it succeeds, this operation quickly returns an HTTP 200 response * and a JSON object with no properties. However, this response does not indicate * that the custom key store is connected. To get the connection state of the * custom key store, use the DescribeCustomKeyStores operation.

*

During the connection process, AWS KMS finds the AWS CloudHSM cluster that is * associated with the custom key store, creates the connection infrastructure, * connects to the cluster, logs into the AWS CloudHSM client as the * kmsuser CU, and rotates its password.

The * ConnectCustomKeyStore operation might fail for various reasons. To * find the reason, use the DescribeCustomKeyStores operation and see the * ConnectionErrorCode in the response. For help interpreting the * ConnectionErrorCode, see CustomKeyStoresListEntry.

To * fix the failure, use the DisconnectCustomKeyStore operation to disconnect * the custom key store, correct the error, use the UpdateCustomKeyStore * operation if necessary, and then use ConnectCustomKeyStore * again.

If you are having trouble connecting or disconnecting a custom key * store, see Troubleshooting * a Custom Key Store in the AWS Key Management Service Developer * Guide.

See Also:

AWS * API Reference

* * returns a future to the operation so that it can be executed in parallel to other requests. */ virtual Model::ConnectCustomKeyStoreOutcomeCallable ConnectCustomKeyStoreCallable(const Model::ConnectCustomKeyStoreRequest& request) const; /** *

Connects or reconnects a custom * key store to its associated AWS CloudHSM cluster.

The custom key * store must be connected before you can create customer master keys (CMKs) in the * key store or use the CMKs it contains. You can disconnect and reconnect a custom * key store at any time.

To connect a custom key store, its associated AWS * CloudHSM cluster must have at least one active HSM. To get the number of active * HSMs in a cluster, use the DescribeClusters * operation. To add HSMs to the cluster, use the CreateHsm * operation. Also, the * kmsuser crypto user (CU) must not be logged into the cluster. * This prevents AWS KMS from using this account to log in.

The connection * process can take an extended amount of time to complete; up to 20 minutes. This * operation starts the connection process, but it does not wait for it to * complete. When it succeeds, this operation quickly returns an HTTP 200 response * and a JSON object with no properties. However, this response does not indicate * that the custom key store is connected. To get the connection state of the * custom key store, use the DescribeCustomKeyStores operation.

*

During the connection process, AWS KMS finds the AWS CloudHSM cluster that is * associated with the custom key store, creates the connection infrastructure, * connects to the cluster, logs into the AWS CloudHSM client as the * kmsuser CU, and rotates its password.

The * ConnectCustomKeyStore operation might fail for various reasons. To * find the reason, use the DescribeCustomKeyStores operation and see the * ConnectionErrorCode in the response. For help interpreting the * ConnectionErrorCode, see CustomKeyStoresListEntry.

To * fix the failure, use the DisconnectCustomKeyStore operation to disconnect * the custom key store, correct the error, use the UpdateCustomKeyStore * operation if necessary, and then use ConnectCustomKeyStore * again.

If you are having trouble connecting or disconnecting a custom key * store, see Troubleshooting * a Custom Key Store in the AWS Key Management Service Developer * Guide.

See Also:

AWS * API Reference

* * Queues the request into a thread executor and triggers associated callback when operation has finished. */ virtual void ConnectCustomKeyStoreAsync(const Model::ConnectCustomKeyStoreRequest& request, const ConnectCustomKeyStoreResponseReceivedHandler& handler, const std::shared_ptr& context = nullptr) const; /** *

Creates a display name for a customer managed customer master key (CMK). You * can use an alias to identify a CMK in cryptographic * operations, such as Encrypt and GenerateDataKey. You can * change the CMK associated with the alias at any time.

Aliases are easier * to remember than key IDs. They can also help to simplify your applications. For * example, if you use an alias in your code, you can change the CMK your code uses * by associating a given alias with a different CMK.

To run the same code * in multiple AWS regions, use an alias in your code, such as * alias/ApplicationKey. Then, in each AWS Region, create an * alias/ApplicationKey alias that is associated with a CMK in that * Region. When you run your code, it uses the alias/ApplicationKey * CMK for that AWS Region without any Region-specific code.

This operation * does not return a response. To get the alias that you created, use the * ListAliases operation.

To use aliases successfully, be aware of * the following information.

  • Each alias points to only one CMK at * a time, although a single CMK can have multiple aliases. The alias and its * associated CMK must be in the same AWS account and Region.

  • *

    You can associate an alias with any customer managed CMK in the same AWS * account and Region. However, you do not have permission to associate an alias * with an AWS * managed CMK or an AWS * owned CMK.

  • To change the CMK associated with an alias, * use the UpdateAlias operation. The current CMK and the new CMK must be * the same type (both symmetric or both asymmetric) and they must have the same * key usage (ENCRYPT_DECRYPT or SIGN_VERIFY). This * restriction prevents cryptographic errors in code that uses aliases.

    • *

  • The alias name must begin with alias/ followed by a name, * such as alias/ExampleAlias. It can contain only alphanumeric * characters, forward slashes (/), underscores (_), and dashes (-). The alias name * cannot begin with alias/aws/. The alias/aws/ prefix is * reserved for AWS * managed CMKs.

  • The alias name must be unique within an AWS * Region. However, you can use the same alias name in multiple Regions of the same * AWS account. Each instance of the alias is associated with a CMK in its * Region.

  • After you create an alias, you cannot change its alias * name. However, you can use the DeleteAlias operation to delete the alias * and then create a new alias with the desired name.

  • You can use * an alias name or alias ARN to identify a CMK in AWS KMS cryptographic * operations and in the DescribeKey operation. However, you cannot use * alias names or alias ARNs in API operations that manage CMKs, such as * DisableKey or GetKeyPolicy. For information about the valid CMK * identifiers for each AWS KMS API operation, see the descriptions of the * KeyId parameter in the API operation documentation.

*

Because an alias is not a property of a CMK, you can delete and change the * aliases of a CMK without affecting the CMK. Also, aliases do not appear in the * response from the DescribeKey operation. To get the aliases and alias * ARNs of CMKs in each AWS account and Region, use the ListAliases * operation.

The CMK that you use for this operation must be in a * compatible key state. For details, see How * Key State Affects Use of a Customer Master Key in the AWS Key Management * Service Developer Guide.

See Also:

AWS API * Reference

*/ virtual Model::CreateAliasOutcome CreateAlias(const Model::CreateAliasRequest& request) const; /** *

Creates a display name for a customer managed customer master key (CMK). You * can use an alias to identify a CMK in cryptographic * operations, such as Encrypt and GenerateDataKey. You can * change the CMK associated with the alias at any time.

Aliases are easier * to remember than key IDs. They can also help to simplify your applications. For * example, if you use an alias in your code, you can change the CMK your code uses * by associating a given alias with a different CMK.

To run the same code * in multiple AWS regions, use an alias in your code, such as * alias/ApplicationKey. Then, in each AWS Region, create an * alias/ApplicationKey alias that is associated with a CMK in that * Region. When you run your code, it uses the alias/ApplicationKey * CMK for that AWS Region without any Region-specific code.

This operation * does not return a response. To get the alias that you created, use the * ListAliases operation.

To use aliases successfully, be aware of * the following information.

  • Each alias points to only one CMK at * a time, although a single CMK can have multiple aliases. The alias and its * associated CMK must be in the same AWS account and Region.

  • *

    You can associate an alias with any customer managed CMK in the same AWS * account and Region. However, you do not have permission to associate an alias * with an AWS * managed CMK or an AWS * owned CMK.

  • To change the CMK associated with an alias, * use the UpdateAlias operation. The current CMK and the new CMK must be * the same type (both symmetric or both asymmetric) and they must have the same * key usage (ENCRYPT_DECRYPT or SIGN_VERIFY). This * restriction prevents cryptographic errors in code that uses aliases.

    • *

  • The alias name must begin with alias/ followed by a name, * such as alias/ExampleAlias. It can contain only alphanumeric * characters, forward slashes (/), underscores (_), and dashes (-). The alias name * cannot begin with alias/aws/. The alias/aws/ prefix is * reserved for AWS * managed CMKs.

  • The alias name must be unique within an AWS * Region. However, you can use the same alias name in multiple Regions of the same * AWS account. Each instance of the alias is associated with a CMK in its * Region.

  • After you create an alias, you cannot change its alias * name. However, you can use the DeleteAlias operation to delete the alias * and then create a new alias with the desired name.

  • You can use * an alias name or alias ARN to identify a CMK in AWS KMS cryptographic * operations and in the DescribeKey operation. However, you cannot use * alias names or alias ARNs in API operations that manage CMKs, such as * DisableKey or GetKeyPolicy. For information about the valid CMK * identifiers for each AWS KMS API operation, see the descriptions of the * KeyId parameter in the API operation documentation.

*

Because an alias is not a property of a CMK, you can delete and change the * aliases of a CMK without affecting the CMK. Also, aliases do not appear in the * response from the DescribeKey operation. To get the aliases and alias * ARNs of CMKs in each AWS account and Region, use the ListAliases * operation.

The CMK that you use for this operation must be in a * compatible key state. For details, see How * Key State Affects Use of a Customer Master Key in the AWS Key Management * Service Developer Guide.

See Also:

AWS API * Reference

* * returns a future to the operation so that it can be executed in parallel to other requests. */ virtual Model::CreateAliasOutcomeCallable CreateAliasCallable(const Model::CreateAliasRequest& request) const; /** *

Creates a display name for a customer managed customer master key (CMK). You * can use an alias to identify a CMK in cryptographic * operations, such as Encrypt and GenerateDataKey. You can * change the CMK associated with the alias at any time.

Aliases are easier * to remember than key IDs. They can also help to simplify your applications. For * example, if you use an alias in your code, you can change the CMK your code uses * by associating a given alias with a different CMK.

To run the same code * in multiple AWS regions, use an alias in your code, such as * alias/ApplicationKey. Then, in each AWS Region, create an * alias/ApplicationKey alias that is associated with a CMK in that * Region. When you run your code, it uses the alias/ApplicationKey * CMK for that AWS Region without any Region-specific code.

This operation * does not return a response. To get the alias that you created, use the * ListAliases operation.

To use aliases successfully, be aware of * the following information.

  • Each alias points to only one CMK at * a time, although a single CMK can have multiple aliases. The alias and its * associated CMK must be in the same AWS account and Region.

  • *

    You can associate an alias with any customer managed CMK in the same AWS * account and Region. However, you do not have permission to associate an alias * with an AWS * managed CMK or an AWS * owned CMK.

  • To change the CMK associated with an alias, * use the UpdateAlias operation. The current CMK and the new CMK must be * the same type (both symmetric or both asymmetric) and they must have the same * key usage (ENCRYPT_DECRYPT or SIGN_VERIFY). This * restriction prevents cryptographic errors in code that uses aliases.

    • *

  • The alias name must begin with alias/ followed by a name, * such as alias/ExampleAlias. It can contain only alphanumeric * characters, forward slashes (/), underscores (_), and dashes (-). The alias name * cannot begin with alias/aws/. The alias/aws/ prefix is * reserved for AWS * managed CMKs.

  • The alias name must be unique within an AWS * Region. However, you can use the same alias name in multiple Regions of the same * AWS account. Each instance of the alias is associated with a CMK in its * Region.

  • After you create an alias, you cannot change its alias * name. However, you can use the DeleteAlias operation to delete the alias * and then create a new alias with the desired name.

  • You can use * an alias name or alias ARN to identify a CMK in AWS KMS cryptographic * operations and in the DescribeKey operation. However, you cannot use * alias names or alias ARNs in API operations that manage CMKs, such as * DisableKey or GetKeyPolicy. For information about the valid CMK * identifiers for each AWS KMS API operation, see the descriptions of the * KeyId parameter in the API operation documentation.

*

Because an alias is not a property of a CMK, you can delete and change the * aliases of a CMK without affecting the CMK. Also, aliases do not appear in the * response from the DescribeKey operation. To get the aliases and alias * ARNs of CMKs in each AWS account and Region, use the ListAliases * operation.

The CMK that you use for this operation must be in a * compatible key state. For details, see How * Key State Affects Use of a Customer Master Key in the AWS Key Management * Service Developer Guide.

See Also:

AWS API * Reference

* * Queues the request into a thread executor and triggers associated callback when operation has finished. */ virtual void CreateAliasAsync(const Model::CreateAliasRequest& request, const CreateAliasResponseReceivedHandler& handler, const std::shared_ptr& context = nullptr) const; /** *

Creates a custom * key store that is associated with an AWS * CloudHSM cluster that you own and manage.

This operation is part of * the Custom * Key Store feature feature in AWS KMS, which combines the convenience and * extensive integration of AWS KMS with the isolation and control of a * single-tenant key store.

Before you create the custom key store, you must * assemble the required elements, including an AWS CloudHSM cluster that fulfills * the requirements for a custom key store. For details about the required * elements, see Assemble * the Prerequisites in the AWS Key Management Service Developer * Guide.

When the operation completes successfully, it returns the ID * of the new custom key store. Before you can use your new custom key store, you * need to use the ConnectCustomKeyStore operation to connect the new key * store to its AWS CloudHSM cluster. Even if you are not going to use your custom * key store immediately, you might want to connect it to verify that all settings * are correct and then disconnect it until you are ready to use it.

For * help with failures, see Troubleshooting * a Custom Key Store in the AWS Key Management Service Developer * Guide.

See Also:

AWS * API Reference

*/ virtual Model::CreateCustomKeyStoreOutcome CreateCustomKeyStore(const Model::CreateCustomKeyStoreRequest& request) const; /** *

Creates a custom * key store that is associated with an AWS * CloudHSM cluster that you own and manage.

This operation is part of * the Custom * Key Store feature feature in AWS KMS, which combines the convenience and * extensive integration of AWS KMS with the isolation and control of a * single-tenant key store.

Before you create the custom key store, you must * assemble the required elements, including an AWS CloudHSM cluster that fulfills * the requirements for a custom key store. For details about the required * elements, see Assemble * the Prerequisites in the AWS Key Management Service Developer * Guide.

When the operation completes successfully, it returns the ID * of the new custom key store. Before you can use your new custom key store, you * need to use the ConnectCustomKeyStore operation to connect the new key * store to its AWS CloudHSM cluster. Even if you are not going to use your custom * key store immediately, you might want to connect it to verify that all settings * are correct and then disconnect it until you are ready to use it.

For * help with failures, see Troubleshooting * a Custom Key Store in the AWS Key Management Service Developer * Guide.

See Also:

AWS * API Reference

* * returns a future to the operation so that it can be executed in parallel to other requests. */ virtual Model::CreateCustomKeyStoreOutcomeCallable CreateCustomKeyStoreCallable(const Model::CreateCustomKeyStoreRequest& request) const; /** *

Creates a custom * key store that is associated with an AWS * CloudHSM cluster that you own and manage.

This operation is part of * the Custom * Key Store feature feature in AWS KMS, which combines the convenience and * extensive integration of AWS KMS with the isolation and control of a * single-tenant key store.

Before you create the custom key store, you must * assemble the required elements, including an AWS CloudHSM cluster that fulfills * the requirements for a custom key store. For details about the required * elements, see Assemble * the Prerequisites in the AWS Key Management Service Developer * Guide.

When the operation completes successfully, it returns the ID * of the new custom key store. Before you can use your new custom key store, you * need to use the ConnectCustomKeyStore operation to connect the new key * store to its AWS CloudHSM cluster. Even if you are not going to use your custom * key store immediately, you might want to connect it to verify that all settings * are correct and then disconnect it until you are ready to use it.

For * help with failures, see Troubleshooting * a Custom Key Store in the AWS Key Management Service Developer * Guide.

See Also:

AWS * API Reference

* * Queues the request into a thread executor and triggers associated callback when operation has finished. */ virtual void CreateCustomKeyStoreAsync(const Model::CreateCustomKeyStoreRequest& request, const CreateCustomKeyStoreResponseReceivedHandler& handler, const std::shared_ptr& context = nullptr) const; /** *

Adds a grant to a customer master key (CMK). The grant allows the grantee * principal to use the CMK when the conditions specified in the grant are met. * When setting permissions, grants are an alternative to key policies.

To * create a grant that allows a cryptographic * operation only when the request includes a particular encryption * context, use the Constraints parameter. For details, see * GrantConstraints.

You can create grants on symmetric and * asymmetric CMKs. However, if the grant allows an operation that the CMK does not * support, CreateGrant fails with a ValidationException. *

  • Grants for symmetric CMKs cannot allow operations that are not * supported for symmetric CMKs, including Sign, Verify, and * GetPublicKey. (There are limited exceptions to this rule for legacy * operations, but you should not create a grant for an operation that AWS KMS does * not support.)

  • Grants for asymmetric CMKs cannot allow * operations that are not supported for asymmetric CMKs, including operations that * generate * data keys or data * key pairs, or operations related to automatic * key rotation, imported * key material, or CMKs in custom * key stores.

  • Grants for asymmetric CMKs with a * KeyUsage of ENCRYPT_DECRYPT cannot allow the * Sign or Verify operations. Grants for asymmetric CMKs with a * KeyUsage of SIGN_VERIFY cannot allow the * Encrypt or Decrypt operations.

  • Grants for * asymmetric CMKs cannot include an encryption context grant constraint. An * encryption context is not supported on asymmetric CMKs.

For * information about symmetric and asymmetric CMKs, see Using * Symmetric and Asymmetric CMKs in the AWS Key Management Service Developer * Guide.

To perform this operation on a CMK in a different AWS account, * specify the key ARN in the value of the KeyId parameter. For more * information about grants, see Grants * in the AWS Key Management Service Developer Guide .

The * CMK that you use for this operation must be in a compatible key state. For * details, see How * Key State Affects Use of a Customer Master Key in the AWS Key Management * Service Developer Guide.

See Also:

AWS API * Reference

*/ virtual Model::CreateGrantOutcome CreateGrant(const Model::CreateGrantRequest& request) const; /** *

Adds a grant to a customer master key (CMK). The grant allows the grantee * principal to use the CMK when the conditions specified in the grant are met. * When setting permissions, grants are an alternative to key policies.

To * create a grant that allows a cryptographic * operation only when the request includes a particular encryption * context, use the Constraints parameter. For details, see * GrantConstraints.

You can create grants on symmetric and * asymmetric CMKs. However, if the grant allows an operation that the CMK does not * support, CreateGrant fails with a ValidationException. *

  • Grants for symmetric CMKs cannot allow operations that are not * supported for symmetric CMKs, including Sign, Verify, and * GetPublicKey. (There are limited exceptions to this rule for legacy * operations, but you should not create a grant for an operation that AWS KMS does * not support.)

  • Grants for asymmetric CMKs cannot allow * operations that are not supported for asymmetric CMKs, including operations that * generate * data keys or data * key pairs, or operations related to automatic * key rotation, imported * key material, or CMKs in custom * key stores.

  • Grants for asymmetric CMKs with a * KeyUsage of ENCRYPT_DECRYPT cannot allow the * Sign or Verify operations. Grants for asymmetric CMKs with a * KeyUsage of SIGN_VERIFY cannot allow the * Encrypt or Decrypt operations.

  • Grants for * asymmetric CMKs cannot include an encryption context grant constraint. An * encryption context is not supported on asymmetric CMKs.

For * information about symmetric and asymmetric CMKs, see Using * Symmetric and Asymmetric CMKs in the AWS Key Management Service Developer * Guide.

To perform this operation on a CMK in a different AWS account, * specify the key ARN in the value of the KeyId parameter. For more * information about grants, see Grants * in the AWS Key Management Service Developer Guide .

The * CMK that you use for this operation must be in a compatible key state. For * details, see How * Key State Affects Use of a Customer Master Key in the AWS Key Management * Service Developer Guide.

See Also:

AWS API * Reference

* * returns a future to the operation so that it can be executed in parallel to other requests. */ virtual Model::CreateGrantOutcomeCallable CreateGrantCallable(const Model::CreateGrantRequest& request) const; /** *

Adds a grant to a customer master key (CMK). The grant allows the grantee * principal to use the CMK when the conditions specified in the grant are met. * When setting permissions, grants are an alternative to key policies.

To * create a grant that allows a cryptographic * operation only when the request includes a particular encryption * context, use the Constraints parameter. For details, see * GrantConstraints.

You can create grants on symmetric and * asymmetric CMKs. However, if the grant allows an operation that the CMK does not * support, CreateGrant fails with a ValidationException. *

  • Grants for symmetric CMKs cannot allow operations that are not * supported for symmetric CMKs, including Sign, Verify, and * GetPublicKey. (There are limited exceptions to this rule for legacy * operations, but you should not create a grant for an operation that AWS KMS does * not support.)

  • Grants for asymmetric CMKs cannot allow * operations that are not supported for asymmetric CMKs, including operations that * generate * data keys or data * key pairs, or operations related to automatic * key rotation, imported * key material, or CMKs in custom * key stores.

  • Grants for asymmetric CMKs with a * KeyUsage of ENCRYPT_DECRYPT cannot allow the * Sign or Verify operations. Grants for asymmetric CMKs with a * KeyUsage of SIGN_VERIFY cannot allow the * Encrypt or Decrypt operations.

  • Grants for * asymmetric CMKs cannot include an encryption context grant constraint. An * encryption context is not supported on asymmetric CMKs.

For * information about symmetric and asymmetric CMKs, see Using * Symmetric and Asymmetric CMKs in the AWS Key Management Service Developer * Guide.

To perform this operation on a CMK in a different AWS account, * specify the key ARN in the value of the KeyId parameter. For more * information about grants, see Grants * in the AWS Key Management Service Developer Guide .

The * CMK that you use for this operation must be in a compatible key state. For * details, see How * Key State Affects Use of a Customer Master Key in the AWS Key Management * Service Developer Guide.

See Also:

AWS API * Reference

* * Queues the request into a thread executor and triggers associated callback when operation has finished. */ virtual void CreateGrantAsync(const Model::CreateGrantRequest& request, const CreateGrantResponseReceivedHandler& handler, const std::shared_ptr& context = nullptr) const; /** *

Creates a unique customer managed customer * master key (CMK) in your AWS account and Region. You cannot use this * operation to create a CMK in a different AWS account.

You can use the * CreateKey operation to create symmetric or asymmetric CMKs.

*

  • Symmetric CMKs contain a 256-bit symmetric key that never * leaves AWS KMS unencrypted. To use the CMK, you must call AWS KMS. You can use a * symmetric CMK to encrypt and decrypt small amounts of data, but they are * typically used to generate data * keys and data * keys pairs. For details, see GenerateDataKey and * GenerateDataKeyPair.

  • Asymmetric CMKs can * contain an RSA key pair or an Elliptic Curve (ECC) key pair. The private key in * an asymmetric CMK never leaves AWS KMS unencrypted. However, you can use the * GetPublicKey operation to download the public key so it can be used * outside of AWS KMS. CMKs with RSA key pairs can be used to encrypt or decrypt * data or sign and verify messages (but not both). CMKs with ECC key pairs can be * used only to sign and verify messages.

For information about * symmetric and asymmetric CMKs, see Using * Symmetric and Asymmetric CMKs in the AWS Key Management Service Developer * Guide.

To create different types of CMKs, use the following * guidance:

Asymmetric CMKs

To create an asymmetric CMK, * use the CustomerMasterKeySpec parameter to specify the type of key * material in the CMK. Then, use the KeyUsage parameter to determine * whether the CMK will be used to encrypt and decrypt or sign and verify. You * can't change these properties after the CMK is created.

*
Symmetric CMKs

When creating a symmetric CMK, you don't need to * specify the CustomerMasterKeySpec or KeyUsage * parameters. The default value for CustomerMasterKeySpec, * SYMMETRIC_DEFAULT, and the default value for KeyUsage, * ENCRYPT_DECRYPT, are the only valid values for symmetric CMKs.

*

Imported Key Material

To import your own key * material, begin by creating a symmetric CMK with no key material. To do this, * use the Origin parameter of CreateKey with a value of * EXTERNAL. Next, use GetParametersForImport operation to get * a public key and import token, and use the public key to encrypt your key * material. Then, use ImportKeyMaterial with your import token to import * the key material. For step-by-step instructions, see Importing * Key Material in the AWS Key Management Service Developer Guide * . You cannot import the key material into an asymmetric CMK.

*
Custom Key Stores

To create a symmetric CMK in a custom * key store, use the CustomKeyStoreId parameter to specify the * custom key store. You must also use the Origin parameter with a * value of AWS_CLOUDHSM. The AWS CloudHSM cluster that is associated * with the custom key store must have at least two active HSMs in different * Availability Zones in the AWS Region.

You cannot create an asymmetric * CMK in a custom key store. For information about custom key stores in AWS KMS * see Using * Custom Key Stores in the AWS Key Management Service Developer * Guide .

See Also:

AWS API * Reference

*/ virtual Model::CreateKeyOutcome CreateKey(const Model::CreateKeyRequest& request) const; /** *

Creates a unique customer managed customer * master key (CMK) in your AWS account and Region. You cannot use this * operation to create a CMK in a different AWS account.

You can use the * CreateKey operation to create symmetric or asymmetric CMKs.

*

  • Symmetric CMKs contain a 256-bit symmetric key that never * leaves AWS KMS unencrypted. To use the CMK, you must call AWS KMS. You can use a * symmetric CMK to encrypt and decrypt small amounts of data, but they are * typically used to generate data * keys and data * keys pairs. For details, see GenerateDataKey and * GenerateDataKeyPair.

  • Asymmetric CMKs can * contain an RSA key pair or an Elliptic Curve (ECC) key pair. The private key in * an asymmetric CMK never leaves AWS KMS unencrypted. However, you can use the * GetPublicKey operation to download the public key so it can be used * outside of AWS KMS. CMKs with RSA key pairs can be used to encrypt or decrypt * data or sign and verify messages (but not both). CMKs with ECC key pairs can be * used only to sign and verify messages.

For information about * symmetric and asymmetric CMKs, see Using * Symmetric and Asymmetric CMKs in the AWS Key Management Service Developer * Guide.

To create different types of CMKs, use the following * guidance:

Asymmetric CMKs

To create an asymmetric CMK, * use the CustomerMasterKeySpec parameter to specify the type of key * material in the CMK. Then, use the KeyUsage parameter to determine * whether the CMK will be used to encrypt and decrypt or sign and verify. You * can't change these properties after the CMK is created.

*
Symmetric CMKs

When creating a symmetric CMK, you don't need to * specify the CustomerMasterKeySpec or KeyUsage * parameters. The default value for CustomerMasterKeySpec, * SYMMETRIC_DEFAULT, and the default value for KeyUsage, * ENCRYPT_DECRYPT, are the only valid values for symmetric CMKs.

*

Imported Key Material

To import your own key * material, begin by creating a symmetric CMK with no key material. To do this, * use the Origin parameter of CreateKey with a value of * EXTERNAL. Next, use GetParametersForImport operation to get * a public key and import token, and use the public key to encrypt your key * material. Then, use ImportKeyMaterial with your import token to import * the key material. For step-by-step instructions, see Importing * Key Material in the AWS Key Management Service Developer Guide * . You cannot import the key material into an asymmetric CMK.

*
Custom Key Stores

To create a symmetric CMK in a custom * key store, use the CustomKeyStoreId parameter to specify the * custom key store. You must also use the Origin parameter with a * value of AWS_CLOUDHSM. The AWS CloudHSM cluster that is associated * with the custom key store must have at least two active HSMs in different * Availability Zones in the AWS Region.

You cannot create an asymmetric * CMK in a custom key store. For information about custom key stores in AWS KMS * see Using * Custom Key Stores in the AWS Key Management Service Developer * Guide .

See Also:

AWS API * Reference

* * returns a future to the operation so that it can be executed in parallel to other requests. */ virtual Model::CreateKeyOutcomeCallable CreateKeyCallable(const Model::CreateKeyRequest& request) const; /** *

Creates a unique customer managed customer * master key (CMK) in your AWS account and Region. You cannot use this * operation to create a CMK in a different AWS account.

You can use the * CreateKey operation to create symmetric or asymmetric CMKs.

*

  • Symmetric CMKs contain a 256-bit symmetric key that never * leaves AWS KMS unencrypted. To use the CMK, you must call AWS KMS. You can use a * symmetric CMK to encrypt and decrypt small amounts of data, but they are * typically used to generate data * keys and data * keys pairs. For details, see GenerateDataKey and * GenerateDataKeyPair.

  • Asymmetric CMKs can * contain an RSA key pair or an Elliptic Curve (ECC) key pair. The private key in * an asymmetric CMK never leaves AWS KMS unencrypted. However, you can use the * GetPublicKey operation to download the public key so it can be used * outside of AWS KMS. CMKs with RSA key pairs can be used to encrypt or decrypt * data or sign and verify messages (but not both). CMKs with ECC key pairs can be * used only to sign and verify messages.

For information about * symmetric and asymmetric CMKs, see Using * Symmetric and Asymmetric CMKs in the AWS Key Management Service Developer * Guide.

To create different types of CMKs, use the following * guidance:

Asymmetric CMKs

To create an asymmetric CMK, * use the CustomerMasterKeySpec parameter to specify the type of key * material in the CMK. Then, use the KeyUsage parameter to determine * whether the CMK will be used to encrypt and decrypt or sign and verify. You * can't change these properties after the CMK is created.

*
Symmetric CMKs

When creating a symmetric CMK, you don't need to * specify the CustomerMasterKeySpec or KeyUsage * parameters. The default value for CustomerMasterKeySpec, * SYMMETRIC_DEFAULT, and the default value for KeyUsage, * ENCRYPT_DECRYPT, are the only valid values for symmetric CMKs.

*

Imported Key Material

To import your own key * material, begin by creating a symmetric CMK with no key material. To do this, * use the Origin parameter of CreateKey with a value of * EXTERNAL. Next, use GetParametersForImport operation to get * a public key and import token, and use the public key to encrypt your key * material. Then, use ImportKeyMaterial with your import token to import * the key material. For step-by-step instructions, see Importing * Key Material in the AWS Key Management Service Developer Guide * . You cannot import the key material into an asymmetric CMK.

*
Custom Key Stores

To create a symmetric CMK in a custom * key store, use the CustomKeyStoreId parameter to specify the * custom key store. You must also use the Origin parameter with a * value of AWS_CLOUDHSM. The AWS CloudHSM cluster that is associated * with the custom key store must have at least two active HSMs in different * Availability Zones in the AWS Region.

You cannot create an asymmetric * CMK in a custom key store. For information about custom key stores in AWS KMS * see Using * Custom Key Stores in the AWS Key Management Service Developer * Guide .

See Also:

AWS API * Reference

* * Queues the request into a thread executor and triggers associated callback when operation has finished. */ virtual void CreateKeyAsync(const Model::CreateKeyRequest& request, const CreateKeyResponseReceivedHandler& handler, const std::shared_ptr& context = nullptr) const; /** *

Decrypts ciphertext that was encrypted by a AWS KMS customer master key (CMK) * using any of the following operations:

You can use this * operation to decrypt ciphertext that was encrypted under a symmetric or * asymmetric CMK. When the CMK is asymmetric, you must specify the CMK and the * encryption algorithm that was used to encrypt the ciphertext. For information * about symmetric and asymmetric CMKs, see Using * Symmetric and Asymmetric CMKs in the AWS Key Management Service Developer * Guide.

The Decrypt operation also decrypts ciphertext that was * encrypted outside of AWS KMS by the public key in an AWS KMS asymmetric CMK. * However, it cannot decrypt ciphertext produced by other libraries, such as the * AWS * Encryption SDK or Amazon * S3 client-side encryption. These libraries return a ciphertext format that * is incompatible with AWS KMS.

If the ciphertext was encrypted under a * symmetric CMK, you do not need to specify the CMK or the encryption algorithm. * AWS KMS can get this information from metadata that it adds to the symmetric * ciphertext blob. However, if you prefer, you can specify the KeyId * to ensure that a particular CMK is used to decrypt the ciphertext. If you * specify a different CMK than the one used to encrypt the ciphertext, the * Decrypt operation fails.

Whenever possible, use key policies * to give users permission to call the Decrypt operation on a particular CMK, * instead of using IAM policies. Otherwise, you might create an IAM user policy * that gives the user Decrypt permission on all CMKs. This user could decrypt * ciphertext that was encrypted by CMKs in other accounts if the key policy for * the cross-account CMK permits it. If you must use an IAM policy for * Decrypt permissions, limit the user to particular CMKs or * particular trusted accounts.

The CMK that you use for this operation must * be in a compatible key state. For details, see How * Key State Affects Use of a Customer Master Key in the AWS Key Management * Service Developer Guide.

See Also:

AWS API * Reference

*/ virtual Model::DecryptOutcome Decrypt(const Model::DecryptRequest& request) const; /** *

Decrypts ciphertext that was encrypted by a AWS KMS customer master key (CMK) * using any of the following operations:

You can use this * operation to decrypt ciphertext that was encrypted under a symmetric or * asymmetric CMK. When the CMK is asymmetric, you must specify the CMK and the * encryption algorithm that was used to encrypt the ciphertext. For information * about symmetric and asymmetric CMKs, see Using * Symmetric and Asymmetric CMKs in the AWS Key Management Service Developer * Guide.

The Decrypt operation also decrypts ciphertext that was * encrypted outside of AWS KMS by the public key in an AWS KMS asymmetric CMK. * However, it cannot decrypt ciphertext produced by other libraries, such as the * AWS * Encryption SDK or Amazon * S3 client-side encryption. These libraries return a ciphertext format that * is incompatible with AWS KMS.

If the ciphertext was encrypted under a * symmetric CMK, you do not need to specify the CMK or the encryption algorithm. * AWS KMS can get this information from metadata that it adds to the symmetric * ciphertext blob. However, if you prefer, you can specify the KeyId * to ensure that a particular CMK is used to decrypt the ciphertext. If you * specify a different CMK than the one used to encrypt the ciphertext, the * Decrypt operation fails.

Whenever possible, use key policies * to give users permission to call the Decrypt operation on a particular CMK, * instead of using IAM policies. Otherwise, you might create an IAM user policy * that gives the user Decrypt permission on all CMKs. This user could decrypt * ciphertext that was encrypted by CMKs in other accounts if the key policy for * the cross-account CMK permits it. If you must use an IAM policy for * Decrypt permissions, limit the user to particular CMKs or * particular trusted accounts.

The CMK that you use for this operation must * be in a compatible key state. For details, see How * Key State Affects Use of a Customer Master Key in the AWS Key Management * Service Developer Guide.

See Also:

AWS API * Reference

* * returns a future to the operation so that it can be executed in parallel to other requests. */ virtual Model::DecryptOutcomeCallable DecryptCallable(const Model::DecryptRequest& request) const; /** *

Decrypts ciphertext that was encrypted by a AWS KMS customer master key (CMK) * using any of the following operations:

You can use this * operation to decrypt ciphertext that was encrypted under a symmetric or * asymmetric CMK. When the CMK is asymmetric, you must specify the CMK and the * encryption algorithm that was used to encrypt the ciphertext. For information * about symmetric and asymmetric CMKs, see Using * Symmetric and Asymmetric CMKs in the AWS Key Management Service Developer * Guide.

The Decrypt operation also decrypts ciphertext that was * encrypted outside of AWS KMS by the public key in an AWS KMS asymmetric CMK. * However, it cannot decrypt ciphertext produced by other libraries, such as the * AWS * Encryption SDK or Amazon * S3 client-side encryption. These libraries return a ciphertext format that * is incompatible with AWS KMS.

If the ciphertext was encrypted under a * symmetric CMK, you do not need to specify the CMK or the encryption algorithm. * AWS KMS can get this information from metadata that it adds to the symmetric * ciphertext blob. However, if you prefer, you can specify the KeyId * to ensure that a particular CMK is used to decrypt the ciphertext. If you * specify a different CMK than the one used to encrypt the ciphertext, the * Decrypt operation fails.

Whenever possible, use key policies * to give users permission to call the Decrypt operation on a particular CMK, * instead of using IAM policies. Otherwise, you might create an IAM user policy * that gives the user Decrypt permission on all CMKs. This user could decrypt * ciphertext that was encrypted by CMKs in other accounts if the key policy for * the cross-account CMK permits it. If you must use an IAM policy for * Decrypt permissions, limit the user to particular CMKs or * particular trusted accounts.

The CMK that you use for this operation must * be in a compatible key state. For details, see How * Key State Affects Use of a Customer Master Key in the AWS Key Management * Service Developer Guide.

See Also:

AWS API * Reference

* * Queues the request into a thread executor and triggers associated callback when operation has finished. */ virtual void DecryptAsync(const Model::DecryptRequest& request, const DecryptResponseReceivedHandler& handler, const std::shared_ptr& context = nullptr) const; /** *

Deletes the specified alias. You cannot perform this operation on an alias in * a different AWS account.

Because an alias is not a property of a CMK, * you can delete and change the aliases of a CMK without affecting the CMK. Also, * aliases do not appear in the response from the DescribeKey operation. To * get the aliases of all CMKs, use the ListAliases operation.

Each * CMK can have multiple aliases. To change the alias of a CMK, use * DeleteAlias to delete the current alias and CreateAlias to create * a new alias. To associate an existing alias with a different customer master key * (CMK), call UpdateAlias.

See Also:

AWS API * Reference

*/ virtual Model::DeleteAliasOutcome DeleteAlias(const Model::DeleteAliasRequest& request) const; /** *

Deletes the specified alias. You cannot perform this operation on an alias in * a different AWS account.

Because an alias is not a property of a CMK, * you can delete and change the aliases of a CMK without affecting the CMK. Also, * aliases do not appear in the response from the DescribeKey operation. To * get the aliases of all CMKs, use the ListAliases operation.

Each * CMK can have multiple aliases. To change the alias of a CMK, use * DeleteAlias to delete the current alias and CreateAlias to create * a new alias. To associate an existing alias with a different customer master key * (CMK), call UpdateAlias.

See Also:

AWS API * Reference

* * returns a future to the operation so that it can be executed in parallel to other requests. */ virtual Model::DeleteAliasOutcomeCallable DeleteAliasCallable(const Model::DeleteAliasRequest& request) const; /** *

Deletes the specified alias. You cannot perform this operation on an alias in * a different AWS account.

Because an alias is not a property of a CMK, * you can delete and change the aliases of a CMK without affecting the CMK. Also, * aliases do not appear in the response from the DescribeKey operation. To * get the aliases of all CMKs, use the ListAliases operation.

Each * CMK can have multiple aliases. To change the alias of a CMK, use * DeleteAlias to delete the current alias and CreateAlias to create * a new alias. To associate an existing alias with a different customer master key * (CMK), call UpdateAlias.

See Also:

AWS API * Reference

* * Queues the request into a thread executor and triggers associated callback when operation has finished. */ virtual void DeleteAliasAsync(const Model::DeleteAliasRequest& request, const DeleteAliasResponseReceivedHandler& handler, const std::shared_ptr& context = nullptr) const; /** *

Deletes a custom * key store. This operation does not delete the AWS CloudHSM cluster that is * associated with the custom key store, or affect any users or keys in the * cluster.

The custom key store that you delete cannot contain any AWS KMS * customer * master keys (CMKs). Before deleting the key store, verify that you will * never need to use any of the CMKs in the key store for any cryptographic * operations. Then, use ScheduleKeyDeletion to delete the AWS KMS * customer master keys (CMKs) from the key store. When the scheduled waiting * period expires, the ScheduleKeyDeletion operation deletes the CMKs. * Then it makes a best effort to delete the key material from the associated * cluster. However, you might need to manually delete * the orphaned key material from the cluster and its backups.

After all * CMKs are deleted from AWS KMS, use DisconnectCustomKeyStore to disconnect * the key store from AWS KMS. Then, you can delete the custom key store.

*

Instead of deleting the custom key store, consider using * DisconnectCustomKeyStore to disconnect it from AWS KMS. While the key * store is disconnected, you cannot create or use the CMKs in the key store. But, * you do not need to delete CMKs and you can reconnect a disconnected custom key * store at any time.

If the operation succeeds, it returns a JSON object * with no properties.

This operation is part of the Custom * Key Store feature feature in AWS KMS, which combines the convenience and * extensive integration of AWS KMS with the isolation and control of a * single-tenant key store.

See Also:

AWS * API Reference

*/ virtual Model::DeleteCustomKeyStoreOutcome DeleteCustomKeyStore(const Model::DeleteCustomKeyStoreRequest& request) const; /** *

Deletes a custom * key store. This operation does not delete the AWS CloudHSM cluster that is * associated with the custom key store, or affect any users or keys in the * cluster.

The custom key store that you delete cannot contain any AWS KMS * customer * master keys (CMKs). Before deleting the key store, verify that you will * never need to use any of the CMKs in the key store for any cryptographic * operations. Then, use ScheduleKeyDeletion to delete the AWS KMS * customer master keys (CMKs) from the key store. When the scheduled waiting * period expires, the ScheduleKeyDeletion operation deletes the CMKs. * Then it makes a best effort to delete the key material from the associated * cluster. However, you might need to manually delete * the orphaned key material from the cluster and its backups.

After all * CMKs are deleted from AWS KMS, use DisconnectCustomKeyStore to disconnect * the key store from AWS KMS. Then, you can delete the custom key store.

*

Instead of deleting the custom key store, consider using * DisconnectCustomKeyStore to disconnect it from AWS KMS. While the key * store is disconnected, you cannot create or use the CMKs in the key store. But, * you do not need to delete CMKs and you can reconnect a disconnected custom key * store at any time.

If the operation succeeds, it returns a JSON object * with no properties.

This operation is part of the Custom * Key Store feature feature in AWS KMS, which combines the convenience and * extensive integration of AWS KMS with the isolation and control of a * single-tenant key store.

See Also:

AWS * API Reference

* * returns a future to the operation so that it can be executed in parallel to other requests. */ virtual Model::DeleteCustomKeyStoreOutcomeCallable DeleteCustomKeyStoreCallable(const Model::DeleteCustomKeyStoreRequest& request) const; /** *

Deletes a custom * key store. This operation does not delete the AWS CloudHSM cluster that is * associated with the custom key store, or affect any users or keys in the * cluster.

The custom key store that you delete cannot contain any AWS KMS * customer * master keys (CMKs). Before deleting the key store, verify that you will * never need to use any of the CMKs in the key store for any cryptographic * operations. Then, use ScheduleKeyDeletion to delete the AWS KMS * customer master keys (CMKs) from the key store. When the scheduled waiting * period expires, the ScheduleKeyDeletion operation deletes the CMKs. * Then it makes a best effort to delete the key material from the associated * cluster. However, you might need to manually delete * the orphaned key material from the cluster and its backups.

After all * CMKs are deleted from AWS KMS, use DisconnectCustomKeyStore to disconnect * the key store from AWS KMS. Then, you can delete the custom key store.

*

Instead of deleting the custom key store, consider using * DisconnectCustomKeyStore to disconnect it from AWS KMS. While the key * store is disconnected, you cannot create or use the CMKs in the key store. But, * you do not need to delete CMKs and you can reconnect a disconnected custom key * store at any time.

If the operation succeeds, it returns a JSON object * with no properties.

This operation is part of the Custom * Key Store feature feature in AWS KMS, which combines the convenience and * extensive integration of AWS KMS with the isolation and control of a * single-tenant key store.

See Also:

AWS * API Reference

* * Queues the request into a thread executor and triggers associated callback when operation has finished. */ virtual void DeleteCustomKeyStoreAsync(const Model::DeleteCustomKeyStoreRequest& request, const DeleteCustomKeyStoreResponseReceivedHandler& handler, const std::shared_ptr& context = nullptr) const; /** *

Deletes key material that you previously imported. This operation makes the * specified customer master key (CMK) unusable. For more information about * importing key material into AWS KMS, see Importing * Key Material in the AWS Key Management Service Developer Guide. You * cannot perform this operation on a CMK in a different AWS account.

When * the specified CMK is in the PendingDeletion state, this operation * does not change the CMK's state. Otherwise, it changes the CMK's state to * PendingImport.

After you delete key material, you can use * ImportKeyMaterial to reimport the same key material into the CMK.

*

The CMK that you use for this operation must be in a compatible key state. * For details, see How * Key State Affects Use of a Customer Master Key in the AWS Key Management * Service Developer Guide.

See Also:

AWS * API Reference

*/ virtual Model::DeleteImportedKeyMaterialOutcome DeleteImportedKeyMaterial(const Model::DeleteImportedKeyMaterialRequest& request) const; /** *

Deletes key material that you previously imported. This operation makes the * specified customer master key (CMK) unusable. For more information about * importing key material into AWS KMS, see Importing * Key Material in the AWS Key Management Service Developer Guide. You * cannot perform this operation on a CMK in a different AWS account.

When * the specified CMK is in the PendingDeletion state, this operation * does not change the CMK's state. Otherwise, it changes the CMK's state to * PendingImport.

After you delete key material, you can use * ImportKeyMaterial to reimport the same key material into the CMK.

*

The CMK that you use for this operation must be in a compatible key state. * For details, see How * Key State Affects Use of a Customer Master Key in the AWS Key Management * Service Developer Guide.

See Also:

AWS * API Reference

* * returns a future to the operation so that it can be executed in parallel to other requests. */ virtual Model::DeleteImportedKeyMaterialOutcomeCallable DeleteImportedKeyMaterialCallable(const Model::DeleteImportedKeyMaterialRequest& request) const; /** *

Deletes key material that you previously imported. This operation makes the * specified customer master key (CMK) unusable. For more information about * importing key material into AWS KMS, see Importing * Key Material in the AWS Key Management Service Developer Guide. You * cannot perform this operation on a CMK in a different AWS account.

When * the specified CMK is in the PendingDeletion state, this operation * does not change the CMK's state. Otherwise, it changes the CMK's state to * PendingImport.

After you delete key material, you can use * ImportKeyMaterial to reimport the same key material into the CMK.

*

The CMK that you use for this operation must be in a compatible key state. * For details, see How * Key State Affects Use of a Customer Master Key in the AWS Key Management * Service Developer Guide.

See Also:

AWS * API Reference

* * Queues the request into a thread executor and triggers associated callback when operation has finished. */ virtual void DeleteImportedKeyMaterialAsync(const Model::DeleteImportedKeyMaterialRequest& request, const DeleteImportedKeyMaterialResponseReceivedHandler& handler, const std::shared_ptr& context = nullptr) const; /** *

Gets information about custom * key stores in the account and region.

This operation is part of the * Custom * Key Store feature feature in AWS KMS, which combines the convenience and * extensive integration of AWS KMS with the isolation and control of a * single-tenant key store.

By default, this operation returns information * about all custom key stores in the account and region. To get only information * about a particular custom key store, use either the * CustomKeyStoreName or CustomKeyStoreId parameter (but * not both).

To determine whether the custom key store is connected to its * AWS CloudHSM cluster, use the ConnectionState element in the * response. If an attempt to connect the custom key store failed, the * ConnectionState value is FAILED and the * ConnectionErrorCode element in the response indicates the cause of * the failure. For help interpreting the ConnectionErrorCode, see * CustomKeyStoresListEntry.

Custom key stores have a * DISCONNECTED connection state if the key store has never been * connected or you use the DisconnectCustomKeyStore operation to disconnect * it. If your custom key store state is CONNECTED but you are having * trouble using it, make sure that its associated AWS CloudHSM cluster is active * and contains the minimum number of HSMs required for the operation, if any.

*

For help repairing your custom key store, see the Troubleshooting * Custom Key Stores topic in the AWS Key Management Service Developer * Guide.

See Also:

AWS * API Reference

*/ virtual Model::DescribeCustomKeyStoresOutcome DescribeCustomKeyStores(const Model::DescribeCustomKeyStoresRequest& request) const; /** *

Gets information about custom * key stores in the account and region.

This operation is part of the * Custom * Key Store feature feature in AWS KMS, which combines the convenience and * extensive integration of AWS KMS with the isolation and control of a * single-tenant key store.

By default, this operation returns information * about all custom key stores in the account and region. To get only information * about a particular custom key store, use either the * CustomKeyStoreName or CustomKeyStoreId parameter (but * not both).

To determine whether the custom key store is connected to its * AWS CloudHSM cluster, use the ConnectionState element in the * response. If an attempt to connect the custom key store failed, the * ConnectionState value is FAILED and the * ConnectionErrorCode element in the response indicates the cause of * the failure. For help interpreting the ConnectionErrorCode, see * CustomKeyStoresListEntry.

Custom key stores have a * DISCONNECTED connection state if the key store has never been * connected or you use the DisconnectCustomKeyStore operation to disconnect * it. If your custom key store state is CONNECTED but you are having * trouble using it, make sure that its associated AWS CloudHSM cluster is active * and contains the minimum number of HSMs required for the operation, if any.

*

For help repairing your custom key store, see the Troubleshooting * Custom Key Stores topic in the AWS Key Management Service Developer * Guide.

See Also:

AWS * API Reference

* * returns a future to the operation so that it can be executed in parallel to other requests. */ virtual Model::DescribeCustomKeyStoresOutcomeCallable DescribeCustomKeyStoresCallable(const Model::DescribeCustomKeyStoresRequest& request) const; /** *

Gets information about custom * key stores in the account and region.

This operation is part of the * Custom * Key Store feature feature in AWS KMS, which combines the convenience and * extensive integration of AWS KMS with the isolation and control of a * single-tenant key store.

By default, this operation returns information * about all custom key stores in the account and region. To get only information * about a particular custom key store, use either the * CustomKeyStoreName or CustomKeyStoreId parameter (but * not both).

To determine whether the custom key store is connected to its * AWS CloudHSM cluster, use the ConnectionState element in the * response. If an attempt to connect the custom key store failed, the * ConnectionState value is FAILED and the * ConnectionErrorCode element in the response indicates the cause of * the failure. For help interpreting the ConnectionErrorCode, see * CustomKeyStoresListEntry.

Custom key stores have a * DISCONNECTED connection state if the key store has never been * connected or you use the DisconnectCustomKeyStore operation to disconnect * it. If your custom key store state is CONNECTED but you are having * trouble using it, make sure that its associated AWS CloudHSM cluster is active * and contains the minimum number of HSMs required for the operation, if any.

*

For help repairing your custom key store, see the Troubleshooting * Custom Key Stores topic in the AWS Key Management Service Developer * Guide.

See Also:

AWS * API Reference

* * Queues the request into a thread executor and triggers associated callback when operation has finished. */ virtual void DescribeCustomKeyStoresAsync(const Model::DescribeCustomKeyStoresRequest& request, const DescribeCustomKeyStoresResponseReceivedHandler& handler, const std::shared_ptr& context = nullptr) const; /** *

Provides detailed information about a customer master key (CMK). You can run * DescribeKey on a customer * managed CMK or an AWS * managed CMK.

This detailed information includes the key ARN, creation * date (and deletion date, if applicable), the key state, and the origin and * expiration date (if any) of the key material. For CMKs in custom key stores, it * includes information about the custom key store, such as the key store ID and * the AWS CloudHSM cluster ID. It includes fields, like KeySpec, that * help you distinguish symmetric from asymmetric CMKs. It also provides * information that is particularly important to asymmetric CMKs, such as the key * usage (encryption or signing) and the encryption algorithms or signing * algorithms that the CMK supports.

DescribeKey does not * return the following information:

  • Aliases associated with the * CMK. To get this information, use ListAliases.

  • Whether * automatic key rotation is enabled on the CMK. To get this information, use * GetKeyRotationStatus. Also, some key states prevent a CMK from being * automatically rotated. For details, see How * Automatic Key Rotation Works in AWS Key Management Service Developer * Guide.

  • Tags on the CMK. To get this information, use * ListResourceTags.

  • Key policies and grants on the CMK. * To get this information, use GetKeyPolicy and ListGrants.

    *

If you call the DescribeKey operation on a * predefined AWS alias, that is, an AWS alias with no key ID, AWS KMS * creates an AWS * managed CMK. Then, it associates the alias with the new CMK, and returns the * KeyId and Arn of the new CMK in the response.

*

To perform this operation on a CMK in a different AWS account, specify the * key ARN or alias ARN in the value of the KeyId parameter.

See * Also:

AWS API * Reference

*/ virtual Model::DescribeKeyOutcome DescribeKey(const Model::DescribeKeyRequest& request) const; /** *

Provides detailed information about a customer master key (CMK). You can run * DescribeKey on a customer * managed CMK or an AWS * managed CMK.

This detailed information includes the key ARN, creation * date (and deletion date, if applicable), the key state, and the origin and * expiration date (if any) of the key material. For CMKs in custom key stores, it * includes information about the custom key store, such as the key store ID and * the AWS CloudHSM cluster ID. It includes fields, like KeySpec, that * help you distinguish symmetric from asymmetric CMKs. It also provides * information that is particularly important to asymmetric CMKs, such as the key * usage (encryption or signing) and the encryption algorithms or signing * algorithms that the CMK supports.

DescribeKey does not * return the following information:

  • Aliases associated with the * CMK. To get this information, use ListAliases.

  • Whether * automatic key rotation is enabled on the CMK. To get this information, use * GetKeyRotationStatus. Also, some key states prevent a CMK from being * automatically rotated. For details, see How * Automatic Key Rotation Works in AWS Key Management Service Developer * Guide.

  • Tags on the CMK. To get this information, use * ListResourceTags.

  • Key policies and grants on the CMK. * To get this information, use GetKeyPolicy and ListGrants.

    *

If you call the DescribeKey operation on a * predefined AWS alias, that is, an AWS alias with no key ID, AWS KMS * creates an AWS * managed CMK. Then, it associates the alias with the new CMK, and returns the * KeyId and Arn of the new CMK in the response.

*

To perform this operation on a CMK in a different AWS account, specify the * key ARN or alias ARN in the value of the KeyId parameter.

See * Also:

AWS API * Reference

* * returns a future to the operation so that it can be executed in parallel to other requests. */ virtual Model::DescribeKeyOutcomeCallable DescribeKeyCallable(const Model::DescribeKeyRequest& request) const; /** *

Provides detailed information about a customer master key (CMK). You can run * DescribeKey on a customer * managed CMK or an AWS * managed CMK.

This detailed information includes the key ARN, creation * date (and deletion date, if applicable), the key state, and the origin and * expiration date (if any) of the key material. For CMKs in custom key stores, it * includes information about the custom key store, such as the key store ID and * the AWS CloudHSM cluster ID. It includes fields, like KeySpec, that * help you distinguish symmetric from asymmetric CMKs. It also provides * information that is particularly important to asymmetric CMKs, such as the key * usage (encryption or signing) and the encryption algorithms or signing * algorithms that the CMK supports.

DescribeKey does not * return the following information:

  • Aliases associated with the * CMK. To get this information, use ListAliases.

  • Whether * automatic key rotation is enabled on the CMK. To get this information, use * GetKeyRotationStatus. Also, some key states prevent a CMK from being * automatically rotated. For details, see How * Automatic Key Rotation Works in AWS Key Management Service Developer * Guide.

  • Tags on the CMK. To get this information, use * ListResourceTags.

  • Key policies and grants on the CMK. * To get this information, use GetKeyPolicy and ListGrants.

    *

If you call the DescribeKey operation on a * predefined AWS alias, that is, an AWS alias with no key ID, AWS KMS * creates an AWS * managed CMK. Then, it associates the alias with the new CMK, and returns the * KeyId and Arn of the new CMK in the response.

*

To perform this operation on a CMK in a different AWS account, specify the * key ARN or alias ARN in the value of the KeyId parameter.

See * Also:

AWS API * Reference

* * Queues the request into a thread executor and triggers associated callback when operation has finished. */ virtual void DescribeKeyAsync(const Model::DescribeKeyRequest& request, const DescribeKeyResponseReceivedHandler& handler, const std::shared_ptr& context = nullptr) const; /** *

Sets the state of a customer master key (CMK) to disabled, thereby preventing * its use for cryptographic * operations. You cannot perform this operation on a CMK in a different AWS * account.

For more information about how key state affects the use of a * CMK, see How * Key State Affects the Use of a Customer Master Key in the AWS Key * Management Service Developer Guide .

The CMK that you use for * this operation must be in a compatible key state. For details, see How * Key State Affects Use of a Customer Master Key in the AWS Key Management * Service Developer Guide.

See Also:

AWS API * Reference

*/ virtual Model::DisableKeyOutcome DisableKey(const Model::DisableKeyRequest& request) const; /** *

Sets the state of a customer master key (CMK) to disabled, thereby preventing * its use for cryptographic * operations. You cannot perform this operation on a CMK in a different AWS * account.

For more information about how key state affects the use of a * CMK, see How * Key State Affects the Use of a Customer Master Key in the AWS Key * Management Service Developer Guide .

The CMK that you use for * this operation must be in a compatible key state. For details, see How * Key State Affects Use of a Customer Master Key in the AWS Key Management * Service Developer Guide.

See Also:

AWS API * Reference

* * returns a future to the operation so that it can be executed in parallel to other requests. */ virtual Model::DisableKeyOutcomeCallable DisableKeyCallable(const Model::DisableKeyRequest& request) const; /** *

Sets the state of a customer master key (CMK) to disabled, thereby preventing * its use for cryptographic * operations. You cannot perform this operation on a CMK in a different AWS * account.

For more information about how key state affects the use of a * CMK, see How * Key State Affects the Use of a Customer Master Key in the AWS Key * Management Service Developer Guide .

The CMK that you use for * this operation must be in a compatible key state. For details, see How * Key State Affects Use of a Customer Master Key in the AWS Key Management * Service Developer Guide.

See Also:

AWS API * Reference

* * Queues the request into a thread executor and triggers associated callback when operation has finished. */ virtual void DisableKeyAsync(const Model::DisableKeyRequest& request, const DisableKeyResponseReceivedHandler& handler, const std::shared_ptr& context = nullptr) const; /** *

Disables automatic * rotation of the key material for the specified symmetric customer master key * (CMK).

You cannot enable automatic rotation of asymmetric CMKs, CMKs * with imported key material, or CMKs in a custom * key store. You cannot perform this operation on a CMK in a different AWS * account.

The CMK that you use for this operation must be in a compatible * key state. For details, see How * Key State Affects Use of a Customer Master Key in the AWS Key Management * Service Developer Guide.

See Also:

AWS * API Reference

*/ virtual Model::DisableKeyRotationOutcome DisableKeyRotation(const Model::DisableKeyRotationRequest& request) const; /** *

Disables automatic * rotation of the key material for the specified symmetric customer master key * (CMK).

You cannot enable automatic rotation of asymmetric CMKs, CMKs * with imported key material, or CMKs in a custom * key store. You cannot perform this operation on a CMK in a different AWS * account.

The CMK that you use for this operation must be in a compatible * key state. For details, see How * Key State Affects Use of a Customer Master Key in the AWS Key Management * Service Developer Guide.

See Also:

AWS * API Reference

* * returns a future to the operation so that it can be executed in parallel to other requests. */ virtual Model::DisableKeyRotationOutcomeCallable DisableKeyRotationCallable(const Model::DisableKeyRotationRequest& request) const; /** *

Disables automatic * rotation of the key material for the specified symmetric customer master key * (CMK).

You cannot enable automatic rotation of asymmetric CMKs, CMKs * with imported key material, or CMKs in a custom * key store. You cannot perform this operation on a CMK in a different AWS * account.

The CMK that you use for this operation must be in a compatible * key state. For details, see How * Key State Affects Use of a Customer Master Key in the AWS Key Management * Service Developer Guide.

See Also:

AWS * API Reference

* * Queues the request into a thread executor and triggers associated callback when operation has finished. */ virtual void DisableKeyRotationAsync(const Model::DisableKeyRotationRequest& request, const DisableKeyRotationResponseReceivedHandler& handler, const std::shared_ptr& context = nullptr) const; /** *

Disconnects the custom * key store from its associated AWS CloudHSM cluster. While a custom key store * is disconnected, you can manage the custom key store and its customer master * keys (CMKs), but you cannot create or use CMKs in the custom key store. You can * reconnect the custom key store at any time.

While a custom key * store is disconnected, all attempts to create customer master keys (CMKs) in the * custom key store or to use existing CMKs in cryptographic * operations will fail. This action can prevent users from storing and * accessing sensitive data.

To find the connection state of a * custom key store, use the DescribeCustomKeyStores operation. To reconnect * a custom key store, use the ConnectCustomKeyStore operation.

If * the operation succeeds, it returns a JSON object with no properties.

This * operation is part of the Custom * Key Store feature feature in AWS KMS, which combines the convenience and * extensive integration of AWS KMS with the isolation and control of a * single-tenant key store.

See Also:

AWS * API Reference

*/ virtual Model::DisconnectCustomKeyStoreOutcome DisconnectCustomKeyStore(const Model::DisconnectCustomKeyStoreRequest& request) const; /** *

Disconnects the custom * key store from its associated AWS CloudHSM cluster. While a custom key store * is disconnected, you can manage the custom key store and its customer master * keys (CMKs), but you cannot create or use CMKs in the custom key store. You can * reconnect the custom key store at any time.

While a custom key * store is disconnected, all attempts to create customer master keys (CMKs) in the * custom key store or to use existing CMKs in cryptographic * operations will fail. This action can prevent users from storing and * accessing sensitive data.

To find the connection state of a * custom key store, use the DescribeCustomKeyStores operation. To reconnect * a custom key store, use the ConnectCustomKeyStore operation.

If * the operation succeeds, it returns a JSON object with no properties.

This * operation is part of the Custom * Key Store feature feature in AWS KMS, which combines the convenience and * extensive integration of AWS KMS with the isolation and control of a * single-tenant key store.

See Also:

AWS * API Reference

* * returns a future to the operation so that it can be executed in parallel to other requests. */ virtual Model::DisconnectCustomKeyStoreOutcomeCallable DisconnectCustomKeyStoreCallable(const Model::DisconnectCustomKeyStoreRequest& request) const; /** *

Disconnects the custom * key store from its associated AWS CloudHSM cluster. While a custom key store * is disconnected, you can manage the custom key store and its customer master * keys (CMKs), but you cannot create or use CMKs in the custom key store. You can * reconnect the custom key store at any time.

While a custom key * store is disconnected, all attempts to create customer master keys (CMKs) in the * custom key store or to use existing CMKs in cryptographic * operations will fail. This action can prevent users from storing and * accessing sensitive data.

To find the connection state of a * custom key store, use the DescribeCustomKeyStores operation. To reconnect * a custom key store, use the ConnectCustomKeyStore operation.

If * the operation succeeds, it returns a JSON object with no properties.

This * operation is part of the Custom * Key Store feature feature in AWS KMS, which combines the convenience and * extensive integration of AWS KMS with the isolation and control of a * single-tenant key store.

See Also:

AWS * API Reference

* * Queues the request into a thread executor and triggers associated callback when operation has finished. */ virtual void DisconnectCustomKeyStoreAsync(const Model::DisconnectCustomKeyStoreRequest& request, const DisconnectCustomKeyStoreResponseReceivedHandler& handler, const std::shared_ptr& context = nullptr) const; /** *

Sets the key state of a customer master key (CMK) to enabled. This allows you * to use the CMK for cryptographic * operations. You cannot perform this operation on a CMK in a different AWS * account.

The CMK that you use for this operation must be in a compatible * key state. For details, see How * Key State Affects Use of a Customer Master Key in the AWS Key Management * Service Developer Guide.

See Also:

AWS API * Reference

*/ virtual Model::EnableKeyOutcome EnableKey(const Model::EnableKeyRequest& request) const; /** *

Sets the key state of a customer master key (CMK) to enabled. This allows you * to use the CMK for cryptographic * operations. You cannot perform this operation on a CMK in a different AWS * account.

The CMK that you use for this operation must be in a compatible * key state. For details, see How * Key State Affects Use of a Customer Master Key in the AWS Key Management * Service Developer Guide.

See Also:

AWS API * Reference

* * returns a future to the operation so that it can be executed in parallel to other requests. */ virtual Model::EnableKeyOutcomeCallable EnableKeyCallable(const Model::EnableKeyRequest& request) const; /** *

Sets the key state of a customer master key (CMK) to enabled. This allows you * to use the CMK for cryptographic * operations. You cannot perform this operation on a CMK in a different AWS * account.

The CMK that you use for this operation must be in a compatible * key state. For details, see How * Key State Affects Use of a Customer Master Key in the AWS Key Management * Service Developer Guide.

See Also:

AWS API * Reference

* * Queues the request into a thread executor and triggers associated callback when operation has finished. */ virtual void EnableKeyAsync(const Model::EnableKeyRequest& request, const EnableKeyResponseReceivedHandler& handler, const std::shared_ptr& context = nullptr) const; /** *

Enables automatic * rotation of the key material for the specified symmetric customer master key * (CMK). You cannot perform this operation on a CMK in a different AWS * account.

You cannot enable automatic rotation of asymmetric CMKs, CMKs * with imported key material, or CMKs in a custom * key store.

The CMK that you use for this operation must be in a * compatible key state. For details, see How * Key State Affects Use of a Customer Master Key in the AWS Key Management * Service Developer Guide.

See Also:

AWS * API Reference

*/ virtual Model::EnableKeyRotationOutcome EnableKeyRotation(const Model::EnableKeyRotationRequest& request) const; /** *

Enables automatic * rotation of the key material for the specified symmetric customer master key * (CMK). You cannot perform this operation on a CMK in a different AWS * account.

You cannot enable automatic rotation of asymmetric CMKs, CMKs * with imported key material, or CMKs in a custom * key store.

The CMK that you use for this operation must be in a * compatible key state. For details, see How * Key State Affects Use of a Customer Master Key in the AWS Key Management * Service Developer Guide.

See Also:

AWS * API Reference

* * returns a future to the operation so that it can be executed in parallel to other requests. */ virtual Model::EnableKeyRotationOutcomeCallable EnableKeyRotationCallable(const Model::EnableKeyRotationRequest& request) const; /** *

Enables automatic * rotation of the key material for the specified symmetric customer master key * (CMK). You cannot perform this operation on a CMK in a different AWS * account.

You cannot enable automatic rotation of asymmetric CMKs, CMKs * with imported key material, or CMKs in a custom * key store.

The CMK that you use for this operation must be in a * compatible key state. For details, see How * Key State Affects Use of a Customer Master Key in the AWS Key Management * Service Developer Guide.

See Also:

AWS * API Reference

* * Queues the request into a thread executor and triggers associated callback when operation has finished. */ virtual void EnableKeyRotationAsync(const Model::EnableKeyRotationRequest& request, const EnableKeyRotationResponseReceivedHandler& handler, const std::shared_ptr& context = nullptr) const; /** *

Encrypts plaintext into ciphertext by using a customer master key (CMK). The * Encrypt operation has two primary use cases:

  • You * can encrypt small amounts of arbitrary data, such as a personal identifier or * database password, or other sensitive information.

  • You can * use the Encrypt operation to move encrypted data from one AWS * Region to another. For example, in Region A, generate a data key and use the * plaintext key to encrypt your data. Then, in Region A, use the * Encrypt operation to encrypt the plaintext data key under a CMK in * Region B. Now, you can move the encrypted data and the encrypted data key to * Region B. When necessary, you can decrypt the encrypted data key and the * encrypted data entirely within in Region B.

You don't need to * use the Encrypt operation to encrypt a data key. The * GenerateDataKey and GenerateDataKeyPair operations return a * plaintext data key and an encrypted copy of that data key.

When you * encrypt data, you must specify a symmetric or asymmetric CMK to use in the * encryption operation. The CMK must have a KeyUsage value of * ENCRYPT_DECRYPT. To find the KeyUsage of a CMK, use * the DescribeKey operation.

If you use a symmetric CMK, you can * use an encryption context to add additional security to your encryption * operation. If you specify an EncryptionContext when encrypting * data, you must specify the same encryption context (a case-sensitive exact * match) when decrypting the data. Otherwise, the request to decrypt fails with an * InvalidCiphertextException. For more information, see Encryption * Context in the AWS Key Management Service Developer Guide.

If * you specify an asymmetric CMK, you must also specify the encryption algorithm. * The algorithm must be compatible with the CMK type.

When you * use an asymmetric CMK to encrypt or reencrypt data, be sure to record the CMK * and encryption algorithm that you choose. You will be required to provide the * same CMK and encryption algorithm when you decrypt the data. If the CMK and * algorithm do not match the values used to encrypt the data, the decrypt * operation fails.

You are not required to supply the CMK ID and encryption * algorithm when you decrypt with symmetric CMKs because AWS KMS stores this * information in the ciphertext blob. AWS KMS cannot store metadata in ciphertext * generated with asymmetric keys. The standard format for asymmetric key * ciphertext does not include configurable fields.

The maximum * size of the data that you can encrypt varies with the type of CMK and the * encryption algorithm that you choose.

  • Symmetric CMKs

      *

    • SYMMETRIC_DEFAULT: 4096 bytes

  • *

    RSA_2048

    • RSAES_OAEP_SHA_1: 214 * bytes

    • RSAES_OAEP_SHA_256: 190 bytes

      • *

  • RSA_3072

    • * RSAES_OAEP_SHA_1: 342 bytes

    • * RSAES_OAEP_SHA_256: 318 bytes

  • * RSA_4096

    • RSAES_OAEP_SHA_1: 470 * bytes

    • RSAES_OAEP_SHA_256: 446 bytes

      • *

The CMK that you use for this operation must be in a * compatible key state. For details, see How * Key State Affects Use of a Customer Master Key in the AWS Key Management * Service Developer Guide.

To perform this operation on a CMK in a * different AWS account, specify the key ARN or alias ARN in the value of the * KeyId parameter.

See Also:

AWS API * Reference

*/ virtual Model::EncryptOutcome Encrypt(const Model::EncryptRequest& request) const; /** *

Encrypts plaintext into ciphertext by using a customer master key (CMK). The * Encrypt operation has two primary use cases:

  • You * can encrypt small amounts of arbitrary data, such as a personal identifier or * database password, or other sensitive information.

  • You can * use the Encrypt operation to move encrypted data from one AWS * Region to another. For example, in Region A, generate a data key and use the * plaintext key to encrypt your data. Then, in Region A, use the * Encrypt operation to encrypt the plaintext data key under a CMK in * Region B. Now, you can move the encrypted data and the encrypted data key to * Region B. When necessary, you can decrypt the encrypted data key and the * encrypted data entirely within in Region B.

You don't need to * use the Encrypt operation to encrypt a data key. The * GenerateDataKey and GenerateDataKeyPair operations return a * plaintext data key and an encrypted copy of that data key.

When you * encrypt data, you must specify a symmetric or asymmetric CMK to use in the * encryption operation. The CMK must have a KeyUsage value of * ENCRYPT_DECRYPT. To find the KeyUsage of a CMK, use * the DescribeKey operation.

If you use a symmetric CMK, you can * use an encryption context to add additional security to your encryption * operation. If you specify an EncryptionContext when encrypting * data, you must specify the same encryption context (a case-sensitive exact * match) when decrypting the data. Otherwise, the request to decrypt fails with an * InvalidCiphertextException. For more information, see Encryption * Context in the AWS Key Management Service Developer Guide.

If * you specify an asymmetric CMK, you must also specify the encryption algorithm. * The algorithm must be compatible with the CMK type.

When you * use an asymmetric CMK to encrypt or reencrypt data, be sure to record the CMK * and encryption algorithm that you choose. You will be required to provide the * same CMK and encryption algorithm when you decrypt the data. If the CMK and * algorithm do not match the values used to encrypt the data, the decrypt * operation fails.

You are not required to supply the CMK ID and encryption * algorithm when you decrypt with symmetric CMKs because AWS KMS stores this * information in the ciphertext blob. AWS KMS cannot store metadata in ciphertext * generated with asymmetric keys. The standard format for asymmetric key * ciphertext does not include configurable fields.

The maximum * size of the data that you can encrypt varies with the type of CMK and the * encryption algorithm that you choose.

  • Symmetric CMKs

      *

    • SYMMETRIC_DEFAULT: 4096 bytes

  • *

    RSA_2048

    • RSAES_OAEP_SHA_1: 214 * bytes

    • RSAES_OAEP_SHA_256: 190 bytes

      • *

  • RSA_3072

    • * RSAES_OAEP_SHA_1: 342 bytes

    • * RSAES_OAEP_SHA_256: 318 bytes

  • * RSA_4096

    • RSAES_OAEP_SHA_1: 470 * bytes

    • RSAES_OAEP_SHA_256: 446 bytes

      • *

The CMK that you use for this operation must be in a * compatible key state. For details, see How * Key State Affects Use of a Customer Master Key in the AWS Key Management * Service Developer Guide.

To perform this operation on a CMK in a * different AWS account, specify the key ARN or alias ARN in the value of the * KeyId parameter.

See Also:

AWS API * Reference

* * returns a future to the operation so that it can be executed in parallel to other requests. */ virtual Model::EncryptOutcomeCallable EncryptCallable(const Model::EncryptRequest& request) const; /** *

Encrypts plaintext into ciphertext by using a customer master key (CMK). The * Encrypt operation has two primary use cases:

  • You * can encrypt small amounts of arbitrary data, such as a personal identifier or * database password, or other sensitive information.

  • You can * use the Encrypt operation to move encrypted data from one AWS * Region to another. For example, in Region A, generate a data key and use the * plaintext key to encrypt your data. Then, in Region A, use the * Encrypt operation to encrypt the plaintext data key under a CMK in * Region B. Now, you can move the encrypted data and the encrypted data key to * Region B. When necessary, you can decrypt the encrypted data key and the * encrypted data entirely within in Region B.

You don't need to * use the Encrypt operation to encrypt a data key. The * GenerateDataKey and GenerateDataKeyPair operations return a * plaintext data key and an encrypted copy of that data key.

When you * encrypt data, you must specify a symmetric or asymmetric CMK to use in the * encryption operation. The CMK must have a KeyUsage value of * ENCRYPT_DECRYPT. To find the KeyUsage of a CMK, use * the DescribeKey operation.

If you use a symmetric CMK, you can * use an encryption context to add additional security to your encryption * operation. If you specify an EncryptionContext when encrypting * data, you must specify the same encryption context (a case-sensitive exact * match) when decrypting the data. Otherwise, the request to decrypt fails with an * InvalidCiphertextException. For more information, see Encryption * Context in the AWS Key Management Service Developer Guide.

If * you specify an asymmetric CMK, you must also specify the encryption algorithm. * The algorithm must be compatible with the CMK type.

When you * use an asymmetric CMK to encrypt or reencrypt data, be sure to record the CMK * and encryption algorithm that you choose. You will be required to provide the * same CMK and encryption algorithm when you decrypt the data. If the CMK and * algorithm do not match the values used to encrypt the data, the decrypt * operation fails.

You are not required to supply the CMK ID and encryption * algorithm when you decrypt with symmetric CMKs because AWS KMS stores this * information in the ciphertext blob. AWS KMS cannot store metadata in ciphertext * generated with asymmetric keys. The standard format for asymmetric key * ciphertext does not include configurable fields.

The maximum * size of the data that you can encrypt varies with the type of CMK and the * encryption algorithm that you choose.

  • Symmetric CMKs

      *

    • SYMMETRIC_DEFAULT: 4096 bytes

  • *

    RSA_2048

    • RSAES_OAEP_SHA_1: 214 * bytes

    • RSAES_OAEP_SHA_256: 190 bytes

      • *

  • RSA_3072

    • * RSAES_OAEP_SHA_1: 342 bytes

    • * RSAES_OAEP_SHA_256: 318 bytes

  • * RSA_4096

    • RSAES_OAEP_SHA_1: 470 * bytes

    • RSAES_OAEP_SHA_256: 446 bytes

      • *

The CMK that you use for this operation must be in a * compatible key state. For details, see How * Key State Affects Use of a Customer Master Key in the AWS Key Management * Service Developer Guide.

To perform this operation on a CMK in a * different AWS account, specify the key ARN or alias ARN in the value of the * KeyId parameter.

See Also:

AWS API * Reference

* * Queues the request into a thread executor and triggers associated callback when operation has finished. */ virtual void EncryptAsync(const Model::EncryptRequest& request, const EncryptResponseReceivedHandler& handler, const std::shared_ptr& context = nullptr) const; /** *

Generates a unique symmetric data key for client-side encryption. This * operation returns a plaintext copy of the data key and a copy that is encrypted * under a customer master key (CMK) that you specify. You can use the plaintext * key to encrypt your data outside of AWS KMS and store the encrypted data key * with the encrypted data.

GenerateDataKey returns a unique * data key for each request. The bytes in the plaintext key are not related to the * caller or the CMK.

To generate a data key, specify the symmetric CMK that * will be used to encrypt the data key. You cannot use an asymmetric CMK to * generate data keys. To get the type of your CMK, use the DescribeKey * operation. You must also specify the length of the data key. Use either the * KeySpec or NumberOfBytes parameters (but not both). * For 128-bit and 256-bit data keys, use the KeySpec parameter.

*

To get only an encrypted copy of the data key, use * GenerateDataKeyWithoutPlaintext. To generate an asymmetric data key pair, * use the GenerateDataKeyPair or GenerateDataKeyPairWithoutPlaintext * operation. To get a cryptographically secure random byte string, use * GenerateRandom.

You can use the optional encryption context to add * additional security to the encryption operation. If you specify an * EncryptionContext, you must specify the same encryption context (a * case-sensitive exact match) when decrypting the encrypted data key. Otherwise, * the request to decrypt fails with an InvalidCiphertextException. * For more information, see Encryption * Context in the AWS Key Management Service Developer Guide.

The * CMK that you use for this operation must be in a compatible key state. For * details, see How * Key State Affects Use of a Customer Master Key in the AWS Key Management * Service Developer Guide.

How to use your data key

We * recommend that you use the following pattern to encrypt data locally in your * application. You can write your own code or use a client-side encryption * library, such as the AWS * Encryption SDK, the Amazon * DynamoDB Encryption Client, or Amazon * S3 client-side encryption to do these tasks for you.

To encrypt data * outside of AWS KMS:

  1. Use the GenerateDataKey * operation to get a data key.

  2. Use the plaintext data key (in * the Plaintext field of the response) to encrypt your data outside * of AWS KMS. Then erase the plaintext data key from memory.

  3. *

    Store the encrypted data key (in the CiphertextBlob field of the * response) with the encrypted data.

To decrypt data outside of * AWS KMS:

  1. Use the Decrypt operation to decrypt the * encrypted data key. The operation returns a plaintext copy of the data key.

    *

  2. Use the plaintext data key to decrypt data outside of AWS KMS, * then erase the plaintext data key from memory.

See * Also:

AWS * API Reference

*/ virtual Model::GenerateDataKeyOutcome GenerateDataKey(const Model::GenerateDataKeyRequest& request) const; /** *

Generates a unique symmetric data key for client-side encryption. This * operation returns a plaintext copy of the data key and a copy that is encrypted * under a customer master key (CMK) that you specify. You can use the plaintext * key to encrypt your data outside of AWS KMS and store the encrypted data key * with the encrypted data.

GenerateDataKey returns a unique * data key for each request. The bytes in the plaintext key are not related to the * caller or the CMK.

To generate a data key, specify the symmetric CMK that * will be used to encrypt the data key. You cannot use an asymmetric CMK to * generate data keys. To get the type of your CMK, use the DescribeKey * operation. You must also specify the length of the data key. Use either the * KeySpec or NumberOfBytes parameters (but not both). * For 128-bit and 256-bit data keys, use the KeySpec parameter.

*

To get only an encrypted copy of the data key, use * GenerateDataKeyWithoutPlaintext. To generate an asymmetric data key pair, * use the GenerateDataKeyPair or GenerateDataKeyPairWithoutPlaintext * operation. To get a cryptographically secure random byte string, use * GenerateRandom.

You can use the optional encryption context to add * additional security to the encryption operation. If you specify an * EncryptionContext, you must specify the same encryption context (a * case-sensitive exact match) when decrypting the encrypted data key. Otherwise, * the request to decrypt fails with an InvalidCiphertextException. * For more information, see Encryption * Context in the AWS Key Management Service Developer Guide.

The * CMK that you use for this operation must be in a compatible key state. For * details, see How * Key State Affects Use of a Customer Master Key in the AWS Key Management * Service Developer Guide.

How to use your data key

We * recommend that you use the following pattern to encrypt data locally in your * application. You can write your own code or use a client-side encryption * library, such as the AWS * Encryption SDK, the Amazon * DynamoDB Encryption Client, or Amazon * S3 client-side encryption to do these tasks for you.

To encrypt data * outside of AWS KMS:

  1. Use the GenerateDataKey * operation to get a data key.

  2. Use the plaintext data key (in * the Plaintext field of the response) to encrypt your data outside * of AWS KMS. Then erase the plaintext data key from memory.

  3. *

    Store the encrypted data key (in the CiphertextBlob field of the * response) with the encrypted data.

To decrypt data outside of * AWS KMS:

  1. Use the Decrypt operation to decrypt the * encrypted data key. The operation returns a plaintext copy of the data key.

    *

  2. Use the plaintext data key to decrypt data outside of AWS KMS, * then erase the plaintext data key from memory.

See * Also:

AWS * API Reference

* * returns a future to the operation so that it can be executed in parallel to other requests. */ virtual Model::GenerateDataKeyOutcomeCallable GenerateDataKeyCallable(const Model::GenerateDataKeyRequest& request) const; /** *

Generates a unique symmetric data key for client-side encryption. This * operation returns a plaintext copy of the data key and a copy that is encrypted * under a customer master key (CMK) that you specify. You can use the plaintext * key to encrypt your data outside of AWS KMS and store the encrypted data key * with the encrypted data.

GenerateDataKey returns a unique * data key for each request. The bytes in the plaintext key are not related to the * caller or the CMK.

To generate a data key, specify the symmetric CMK that * will be used to encrypt the data key. You cannot use an asymmetric CMK to * generate data keys. To get the type of your CMK, use the DescribeKey * operation. You must also specify the length of the data key. Use either the * KeySpec or NumberOfBytes parameters (but not both). * For 128-bit and 256-bit data keys, use the KeySpec parameter.

*

To get only an encrypted copy of the data key, use * GenerateDataKeyWithoutPlaintext. To generate an asymmetric data key pair, * use the GenerateDataKeyPair or GenerateDataKeyPairWithoutPlaintext * operation. To get a cryptographically secure random byte string, use * GenerateRandom.

You can use the optional encryption context to add * additional security to the encryption operation. If you specify an * EncryptionContext, you must specify the same encryption context (a * case-sensitive exact match) when decrypting the encrypted data key. Otherwise, * the request to decrypt fails with an InvalidCiphertextException. * For more information, see Encryption * Context in the AWS Key Management Service Developer Guide.

The * CMK that you use for this operation must be in a compatible key state. For * details, see How * Key State Affects Use of a Customer Master Key in the AWS Key Management * Service Developer Guide.

How to use your data key

We * recommend that you use the following pattern to encrypt data locally in your * application. You can write your own code or use a client-side encryption * library, such as the AWS * Encryption SDK, the Amazon * DynamoDB Encryption Client, or Amazon * S3 client-side encryption to do these tasks for you.

To encrypt data * outside of AWS KMS:

  1. Use the GenerateDataKey * operation to get a data key.

  2. Use the plaintext data key (in * the Plaintext field of the response) to encrypt your data outside * of AWS KMS. Then erase the plaintext data key from memory.

  3. *

    Store the encrypted data key (in the CiphertextBlob field of the * response) with the encrypted data.

To decrypt data outside of * AWS KMS:

  1. Use the Decrypt operation to decrypt the * encrypted data key. The operation returns a plaintext copy of the data key.

    *

  2. Use the plaintext data key to decrypt data outside of AWS KMS, * then erase the plaintext data key from memory.

See * Also:

AWS * API Reference

* * Queues the request into a thread executor and triggers associated callback when operation has finished. */ virtual void GenerateDataKeyAsync(const Model::GenerateDataKeyRequest& request, const GenerateDataKeyResponseReceivedHandler& handler, const std::shared_ptr& context = nullptr) const; /** *

Generates a unique asymmetric data key pair. The * GenerateDataKeyPair operation returns a plaintext public key, a * plaintext private key, and a copy of the private key that is encrypted under the * symmetric CMK you specify. You can use the data key pair to perform asymmetric * cryptography outside of AWS KMS.

GenerateDataKeyPair * returns a unique data key pair for each request. The bytes in the keys are not * related to the caller or the CMK that is used to encrypt the private key.

*

You can use the public key that GenerateDataKeyPair returns to * encrypt data or verify a signature outside of AWS KMS. Then, store the encrypted * private key with the data. When you are ready to decrypt data or sign a message, * you can use the Decrypt operation to decrypt the encrypted private * key.

To generate a data key pair, you must specify a symmetric customer * master key (CMK) to encrypt the private key in a data key pair. You cannot use * an asymmetric CMK or a CMK in a custom key store. To get the type and origin of * your CMK, use the DescribeKey operation.

If you are using the * data key pair to encrypt data, or for any operation where you don't immediately * need a private key, consider using the * GenerateDataKeyPairWithoutPlaintext operation. * GenerateDataKeyPairWithoutPlaintext returns a plaintext public key * and an encrypted private key, but omits the plaintext private key that you need * only to decrypt ciphertext or sign a message. Later, when you need to decrypt * the data or sign a message, use the Decrypt operation to decrypt the * encrypted private key in the data key pair.

You can use the optional * encryption context to add additional security to the encryption operation. If * you specify an EncryptionContext, you must specify the same * encryption context (a case-sensitive exact match) when decrypting the encrypted * data key. Otherwise, the request to decrypt fails with an * InvalidCiphertextException. For more information, see Encryption * Context in the AWS Key Management Service Developer Guide.

The * CMK that you use for this operation must be in a compatible key state. For * details, see How * Key State Affects Use of a Customer Master Key in the AWS Key Management * Service Developer Guide.

See Also:

AWS * API Reference

*/ virtual Model::GenerateDataKeyPairOutcome GenerateDataKeyPair(const Model::GenerateDataKeyPairRequest& request) const; /** *

Generates a unique asymmetric data key pair. The * GenerateDataKeyPair operation returns a plaintext public key, a * plaintext private key, and a copy of the private key that is encrypted under the * symmetric CMK you specify. You can use the data key pair to perform asymmetric * cryptography outside of AWS KMS.

GenerateDataKeyPair * returns a unique data key pair for each request. The bytes in the keys are not * related to the caller or the CMK that is used to encrypt the private key.

*

You can use the public key that GenerateDataKeyPair returns to * encrypt data or verify a signature outside of AWS KMS. Then, store the encrypted * private key with the data. When you are ready to decrypt data or sign a message, * you can use the Decrypt operation to decrypt the encrypted private * key.

To generate a data key pair, you must specify a symmetric customer * master key (CMK) to encrypt the private key in a data key pair. You cannot use * an asymmetric CMK or a CMK in a custom key store. To get the type and origin of * your CMK, use the DescribeKey operation.

If you are using the * data key pair to encrypt data, or for any operation where you don't immediately * need a private key, consider using the * GenerateDataKeyPairWithoutPlaintext operation. * GenerateDataKeyPairWithoutPlaintext returns a plaintext public key * and an encrypted private key, but omits the plaintext private key that you need * only to decrypt ciphertext or sign a message. Later, when you need to decrypt * the data or sign a message, use the Decrypt operation to decrypt the * encrypted private key in the data key pair.

You can use the optional * encryption context to add additional security to the encryption operation. If * you specify an EncryptionContext, you must specify the same * encryption context (a case-sensitive exact match) when decrypting the encrypted * data key. Otherwise, the request to decrypt fails with an * InvalidCiphertextException. For more information, see Encryption * Context in the AWS Key Management Service Developer Guide.

The * CMK that you use for this operation must be in a compatible key state. For * details, see How * Key State Affects Use of a Customer Master Key in the AWS Key Management * Service Developer Guide.

See Also:

AWS * API Reference

* * returns a future to the operation so that it can be executed in parallel to other requests. */ virtual Model::GenerateDataKeyPairOutcomeCallable GenerateDataKeyPairCallable(const Model::GenerateDataKeyPairRequest& request) const; /** *

Generates a unique asymmetric data key pair. The * GenerateDataKeyPair operation returns a plaintext public key, a * plaintext private key, and a copy of the private key that is encrypted under the * symmetric CMK you specify. You can use the data key pair to perform asymmetric * cryptography outside of AWS KMS.

GenerateDataKeyPair * returns a unique data key pair for each request. The bytes in the keys are not * related to the caller or the CMK that is used to encrypt the private key.

*

You can use the public key that GenerateDataKeyPair returns to * encrypt data or verify a signature outside of AWS KMS. Then, store the encrypted * private key with the data. When you are ready to decrypt data or sign a message, * you can use the Decrypt operation to decrypt the encrypted private * key.

To generate a data key pair, you must specify a symmetric customer * master key (CMK) to encrypt the private key in a data key pair. You cannot use * an asymmetric CMK or a CMK in a custom key store. To get the type and origin of * your CMK, use the DescribeKey operation.

If you are using the * data key pair to encrypt data, or for any operation where you don't immediately * need a private key, consider using the * GenerateDataKeyPairWithoutPlaintext operation. * GenerateDataKeyPairWithoutPlaintext returns a plaintext public key * and an encrypted private key, but omits the plaintext private key that you need * only to decrypt ciphertext or sign a message. Later, when you need to decrypt * the data or sign a message, use the Decrypt operation to decrypt the * encrypted private key in the data key pair.

You can use the optional * encryption context to add additional security to the encryption operation. If * you specify an EncryptionContext, you must specify the same * encryption context (a case-sensitive exact match) when decrypting the encrypted * data key. Otherwise, the request to decrypt fails with an * InvalidCiphertextException. For more information, see Encryption * Context in the AWS Key Management Service Developer Guide.

The * CMK that you use for this operation must be in a compatible key state. For * details, see How * Key State Affects Use of a Customer Master Key in the AWS Key Management * Service Developer Guide.

See Also:

AWS * API Reference

* * Queues the request into a thread executor and triggers associated callback when operation has finished. */ virtual void GenerateDataKeyPairAsync(const Model::GenerateDataKeyPairRequest& request, const GenerateDataKeyPairResponseReceivedHandler& handler, const std::shared_ptr& context = nullptr) const; /** *

Generates a unique asymmetric data key pair. The * GenerateDataKeyPairWithoutPlaintext operation returns a plaintext * public key and a copy of the private key that is encrypted under the symmetric * CMK you specify. Unlike GenerateDataKeyPair, this operation does not * return a plaintext private key.

To generate a data key pair, you must * specify a symmetric customer master key (CMK) to encrypt the private key in the * data key pair. You cannot use an asymmetric CMK or a CMK in a custom key store. * To get the type and origin of your CMK, use the KeySpec field in * the DescribeKey response.

You can use the public key that * GenerateDataKeyPairWithoutPlaintext returns to encrypt data or * verify a signature outside of AWS KMS. Then, store the encrypted private key * with the data. When you are ready to decrypt data or sign a message, you can use * the Decrypt operation to decrypt the encrypted private key.

* GenerateDataKeyPairWithoutPlaintext returns a unique data key pair * for each request. The bytes in the key are not related to the caller or CMK that * is used to encrypt the private key.

You can use the optional encryption * context to add additional security to the encryption operation. If you specify * an EncryptionContext, you must specify the same encryption context * (a case-sensitive exact match) when decrypting the encrypted data key. * Otherwise, the request to decrypt fails with an * InvalidCiphertextException. For more information, see Encryption * Context in the AWS Key Management Service Developer Guide.

The * CMK that you use for this operation must be in a compatible key state. For * details, see How * Key State Affects Use of a Customer Master Key in the AWS Key Management * Service Developer Guide.

See Also:

AWS * API Reference

*/ virtual Model::GenerateDataKeyPairWithoutPlaintextOutcome GenerateDataKeyPairWithoutPlaintext(const Model::GenerateDataKeyPairWithoutPlaintextRequest& request) const; /** *

Generates a unique asymmetric data key pair. The * GenerateDataKeyPairWithoutPlaintext operation returns a plaintext * public key and a copy of the private key that is encrypted under the symmetric * CMK you specify. Unlike GenerateDataKeyPair, this operation does not * return a plaintext private key.

To generate a data key pair, you must * specify a symmetric customer master key (CMK) to encrypt the private key in the * data key pair. You cannot use an asymmetric CMK or a CMK in a custom key store. * To get the type and origin of your CMK, use the KeySpec field in * the DescribeKey response.

You can use the public key that * GenerateDataKeyPairWithoutPlaintext returns to encrypt data or * verify a signature outside of AWS KMS. Then, store the encrypted private key * with the data. When you are ready to decrypt data or sign a message, you can use * the Decrypt operation to decrypt the encrypted private key.

* GenerateDataKeyPairWithoutPlaintext returns a unique data key pair * for each request. The bytes in the key are not related to the caller or CMK that * is used to encrypt the private key.

You can use the optional encryption * context to add additional security to the encryption operation. If you specify * an EncryptionContext, you must specify the same encryption context * (a case-sensitive exact match) when decrypting the encrypted data key. * Otherwise, the request to decrypt fails with an * InvalidCiphertextException. For more information, see Encryption * Context in the AWS Key Management Service Developer Guide.

The * CMK that you use for this operation must be in a compatible key state. For * details, see How * Key State Affects Use of a Customer Master Key in the AWS Key Management * Service Developer Guide.

See Also:

AWS * API Reference

* * returns a future to the operation so that it can be executed in parallel to other requests. */ virtual Model::GenerateDataKeyPairWithoutPlaintextOutcomeCallable GenerateDataKeyPairWithoutPlaintextCallable(const Model::GenerateDataKeyPairWithoutPlaintextRequest& request) const; /** *

Generates a unique asymmetric data key pair. The * GenerateDataKeyPairWithoutPlaintext operation returns a plaintext * public key and a copy of the private key that is encrypted under the symmetric * CMK you specify. Unlike GenerateDataKeyPair, this operation does not * return a plaintext private key.

To generate a data key pair, you must * specify a symmetric customer master key (CMK) to encrypt the private key in the * data key pair. You cannot use an asymmetric CMK or a CMK in a custom key store. * To get the type and origin of your CMK, use the KeySpec field in * the DescribeKey response.

You can use the public key that * GenerateDataKeyPairWithoutPlaintext returns to encrypt data or * verify a signature outside of AWS KMS. Then, store the encrypted private key * with the data. When you are ready to decrypt data or sign a message, you can use * the Decrypt operation to decrypt the encrypted private key.

* GenerateDataKeyPairWithoutPlaintext returns a unique data key pair * for each request. The bytes in the key are not related to the caller or CMK that * is used to encrypt the private key.

You can use the optional encryption * context to add additional security to the encryption operation. If you specify * an EncryptionContext, you must specify the same encryption context * (a case-sensitive exact match) when decrypting the encrypted data key. * Otherwise, the request to decrypt fails with an * InvalidCiphertextException. For more information, see Encryption * Context in the AWS Key Management Service Developer Guide.

The * CMK that you use for this operation must be in a compatible key state. For * details, see How * Key State Affects Use of a Customer Master Key in the AWS Key Management * Service Developer Guide.

See Also:

AWS * API Reference

* * Queues the request into a thread executor and triggers associated callback when operation has finished. */ virtual void GenerateDataKeyPairWithoutPlaintextAsync(const Model::GenerateDataKeyPairWithoutPlaintextRequest& request, const GenerateDataKeyPairWithoutPlaintextResponseReceivedHandler& handler, const std::shared_ptr& context = nullptr) const; /** *

Generates a unique symmetric data key. This operation returns a data key that * is encrypted under a customer master key (CMK) that you specify. To request an * asymmetric data key pair, use the GenerateDataKeyPair or * GenerateDataKeyPairWithoutPlaintext operations.

* GenerateDataKeyWithoutPlaintext is identical to the * GenerateDataKey operation except that returns only the encrypted copy of * the data key. This operation is useful for systems that need to encrypt data at * some point, but not immediately. When you need to encrypt the data, you call the * Decrypt operation on the encrypted copy of the key.

It's also * useful in distributed systems with different levels of trust. For example, you * might store encrypted data in containers. One component of your system creates * new containers and stores an encrypted data key with each container. Then, a * different component puts the data into the containers. That component first * decrypts the data key, uses the plaintext data key to encrypt data, puts the * encrypted data into the container, and then destroys the plaintext data key. In * this system, the component that creates the containers never sees the plaintext * data key.

GenerateDataKeyWithoutPlaintext returns a unique * data key for each request. The bytes in the keys are not related to the caller * or CMK that is used to encrypt the private key.

To generate a data key, * you must specify the symmetric customer master key (CMK) that is used to encrypt * the data key. You cannot use an asymmetric CMK to generate a data key. To get * the type of your CMK, use the DescribeKey operation.

If the * operation succeeds, you will find the encrypted copy of the data key in the * CiphertextBlob field.

You can use the optional encryption * context to add additional security to the encryption operation. If you specify * an EncryptionContext, you must specify the same encryption context * (a case-sensitive exact match) when decrypting the encrypted data key. * Otherwise, the request to decrypt fails with an * InvalidCiphertextException. For more information, see Encryption * Context in the AWS Key Management Service Developer Guide.

The * CMK that you use for this operation must be in a compatible key state. For * details, see How * Key State Affects Use of a Customer Master Key in the AWS Key Management * Service Developer Guide.

See Also:

AWS * API Reference

*/ virtual Model::GenerateDataKeyWithoutPlaintextOutcome GenerateDataKeyWithoutPlaintext(const Model::GenerateDataKeyWithoutPlaintextRequest& request) const; /** *

Generates a unique symmetric data key. This operation returns a data key that * is encrypted under a customer master key (CMK) that you specify. To request an * asymmetric data key pair, use the GenerateDataKeyPair or * GenerateDataKeyPairWithoutPlaintext operations.

* GenerateDataKeyWithoutPlaintext is identical to the * GenerateDataKey operation except that returns only the encrypted copy of * the data key. This operation is useful for systems that need to encrypt data at * some point, but not immediately. When you need to encrypt the data, you call the * Decrypt operation on the encrypted copy of the key.

It's also * useful in distributed systems with different levels of trust. For example, you * might store encrypted data in containers. One component of your system creates * new containers and stores an encrypted data key with each container. Then, a * different component puts the data into the containers. That component first * decrypts the data key, uses the plaintext data key to encrypt data, puts the * encrypted data into the container, and then destroys the plaintext data key. In * this system, the component that creates the containers never sees the plaintext * data key.

GenerateDataKeyWithoutPlaintext returns a unique * data key for each request. The bytes in the keys are not related to the caller * or CMK that is used to encrypt the private key.

To generate a data key, * you must specify the symmetric customer master key (CMK) that is used to encrypt * the data key. You cannot use an asymmetric CMK to generate a data key. To get * the type of your CMK, use the DescribeKey operation.

If the * operation succeeds, you will find the encrypted copy of the data key in the * CiphertextBlob field.

You can use the optional encryption * context to add additional security to the encryption operation. If you specify * an EncryptionContext, you must specify the same encryption context * (a case-sensitive exact match) when decrypting the encrypted data key. * Otherwise, the request to decrypt fails with an * InvalidCiphertextException. For more information, see Encryption * Context in the AWS Key Management Service Developer Guide.

The * CMK that you use for this operation must be in a compatible key state. For * details, see How * Key State Affects Use of a Customer Master Key in the AWS Key Management * Service Developer Guide.

See Also:

AWS * API Reference

* * returns a future to the operation so that it can be executed in parallel to other requests. */ virtual Model::GenerateDataKeyWithoutPlaintextOutcomeCallable GenerateDataKeyWithoutPlaintextCallable(const Model::GenerateDataKeyWithoutPlaintextRequest& request) const; /** *

Generates a unique symmetric data key. This operation returns a data key that * is encrypted under a customer master key (CMK) that you specify. To request an * asymmetric data key pair, use the GenerateDataKeyPair or * GenerateDataKeyPairWithoutPlaintext operations.

* GenerateDataKeyWithoutPlaintext is identical to the * GenerateDataKey operation except that returns only the encrypted copy of * the data key. This operation is useful for systems that need to encrypt data at * some point, but not immediately. When you need to encrypt the data, you call the * Decrypt operation on the encrypted copy of the key.

It's also * useful in distributed systems with different levels of trust. For example, you * might store encrypted data in containers. One component of your system creates * new containers and stores an encrypted data key with each container. Then, a * different component puts the data into the containers. That component first * decrypts the data key, uses the plaintext data key to encrypt data, puts the * encrypted data into the container, and then destroys the plaintext data key. In * this system, the component that creates the containers never sees the plaintext * data key.

GenerateDataKeyWithoutPlaintext returns a unique * data key for each request. The bytes in the keys are not related to the caller * or CMK that is used to encrypt the private key.

To generate a data key, * you must specify the symmetric customer master key (CMK) that is used to encrypt * the data key. You cannot use an asymmetric CMK to generate a data key. To get * the type of your CMK, use the DescribeKey operation.

If the * operation succeeds, you will find the encrypted copy of the data key in the * CiphertextBlob field.

You can use the optional encryption * context to add additional security to the encryption operation. If you specify * an EncryptionContext, you must specify the same encryption context * (a case-sensitive exact match) when decrypting the encrypted data key. * Otherwise, the request to decrypt fails with an * InvalidCiphertextException. For more information, see Encryption * Context in the AWS Key Management Service Developer Guide.

The * CMK that you use for this operation must be in a compatible key state. For * details, see How * Key State Affects Use of a Customer Master Key in the AWS Key Management * Service Developer Guide.

See Also:

AWS * API Reference

* * Queues the request into a thread executor and triggers associated callback when operation has finished. */ virtual void GenerateDataKeyWithoutPlaintextAsync(const Model::GenerateDataKeyWithoutPlaintextRequest& request, const GenerateDataKeyWithoutPlaintextResponseReceivedHandler& handler, const std::shared_ptr& context = nullptr) const; /** *

Returns a random byte string that is cryptographically secure.

By * default, the random byte string is generated in AWS KMS. To generate the byte * string in the AWS CloudHSM cluster that is associated with a custom * key store, specify the custom key store ID.

For more information * about entropy and random number generation, see the AWS * Key Management Service Cryptographic Details whitepaper.

See * Also:

AWS * API Reference

*/ virtual Model::GenerateRandomOutcome GenerateRandom(const Model::GenerateRandomRequest& request) const; /** *

Returns a random byte string that is cryptographically secure.

By * default, the random byte string is generated in AWS KMS. To generate the byte * string in the AWS CloudHSM cluster that is associated with a custom * key store, specify the custom key store ID.

For more information * about entropy and random number generation, see the AWS * Key Management Service Cryptographic Details whitepaper.

See * Also:

AWS * API Reference

* * returns a future to the operation so that it can be executed in parallel to other requests. */ virtual Model::GenerateRandomOutcomeCallable GenerateRandomCallable(const Model::GenerateRandomRequest& request) const; /** *

Returns a random byte string that is cryptographically secure.

By * default, the random byte string is generated in AWS KMS. To generate the byte * string in the AWS CloudHSM cluster that is associated with a custom * key store, specify the custom key store ID.

For more information * about entropy and random number generation, see the AWS * Key Management Service Cryptographic Details whitepaper.

See * Also:

AWS * API Reference

* * Queues the request into a thread executor and triggers associated callback when operation has finished. */ virtual void GenerateRandomAsync(const Model::GenerateRandomRequest& request, const GenerateRandomResponseReceivedHandler& handler, const std::shared_ptr& context = nullptr) const; /** *

Gets a key policy attached to the specified customer master key (CMK). You * cannot perform this operation on a CMK in a different AWS account.

See * Also:

AWS * API Reference

*/ virtual Model::GetKeyPolicyOutcome GetKeyPolicy(const Model::GetKeyPolicyRequest& request) const; /** *

Gets a key policy attached to the specified customer master key (CMK). You * cannot perform this operation on a CMK in a different AWS account.

See * Also:

AWS * API Reference

* * returns a future to the operation so that it can be executed in parallel to other requests. */ virtual Model::GetKeyPolicyOutcomeCallable GetKeyPolicyCallable(const Model::GetKeyPolicyRequest& request) const; /** *

Gets a key policy attached to the specified customer master key (CMK). You * cannot perform this operation on a CMK in a different AWS account.

See * Also:

AWS * API Reference

* * Queues the request into a thread executor and triggers associated callback when operation has finished. */ virtual void GetKeyPolicyAsync(const Model::GetKeyPolicyRequest& request, const GetKeyPolicyResponseReceivedHandler& handler, const std::shared_ptr& context = nullptr) const; /** *

Gets a Boolean value that indicates whether automatic * rotation of the key material is enabled for the specified customer master * key (CMK).

You cannot enable automatic rotation of asymmetric CMKs, CMKs * with imported key material, or CMKs in a custom * key store. The key rotation status for these CMKs is always * false.

The CMK that you use for this operation must be in a * compatible key state. For details, see How * Key State Affects Use of a Customer Master Key in the AWS Key Management * Service Developer Guide.

  • Disabled: The key rotation status * does not change when you disable a CMK. However, while the CMK is disabled, AWS * KMS does not rotate the backing key.

  • Pending deletion: While a * CMK is pending deletion, its key rotation status is false and AWS * KMS does not rotate the backing key. If you cancel the deletion, the original * key rotation status is restored.

To perform this operation on * a CMK in a different AWS account, specify the key ARN in the value of the * KeyId parameter.

See Also:

AWS * API Reference

*/ virtual Model::GetKeyRotationStatusOutcome GetKeyRotationStatus(const Model::GetKeyRotationStatusRequest& request) const; /** *

Gets a Boolean value that indicates whether automatic * rotation of the key material is enabled for the specified customer master * key (CMK).

You cannot enable automatic rotation of asymmetric CMKs, CMKs * with imported key material, or CMKs in a custom * key store. The key rotation status for these CMKs is always * false.

The CMK that you use for this operation must be in a * compatible key state. For details, see How * Key State Affects Use of a Customer Master Key in the AWS Key Management * Service Developer Guide.

  • Disabled: The key rotation status * does not change when you disable a CMK. However, while the CMK is disabled, AWS * KMS does not rotate the backing key.

  • Pending deletion: While a * CMK is pending deletion, its key rotation status is false and AWS * KMS does not rotate the backing key. If you cancel the deletion, the original * key rotation status is restored.

To perform this operation on * a CMK in a different AWS account, specify the key ARN in the value of the * KeyId parameter.

See Also:

AWS * API Reference

* * returns a future to the operation so that it can be executed in parallel to other requests. */ virtual Model::GetKeyRotationStatusOutcomeCallable GetKeyRotationStatusCallable(const Model::GetKeyRotationStatusRequest& request) const; /** *

Gets a Boolean value that indicates whether automatic * rotation of the key material is enabled for the specified customer master * key (CMK).

You cannot enable automatic rotation of asymmetric CMKs, CMKs * with imported key material, or CMKs in a custom * key store. The key rotation status for these CMKs is always * false.

The CMK that you use for this operation must be in a * compatible key state. For details, see How * Key State Affects Use of a Customer Master Key in the AWS Key Management * Service Developer Guide.

  • Disabled: The key rotation status * does not change when you disable a CMK. However, while the CMK is disabled, AWS * KMS does not rotate the backing key.

  • Pending deletion: While a * CMK is pending deletion, its key rotation status is false and AWS * KMS does not rotate the backing key. If you cancel the deletion, the original * key rotation status is restored.

To perform this operation on * a CMK in a different AWS account, specify the key ARN in the value of the * KeyId parameter.

See Also:

AWS * API Reference

* * Queues the request into a thread executor and triggers associated callback when operation has finished. */ virtual void GetKeyRotationStatusAsync(const Model::GetKeyRotationStatusRequest& request, const GetKeyRotationStatusResponseReceivedHandler& handler, const std::shared_ptr& context = nullptr) const; /** *

Returns the items you need to import key material into a symmetric, customer * managed customer master key (CMK). For more information about importing key * material into AWS KMS, see Importing * Key Material in the AWS Key Management Service Developer Guide.

*

This operation returns a public key and an import token. Use the public key * to encrypt the symmetric key material. Store the import token to send with a * subsequent ImportKeyMaterial request.

You must specify the key ID * of the symmetric CMK into which you will import key material. This CMK's * Origin must be EXTERNAL. You must also specify the * wrapping algorithm and type of wrapping key (public key) that you will use to * encrypt the key material. You cannot perform this operation on an asymmetric CMK * or on any CMK in a different AWS account.

To import key material, you * must use the public key and import token from the same response. These items are * valid for 24 hours. The expiration date and time appear in the * GetParametersForImport response. You cannot use an expired token in * an ImportKeyMaterial request. If your key and token expire, send another * GetParametersForImport request.

The CMK that you use for * this operation must be in a compatible key state. For details, see How * Key State Affects Use of a Customer Master Key in the AWS Key Management * Service Developer Guide.

See Also:

AWS * API Reference

*/ virtual Model::GetParametersForImportOutcome GetParametersForImport(const Model::GetParametersForImportRequest& request) const; /** *

Returns the items you need to import key material into a symmetric, customer * managed customer master key (CMK). For more information about importing key * material into AWS KMS, see Importing * Key Material in the AWS Key Management Service Developer Guide.

*

This operation returns a public key and an import token. Use the public key * to encrypt the symmetric key material. Store the import token to send with a * subsequent ImportKeyMaterial request.

You must specify the key ID * of the symmetric CMK into which you will import key material. This CMK's * Origin must be EXTERNAL. You must also specify the * wrapping algorithm and type of wrapping key (public key) that you will use to * encrypt the key material. You cannot perform this operation on an asymmetric CMK * or on any CMK in a different AWS account.

To import key material, you * must use the public key and import token from the same response. These items are * valid for 24 hours. The expiration date and time appear in the * GetParametersForImport response. You cannot use an expired token in * an ImportKeyMaterial request. If your key and token expire, send another * GetParametersForImport request.

The CMK that you use for * this operation must be in a compatible key state. For details, see How * Key State Affects Use of a Customer Master Key in the AWS Key Management * Service Developer Guide.

See Also:

AWS * API Reference

* * returns a future to the operation so that it can be executed in parallel to other requests. */ virtual Model::GetParametersForImportOutcomeCallable GetParametersForImportCallable(const Model::GetParametersForImportRequest& request) const; /** *

Returns the items you need to import key material into a symmetric, customer * managed customer master key (CMK). For more information about importing key * material into AWS KMS, see Importing * Key Material in the AWS Key Management Service Developer Guide.

*

This operation returns a public key and an import token. Use the public key * to encrypt the symmetric key material. Store the import token to send with a * subsequent ImportKeyMaterial request.

You must specify the key ID * of the symmetric CMK into which you will import key material. This CMK's * Origin must be EXTERNAL. You must also specify the * wrapping algorithm and type of wrapping key (public key) that you will use to * encrypt the key material. You cannot perform this operation on an asymmetric CMK * or on any CMK in a different AWS account.

To import key material, you * must use the public key and import token from the same response. These items are * valid for 24 hours. The expiration date and time appear in the * GetParametersForImport response. You cannot use an expired token in * an ImportKeyMaterial request. If your key and token expire, send another * GetParametersForImport request.

The CMK that you use for * this operation must be in a compatible key state. For details, see How * Key State Affects Use of a Customer Master Key in the AWS Key Management * Service Developer Guide.

See Also:

AWS * API Reference

* * Queues the request into a thread executor and triggers associated callback when operation has finished. */ virtual void GetParametersForImportAsync(const Model::GetParametersForImportRequest& request, const GetParametersForImportResponseReceivedHandler& handler, const std::shared_ptr& context = nullptr) const; /** *

Returns the public key of an asymmetric CMK. Unlike the private key of a * asymmetric CMK, which never leaves AWS KMS unencrypted, callers with * kms:GetPublicKey permission can download the public key of an * asymmetric CMK. You can share the public key to allow others to encrypt messages * and verify signatures outside of AWS KMS. For information about symmetric and * asymmetric CMKs, see Using * Symmetric and Asymmetric CMKs in the AWS Key Management Service Developer * Guide.

You do not need to download the public key. Instead, you can * use the public key within AWS KMS by calling the Encrypt, * ReEncrypt, or Verify operations with the identifier of an * asymmetric CMK. When you use the public key within AWS KMS, you benefit from the * authentication, authorization, and logging that are part of every AWS KMS * operation. You also reduce of risk of encrypting data that cannot be decrypted. * These features are not effective outside of AWS KMS. For details, see Special * Considerations for Downloading Public Keys.

To help you use the * public key safely outside of AWS KMS, GetPublicKey returns * important information about the public key in the response, including:

Although AWS KMS cannot enforce these restrictions on external * operations, it is crucial that you use this information to prevent the public * key from being used improperly. For example, you can prevent a public signing * key from being used encrypt data, or prevent a public key from being used with * an encryption algorithm that is not supported by AWS KMS. You can also avoid * errors, such as using the wrong signing algorithm in a verification * operation.

The CMK that you use for this operation must be in a * compatible key state. For details, see How * Key State Affects Use of a Customer Master Key in the AWS Key Management * Service Developer Guide.

See Also:

AWS * API Reference

*/ virtual Model::GetPublicKeyOutcome GetPublicKey(const Model::GetPublicKeyRequest& request) const; /** *

Returns the public key of an asymmetric CMK. Unlike the private key of a * asymmetric CMK, which never leaves AWS KMS unencrypted, callers with * kms:GetPublicKey permission can download the public key of an * asymmetric CMK. You can share the public key to allow others to encrypt messages * and verify signatures outside of AWS KMS. For information about symmetric and * asymmetric CMKs, see Using * Symmetric and Asymmetric CMKs in the AWS Key Management Service Developer * Guide.

You do not need to download the public key. Instead, you can * use the public key within AWS KMS by calling the Encrypt, * ReEncrypt, or Verify operations with the identifier of an * asymmetric CMK. When you use the public key within AWS KMS, you benefit from the * authentication, authorization, and logging that are part of every AWS KMS * operation. You also reduce of risk of encrypting data that cannot be decrypted. * These features are not effective outside of AWS KMS. For details, see Special * Considerations for Downloading Public Keys.

To help you use the * public key safely outside of AWS KMS, GetPublicKey returns * important information about the public key in the response, including:

Although AWS KMS cannot enforce these restrictions on external * operations, it is crucial that you use this information to prevent the public * key from being used improperly. For example, you can prevent a public signing * key from being used encrypt data, or prevent a public key from being used with * an encryption algorithm that is not supported by AWS KMS. You can also avoid * errors, such as using the wrong signing algorithm in a verification * operation.

The CMK that you use for this operation must be in a * compatible key state. For details, see How * Key State Affects Use of a Customer Master Key in the AWS Key Management * Service Developer Guide.

See Also:

AWS * API Reference

* * returns a future to the operation so that it can be executed in parallel to other requests. */ virtual Model::GetPublicKeyOutcomeCallable GetPublicKeyCallable(const Model::GetPublicKeyRequest& request) const; /** *

Returns the public key of an asymmetric CMK. Unlike the private key of a * asymmetric CMK, which never leaves AWS KMS unencrypted, callers with * kms:GetPublicKey permission can download the public key of an * asymmetric CMK. You can share the public key to allow others to encrypt messages * and verify signatures outside of AWS KMS. For information about symmetric and * asymmetric CMKs, see Using * Symmetric and Asymmetric CMKs in the AWS Key Management Service Developer * Guide.

You do not need to download the public key. Instead, you can * use the public key within AWS KMS by calling the Encrypt, * ReEncrypt, or Verify operations with the identifier of an * asymmetric CMK. When you use the public key within AWS KMS, you benefit from the * authentication, authorization, and logging that are part of every AWS KMS * operation. You also reduce of risk of encrypting data that cannot be decrypted. * These features are not effective outside of AWS KMS. For details, see Special * Considerations for Downloading Public Keys.

To help you use the * public key safely outside of AWS KMS, GetPublicKey returns * important information about the public key in the response, including:

Although AWS KMS cannot enforce these restrictions on external * operations, it is crucial that you use this information to prevent the public * key from being used improperly. For example, you can prevent a public signing * key from being used encrypt data, or prevent a public key from being used with * an encryption algorithm that is not supported by AWS KMS. You can also avoid * errors, such as using the wrong signing algorithm in a verification * operation.

The CMK that you use for this operation must be in a * compatible key state. For details, see How * Key State Affects Use of a Customer Master Key in the AWS Key Management * Service Developer Guide.

See Also:

AWS * API Reference

* * Queues the request into a thread executor and triggers associated callback when operation has finished. */ virtual void GetPublicKeyAsync(const Model::GetPublicKeyRequest& request, const GetPublicKeyResponseReceivedHandler& handler, const std::shared_ptr& context = nullptr) const; /** *

Imports key material into an existing symmetric AWS KMS customer master key * (CMK) that was created without key material. After you successfully import key * material into a CMK, you can reimport * the same key material into that CMK, but you cannot import different key * material.

You cannot perform this operation on an asymmetric CMK or on * any CMK in a different AWS account. For more information about creating CMKs * with no key material and then importing key material, see Importing * Key Material in the AWS Key Management Service Developer Guide.

*

Before using this operation, call GetParametersForImport. Its response * includes a public key and an import token. Use the public key to encrypt the key * material. Then, submit the import token from the same * GetParametersForImport response.

When calling this * operation, you must specify the following values:

  • The key ID or * key ARN of a CMK with no key material. Its Origin must be * EXTERNAL.

    To create a CMK with no key material, call * CreateKey and set the value of its Origin parameter to * EXTERNAL. To get the Origin of a CMK, call * DescribeKey.)

  • The encrypted key material. To get the * public key to encrypt the key material, call GetParametersForImport.

    *

  • The import token that GetParametersForImport returned. You * must use a public key and token from the same * GetParametersForImport response.

  • Whether the key * material expires and if so, when. If you set an expiration date, AWS KMS deletes * the key material from the CMK on the specified date, and the CMK becomes * unusable. To use the CMK again, you must reimport the same key material. The * only way to change an expiration date is by reimporting the same key material * and specifying a new expiration date.

When this operation is * successful, the key state of the CMK changes from PendingImport to * Enabled, and you can use the CMK.

If this operation fails, * use the exception to help determine the problem. If the error is related to the * key material, the import token, or wrapping key, use * GetParametersForImport to get a new public key and import token for the * CMK and repeat the import procedure. For help, see How * To Import Key Material in the AWS Key Management Service Developer * Guide.

The CMK that you use for this operation must be in a * compatible key state. For details, see How * Key State Affects Use of a Customer Master Key in the AWS Key Management * Service Developer Guide.

See Also:

AWS * API Reference

*/ virtual Model::ImportKeyMaterialOutcome ImportKeyMaterial(const Model::ImportKeyMaterialRequest& request) const; /** *

Imports key material into an existing symmetric AWS KMS customer master key * (CMK) that was created without key material. After you successfully import key * material into a CMK, you can reimport * the same key material into that CMK, but you cannot import different key * material.

You cannot perform this operation on an asymmetric CMK or on * any CMK in a different AWS account. For more information about creating CMKs * with no key material and then importing key material, see Importing * Key Material in the AWS Key Management Service Developer Guide.

*

Before using this operation, call GetParametersForImport. Its response * includes a public key and an import token. Use the public key to encrypt the key * material. Then, submit the import token from the same * GetParametersForImport response.

When calling this * operation, you must specify the following values:

  • The key ID or * key ARN of a CMK with no key material. Its Origin must be * EXTERNAL.

    To create a CMK with no key material, call * CreateKey and set the value of its Origin parameter to * EXTERNAL. To get the Origin of a CMK, call * DescribeKey.)

  • The encrypted key material. To get the * public key to encrypt the key material, call GetParametersForImport.

    *

  • The import token that GetParametersForImport returned. You * must use a public key and token from the same * GetParametersForImport response.

  • Whether the key * material expires and if so, when. If you set an expiration date, AWS KMS deletes * the key material from the CMK on the specified date, and the CMK becomes * unusable. To use the CMK again, you must reimport the same key material. The * only way to change an expiration date is by reimporting the same key material * and specifying a new expiration date.

When this operation is * successful, the key state of the CMK changes from PendingImport to * Enabled, and you can use the CMK.

If this operation fails, * use the exception to help determine the problem. If the error is related to the * key material, the import token, or wrapping key, use * GetParametersForImport to get a new public key and import token for the * CMK and repeat the import procedure. For help, see How * To Import Key Material in the AWS Key Management Service Developer * Guide.

The CMK that you use for this operation must be in a * compatible key state. For details, see How * Key State Affects Use of a Customer Master Key in the AWS Key Management * Service Developer Guide.

See Also:

AWS * API Reference

* * returns a future to the operation so that it can be executed in parallel to other requests. */ virtual Model::ImportKeyMaterialOutcomeCallable ImportKeyMaterialCallable(const Model::ImportKeyMaterialRequest& request) const; /** *

Imports key material into an existing symmetric AWS KMS customer master key * (CMK) that was created without key material. After you successfully import key * material into a CMK, you can reimport * the same key material into that CMK, but you cannot import different key * material.

You cannot perform this operation on an asymmetric CMK or on * any CMK in a different AWS account. For more information about creating CMKs * with no key material and then importing key material, see Importing * Key Material in the AWS Key Management Service Developer Guide.

*

Before using this operation, call GetParametersForImport. Its response * includes a public key and an import token. Use the public key to encrypt the key * material. Then, submit the import token from the same * GetParametersForImport response.

When calling this * operation, you must specify the following values:

  • The key ID or * key ARN of a CMK with no key material. Its Origin must be * EXTERNAL.

    To create a CMK with no key material, call * CreateKey and set the value of its Origin parameter to * EXTERNAL. To get the Origin of a CMK, call * DescribeKey.)

  • The encrypted key material. To get the * public key to encrypt the key material, call GetParametersForImport.

    *

  • The import token that GetParametersForImport returned. You * must use a public key and token from the same * GetParametersForImport response.

  • Whether the key * material expires and if so, when. If you set an expiration date, AWS KMS deletes * the key material from the CMK on the specified date, and the CMK becomes * unusable. To use the CMK again, you must reimport the same key material. The * only way to change an expiration date is by reimporting the same key material * and specifying a new expiration date.

When this operation is * successful, the key state of the CMK changes from PendingImport to * Enabled, and you can use the CMK.

If this operation fails, * use the exception to help determine the problem. If the error is related to the * key material, the import token, or wrapping key, use * GetParametersForImport to get a new public key and import token for the * CMK and repeat the import procedure. For help, see How * To Import Key Material in the AWS Key Management Service Developer * Guide.

The CMK that you use for this operation must be in a * compatible key state. For details, see How * Key State Affects Use of a Customer Master Key in the AWS Key Management * Service Developer Guide.

See Also:

AWS * API Reference

* * Queues the request into a thread executor and triggers associated callback when operation has finished. */ virtual void ImportKeyMaterialAsync(const Model::ImportKeyMaterialRequest& request, const ImportKeyMaterialResponseReceivedHandler& handler, const std::shared_ptr& context = nullptr) const; /** *

Gets a list of aliases in the caller's AWS account and region. You cannot * list aliases in other accounts. For more information about aliases, see * CreateAlias.

By default, the ListAliases command returns all * aliases in the account and region. To get only the aliases that point to a * particular customer master key (CMK), use the KeyId parameter.

*

The ListAliases response can include aliases that you created * and associated with your customer managed CMKs, and aliases that AWS created and * associated with AWS managed CMKs in your account. You can recognize AWS aliases * because their names have the format aws/<service-name>, such * as aws/dynamodb.

The response might also include aliases * that have no TargetKeyId field. These are predefined aliases that * AWS has created but has not yet associated with a CMK. Aliases that AWS creates * in your account, including predefined aliases, do not count against your AWS * KMS aliases quota.

See Also:

AWS API * Reference

*/ virtual Model::ListAliasesOutcome ListAliases(const Model::ListAliasesRequest& request) const; /** *

Gets a list of aliases in the caller's AWS account and region. You cannot * list aliases in other accounts. For more information about aliases, see * CreateAlias.

By default, the ListAliases command returns all * aliases in the account and region. To get only the aliases that point to a * particular customer master key (CMK), use the KeyId parameter.

*

The ListAliases response can include aliases that you created * and associated with your customer managed CMKs, and aliases that AWS created and * associated with AWS managed CMKs in your account. You can recognize AWS aliases * because their names have the format aws/<service-name>, such * as aws/dynamodb.

The response might also include aliases * that have no TargetKeyId field. These are predefined aliases that * AWS has created but has not yet associated with a CMK. Aliases that AWS creates * in your account, including predefined aliases, do not count against your AWS * KMS aliases quota.

See Also:

AWS API * Reference

* * returns a future to the operation so that it can be executed in parallel to other requests. */ virtual Model::ListAliasesOutcomeCallable ListAliasesCallable(const Model::ListAliasesRequest& request) const; /** *

Gets a list of aliases in the caller's AWS account and region. You cannot * list aliases in other accounts. For more information about aliases, see * CreateAlias.

By default, the ListAliases command returns all * aliases in the account and region. To get only the aliases that point to a * particular customer master key (CMK), use the KeyId parameter.

*

The ListAliases response can include aliases that you created * and associated with your customer managed CMKs, and aliases that AWS created and * associated with AWS managed CMKs in your account. You can recognize AWS aliases * because their names have the format aws/<service-name>, such * as aws/dynamodb.

The response might also include aliases * that have no TargetKeyId field. These are predefined aliases that * AWS has created but has not yet associated with a CMK. Aliases that AWS creates * in your account, including predefined aliases, do not count against your AWS * KMS aliases quota.

See Also:

AWS API * Reference

* * Queues the request into a thread executor and triggers associated callback when operation has finished. */ virtual void ListAliasesAsync(const Model::ListAliasesRequest& request, const ListAliasesResponseReceivedHandler& handler, const std::shared_ptr& context = nullptr) const; /** *

Gets a list of all grants for the specified customer master key (CMK).

*

To perform this operation on a CMK in a different AWS account, specify the * key ARN in the value of the KeyId parameter.

The * GranteePrincipal field in the ListGrants response * usually contains the user or role designated as the grantee principal in the * grant. However, when the grantee principal in the grant is an AWS service, the * GranteePrincipal field contains the service * principal, which might represent several different grantee principals.

*

See Also:

AWS API * Reference

*/ virtual Model::ListGrantsOutcome ListGrants(const Model::ListGrantsRequest& request) const; /** *

Gets a list of all grants for the specified customer master key (CMK).

*

To perform this operation on a CMK in a different AWS account, specify the * key ARN in the value of the KeyId parameter.

The * GranteePrincipal field in the ListGrants response * usually contains the user or role designated as the grantee principal in the * grant. However, when the grantee principal in the grant is an AWS service, the * GranteePrincipal field contains the service * principal, which might represent several different grantee principals.

*

See Also:

AWS API * Reference

* * returns a future to the operation so that it can be executed in parallel to other requests. */ virtual Model::ListGrantsOutcomeCallable ListGrantsCallable(const Model::ListGrantsRequest& request) const; /** *

Gets a list of all grants for the specified customer master key (CMK).

*

To perform this operation on a CMK in a different AWS account, specify the * key ARN in the value of the KeyId parameter.

The * GranteePrincipal field in the ListGrants response * usually contains the user or role designated as the grantee principal in the * grant. However, when the grantee principal in the grant is an AWS service, the * GranteePrincipal field contains the service * principal, which might represent several different grantee principals.

*

See Also:

AWS API * Reference

* * Queues the request into a thread executor and triggers associated callback when operation has finished. */ virtual void ListGrantsAsync(const Model::ListGrantsRequest& request, const ListGrantsResponseReceivedHandler& handler, const std::shared_ptr& context = nullptr) const; /** *

Gets the names of the key policies that are attached to a customer master key * (CMK). This operation is designed to get policy names that you can use in a * GetKeyPolicy operation. However, the only valid policy name is * default. You cannot perform this operation on a CMK in a different * AWS account.

See Also:

AWS * API Reference

*/ virtual Model::ListKeyPoliciesOutcome ListKeyPolicies(const Model::ListKeyPoliciesRequest& request) const; /** *

Gets the names of the key policies that are attached to a customer master key * (CMK). This operation is designed to get policy names that you can use in a * GetKeyPolicy operation. However, the only valid policy name is * default. You cannot perform this operation on a CMK in a different * AWS account.

See Also:

AWS * API Reference

* * returns a future to the operation so that it can be executed in parallel to other requests. */ virtual Model::ListKeyPoliciesOutcomeCallable ListKeyPoliciesCallable(const Model::ListKeyPoliciesRequest& request) const; /** *

Gets the names of the key policies that are attached to a customer master key * (CMK). This operation is designed to get policy names that you can use in a * GetKeyPolicy operation. However, the only valid policy name is * default. You cannot perform this operation on a CMK in a different * AWS account.

See Also:

AWS * API Reference

* * Queues the request into a thread executor and triggers associated callback when operation has finished. */ virtual void ListKeyPoliciesAsync(const Model::ListKeyPoliciesRequest& request, const ListKeyPoliciesResponseReceivedHandler& handler, const std::shared_ptr& context = nullptr) const; /** *

Gets a list of all customer master keys (CMKs) in the caller's AWS account * and Region.

See Also:

AWS API * Reference

*/ virtual Model::ListKeysOutcome ListKeys(const Model::ListKeysRequest& request) const; /** *

Gets a list of all customer master keys (CMKs) in the caller's AWS account * and Region.

See Also:

AWS API * Reference

* * returns a future to the operation so that it can be executed in parallel to other requests. */ virtual Model::ListKeysOutcomeCallable ListKeysCallable(const Model::ListKeysRequest& request) const; /** *

Gets a list of all customer master keys (CMKs) in the caller's AWS account * and Region.

See Also:

AWS API * Reference

* * Queues the request into a thread executor and triggers associated callback when operation has finished. */ virtual void ListKeysAsync(const Model::ListKeysRequest& request, const ListKeysResponseReceivedHandler& handler, const std::shared_ptr& context = nullptr) const; /** *

Returns a list of all tags for the specified customer master key (CMK).

*

You cannot perform this operation on a CMK in a different AWS * account.

See Also:

AWS * API Reference

*/ virtual Model::ListResourceTagsOutcome ListResourceTags(const Model::ListResourceTagsRequest& request) const; /** *

Returns a list of all tags for the specified customer master key (CMK).

*

You cannot perform this operation on a CMK in a different AWS * account.

See Also:

AWS * API Reference

* * returns a future to the operation so that it can be executed in parallel to other requests. */ virtual Model::ListResourceTagsOutcomeCallable ListResourceTagsCallable(const Model::ListResourceTagsRequest& request) const; /** *

Returns a list of all tags for the specified customer master key (CMK).

*

You cannot perform this operation on a CMK in a different AWS * account.

See Also:

AWS * API Reference

* * Queues the request into a thread executor and triggers associated callback when operation has finished. */ virtual void ListResourceTagsAsync(const Model::ListResourceTagsRequest& request, const ListResourceTagsResponseReceivedHandler& handler, const std::shared_ptr& context = nullptr) const; /** *

Returns a list of all grants for which the grant's * RetiringPrincipal matches the one specified.

A typical use * is to list all grants that you are able to retire. To retire a grant, use * RetireGrant.

See Also:

AWS * API Reference

*/ virtual Model::ListRetirableGrantsOutcome ListRetirableGrants(const Model::ListRetirableGrantsRequest& request) const; /** *

Returns a list of all grants for which the grant's * RetiringPrincipal matches the one specified.

A typical use * is to list all grants that you are able to retire. To retire a grant, use * RetireGrant.

See Also:

AWS * API Reference

* * returns a future to the operation so that it can be executed in parallel to other requests. */ virtual Model::ListRetirableGrantsOutcomeCallable ListRetirableGrantsCallable(const Model::ListRetirableGrantsRequest& request) const; /** *

Returns a list of all grants for which the grant's * RetiringPrincipal matches the one specified.

A typical use * is to list all grants that you are able to retire. To retire a grant, use * RetireGrant.

See Also:

AWS * API Reference

* * Queues the request into a thread executor and triggers associated callback when operation has finished. */ virtual void ListRetirableGrantsAsync(const Model::ListRetirableGrantsRequest& request, const ListRetirableGrantsResponseReceivedHandler& handler, const std::shared_ptr& context = nullptr) const; /** *

Attaches a key policy to the specified customer master key (CMK). You cannot * perform this operation on a CMK in a different AWS account.

For more * information about key policies, see Key * Policies in the AWS Key Management Service Developer * Guide.

See Also:

AWS * API Reference

*/ virtual Model::PutKeyPolicyOutcome PutKeyPolicy(const Model::PutKeyPolicyRequest& request) const; /** *

Attaches a key policy to the specified customer master key (CMK). You cannot * perform this operation on a CMK in a different AWS account.

For more * information about key policies, see Key * Policies in the AWS Key Management Service Developer * Guide.

See Also:

AWS * API Reference

* * returns a future to the operation so that it can be executed in parallel to other requests. */ virtual Model::PutKeyPolicyOutcomeCallable PutKeyPolicyCallable(const Model::PutKeyPolicyRequest& request) const; /** *

Attaches a key policy to the specified customer master key (CMK). You cannot * perform this operation on a CMK in a different AWS account.

For more * information about key policies, see Key * Policies in the AWS Key Management Service Developer * Guide.

See Also:

AWS * API Reference

* * Queues the request into a thread executor and triggers associated callback when operation has finished. */ virtual void PutKeyPolicyAsync(const Model::PutKeyPolicyRequest& request, const PutKeyPolicyResponseReceivedHandler& handler, const std::shared_ptr& context = nullptr) const; /** *

Decrypts ciphertext and then reencrypts it entirely within AWS KMS. You can * use this operation to change the customer master key (CMK) under which data is * encrypted, such as when you manually * rotate a CMK or change the CMK that protects a ciphertext. You can also use * it to reencrypt ciphertext under the same CMK, such as to change the encryption * context of a ciphertext.

The ReEncrypt operation can * decrypt ciphertext that was encrypted by using an AWS KMS CMK in an AWS KMS * operation, such as Encrypt or GenerateDataKey. It can also decrypt * ciphertext that was encrypted by using the public key of an asymmetric * CMK outside of AWS KMS. However, it cannot decrypt ciphertext produced by * other libraries, such as the AWS * Encryption SDK or Amazon * S3 client-side encryption. These libraries return a ciphertext format that * is incompatible with AWS KMS.

When you use the ReEncrypt * operation, you need to provide information for the decrypt operation and the * subsequent encrypt operation.

  • If your ciphertext was encrypted * under an asymmetric CMK, you must identify the source CMK, that is, the * CMK that encrypted the ciphertext. You must also supply the encryption algorithm * that was used. This information is required to decrypt the data.

  • *

    It is optional, but you can specify a source CMK even when the ciphertext was * encrypted under a symmetric CMK. This ensures that the ciphertext is decrypted * only by using a particular CMK. If the CMK that you specify cannot decrypt the * ciphertext, the ReEncrypt operation fails.

  • To * reencrypt the data, you must specify the destination CMK, that is, the * CMK that re-encrypts the data after it is decrypted. You can select a symmetric * or asymmetric CMK. If the destination CMK is an asymmetric CMK, you must also * provide the encryption algorithm. The algorithm that you choose must be * compatible with the CMK.

    When you use an asymmetric CMK to * encrypt or reencrypt data, be sure to record the CMK and encryption algorithm * that you choose. You will be required to provide the same CMK and encryption * algorithm when you decrypt the data. If the CMK and algorithm do not match the * values used to encrypt the data, the decrypt operation fails.

    You are not * required to supply the CMK ID and encryption algorithm when you decrypt with * symmetric CMKs because AWS KMS stores this information in the ciphertext blob. * AWS KMS cannot store metadata in ciphertext generated with asymmetric keys. The * standard format for asymmetric key ciphertext does not include configurable * fields.

Unlike other AWS KMS API operations, * ReEncrypt callers must have two permissions:

  • * kms:ReEncryptFrom permission on the source CMK

  • * kms:ReEncryptTo permission on the destination CMK

*

To permit reencryption from or to a CMK, include the * "kms:ReEncrypt*" permission in your key * policy. This permission is automatically included in the key policy when you * use the console to create a CMK. But you must include it manually when you * create a CMK programmatically or when you use the PutKeyPolicy operation * to set a key policy.

The CMK that you use for this operation must be in a * compatible key state. For details, see How * Key State Affects Use of a Customer Master Key in the AWS Key Management * Service Developer Guide.

See Also:

AWS API * Reference

*/ virtual Model::ReEncryptOutcome ReEncrypt(const Model::ReEncryptRequest& request) const; /** *

Decrypts ciphertext and then reencrypts it entirely within AWS KMS. You can * use this operation to change the customer master key (CMK) under which data is * encrypted, such as when you manually * rotate a CMK or change the CMK that protects a ciphertext. You can also use * it to reencrypt ciphertext under the same CMK, such as to change the encryption * context of a ciphertext.

The ReEncrypt operation can * decrypt ciphertext that was encrypted by using an AWS KMS CMK in an AWS KMS * operation, such as Encrypt or GenerateDataKey. It can also decrypt * ciphertext that was encrypted by using the public key of an asymmetric * CMK outside of AWS KMS. However, it cannot decrypt ciphertext produced by * other libraries, such as the AWS * Encryption SDK or Amazon * S3 client-side encryption. These libraries return a ciphertext format that * is incompatible with AWS KMS.

When you use the ReEncrypt * operation, you need to provide information for the decrypt operation and the * subsequent encrypt operation.

  • If your ciphertext was encrypted * under an asymmetric CMK, you must identify the source CMK, that is, the * CMK that encrypted the ciphertext. You must also supply the encryption algorithm * that was used. This information is required to decrypt the data.

  • *

    It is optional, but you can specify a source CMK even when the ciphertext was * encrypted under a symmetric CMK. This ensures that the ciphertext is decrypted * only by using a particular CMK. If the CMK that you specify cannot decrypt the * ciphertext, the ReEncrypt operation fails.

  • To * reencrypt the data, you must specify the destination CMK, that is, the * CMK that re-encrypts the data after it is decrypted. You can select a symmetric * or asymmetric CMK. If the destination CMK is an asymmetric CMK, you must also * provide the encryption algorithm. The algorithm that you choose must be * compatible with the CMK.

    When you use an asymmetric CMK to * encrypt or reencrypt data, be sure to record the CMK and encryption algorithm * that you choose. You will be required to provide the same CMK and encryption * algorithm when you decrypt the data. If the CMK and algorithm do not match the * values used to encrypt the data, the decrypt operation fails.

    You are not * required to supply the CMK ID and encryption algorithm when you decrypt with * symmetric CMKs because AWS KMS stores this information in the ciphertext blob. * AWS KMS cannot store metadata in ciphertext generated with asymmetric keys. The * standard format for asymmetric key ciphertext does not include configurable * fields.

Unlike other AWS KMS API operations, * ReEncrypt callers must have two permissions:

  • * kms:ReEncryptFrom permission on the source CMK

  • * kms:ReEncryptTo permission on the destination CMK

*

To permit reencryption from or to a CMK, include the * "kms:ReEncrypt*" permission in your key * policy. This permission is automatically included in the key policy when you * use the console to create a CMK. But you must include it manually when you * create a CMK programmatically or when you use the PutKeyPolicy operation * to set a key policy.

The CMK that you use for this operation must be in a * compatible key state. For details, see How * Key State Affects Use of a Customer Master Key in the AWS Key Management * Service Developer Guide.

See Also:

AWS API * Reference

* * returns a future to the operation so that it can be executed in parallel to other requests. */ virtual Model::ReEncryptOutcomeCallable ReEncryptCallable(const Model::ReEncryptRequest& request) const; /** *

Decrypts ciphertext and then reencrypts it entirely within AWS KMS. You can * use this operation to change the customer master key (CMK) under which data is * encrypted, such as when you manually * rotate a CMK or change the CMK that protects a ciphertext. You can also use * it to reencrypt ciphertext under the same CMK, such as to change the encryption * context of a ciphertext.

The ReEncrypt operation can * decrypt ciphertext that was encrypted by using an AWS KMS CMK in an AWS KMS * operation, such as Encrypt or GenerateDataKey. It can also decrypt * ciphertext that was encrypted by using the public key of an asymmetric * CMK outside of AWS KMS. However, it cannot decrypt ciphertext produced by * other libraries, such as the AWS * Encryption SDK or Amazon * S3 client-side encryption. These libraries return a ciphertext format that * is incompatible with AWS KMS.

When you use the ReEncrypt * operation, you need to provide information for the decrypt operation and the * subsequent encrypt operation.

  • If your ciphertext was encrypted * under an asymmetric CMK, you must identify the source CMK, that is, the * CMK that encrypted the ciphertext. You must also supply the encryption algorithm * that was used. This information is required to decrypt the data.

  • *

    It is optional, but you can specify a source CMK even when the ciphertext was * encrypted under a symmetric CMK. This ensures that the ciphertext is decrypted * only by using a particular CMK. If the CMK that you specify cannot decrypt the * ciphertext, the ReEncrypt operation fails.

  • To * reencrypt the data, you must specify the destination CMK, that is, the * CMK that re-encrypts the data after it is decrypted. You can select a symmetric * or asymmetric CMK. If the destination CMK is an asymmetric CMK, you must also * provide the encryption algorithm. The algorithm that you choose must be * compatible with the CMK.

    When you use an asymmetric CMK to * encrypt or reencrypt data, be sure to record the CMK and encryption algorithm * that you choose. You will be required to provide the same CMK and encryption * algorithm when you decrypt the data. If the CMK and algorithm do not match the * values used to encrypt the data, the decrypt operation fails.

    You are not * required to supply the CMK ID and encryption algorithm when you decrypt with * symmetric CMKs because AWS KMS stores this information in the ciphertext blob. * AWS KMS cannot store metadata in ciphertext generated with asymmetric keys. The * standard format for asymmetric key ciphertext does not include configurable * fields.

Unlike other AWS KMS API operations, * ReEncrypt callers must have two permissions:

  • * kms:ReEncryptFrom permission on the source CMK

  • * kms:ReEncryptTo permission on the destination CMK

*

To permit reencryption from or to a CMK, include the * "kms:ReEncrypt*" permission in your key * policy. This permission is automatically included in the key policy when you * use the console to create a CMK. But you must include it manually when you * create a CMK programmatically or when you use the PutKeyPolicy operation * to set a key policy.

The CMK that you use for this operation must be in a * compatible key state. For details, see How * Key State Affects Use of a Customer Master Key in the AWS Key Management * Service Developer Guide.

See Also:

AWS API * Reference

* * Queues the request into a thread executor and triggers associated callback when operation has finished. */ virtual void ReEncryptAsync(const Model::ReEncryptRequest& request, const ReEncryptResponseReceivedHandler& handler, const std::shared_ptr& context = nullptr) const; /** *

Retires a grant. To clean up, you can retire a grant when you're done using * it. You should revoke a grant when you intend to actively deny operations that * depend on it. The following are permitted to call this API:

  • The * AWS account (root user) under which the grant was created

  • The * RetiringPrincipal, if present in the grant

  • The * GranteePrincipal, if RetireGrant is an operation * specified in the grant

You must identify the grant to retire * by its grant token or by a combination of the grant ID and the Amazon Resource * Name (ARN) of the customer master key (CMK). A grant token is a unique * variable-length base64-encoded string. A grant ID is a 64 character unique * identifier of a grant. The CreateGrant operation returns * both.

See Also:

AWS API * Reference

*/ virtual Model::RetireGrantOutcome RetireGrant(const Model::RetireGrantRequest& request) const; /** *

Retires a grant. To clean up, you can retire a grant when you're done using * it. You should revoke a grant when you intend to actively deny operations that * depend on it. The following are permitted to call this API:

  • The * AWS account (root user) under which the grant was created

  • The * RetiringPrincipal, if present in the grant

  • The * GranteePrincipal, if RetireGrant is an operation * specified in the grant

You must identify the grant to retire * by its grant token or by a combination of the grant ID and the Amazon Resource * Name (ARN) of the customer master key (CMK). A grant token is a unique * variable-length base64-encoded string. A grant ID is a 64 character unique * identifier of a grant. The CreateGrant operation returns * both.

See Also:

AWS API * Reference

* * returns a future to the operation so that it can be executed in parallel to other requests. */ virtual Model::RetireGrantOutcomeCallable RetireGrantCallable(const Model::RetireGrantRequest& request) const; /** *

Retires a grant. To clean up, you can retire a grant when you're done using * it. You should revoke a grant when you intend to actively deny operations that * depend on it. The following are permitted to call this API:

  • The * AWS account (root user) under which the grant was created

  • The * RetiringPrincipal, if present in the grant

  • The * GranteePrincipal, if RetireGrant is an operation * specified in the grant

You must identify the grant to retire * by its grant token or by a combination of the grant ID and the Amazon Resource * Name (ARN) of the customer master key (CMK). A grant token is a unique * variable-length base64-encoded string. A grant ID is a 64 character unique * identifier of a grant. The CreateGrant operation returns * both.

See Also:

AWS API * Reference

* * Queues the request into a thread executor and triggers associated callback when operation has finished. */ virtual void RetireGrantAsync(const Model::RetireGrantRequest& request, const RetireGrantResponseReceivedHandler& handler, const std::shared_ptr& context = nullptr) const; /** *

Revokes the specified grant for the specified customer master key (CMK). You * can revoke a grant to actively deny operations that depend on it.

To * perform this operation on a CMK in a different AWS account, specify the key ARN * in the value of the KeyId parameter.

See Also:

AWS API * Reference

*/ virtual Model::RevokeGrantOutcome RevokeGrant(const Model::RevokeGrantRequest& request) const; /** *

Revokes the specified grant for the specified customer master key (CMK). You * can revoke a grant to actively deny operations that depend on it.

To * perform this operation on a CMK in a different AWS account, specify the key ARN * in the value of the KeyId parameter.

See Also:

AWS API * Reference

* * returns a future to the operation so that it can be executed in parallel to other requests. */ virtual Model::RevokeGrantOutcomeCallable RevokeGrantCallable(const Model::RevokeGrantRequest& request) const; /** *

Revokes the specified grant for the specified customer master key (CMK). You * can revoke a grant to actively deny operations that depend on it.

To * perform this operation on a CMK in a different AWS account, specify the key ARN * in the value of the KeyId parameter.

See Also:

AWS API * Reference

* * Queues the request into a thread executor and triggers associated callback when operation has finished. */ virtual void RevokeGrantAsync(const Model::RevokeGrantRequest& request, const RevokeGrantResponseReceivedHandler& handler, const std::shared_ptr& context = nullptr) const; /** *

Schedules the deletion of a customer master key (CMK). You may provide a * waiting period, specified in days, before deletion occurs. If you do not provide * a waiting period, the default period of 30 days is used. When this operation is * successful, the key state of the CMK changes to PendingDeletion. * Before the waiting period ends, you can use CancelKeyDeletion to cancel * the deletion of the CMK. After the waiting period ends, AWS KMS deletes the CMK * and all AWS KMS data associated with it, including all aliases that refer to * it.

Deleting a CMK is a destructive and potentially dangerous * operation. When a CMK is deleted, all data that was encrypted under the CMK is * unrecoverable. To prevent the use of a CMK without deleting it, use * DisableKey.

If you schedule deletion of a CMK from a * custom * key store, when the waiting period expires, ScheduleKeyDeletion * deletes the CMK from AWS KMS. Then AWS KMS makes a best effort to delete the key * material from the associated AWS CloudHSM cluster. However, you might need to * manually delete * the orphaned key material from the cluster and its backups.

You * cannot perform this operation on a CMK in a different AWS account.

For * more information about scheduling a CMK for deletion, see Deleting * Customer Master Keys in the AWS Key Management Service Developer * Guide.

The CMK that you use for this operation must be in a * compatible key state. For details, see How * Key State Affects Use of a Customer Master Key in the AWS Key Management * Service Developer Guide.

See Also:

AWS * API Reference

*/ virtual Model::ScheduleKeyDeletionOutcome ScheduleKeyDeletion(const Model::ScheduleKeyDeletionRequest& request) const; /** *

Schedules the deletion of a customer master key (CMK). You may provide a * waiting period, specified in days, before deletion occurs. If you do not provide * a waiting period, the default period of 30 days is used. When this operation is * successful, the key state of the CMK changes to PendingDeletion. * Before the waiting period ends, you can use CancelKeyDeletion to cancel * the deletion of the CMK. After the waiting period ends, AWS KMS deletes the CMK * and all AWS KMS data associated with it, including all aliases that refer to * it.

Deleting a CMK is a destructive and potentially dangerous * operation. When a CMK is deleted, all data that was encrypted under the CMK is * unrecoverable. To prevent the use of a CMK without deleting it, use * DisableKey.

If you schedule deletion of a CMK from a * custom * key store, when the waiting period expires, ScheduleKeyDeletion * deletes the CMK from AWS KMS. Then AWS KMS makes a best effort to delete the key * material from the associated AWS CloudHSM cluster. However, you might need to * manually delete * the orphaned key material from the cluster and its backups.

You * cannot perform this operation on a CMK in a different AWS account.

For * more information about scheduling a CMK for deletion, see Deleting * Customer Master Keys in the AWS Key Management Service Developer * Guide.

The CMK that you use for this operation must be in a * compatible key state. For details, see How * Key State Affects Use of a Customer Master Key in the AWS Key Management * Service Developer Guide.

See Also:

AWS * API Reference

* * returns a future to the operation so that it can be executed in parallel to other requests. */ virtual Model::ScheduleKeyDeletionOutcomeCallable ScheduleKeyDeletionCallable(const Model::ScheduleKeyDeletionRequest& request) const; /** *

Schedules the deletion of a customer master key (CMK). You may provide a * waiting period, specified in days, before deletion occurs. If you do not provide * a waiting period, the default period of 30 days is used. When this operation is * successful, the key state of the CMK changes to PendingDeletion. * Before the waiting period ends, you can use CancelKeyDeletion to cancel * the deletion of the CMK. After the waiting period ends, AWS KMS deletes the CMK * and all AWS KMS data associated with it, including all aliases that refer to * it.

Deleting a CMK is a destructive and potentially dangerous * operation. When a CMK is deleted, all data that was encrypted under the CMK is * unrecoverable. To prevent the use of a CMK without deleting it, use * DisableKey.

If you schedule deletion of a CMK from a * custom * key store, when the waiting period expires, ScheduleKeyDeletion * deletes the CMK from AWS KMS. Then AWS KMS makes a best effort to delete the key * material from the associated AWS CloudHSM cluster. However, you might need to * manually delete * the orphaned key material from the cluster and its backups.

You * cannot perform this operation on a CMK in a different AWS account.

For * more information about scheduling a CMK for deletion, see Deleting * Customer Master Keys in the AWS Key Management Service Developer * Guide.

The CMK that you use for this operation must be in a * compatible key state. For details, see How * Key State Affects Use of a Customer Master Key in the AWS Key Management * Service Developer Guide.

See Also:

AWS * API Reference

* * Queues the request into a thread executor and triggers associated callback when operation has finished. */ virtual void ScheduleKeyDeletionAsync(const Model::ScheduleKeyDeletionRequest& request, const ScheduleKeyDeletionResponseReceivedHandler& handler, const std::shared_ptr& context = nullptr) const; /** *

Creates a digital * signature for a message or message digest by using the private key in an * asymmetric CMK. To verify the signature, use the Verify operation, or use * the public key in the same asymmetric CMK outside of AWS KMS. For information * about symmetric and asymmetric CMKs, see Using * Symmetric and Asymmetric CMKs in the AWS Key Management Service Developer * Guide.

Digital signatures are generated and verified by using * asymmetric key pair, such as an RSA or ECC pair that is represented by an * asymmetric customer master key (CMK). The key owner (or an authorized user) uses * their private key to sign a message. Anyone with the public key can verify that * the message was signed with that particular private key and that the message * hasn't changed since it was signed.

To use the Sign * operation, provide the following information:

  • Use the * KeyId parameter to identify an asymmetric CMK with a * KeyUsage value of SIGN_VERIFY. To get the * KeyUsage value of a CMK, use the DescribeKey operation. The * caller must have kms:Sign permission on the CMK.

  • *

    Use the Message parameter to specify the message or message * digest to sign. You can submit messages of up to 4096 bytes. To sign a larger * message, generate a hash digest of the message, and then provide the hash digest * in the Message parameter. To indicate whether the message is a full * message or a digest, use the MessageType parameter.

  • *

    Choose a signing algorithm that is compatible with the CMK.

*

When signing a message, be sure to record the CMK and the signing * algorithm. This information is required to verify the signature.

*

To verify the signature that this operation generates, use the * Verify operation. Or use the GetPublicKey operation to download * the public key and then use the public key to verify the signature outside of * AWS KMS.

The CMK that you use for this operation must be in a compatible * key state. For details, see How * Key State Affects Use of a Customer Master Key in the AWS Key Management * Service Developer Guide.

See Also:

AWS API * Reference

*/ virtual Model::SignOutcome Sign(const Model::SignRequest& request) const; /** *

Creates a digital * signature for a message or message digest by using the private key in an * asymmetric CMK. To verify the signature, use the Verify operation, or use * the public key in the same asymmetric CMK outside of AWS KMS. For information * about symmetric and asymmetric CMKs, see Using * Symmetric and Asymmetric CMKs in the AWS Key Management Service Developer * Guide.

Digital signatures are generated and verified by using * asymmetric key pair, such as an RSA or ECC pair that is represented by an * asymmetric customer master key (CMK). The key owner (or an authorized user) uses * their private key to sign a message. Anyone with the public key can verify that * the message was signed with that particular private key and that the message * hasn't changed since it was signed.

To use the Sign * operation, provide the following information:

  • Use the * KeyId parameter to identify an asymmetric CMK with a * KeyUsage value of SIGN_VERIFY. To get the * KeyUsage value of a CMK, use the DescribeKey operation. The * caller must have kms:Sign permission on the CMK.

  • *

    Use the Message parameter to specify the message or message * digest to sign. You can submit messages of up to 4096 bytes. To sign a larger * message, generate a hash digest of the message, and then provide the hash digest * in the Message parameter. To indicate whether the message is a full * message or a digest, use the MessageType parameter.

  • *

    Choose a signing algorithm that is compatible with the CMK.

*

When signing a message, be sure to record the CMK and the signing * algorithm. This information is required to verify the signature.

*

To verify the signature that this operation generates, use the * Verify operation. Or use the GetPublicKey operation to download * the public key and then use the public key to verify the signature outside of * AWS KMS.

The CMK that you use for this operation must be in a compatible * key state. For details, see How * Key State Affects Use of a Customer Master Key in the AWS Key Management * Service Developer Guide.

See Also:

AWS API * Reference

* * returns a future to the operation so that it can be executed in parallel to other requests. */ virtual Model::SignOutcomeCallable SignCallable(const Model::SignRequest& request) const; /** *

Creates a digital * signature for a message or message digest by using the private key in an * asymmetric CMK. To verify the signature, use the Verify operation, or use * the public key in the same asymmetric CMK outside of AWS KMS. For information * about symmetric and asymmetric CMKs, see Using * Symmetric and Asymmetric CMKs in the AWS Key Management Service Developer * Guide.

Digital signatures are generated and verified by using * asymmetric key pair, such as an RSA or ECC pair that is represented by an * asymmetric customer master key (CMK). The key owner (or an authorized user) uses * their private key to sign a message. Anyone with the public key can verify that * the message was signed with that particular private key and that the message * hasn't changed since it was signed.

To use the Sign * operation, provide the following information:

  • Use the * KeyId parameter to identify an asymmetric CMK with a * KeyUsage value of SIGN_VERIFY. To get the * KeyUsage value of a CMK, use the DescribeKey operation. The * caller must have kms:Sign permission on the CMK.

  • *

    Use the Message parameter to specify the message or message * digest to sign. You can submit messages of up to 4096 bytes. To sign a larger * message, generate a hash digest of the message, and then provide the hash digest * in the Message parameter. To indicate whether the message is a full * message or a digest, use the MessageType parameter.

  • *

    Choose a signing algorithm that is compatible with the CMK.

*

When signing a message, be sure to record the CMK and the signing * algorithm. This information is required to verify the signature.

*

To verify the signature that this operation generates, use the * Verify operation. Or use the GetPublicKey operation to download * the public key and then use the public key to verify the signature outside of * AWS KMS.

The CMK that you use for this operation must be in a compatible * key state. For details, see How * Key State Affects Use of a Customer Master Key in the AWS Key Management * Service Developer Guide.

See Also:

AWS API * Reference

* * Queues the request into a thread executor and triggers associated callback when operation has finished. */ virtual void SignAsync(const Model::SignRequest& request, const SignResponseReceivedHandler& handler, const std::shared_ptr& context = nullptr) const; /** *

Adds or edits tags for a customer master key (CMK). You cannot perform this * operation on a CMK in a different AWS account.

Each tag consists of a tag * key and a tag value. Tag keys and tag values are both required, but tag values * can be empty (null) strings.

You can only use a tag key once for each * CMK. If you use the tag key again, AWS KMS replaces the current tag value with * the specified value.

For information about the rules that apply to tag * keys and tag values, see User-Defined * Tag Restrictions in the AWS Billing and Cost Management User * Guide.

The CMK that you use for this operation must be in a * compatible key state. For details, see How * Key State Affects Use of a Customer Master Key in the AWS Key Management * Service Developer Guide.

See Also:

AWS API * Reference

*/ virtual Model::TagResourceOutcome TagResource(const Model::TagResourceRequest& request) const; /** *

Adds or edits tags for a customer master key (CMK). You cannot perform this * operation on a CMK in a different AWS account.

Each tag consists of a tag * key and a tag value. Tag keys and tag values are both required, but tag values * can be empty (null) strings.

You can only use a tag key once for each * CMK. If you use the tag key again, AWS KMS replaces the current tag value with * the specified value.

For information about the rules that apply to tag * keys and tag values, see User-Defined * Tag Restrictions in the AWS Billing and Cost Management User * Guide.

The CMK that you use for this operation must be in a * compatible key state. For details, see How * Key State Affects Use of a Customer Master Key in the AWS Key Management * Service Developer Guide.

See Also:

AWS API * Reference

* * returns a future to the operation so that it can be executed in parallel to other requests. */ virtual Model::TagResourceOutcomeCallable TagResourceCallable(const Model::TagResourceRequest& request) const; /** *

Adds or edits tags for a customer master key (CMK). You cannot perform this * operation on a CMK in a different AWS account.

Each tag consists of a tag * key and a tag value. Tag keys and tag values are both required, but tag values * can be empty (null) strings.

You can only use a tag key once for each * CMK. If you use the tag key again, AWS KMS replaces the current tag value with * the specified value.

For information about the rules that apply to tag * keys and tag values, see User-Defined * Tag Restrictions in the AWS Billing and Cost Management User * Guide.

The CMK that you use for this operation must be in a * compatible key state. For details, see How * Key State Affects Use of a Customer Master Key in the AWS Key Management * Service Developer Guide.

See Also:

AWS API * Reference

* * Queues the request into a thread executor and triggers associated callback when operation has finished. */ virtual void TagResourceAsync(const Model::TagResourceRequest& request, const TagResourceResponseReceivedHandler& handler, const std::shared_ptr& context = nullptr) const; /** *

Removes the specified tags from the specified customer master key (CMK). You * cannot perform this operation on a CMK in a different AWS account.

To * remove a tag, specify the tag key. To change the tag value of an existing tag * key, use TagResource.

The CMK that you use for this operation must * be in a compatible key state. For details, see How * Key State Affects Use of a Customer Master Key in the AWS Key Management * Service Developer Guide.

See Also:

AWS * API Reference

*/ virtual Model::UntagResourceOutcome UntagResource(const Model::UntagResourceRequest& request) const; /** *

Removes the specified tags from the specified customer master key (CMK). You * cannot perform this operation on a CMK in a different AWS account.

To * remove a tag, specify the tag key. To change the tag value of an existing tag * key, use TagResource.

The CMK that you use for this operation must * be in a compatible key state. For details, see How * Key State Affects Use of a Customer Master Key in the AWS Key Management * Service Developer Guide.

See Also:

AWS * API Reference

* * returns a future to the operation so that it can be executed in parallel to other requests. */ virtual Model::UntagResourceOutcomeCallable UntagResourceCallable(const Model::UntagResourceRequest& request) const; /** *

Removes the specified tags from the specified customer master key (CMK). You * cannot perform this operation on a CMK in a different AWS account.

To * remove a tag, specify the tag key. To change the tag value of an existing tag * key, use TagResource.

The CMK that you use for this operation must * be in a compatible key state. For details, see How * Key State Affects Use of a Customer Master Key in the AWS Key Management * Service Developer Guide.

See Also:

AWS * API Reference

* * Queues the request into a thread executor and triggers associated callback when operation has finished. */ virtual void UntagResourceAsync(const Model::UntagResourceRequest& request, const UntagResourceResponseReceivedHandler& handler, const std::shared_ptr& context = nullptr) const; /** *

Associates an existing AWS KMS alias with a different customer master key * (CMK). Each alias is associated with only one CMK at a time, although a CMK can * have multiple aliases. The alias and the CMK must be in the same AWS account and * region. You cannot perform this operation on an alias in a different AWS * account.

The current and new CMK must be the same type (both symmetric * or both asymmetric), and they must have the same key usage * (ENCRYPT_DECRYPT or SIGN_VERIFY). This restriction * prevents errors in code that uses aliases. If you must assign an alias to a * different type of CMK, use DeleteAlias to delete the old alias and * CreateAlias to create a new alias.

You cannot use * UpdateAlias to change an alias name. To change an alias name, use * DeleteAlias to delete the old alias and CreateAlias to create a * new alias.

Because an alias is not a property of a CMK, you can create, * update, and delete the aliases of a CMK without affecting the CMK. Also, aliases * do not appear in the response from the DescribeKey operation. To get the * aliases of all CMKs in the account, use the ListAliases operation.

*

The CMK that you use for this operation must be in a compatible key state. * For details, see How * Key State Affects Use of a Customer Master Key in the AWS Key Management * Service Developer Guide.

See Also:

AWS API * Reference

*/ virtual Model::UpdateAliasOutcome UpdateAlias(const Model::UpdateAliasRequest& request) const; /** *

Associates an existing AWS KMS alias with a different customer master key * (CMK). Each alias is associated with only one CMK at a time, although a CMK can * have multiple aliases. The alias and the CMK must be in the same AWS account and * region. You cannot perform this operation on an alias in a different AWS * account.

The current and new CMK must be the same type (both symmetric * or both asymmetric), and they must have the same key usage * (ENCRYPT_DECRYPT or SIGN_VERIFY). This restriction * prevents errors in code that uses aliases. If you must assign an alias to a * different type of CMK, use DeleteAlias to delete the old alias and * CreateAlias to create a new alias.

You cannot use * UpdateAlias to change an alias name. To change an alias name, use * DeleteAlias to delete the old alias and CreateAlias to create a * new alias.

Because an alias is not a property of a CMK, you can create, * update, and delete the aliases of a CMK without affecting the CMK. Also, aliases * do not appear in the response from the DescribeKey operation. To get the * aliases of all CMKs in the account, use the ListAliases operation.

*

The CMK that you use for this operation must be in a compatible key state. * For details, see How * Key State Affects Use of a Customer Master Key in the AWS Key Management * Service Developer Guide.

See Also:

AWS API * Reference

* * returns a future to the operation so that it can be executed in parallel to other requests. */ virtual Model::UpdateAliasOutcomeCallable UpdateAliasCallable(const Model::UpdateAliasRequest& request) const; /** *

Associates an existing AWS KMS alias with a different customer master key * (CMK). Each alias is associated with only one CMK at a time, although a CMK can * have multiple aliases. The alias and the CMK must be in the same AWS account and * region. You cannot perform this operation on an alias in a different AWS * account.

The current and new CMK must be the same type (both symmetric * or both asymmetric), and they must have the same key usage * (ENCRYPT_DECRYPT or SIGN_VERIFY). This restriction * prevents errors in code that uses aliases. If you must assign an alias to a * different type of CMK, use DeleteAlias to delete the old alias and * CreateAlias to create a new alias.

You cannot use * UpdateAlias to change an alias name. To change an alias name, use * DeleteAlias to delete the old alias and CreateAlias to create a * new alias.

Because an alias is not a property of a CMK, you can create, * update, and delete the aliases of a CMK without affecting the CMK. Also, aliases * do not appear in the response from the DescribeKey operation. To get the * aliases of all CMKs in the account, use the ListAliases operation.

*

The CMK that you use for this operation must be in a compatible key state. * For details, see How * Key State Affects Use of a Customer Master Key in the AWS Key Management * Service Developer Guide.

See Also:

AWS API * Reference

* * Queues the request into a thread executor and triggers associated callback when operation has finished. */ virtual void UpdateAliasAsync(const Model::UpdateAliasRequest& request, const UpdateAliasResponseReceivedHandler& handler, const std::shared_ptr& context = nullptr) const; /** *

Changes the properties of a custom key store. Use the * CustomKeyStoreId parameter to identify the custom key store you * want to edit. Use the remaining parameters to change the properties of the * custom key store.

You can only update a custom key store that is * disconnected. To disconnect the custom key store, use * DisconnectCustomKeyStore. To reconnect the custom key store after the * update completes, use ConnectCustomKeyStore. To find the connection state * of a custom key store, use the DescribeCustomKeyStores operation.

*

Use the parameters of UpdateCustomKeyStore to edit your keystore * settings.

  • Use the NewCustomKeyStoreName parameter to * change the friendly name of the custom key store to the value that you * specify.

  • Use the KeyStorePassword parameter * tell AWS KMS the current password of the * kmsuser crypto user (CU) in the associated AWS CloudHSM * cluster. You can use this parameter to fix * connection failures that occur when AWS KMS cannot log into the associated * cluster because the kmsuser password has changed. This value does * not change the password in the AWS CloudHSM cluster.

  • *

    Use the CloudHsmClusterId parameter to associate the custom key store * with a different, but related, AWS CloudHSM cluster. You can use this parameter * to repair a custom key store if its AWS CloudHSM cluster becomes corrupted or is * deleted, or when you need to create or restore a cluster from a backup.

    *

If the operation succeeds, it returns a JSON object with no * properties.

This operation is part of the Custom * Key Store feature feature in AWS KMS, which combines the convenience and * extensive integration of AWS KMS with the isolation and control of a * single-tenant key store.

See Also:

AWS * API Reference

*/ virtual Model::UpdateCustomKeyStoreOutcome UpdateCustomKeyStore(const Model::UpdateCustomKeyStoreRequest& request) const; /** *

Changes the properties of a custom key store. Use the * CustomKeyStoreId parameter to identify the custom key store you * want to edit. Use the remaining parameters to change the properties of the * custom key store.

You can only update a custom key store that is * disconnected. To disconnect the custom key store, use * DisconnectCustomKeyStore. To reconnect the custom key store after the * update completes, use ConnectCustomKeyStore. To find the connection state * of a custom key store, use the DescribeCustomKeyStores operation.

*

Use the parameters of UpdateCustomKeyStore to edit your keystore * settings.

  • Use the NewCustomKeyStoreName parameter to * change the friendly name of the custom key store to the value that you * specify.

  • Use the KeyStorePassword parameter * tell AWS KMS the current password of the * kmsuser crypto user (CU) in the associated AWS CloudHSM * cluster. You can use this parameter to fix * connection failures that occur when AWS KMS cannot log into the associated * cluster because the kmsuser password has changed. This value does * not change the password in the AWS CloudHSM cluster.

  • *

    Use the CloudHsmClusterId parameter to associate the custom key store * with a different, but related, AWS CloudHSM cluster. You can use this parameter * to repair a custom key store if its AWS CloudHSM cluster becomes corrupted or is * deleted, or when you need to create or restore a cluster from a backup.

    *

If the operation succeeds, it returns a JSON object with no * properties.

This operation is part of the Custom * Key Store feature feature in AWS KMS, which combines the convenience and * extensive integration of AWS KMS with the isolation and control of a * single-tenant key store.

See Also:

AWS * API Reference

* * returns a future to the operation so that it can be executed in parallel to other requests. */ virtual Model::UpdateCustomKeyStoreOutcomeCallable UpdateCustomKeyStoreCallable(const Model::UpdateCustomKeyStoreRequest& request) const; /** *

Changes the properties of a custom key store. Use the * CustomKeyStoreId parameter to identify the custom key store you * want to edit. Use the remaining parameters to change the properties of the * custom key store.

You can only update a custom key store that is * disconnected. To disconnect the custom key store, use * DisconnectCustomKeyStore. To reconnect the custom key store after the * update completes, use ConnectCustomKeyStore. To find the connection state * of a custom key store, use the DescribeCustomKeyStores operation.

*

Use the parameters of UpdateCustomKeyStore to edit your keystore * settings.

  • Use the NewCustomKeyStoreName parameter to * change the friendly name of the custom key store to the value that you * specify.

  • Use the KeyStorePassword parameter * tell AWS KMS the current password of the * kmsuser crypto user (CU) in the associated AWS CloudHSM * cluster. You can use this parameter to fix * connection failures that occur when AWS KMS cannot log into the associated * cluster because the kmsuser password has changed. This value does * not change the password in the AWS CloudHSM cluster.

  • *

    Use the CloudHsmClusterId parameter to associate the custom key store * with a different, but related, AWS CloudHSM cluster. You can use this parameter * to repair a custom key store if its AWS CloudHSM cluster becomes corrupted or is * deleted, or when you need to create or restore a cluster from a backup.

    *

If the operation succeeds, it returns a JSON object with no * properties.

This operation is part of the Custom * Key Store feature feature in AWS KMS, which combines the convenience and * extensive integration of AWS KMS with the isolation and control of a * single-tenant key store.

See Also:

AWS * API Reference

* * Queues the request into a thread executor and triggers associated callback when operation has finished. */ virtual void UpdateCustomKeyStoreAsync(const Model::UpdateCustomKeyStoreRequest& request, const UpdateCustomKeyStoreResponseReceivedHandler& handler, const std::shared_ptr& context = nullptr) const; /** *

Updates the description of a customer master key (CMK). To see the * description of a CMK, use DescribeKey.

You cannot perform this * operation on a CMK in a different AWS account.

The CMK that you use for * this operation must be in a compatible key state. For details, see How * Key State Affects Use of a Customer Master Key in the AWS Key Management * Service Developer Guide.

See Also:

AWS * API Reference

*/ virtual Model::UpdateKeyDescriptionOutcome UpdateKeyDescription(const Model::UpdateKeyDescriptionRequest& request) const; /** *

Updates the description of a customer master key (CMK). To see the * description of a CMK, use DescribeKey.

You cannot perform this * operation on a CMK in a different AWS account.

The CMK that you use for * this operation must be in a compatible key state. For details, see How * Key State Affects Use of a Customer Master Key in the AWS Key Management * Service Developer Guide.

See Also:

AWS * API Reference

* * returns a future to the operation so that it can be executed in parallel to other requests. */ virtual Model::UpdateKeyDescriptionOutcomeCallable UpdateKeyDescriptionCallable(const Model::UpdateKeyDescriptionRequest& request) const; /** *

Updates the description of a customer master key (CMK). To see the * description of a CMK, use DescribeKey.

You cannot perform this * operation on a CMK in a different AWS account.

The CMK that you use for * this operation must be in a compatible key state. For details, see How * Key State Affects Use of a Customer Master Key in the AWS Key Management * Service Developer Guide.

See Also:

AWS * API Reference

* * Queues the request into a thread executor and triggers associated callback when operation has finished. */ virtual void UpdateKeyDescriptionAsync(const Model::UpdateKeyDescriptionRequest& request, const UpdateKeyDescriptionResponseReceivedHandler& handler, const std::shared_ptr& context = nullptr) const; /** *

Verifies a digital signature that was generated by the Sign operation. *

Verification confirms that an authorized user signed the message * with the specified CMK and signing algorithm, and the message hasn't changed * since it was signed. If the signature is verified, the value of the * SignatureValid field in the response is True. If the * signature verification fails, the Verify operation fails with an * KMSInvalidSignatureException exception.

A digital signature * is generated by using the private key in an asymmetric CMK. The signature is * verified by using the public key in the same asymmetric CMK. For information * about symmetric and asymmetric CMKs, see Using * Symmetric and Asymmetric CMKs in the AWS Key Management Service Developer * Guide.

To verify a digital signature, you can use the * Verify operation. Specify the same asymmetric CMK, message, and * signing algorithm that were used to produce the signature.

You can also * verify the digital signature by using the public key of the CMK outside of AWS * KMS. Use the GetPublicKey operation to download the public key in the * asymmetric CMK and then use the public key to verify the signature outside of * AWS KMS. The advantage of using the Verify operation is that it is * performed within AWS KMS. As a result, it's easy to call, the operation is * performed within the FIPS boundary, it is logged in AWS CloudTrail, and you can * use key policy and IAM policy to determine who is authorized to use the CMK to * verify signatures.

The CMK that you use for this operation must be in a * compatible key state. For details, see How * Key State Affects Use of a Customer Master Key in the AWS Key Management * Service Developer Guide.

See Also:

AWS API * Reference

*/ virtual Model::VerifyOutcome Verify(const Model::VerifyRequest& request) const; /** *

Verifies a digital signature that was generated by the Sign operation. *

Verification confirms that an authorized user signed the message * with the specified CMK and signing algorithm, and the message hasn't changed * since it was signed. If the signature is verified, the value of the * SignatureValid field in the response is True. If the * signature verification fails, the Verify operation fails with an * KMSInvalidSignatureException exception.

A digital signature * is generated by using the private key in an asymmetric CMK. The signature is * verified by using the public key in the same asymmetric CMK. For information * about symmetric and asymmetric CMKs, see Using * Symmetric and Asymmetric CMKs in the AWS Key Management Service Developer * Guide.

To verify a digital signature, you can use the * Verify operation. Specify the same asymmetric CMK, message, and * signing algorithm that were used to produce the signature.

You can also * verify the digital signature by using the public key of the CMK outside of AWS * KMS. Use the GetPublicKey operation to download the public key in the * asymmetric CMK and then use the public key to verify the signature outside of * AWS KMS. The advantage of using the Verify operation is that it is * performed within AWS KMS. As a result, it's easy to call, the operation is * performed within the FIPS boundary, it is logged in AWS CloudTrail, and you can * use key policy and IAM policy to determine who is authorized to use the CMK to * verify signatures.

The CMK that you use for this operation must be in a * compatible key state. For details, see How * Key State Affects Use of a Customer Master Key in the AWS Key Management * Service Developer Guide.

See Also:

AWS API * Reference

* * returns a future to the operation so that it can be executed in parallel to other requests. */ virtual Model::VerifyOutcomeCallable VerifyCallable(const Model::VerifyRequest& request) const; /** *

Verifies a digital signature that was generated by the Sign operation. *

Verification confirms that an authorized user signed the message * with the specified CMK and signing algorithm, and the message hasn't changed * since it was signed. If the signature is verified, the value of the * SignatureValid field in the response is True. If the * signature verification fails, the Verify operation fails with an * KMSInvalidSignatureException exception.

A digital signature * is generated by using the private key in an asymmetric CMK. The signature is * verified by using the public key in the same asymmetric CMK. For information * about symmetric and asymmetric CMKs, see Using * Symmetric and Asymmetric CMKs in the AWS Key Management Service Developer * Guide.

To verify a digital signature, you can use the * Verify operation. Specify the same asymmetric CMK, message, and * signing algorithm that were used to produce the signature.

You can also * verify the digital signature by using the public key of the CMK outside of AWS * KMS. Use the GetPublicKey operation to download the public key in the * asymmetric CMK and then use the public key to verify the signature outside of * AWS KMS. The advantage of using the Verify operation is that it is * performed within AWS KMS. As a result, it's easy to call, the operation is * performed within the FIPS boundary, it is logged in AWS CloudTrail, and you can * use key policy and IAM policy to determine who is authorized to use the CMK to * verify signatures.

The CMK that you use for this operation must be in a * compatible key state. For details, see How * Key State Affects Use of a Customer Master Key in the AWS Key Management * Service Developer Guide.

See Also:

AWS API * Reference

* * Queues the request into a thread executor and triggers associated callback when operation has finished. */ virtual void VerifyAsync(const Model::VerifyRequest& request, const VerifyResponseReceivedHandler& handler, const std::shared_ptr& context = nullptr) const; void OverrideEndpoint(const Aws::String& endpoint); private: void init(const Aws::Client::ClientConfiguration& clientConfiguration); void CancelKeyDeletionAsyncHelper(const Model::CancelKeyDeletionRequest& request, const CancelKeyDeletionResponseReceivedHandler& handler, const std::shared_ptr& context) const; void ConnectCustomKeyStoreAsyncHelper(const Model::ConnectCustomKeyStoreRequest& request, const ConnectCustomKeyStoreResponseReceivedHandler& handler, const std::shared_ptr& context) const; void CreateAliasAsyncHelper(const Model::CreateAliasRequest& request, const CreateAliasResponseReceivedHandler& handler, const std::shared_ptr& context) const; void CreateCustomKeyStoreAsyncHelper(const Model::CreateCustomKeyStoreRequest& request, const CreateCustomKeyStoreResponseReceivedHandler& handler, const std::shared_ptr& context) const; void CreateGrantAsyncHelper(const Model::CreateGrantRequest& request, const CreateGrantResponseReceivedHandler& handler, const std::shared_ptr& context) const; void CreateKeyAsyncHelper(const Model::CreateKeyRequest& request, const CreateKeyResponseReceivedHandler& handler, const std::shared_ptr& context) const; void DecryptAsyncHelper(const Model::DecryptRequest& request, const DecryptResponseReceivedHandler& handler, const std::shared_ptr& context) const; void DeleteAliasAsyncHelper(const Model::DeleteAliasRequest& request, const DeleteAliasResponseReceivedHandler& handler, const std::shared_ptr& context) const; void DeleteCustomKeyStoreAsyncHelper(const Model::DeleteCustomKeyStoreRequest& request, const DeleteCustomKeyStoreResponseReceivedHandler& handler, const std::shared_ptr& context) const; void DeleteImportedKeyMaterialAsyncHelper(const Model::DeleteImportedKeyMaterialRequest& request, const DeleteImportedKeyMaterialResponseReceivedHandler& handler, const std::shared_ptr& context) const; void DescribeCustomKeyStoresAsyncHelper(const Model::DescribeCustomKeyStoresRequest& request, const DescribeCustomKeyStoresResponseReceivedHandler& handler, const std::shared_ptr& context) const; void DescribeKeyAsyncHelper(const Model::DescribeKeyRequest& request, const DescribeKeyResponseReceivedHandler& handler, const std::shared_ptr& context) const; void DisableKeyAsyncHelper(const Model::DisableKeyRequest& request, const DisableKeyResponseReceivedHandler& handler, const std::shared_ptr& context) const; void DisableKeyRotationAsyncHelper(const Model::DisableKeyRotationRequest& request, const DisableKeyRotationResponseReceivedHandler& handler, const std::shared_ptr& context) const; void DisconnectCustomKeyStoreAsyncHelper(const Model::DisconnectCustomKeyStoreRequest& request, const DisconnectCustomKeyStoreResponseReceivedHandler& handler, const std::shared_ptr& context) const; void EnableKeyAsyncHelper(const Model::EnableKeyRequest& request, const EnableKeyResponseReceivedHandler& handler, const std::shared_ptr& context) const; void EnableKeyRotationAsyncHelper(const Model::EnableKeyRotationRequest& request, const EnableKeyRotationResponseReceivedHandler& handler, const std::shared_ptr& context) const; void EncryptAsyncHelper(const Model::EncryptRequest& request, const EncryptResponseReceivedHandler& handler, const std::shared_ptr& context) const; void GenerateDataKeyAsyncHelper(const Model::GenerateDataKeyRequest& request, const GenerateDataKeyResponseReceivedHandler& handler, const std::shared_ptr& context) const; void GenerateDataKeyPairAsyncHelper(const Model::GenerateDataKeyPairRequest& request, const GenerateDataKeyPairResponseReceivedHandler& handler, const std::shared_ptr& context) const; void GenerateDataKeyPairWithoutPlaintextAsyncHelper(const Model::GenerateDataKeyPairWithoutPlaintextRequest& request, const GenerateDataKeyPairWithoutPlaintextResponseReceivedHandler& handler, const std::shared_ptr& context) const; void GenerateDataKeyWithoutPlaintextAsyncHelper(const Model::GenerateDataKeyWithoutPlaintextRequest& request, const GenerateDataKeyWithoutPlaintextResponseReceivedHandler& handler, const std::shared_ptr& context) const; void GenerateRandomAsyncHelper(const Model::GenerateRandomRequest& request, const GenerateRandomResponseReceivedHandler& handler, const std::shared_ptr& context) const; void GetKeyPolicyAsyncHelper(const Model::GetKeyPolicyRequest& request, const GetKeyPolicyResponseReceivedHandler& handler, const std::shared_ptr& context) const; void GetKeyRotationStatusAsyncHelper(const Model::GetKeyRotationStatusRequest& request, const GetKeyRotationStatusResponseReceivedHandler& handler, const std::shared_ptr& context) const; void GetParametersForImportAsyncHelper(const Model::GetParametersForImportRequest& request, const GetParametersForImportResponseReceivedHandler& handler, const std::shared_ptr& context) const; void GetPublicKeyAsyncHelper(const Model::GetPublicKeyRequest& request, const GetPublicKeyResponseReceivedHandler& handler, const std::shared_ptr& context) const; void ImportKeyMaterialAsyncHelper(const Model::ImportKeyMaterialRequest& request, const ImportKeyMaterialResponseReceivedHandler& handler, const std::shared_ptr& context) const; void ListAliasesAsyncHelper(const Model::ListAliasesRequest& request, const ListAliasesResponseReceivedHandler& handler, const std::shared_ptr& context) const; void ListGrantsAsyncHelper(const Model::ListGrantsRequest& request, const ListGrantsResponseReceivedHandler& handler, const std::shared_ptr& context) const; void ListKeyPoliciesAsyncHelper(const Model::ListKeyPoliciesRequest& request, const ListKeyPoliciesResponseReceivedHandler& handler, const std::shared_ptr& context) const; void ListKeysAsyncHelper(const Model::ListKeysRequest& request, const ListKeysResponseReceivedHandler& handler, const std::shared_ptr& context) const; void ListResourceTagsAsyncHelper(const Model::ListResourceTagsRequest& request, const ListResourceTagsResponseReceivedHandler& handler, const std::shared_ptr& context) const; void ListRetirableGrantsAsyncHelper(const Model::ListRetirableGrantsRequest& request, const ListRetirableGrantsResponseReceivedHandler& handler, const std::shared_ptr& context) const; void PutKeyPolicyAsyncHelper(const Model::PutKeyPolicyRequest& request, const PutKeyPolicyResponseReceivedHandler& handler, const std::shared_ptr& context) const; void ReEncryptAsyncHelper(const Model::ReEncryptRequest& request, const ReEncryptResponseReceivedHandler& handler, const std::shared_ptr& context) const; void RetireGrantAsyncHelper(const Model::RetireGrantRequest& request, const RetireGrantResponseReceivedHandler& handler, const std::shared_ptr& context) const; void RevokeGrantAsyncHelper(const Model::RevokeGrantRequest& request, const RevokeGrantResponseReceivedHandler& handler, const std::shared_ptr& context) const; void ScheduleKeyDeletionAsyncHelper(const Model::ScheduleKeyDeletionRequest& request, const ScheduleKeyDeletionResponseReceivedHandler& handler, const std::shared_ptr& context) const; void SignAsyncHelper(const Model::SignRequest& request, const SignResponseReceivedHandler& handler, const std::shared_ptr& context) const; void TagResourceAsyncHelper(const Model::TagResourceRequest& request, const TagResourceResponseReceivedHandler& handler, const std::shared_ptr& context) const; void UntagResourceAsyncHelper(const Model::UntagResourceRequest& request, const UntagResourceResponseReceivedHandler& handler, const std::shared_ptr& context) const; void UpdateAliasAsyncHelper(const Model::UpdateAliasRequest& request, const UpdateAliasResponseReceivedHandler& handler, const std::shared_ptr& context) const; void UpdateCustomKeyStoreAsyncHelper(const Model::UpdateCustomKeyStoreRequest& request, const UpdateCustomKeyStoreResponseReceivedHandler& handler, const std::shared_ptr& context) const; void UpdateKeyDescriptionAsyncHelper(const Model::UpdateKeyDescriptionRequest& request, const UpdateKeyDescriptionResponseReceivedHandler& handler, const std::shared_ptr& context) const; void VerifyAsyncHelper(const Model::VerifyRequest& request, const VerifyResponseReceivedHandler& handler, const std::shared_ptr& context) const; Aws::String m_uri; Aws::String m_configScheme; std::shared_ptr m_executor; }; } // namespace KMS } // namespace Aws