/**
 * Copyright Amazon.com, Inc. or its affiliates. All Rights Reserved.
 * SPDX-License-Identifier: Apache-2.0.
 */
#pragma once
#include #include #include #include #include #include #include #include #include

namespace Aws { namespace KMS { namespace Model {

/** */
class AWS_KMS_API CreateKeyRequest : public KMSRequest
{
public:
  CreateKeyRequest();

  // Service request name is the Operation name which will send this request out;
  // each operation should have a unique request name, so that we can get the operation's name from this request.
  // Note: this is not true for the response; multiple operations may have the same response name,
  // so we cannot get the operation's name from the response.
  inline virtual const char* GetServiceRequestName() const override { return "CreateKey"; }

  Aws::String SerializePayload() const override;

  Aws::Http::HeaderValueCollection GetRequestSpecificHeaders() const override;

  /** *

The key policy to attach to the CMK.

If you provide a key policy, it must meet the following criteria:

  • If you don't set BypassPolicyLockoutSafetyCheck to true, the key policy must allow the principal that is making the CreateKey request to make a subsequent PutKeyPolicy request on the CMK. This reduces the risk that the CMK becomes unmanageable. For more information, refer to the scenario in the Default Key Policy section of the AWS Key Management Service Developer Guide.

  • Each statement in the key policy must contain one or more principals. The principals in the key policy must exist and be visible to AWS KMS. When you create a new AWS principal (for example, an IAM user or role), you might need to enforce a delay before including the new principal in a key policy because the new principal might not be immediately visible to AWS KMS. For more information, see Changes that I make are not always immediately visible in the AWS Identity and Access Management User Guide.

If you do not provide a key policy, AWS KMS attaches a default key policy to the CMK. For more information, see Default Key Policy in the AWS Key Management Service Developer Guide.

The key policy size quota is 32 kilobytes (32768 bytes).

*/ inline const Aws::String& GetPolicy() const{ return m_policy; } /** *

The key policy to attach to the CMK.

If you provide a key policy, it must meet the following criteria:

  • If you don't set BypassPolicyLockoutSafetyCheck to true, the key policy must allow the principal that is making the CreateKey request to make a subsequent PutKeyPolicy request on the CMK. This reduces the risk that the CMK becomes unmanageable. For more information, refer to the scenario in the Default Key Policy section of the AWS Key Management Service Developer Guide.

  • Each statement in the key policy must contain one or more principals. The principals in the key policy must exist and be visible to AWS KMS. When you create a new AWS principal (for example, an IAM user or role), you might need to enforce a delay before including the new principal in a key policy because the new principal might not be immediately visible to AWS KMS. For more information, see Changes that I make are not always immediately visible in the AWS Identity and Access Management User Guide.

If you do not provide a key policy, AWS KMS attaches a default key policy to the CMK. For more information, see Default Key Policy in the AWS Key Management Service Developer Guide.

The key policy size quota is 32 kilobytes (32768 bytes).

*/ inline bool PolicyHasBeenSet() const { return m_policyHasBeenSet; } /** *

The key policy to attach to the CMK.

If you provide a key policy, it must meet the following criteria:

  • If you don't set BypassPolicyLockoutSafetyCheck to true, the key policy must allow the principal that is making the CreateKey request to make a subsequent PutKeyPolicy request on the CMK. This reduces the risk that the CMK becomes unmanageable. For more information, refer to the scenario in the Default Key Policy section of the AWS Key Management Service Developer Guide.

  • Each statement in the key policy must contain one or more principals. The principals in the key policy must exist and be visible to AWS KMS. When you create a new AWS principal (for example, an IAM user or role), you might need to enforce a delay before including the new principal in a key policy because the new principal might not be immediately visible to AWS KMS. For more information, see Changes that I make are not always immediately visible in the AWS Identity and Access Management User Guide.

If you do not provide a key policy, AWS KMS attaches a default key policy to the CMK. For more information, see Default Key Policy in the AWS Key Management Service Developer Guide.

The key policy size quota is 32 kilobytes (32768 bytes).

*/ inline void SetPolicy(const Aws::String& value) { m_policyHasBeenSet = true; m_policy = value; } /** *

The key policy to attach to the CMK.

If you provide a key policy, it must meet the following criteria:

  • If you don't set BypassPolicyLockoutSafetyCheck to true, the key policy must allow the principal that is making the CreateKey request to make a subsequent PutKeyPolicy request on the CMK. This reduces the risk that the CMK becomes unmanageable. For more information, refer to the scenario in the Default Key Policy section of the AWS Key Management Service Developer Guide.

  • Each statement in the key policy must contain one or more principals. The principals in the key policy must exist and be visible to AWS KMS. When you create a new AWS principal (for example, an IAM user or role), you might need to enforce a delay before including the new principal in a key policy because the new principal might not be immediately visible to AWS KMS. For more information, see Changes that I make are not always immediately visible in the AWS Identity and Access Management User Guide.

If you do not provide a key policy, AWS KMS attaches a default key policy to the CMK. For more information, see Default Key Policy in the AWS Key Management Service Developer Guide.

The key policy size quota is 32 kilobytes (32768 bytes).

*/ inline void SetPolicy(Aws::String&& value) { m_policyHasBeenSet = true; m_policy = std::move(value); } /** *

The key policy to attach to the CMK.

If you provide a key policy, it must meet the following criteria:

  • If you don't set BypassPolicyLockoutSafetyCheck to true, the key policy must allow the principal that is making the CreateKey request to make a subsequent PutKeyPolicy request on the CMK. This reduces the risk that the CMK becomes unmanageable. For more information, refer to the scenario in the Default Key Policy section of the AWS Key Management Service Developer Guide.

  • Each statement in the key policy must contain one or more principals. The principals in the key policy must exist and be visible to AWS KMS. When you create a new AWS principal (for example, an IAM user or role), you might need to enforce a delay before including the new principal in a key policy because the new principal might not be immediately visible to AWS KMS. For more information, see Changes that I make are not always immediately visible in the AWS Identity and Access Management User Guide.

If you do not provide a key policy, AWS KMS attaches a default key policy to the CMK. For more information, see Default Key Policy in the AWS Key Management Service Developer Guide.

The key policy size quota is 32 kilobytes (32768 bytes).

*/ inline void SetPolicy(const char* value) { m_policyHasBeenSet = true; m_policy.assign(value); } /** *

The key policy to attach to the CMK.

If you provide a key policy, it must meet the following criteria:

  • If you don't set BypassPolicyLockoutSafetyCheck to true, the key policy must allow the principal that is making the CreateKey request to make a subsequent PutKeyPolicy request on the CMK. This reduces the risk that the CMK becomes unmanageable. For more information, refer to the scenario in the Default Key Policy section of the AWS Key Management Service Developer Guide.

  • Each statement in the key policy must contain one or more principals. The principals in the key policy must exist and be visible to AWS KMS. When you create a new AWS principal (for example, an IAM user or role), you might need to enforce a delay before including the new principal in a key policy because the new principal might not be immediately visible to AWS KMS. For more information, see Changes that I make are not always immediately visible in the AWS Identity and Access Management User Guide.

If you do not provide a key policy, AWS KMS attaches a default key policy to the CMK. For more information, see Default Key Policy in the AWS Key Management Service Developer Guide.

The key policy size quota is 32 kilobytes (32768 bytes).

*/ inline CreateKeyRequest& WithPolicy(const Aws::String& value) { SetPolicy(value); return *this;} /** *

The key policy to attach to the CMK.

If you provide a key policy, it must meet the following criteria:

  • If you don't set BypassPolicyLockoutSafetyCheck to true, the key policy must allow the principal that is making the CreateKey request to make a subsequent PutKeyPolicy request on the CMK. This reduces the risk that the CMK becomes unmanageable. For more information, refer to the scenario in the Default Key Policy section of the AWS Key Management Service Developer Guide.

  • Each statement in the key policy must contain one or more principals. The principals in the key policy must exist and be visible to AWS KMS. When you create a new AWS principal (for example, an IAM user or role), you might need to enforce a delay before including the new principal in a key policy because the new principal might not be immediately visible to AWS KMS. For more information, see Changes that I make are not always immediately visible in the AWS Identity and Access Management User Guide.

If you do not provide a key policy, AWS KMS attaches a default key policy to the CMK. For more information, see Default Key Policy in the AWS Key Management Service Developer Guide.

The key policy size quota is 32 kilobytes (32768 bytes).

*/ inline CreateKeyRequest& WithPolicy(Aws::String&& value) { SetPolicy(std::move(value)); return *this;} /** *

The key policy to attach to the CMK.

If you provide a key policy, it must meet the following criteria:

  • If you don't set BypassPolicyLockoutSafetyCheck to true, the key policy must allow the principal that is making the CreateKey request to make a subsequent PutKeyPolicy request on the CMK. This reduces the risk that the CMK becomes unmanageable. For more information, refer to the scenario in the Default Key Policy section of the AWS Key Management Service Developer Guide.

  • Each statement in the key policy must contain one or more principals. The principals in the key policy must exist and be visible to AWS KMS. When you create a new AWS principal (for example, an IAM user or role), you might need to enforce a delay before including the new principal in a key policy because the new principal might not be immediately visible to AWS KMS. For more information, see Changes that I make are not always immediately visible in the AWS Identity and Access Management User Guide.

If you do not provide a key policy, AWS KMS attaches a default key policy to the CMK. For more information, see Default Key Policy in the AWS Key Management Service Developer Guide.

The key policy size quota is 32 kilobytes (32768 bytes).

*/ inline CreateKeyRequest& WithPolicy(const char* value) { SetPolicy(value); return *this;} /** *

A description of the CMK.

Use a description that helps you decide whether the CMK is appropriate for a task.

*/ inline const Aws::String& GetDescription() const{ return m_description; } /** *

A description of the CMK.

Use a description that helps you decide whether the CMK is appropriate for a task.

*/ inline bool DescriptionHasBeenSet() const { return m_descriptionHasBeenSet; } /** *

A description of the CMK.

Use a description that helps you decide whether the CMK is appropriate for a task.

*/ inline void SetDescription(const Aws::String& value) { m_descriptionHasBeenSet = true; m_description = value; } /** *

A description of the CMK.

Use a description that helps you decide whether the CMK is appropriate for a task.

*/ inline void SetDescription(Aws::String&& value) { m_descriptionHasBeenSet = true; m_description = std::move(value); } /** *

A description of the CMK.

Use a description that helps you decide whether the CMK is appropriate for a task.

*/ inline void SetDescription(const char* value) { m_descriptionHasBeenSet = true; m_description.assign(value); } /** *

A description of the CMK.

Use a description that helps you decide whether the CMK is appropriate for a task.

*/ inline CreateKeyRequest& WithDescription(const Aws::String& value) { SetDescription(value); return *this;} /** *

A description of the CMK.

Use a description that helps you decide whether the CMK is appropriate for a task.

*/ inline CreateKeyRequest& WithDescription(Aws::String&& value) { SetDescription(std::move(value)); return *this;} /** *

A description of the CMK.

Use a description that helps you decide whether the CMK is appropriate for a task.

*/ inline CreateKeyRequest& WithDescription(const char* value) { SetDescription(value); return *this;} /** *

Determines the cryptographic operations for which you can use the CMK. The default value is ENCRYPT_DECRYPT. This parameter is required only for asymmetric CMKs. You can't change the KeyUsage value after the CMK is created.

Select only one valid value.

  • For symmetric CMKs, omit the parameter or specify ENCRYPT_DECRYPT.

  • For asymmetric CMKs with RSA key material, specify ENCRYPT_DECRYPT or SIGN_VERIFY.

  • For asymmetric CMKs with ECC key material, specify SIGN_VERIFY.

*/ inline const KeyUsageType& GetKeyUsage() const{ return m_keyUsage; } /** *

Determines the cryptographic operations for which you can use the CMK. The default value is ENCRYPT_DECRYPT. This parameter is required only for asymmetric CMKs. You can't change the KeyUsage value after the CMK is created.

Select only one valid value.

  • For symmetric CMKs, omit the parameter or specify ENCRYPT_DECRYPT.

  • For asymmetric CMKs with RSA key material, specify ENCRYPT_DECRYPT or SIGN_VERIFY.

  • For asymmetric CMKs with ECC key material, specify SIGN_VERIFY.

*/ inline bool KeyUsageHasBeenSet() const { return m_keyUsageHasBeenSet; } /** *

Determines the cryptographic operations for which you can use the CMK. The default value is ENCRYPT_DECRYPT. This parameter is required only for asymmetric CMKs. You can't change the KeyUsage value after the CMK is created.

Select only one valid value.

  • For symmetric CMKs, omit the parameter or specify ENCRYPT_DECRYPT.

  • For asymmetric CMKs with RSA key material, specify ENCRYPT_DECRYPT or SIGN_VERIFY.

  • For asymmetric CMKs with ECC key material, specify SIGN_VERIFY.

*/ inline void SetKeyUsage(const KeyUsageType& value) { m_keyUsageHasBeenSet = true; m_keyUsage = value; } /** *

Determines the cryptographic operations for which you can use the CMK. The default value is ENCRYPT_DECRYPT. This parameter is required only for asymmetric CMKs. You can't change the KeyUsage value after the CMK is created.

Select only one valid value.

  • For symmetric CMKs, omit the parameter or specify ENCRYPT_DECRYPT.

  • For asymmetric CMKs with RSA key material, specify ENCRYPT_DECRYPT or SIGN_VERIFY.

  • For asymmetric CMKs with ECC key material, specify SIGN_VERIFY.

*/ inline void SetKeyUsage(KeyUsageType&& value) { m_keyUsageHasBeenSet = true; m_keyUsage = std::move(value); } /** *

Determines the cryptographic operations for which you can use the CMK. The default value is ENCRYPT_DECRYPT. This parameter is required only for asymmetric CMKs. You can't change the KeyUsage value after the CMK is created.

Select only one valid value.

  • For symmetric CMKs, omit the parameter or specify ENCRYPT_DECRYPT.

  • For asymmetric CMKs with RSA key material, specify ENCRYPT_DECRYPT or SIGN_VERIFY.

  • For asymmetric CMKs with ECC key material, specify SIGN_VERIFY.

*/ inline CreateKeyRequest& WithKeyUsage(const KeyUsageType& value) { SetKeyUsage(value); return *this;} /** *

Determines the cryptographic operations for which you can use the CMK. The default value is ENCRYPT_DECRYPT. This parameter is required only for asymmetric CMKs. You can't change the KeyUsage value after the CMK is created.

Select only one valid value.

  • For symmetric CMKs, omit the parameter or specify ENCRYPT_DECRYPT.

  • For asymmetric CMKs with RSA key material, specify ENCRYPT_DECRYPT or SIGN_VERIFY.

  • For asymmetric CMKs with ECC key material, specify SIGN_VERIFY.

*/ inline CreateKeyRequest& WithKeyUsage(KeyUsageType&& value) { SetKeyUsage(std::move(value)); return *this;} /** *

Specifies the type of CMK to create. The default value, SYMMETRIC_DEFAULT, creates a CMK with a 256-bit symmetric key for encryption and decryption. For help choosing a key spec for your CMK, see How to Choose Your CMK Configuration in the AWS Key Management Service Developer Guide.

The CustomerMasterKeySpec determines whether the CMK contains a symmetric key or an asymmetric key pair. It also determines the encryption algorithms or signing algorithms that the CMK supports. You can't change the CustomerMasterKeySpec after the CMK is created. To further restrict the algorithms that can be used with the CMK, use a condition key in its key policy or IAM policy. For more information, see kms:EncryptionAlgorithm or kms:Signing Algorithm in the AWS Key Management Service Developer Guide.

AWS services that are integrated with AWS KMS use symmetric CMKs to protect your data. These services do not support asymmetric CMKs. For help determining whether a CMK is symmetric or asymmetric, see Identifying Symmetric and Asymmetric CMKs in the AWS Key Management Service Developer Guide.

AWS KMS supports the following key specs for CMKs:

  • Symmetric key (default)

    • SYMMETRIC_DEFAULT (AES-256-GCM)

  • Asymmetric RSA key pairs

    • RSA_2048

    • RSA_3072

    • RSA_4096

  • Asymmetric NIST-recommended elliptic curve key pairs

    • ECC_NIST_P256 (secp256r1)

    • ECC_NIST_P384 (secp384r1)

    • ECC_NIST_P521 (secp521r1)

  • Other asymmetric elliptic curve key pairs

    • ECC_SECG_P256K1 (secp256k1), commonly used for cryptocurrencies.

*/ inline const CustomerMasterKeySpec& GetCustomerMasterKeySpec() const{ return m_customerMasterKeySpec; } /** *

Specifies the type of CMK to create. The default value, SYMMETRIC_DEFAULT, creates a CMK with a 256-bit symmetric key for encryption and decryption. For help choosing a key spec for your CMK, see How to Choose Your CMK Configuration in the AWS Key Management Service Developer Guide.

The CustomerMasterKeySpec determines whether the CMK contains a symmetric key or an asymmetric key pair. It also determines the encryption algorithms or signing algorithms that the CMK supports. You can't change the CustomerMasterKeySpec after the CMK is created. To further restrict the algorithms that can be used with the CMK, use a condition key in its key policy or IAM policy. For more information, see kms:EncryptionAlgorithm or kms:Signing Algorithm in the AWS Key Management Service Developer Guide.

AWS services that are integrated with AWS KMS use symmetric CMKs to protect your data. These services do not support asymmetric CMKs. For help determining whether a CMK is symmetric or asymmetric, see Identifying Symmetric and Asymmetric CMKs in the AWS Key Management Service Developer Guide.

AWS KMS supports the following key specs for CMKs:

  • Symmetric key (default)

    • SYMMETRIC_DEFAULT (AES-256-GCM)

  • Asymmetric RSA key pairs

    • RSA_2048

    • RSA_3072

    • RSA_4096

  • Asymmetric NIST-recommended elliptic curve key pairs

    • ECC_NIST_P256 (secp256r1)

    • ECC_NIST_P384 (secp384r1)

    • ECC_NIST_P521 (secp521r1)

  • Other asymmetric elliptic curve key pairs

    • ECC_SECG_P256K1 (secp256k1), commonly used for cryptocurrencies.

*/ inline bool CustomerMasterKeySpecHasBeenSet() const { return m_customerMasterKeySpecHasBeenSet; } /** *

Specifies the type of CMK to create. The default value, SYMMETRIC_DEFAULT, creates a CMK with a 256-bit symmetric key for encryption and decryption. For help choosing a key spec for your CMK, see How to Choose Your CMK Configuration in the AWS Key Management Service Developer Guide.

The CustomerMasterKeySpec determines whether the CMK contains a symmetric key or an asymmetric key pair. It also determines the encryption algorithms or signing algorithms that the CMK supports. You can't change the CustomerMasterKeySpec after the CMK is created. To further restrict the algorithms that can be used with the CMK, use a condition key in its key policy or IAM policy. For more information, see kms:EncryptionAlgorithm or kms:Signing Algorithm in the AWS Key Management Service Developer Guide.

AWS services that are integrated with AWS KMS use symmetric CMKs to protect your data. These services do not support asymmetric CMKs. For help determining whether a CMK is symmetric or asymmetric, see Identifying Symmetric and Asymmetric CMKs in the AWS Key Management Service Developer Guide.

AWS KMS supports the following key specs for CMKs:

  • Symmetric key (default)

    • SYMMETRIC_DEFAULT (AES-256-GCM)

  • Asymmetric RSA key pairs

    • RSA_2048

    • RSA_3072

    • RSA_4096

  • Asymmetric NIST-recommended elliptic curve key pairs

    • ECC_NIST_P256 (secp256r1)

    • ECC_NIST_P384 (secp384r1)

    • ECC_NIST_P521 (secp521r1)

  • Other asymmetric elliptic curve key pairs

    • ECC_SECG_P256K1 (secp256k1), commonly used for cryptocurrencies.

*/ inline void SetCustomerMasterKeySpec(const CustomerMasterKeySpec& value) { m_customerMasterKeySpecHasBeenSet = true; m_customerMasterKeySpec = value; } /** *

Specifies the type of CMK to create. The default value, SYMMETRIC_DEFAULT, creates a CMK with a 256-bit symmetric key for encryption and decryption. For help choosing a key spec for your CMK, see How to Choose Your CMK Configuration in the AWS Key Management Service Developer Guide.

The CustomerMasterKeySpec determines whether the CMK contains a symmetric key or an asymmetric key pair. It also determines the encryption algorithms or signing algorithms that the CMK supports. You can't change the CustomerMasterKeySpec after the CMK is created. To further restrict the algorithms that can be used with the CMK, use a condition key in its key policy or IAM policy. For more information, see kms:EncryptionAlgorithm or kms:Signing Algorithm in the AWS Key Management Service Developer Guide.

AWS services that are integrated with AWS KMS use symmetric CMKs to protect your data. These services do not support asymmetric CMKs. For help determining whether a CMK is symmetric or asymmetric, see Identifying Symmetric and Asymmetric CMKs in the AWS Key Management Service Developer Guide.

AWS KMS supports the following key specs for CMKs:

  • Symmetric key (default)

    • SYMMETRIC_DEFAULT (AES-256-GCM)

  • Asymmetric RSA key pairs

    • RSA_2048

    • RSA_3072

    • RSA_4096

  • Asymmetric NIST-recommended elliptic curve key pairs

    • ECC_NIST_P256 (secp256r1)

    • ECC_NIST_P384 (secp384r1)

    • ECC_NIST_P521 (secp521r1)

  • Other asymmetric elliptic curve key pairs

    • ECC_SECG_P256K1 (secp256k1), commonly used for cryptocurrencies.

*/ inline void SetCustomerMasterKeySpec(CustomerMasterKeySpec&& value) { m_customerMasterKeySpecHasBeenSet = true; m_customerMasterKeySpec = std::move(value); } /** *

Specifies the type of CMK to create. The default value, SYMMETRIC_DEFAULT, creates a CMK with a 256-bit symmetric key for encryption and decryption. For help choosing a key spec for your CMK, see How to Choose Your CMK Configuration in the AWS Key Management Service Developer Guide.

The CustomerMasterKeySpec determines whether the CMK contains a symmetric key or an asymmetric key pair. It also determines the encryption algorithms or signing algorithms that the CMK supports. You can't change the CustomerMasterKeySpec after the CMK is created. To further restrict the algorithms that can be used with the CMK, use a condition key in its key policy or IAM policy. For more information, see kms:EncryptionAlgorithm or kms:Signing Algorithm in the AWS Key Management Service Developer Guide.

AWS services that are integrated with AWS KMS use symmetric CMKs to protect your data. These services do not support asymmetric CMKs. For help determining whether a CMK is symmetric or asymmetric, see Identifying Symmetric and Asymmetric CMKs in the AWS Key Management Service Developer Guide.

AWS KMS supports the following key specs for CMKs:

  • Symmetric key (default)

    • SYMMETRIC_DEFAULT (AES-256-GCM)

  • Asymmetric RSA key pairs

    • RSA_2048

    • RSA_3072

    • RSA_4096

  • Asymmetric NIST-recommended elliptic curve key pairs

    • ECC_NIST_P256 (secp256r1)

    • ECC_NIST_P384 (secp384r1)

    • ECC_NIST_P521 (secp521r1)

  • Other asymmetric elliptic curve key pairs

    • ECC_SECG_P256K1 (secp256k1), commonly used for cryptocurrencies.

*/ inline CreateKeyRequest& WithCustomerMasterKeySpec(const CustomerMasterKeySpec& value) { SetCustomerMasterKeySpec(value); return *this;} /** *

Specifies the type of CMK to create. The default value, SYMMETRIC_DEFAULT, creates a CMK with a 256-bit symmetric key for encryption and decryption. For help choosing a key spec for your CMK, see How to Choose Your CMK Configuration in the AWS Key Management Service Developer Guide.

The CustomerMasterKeySpec determines whether the CMK contains a symmetric key or an asymmetric key pair. It also determines the encryption algorithms or signing algorithms that the CMK supports. You can't change the CustomerMasterKeySpec after the CMK is created. To further restrict the algorithms that can be used with the CMK, use a condition key in its key policy or IAM policy. For more information, see kms:EncryptionAlgorithm or kms:Signing Algorithm in the AWS Key Management Service Developer Guide.

AWS services that are integrated with AWS KMS use symmetric CMKs to protect your data. These services do not support asymmetric CMKs. For help determining whether a CMK is symmetric or asymmetric, see Identifying Symmetric and Asymmetric CMKs in the AWS Key Management Service Developer Guide.

AWS KMS supports the following key specs for CMKs:

  • Symmetric key (default)

    • SYMMETRIC_DEFAULT (AES-256-GCM)

  • Asymmetric RSA key pairs

    • RSA_2048

    • RSA_3072

    • RSA_4096

  • Asymmetric NIST-recommended elliptic curve key pairs

    • ECC_NIST_P256 (secp256r1)

    • ECC_NIST_P384 (secp384r1)

    • ECC_NIST_P521 (secp521r1)

  • Other asymmetric elliptic curve key pairs

    • ECC_SECG_P256K1 (secp256k1), commonly used for cryptocurrencies.

*/ inline CreateKeyRequest& WithCustomerMasterKeySpec(CustomerMasterKeySpec&& value) { SetCustomerMasterKeySpec(std::move(value)); return *this;} /** *

The source of the key material for the CMK. You cannot change the origin after you create the CMK. The default is AWS_KMS, which means AWS KMS creates the key material.

When the parameter value is EXTERNAL, AWS KMS creates a CMK without key material so that you can import key material from your existing key management infrastructure. For more information about importing key material into AWS KMS, see Importing Key Material in the AWS Key Management Service Developer Guide. This value is valid only for symmetric CMKs.

When the parameter value is AWS_CLOUDHSM, AWS KMS creates the CMK in an AWS KMS custom key store and creates its key material in the associated AWS CloudHSM cluster. You must also use the CustomKeyStoreId parameter to identify the custom key store. This value is valid only for symmetric CMKs.
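
The KeyUsage, CustomerMasterKeySpec, Origin and CustomKeyStoreId constraints documented in this header, together with the key policy size quota, can be checked on the client before a request is sent. The following is an added example, not part of the SDK header: the enums, the CreateKeyParams struct and validateCreateKeyParams are hypothetical stand-ins that only reuse the value names documented here.

```cpp
// Added example: client-side pre-flight check of CreateKey parameter
// combinations. The enums and CreateKeyParams are hypothetical stand-ins that
// reuse the value names documented in this header; they are not the SDK types.
#include <cstddef>
#include <cstdio>
#include <string>
#include <vector>

enum class Usage { NotSet, ENCRYPT_DECRYPT, SIGN_VERIFY };
enum class Spec {
    NotSet, SYMMETRIC_DEFAULT,
    RSA_2048, RSA_3072, RSA_4096,
    ECC_NIST_P256, ECC_NIST_P384, ECC_NIST_P521, ECC_SECG_P256K1
};
enum class Origin { NotSet, AWS_KMS, EXTERNAL, AWS_CLOUDHSM };

struct CreateKeyParams {
    Usage usage = Usage::NotSet;
    Spec spec = Spec::NotSet;        // NotSet means the SYMMETRIC_DEFAULT default
    Origin origin = Origin::NotSet;  // NotSet means the AWS_KMS default
    std::string customKeyStoreId;
    std::string policy;              // JSON key policy document, may be empty
};

// Quota stated in the Policy documentation: 32 kilobytes (32768 bytes).
static const std::size_t kPolicyQuotaBytes = 32768;

static bool isSymmetric(Spec s) {
    return s == Spec::NotSet || s == Spec::SYMMETRIC_DEFAULT;
}

static bool isRsa(Spec s) {
    return s == Spec::RSA_2048 || s == Spec::RSA_3072 || s == Spec::RSA_4096;
}

// Returns one message per documented constraint that the parameters violate.
// An empty result means the combination is consistent with this header's docs;
// it does not guarantee that the service accepts the request.
std::vector<std::string> validateCreateKeyParams(const CreateKeyParams& p) {
    std::vector<std::string> errors;

    if (isSymmetric(p.spec)) {
        // Symmetric CMKs: omit KeyUsage or specify ENCRYPT_DECRYPT.
        if (p.usage == Usage::SIGN_VERIFY)
            errors.push_back("symmetric CMK: omit KeyUsage or use ENCRYPT_DECRYPT");
    } else {
        // KeyUsage is required for asymmetric CMKs.
        if (p.usage == Usage::NotSet)
            errors.push_back("asymmetric CMK: KeyUsage is required");
        // RSA allows either usage; ECC key material allows SIGN_VERIFY only.
        else if (!isRsa(p.spec) && p.usage != Usage::SIGN_VERIFY)
            errors.push_back("ECC key material: KeyUsage must be SIGN_VERIFY");
        // EXTERNAL and AWS_CLOUDHSM are valid only for symmetric CMKs.
        if (p.origin == Origin::EXTERNAL || p.origin == Origin::AWS_CLOUDHSM)
            errors.push_back("Origin EXTERNAL/AWS_CLOUDHSM is valid only for symmetric CMKs");
    }

    // AWS_CLOUDHSM and CustomKeyStoreId must be specified together.
    if (p.origin == Origin::AWS_CLOUDHSM && p.customKeyStoreId.empty())
        errors.push_back("Origin AWS_CLOUDHSM requires CustomKeyStoreId");
    if (p.origin != Origin::AWS_CLOUDHSM && !p.customKeyStoreId.empty())
        errors.push_back("CustomKeyStoreId requires Origin AWS_CLOUDHSM");

    if (p.policy.size() > kPolicyQuotaBytes)
        errors.push_back("key policy exceeds the 32768-byte quota");

    return errors;
}

int main() {
    // Constructed request: an ECC key asked to encrypt, with imported material.
    CreateKeyParams p;
    p.spec = Spec::ECC_NIST_P256;
    p.usage = Usage::ENCRYPT_DECRYPT;
    p.origin = Origin::EXTERNAL;
    for (const std::string& e : validateCreateKeyParams(p))
        std::printf("rejected: %s\n", e.c_str());
    return 0;
}
```

KeyUsage, CustomerMasterKeySpec and Origin cannot be changed after the CMK is created, so a combination that passes this check should still be reviewed before the key is put into use.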

*/ inline const OriginType& GetOrigin() const{ return m_origin; } /** *

The source of the key material for the CMK. You cannot change the origin after you create the CMK. The default is AWS_KMS, which means AWS KMS creates the key material.

When the parameter value is EXTERNAL, AWS KMS creates a CMK without key material so that you can import key material from your existing key management infrastructure. For more information about importing key material into AWS KMS, see Importing Key Material in the AWS Key Management Service Developer Guide. This value is valid only for symmetric CMKs.

When the parameter value is AWS_CLOUDHSM, AWS KMS creates the CMK in an AWS KMS custom key store and creates its key material in the associated AWS CloudHSM cluster. You must also use the CustomKeyStoreId parameter to identify the custom key store. This value is valid only for symmetric CMKs.

*/ inline bool OriginHasBeenSet() const { return m_originHasBeenSet; } /** *

The source of the key material for the CMK. You cannot change the origin after you create the CMK. The default is AWS_KMS, which means AWS KMS creates the key material.

When the parameter value is EXTERNAL, AWS KMS creates a CMK without key material so that you can import key material from your existing key management infrastructure. For more information about importing key material into AWS KMS, see Importing Key Material in the AWS Key Management Service Developer Guide. This value is valid only for symmetric CMKs.

When the parameter value is AWS_CLOUDHSM, AWS KMS creates the CMK in an AWS KMS custom key store and creates its key material in the associated AWS CloudHSM cluster. You must also use the CustomKeyStoreId parameter to identify the custom key store. This value is valid only for symmetric CMKs.

*/ inline void SetOrigin(const OriginType& value) { m_originHasBeenSet = true; m_origin = value; } /** *

The source of the key material for the CMK. You cannot change the origin after you create the CMK. The default is AWS_KMS, which means AWS KMS creates the key material.

When the parameter value is EXTERNAL, AWS KMS creates a CMK without key material so that you can import key material from your existing key management infrastructure. For more information about importing key material into AWS KMS, see Importing Key Material in the AWS Key Management Service Developer Guide. This value is valid only for symmetric CMKs.

When the parameter value is AWS_CLOUDHSM, AWS KMS creates the CMK in an AWS KMS custom key store and creates its key material in the associated AWS CloudHSM cluster. You must also use the CustomKeyStoreId parameter to identify the custom key store. This value is valid only for symmetric CMKs.

*/ inline void SetOrigin(OriginType&& value) { m_originHasBeenSet = true; m_origin = std::move(value); } /** *

The source of the key material for the CMK. You cannot change the origin after you create the CMK. The default is AWS_KMS, which means AWS KMS creates the key material.

When the parameter value is EXTERNAL, AWS KMS creates a CMK without key material so that you can import key material from your existing key management infrastructure. For more information about importing key material into AWS KMS, see Importing Key Material in the AWS Key Management Service Developer Guide. This value is valid only for symmetric CMKs.

When the parameter value is AWS_CLOUDHSM, AWS KMS creates the CMK in an AWS KMS custom key store and creates its key material in the associated AWS CloudHSM cluster. You must also use the CustomKeyStoreId parameter to identify the custom key store. This value is valid only for symmetric CMKs.

*/ inline CreateKeyRequest& WithOrigin(const OriginType& value) { SetOrigin(value); return *this;} /** *

The source of the key material for the CMK. You cannot change the origin * after you create the CMK. The default is AWS_KMS, which means AWS * KMS creates the key material.

When the parameter value is * EXTERNAL, AWS KMS creates a CMK without key material so that you * can import key material from your existing key management infrastructure. For * more information about importing key material into AWS KMS, see Importing * Key Material in the AWS Key Management Service Developer Guide. This * value is valid only for symmetric CMKs.

When the parameter value is * AWS_CLOUDHSM, AWS KMS creates the CMK in an AWS KMS custom * key store and creates its key material in the associated AWS CloudHSM * cluster. You must also use the CustomKeyStoreId parameter to * identify the custom key store. This value is valid only for symmetric CMKs.

*/ inline CreateKeyRequest& WithOrigin(OriginType&& value) { SetOrigin(std::move(value)); return *this;} /** *

Creates the CMK in the specified custom * key store and the key material in its associated AWS CloudHSM cluster. To * create a CMK in a custom key store, you must also specify the * Origin parameter with a value of AWS_CLOUDHSM. The AWS * CloudHSM cluster that is associated with the custom key store must have at least * two active HSMs, each in a different Availability Zone in the Region.

*

This parameter is valid only for symmetric CMKs. You cannot create an * asymmetric CMK in a custom key store.

To find the ID of a custom key * store, use the DescribeCustomKeyStores operation.

The response * includes the custom key store ID and the ID of the AWS CloudHSM cluster.

*

This operation is part of the Custom Key Store feature in AWS KMS, which combines the convenience and extensive integration of AWS KMS with the isolation and control of a single-tenant key store.

*/ inline const Aws::String& GetCustomKeyStoreId() const{ return m_customKeyStoreId; } /** *

Creates the CMK in the specified custom * key store and the key material in its associated AWS CloudHSM cluster. To * create a CMK in a custom key store, you must also specify the * Origin parameter with a value of AWS_CLOUDHSM. The AWS * CloudHSM cluster that is associated with the custom key store must have at least * two active HSMs, each in a different Availability Zone in the Region.

*

This parameter is valid only for symmetric CMKs. You cannot create an * asymmetric CMK in a custom key store.

To find the ID of a custom key * store, use the DescribeCustomKeyStores operation.

The response * includes the custom key store ID and the ID of the AWS CloudHSM cluster.

*

This operation is part of the Custom Key Store feature in AWS KMS, which combines the convenience and extensive integration of AWS KMS with the isolation and control of a single-tenant key store.

*/ inline bool CustomKeyStoreIdHasBeenSet() const { return m_customKeyStoreIdHasBeenSet; } /** *

Creates the CMK in the specified custom * key store and the key material in its associated AWS CloudHSM cluster. To * create a CMK in a custom key store, you must also specify the * Origin parameter with a value of AWS_CLOUDHSM. The AWS * CloudHSM cluster that is associated with the custom key store must have at least * two active HSMs, each in a different Availability Zone in the Region.

*

This parameter is valid only for symmetric CMKs. You cannot create an * asymmetric CMK in a custom key store.

To find the ID of a custom key * store, use the DescribeCustomKeyStores operation.

The response * includes the custom key store ID and the ID of the AWS CloudHSM cluster.

*

This operation is part of the Custom Key Store feature in AWS KMS, which combines the convenience and extensive integration of AWS KMS with the isolation and control of a single-tenant key store.

*/ inline void SetCustomKeyStoreId(const Aws::String& value) { m_customKeyStoreIdHasBeenSet = true; m_customKeyStoreId = value; } /** *

Creates the CMK in the specified custom * key store and the key material in its associated AWS CloudHSM cluster. To * create a CMK in a custom key store, you must also specify the * Origin parameter with a value of AWS_CLOUDHSM. The AWS * CloudHSM cluster that is associated with the custom key store must have at least * two active HSMs, each in a different Availability Zone in the Region.

*

This parameter is valid only for symmetric CMKs. You cannot create an * asymmetric CMK in a custom key store.

To find the ID of a custom key * store, use the DescribeCustomKeyStores operation.

The response * includes the custom key store ID and the ID of the AWS CloudHSM cluster.

*

This operation is part of the Custom Key Store feature in AWS KMS, which combines the convenience and extensive integration of AWS KMS with the isolation and control of a single-tenant key store.

*/ inline void SetCustomKeyStoreId(Aws::String&& value) { m_customKeyStoreIdHasBeenSet = true; m_customKeyStoreId = std::move(value); } /** *

Creates the CMK in the specified custom * key store and the key material in its associated AWS CloudHSM cluster. To * create a CMK in a custom key store, you must also specify the * Origin parameter with a value of AWS_CLOUDHSM. The AWS * CloudHSM cluster that is associated with the custom key store must have at least * two active HSMs, each in a different Availability Zone in the Region.

*

This parameter is valid only for symmetric CMKs. You cannot create an * asymmetric CMK in a custom key store.

To find the ID of a custom key * store, use the DescribeCustomKeyStores operation.

The response * includes the custom key store ID and the ID of the AWS CloudHSM cluster.

*

This operation is part of the Custom Key Store feature in AWS KMS, which combines the convenience and extensive integration of AWS KMS with the isolation and control of a single-tenant key store.

*/ inline void SetCustomKeyStoreId(const char* value) { m_customKeyStoreIdHasBeenSet = true; m_customKeyStoreId.assign(value); } /** *

Creates the CMK in the specified custom * key store and the key material in its associated AWS CloudHSM cluster. To * create a CMK in a custom key store, you must also specify the * Origin parameter with a value of AWS_CLOUDHSM. The AWS * CloudHSM cluster that is associated with the custom key store must have at least * two active HSMs, each in a different Availability Zone in the Region.

*

This parameter is valid only for symmetric CMKs. You cannot create an * asymmetric CMK in a custom key store.

To find the ID of a custom key * store, use the DescribeCustomKeyStores operation.

The response * includes the custom key store ID and the ID of the AWS CloudHSM cluster.

*

This operation is part of the Custom Key Store feature in AWS KMS, which combines the convenience and extensive integration of AWS KMS with the isolation and control of a single-tenant key store.

*/ inline CreateKeyRequest& WithCustomKeyStoreId(const Aws::String& value) { SetCustomKeyStoreId(value); return *this;} /** *

Creates the CMK in the specified custom * key store and the key material in its associated AWS CloudHSM cluster. To * create a CMK in a custom key store, you must also specify the * Origin parameter with a value of AWS_CLOUDHSM. The AWS * CloudHSM cluster that is associated with the custom key store must have at least * two active HSMs, each in a different Availability Zone in the Region.

*

This parameter is valid only for symmetric CMKs. You cannot create an * asymmetric CMK in a custom key store.

To find the ID of a custom key * store, use the DescribeCustomKeyStores operation.

The response * includes the custom key store ID and the ID of the AWS CloudHSM cluster.

*

This operation is part of the Custom Key Store feature in AWS KMS, which combines the convenience and extensive integration of AWS KMS with the isolation and control of a single-tenant key store.

*/ inline CreateKeyRequest& WithCustomKeyStoreId(Aws::String&& value) { SetCustomKeyStoreId(std::move(value)); return *this;} /** *

Creates the CMK in the specified custom * key store and the key material in its associated AWS CloudHSM cluster. To * create a CMK in a custom key store, you must also specify the * Origin parameter with a value of AWS_CLOUDHSM. The AWS * CloudHSM cluster that is associated with the custom key store must have at least * two active HSMs, each in a different Availability Zone in the Region.

*

This parameter is valid only for symmetric CMKs. You cannot create an * asymmetric CMK in a custom key store.

To find the ID of a custom key * store, use the DescribeCustomKeyStores operation.

The response * includes the custom key store ID and the ID of the AWS CloudHSM cluster.

*

This operation is part of the Custom Key Store feature in AWS KMS, which combines the convenience and extensive integration of AWS KMS with the isolation and control of a single-tenant key store.

*/ inline CreateKeyRequest& WithCustomKeyStoreId(const char* value) { SetCustomKeyStoreId(value); return *this;} /** *

A flag to indicate whether to bypass the key policy lockout safety check.

*

Setting this value to true increases the risk that the CMK * becomes unmanageable. Do not set this value to true indiscriminately.

For more information, refer to the scenario in the Default Key Policy section in the AWS Key Management Service Developer Guide.

Use this parameter only when you include a * policy in the request and you intend to prevent the principal that is making the * request from making a subsequent PutKeyPolicy request on the CMK.

*

The default value is false.

*/ inline bool GetBypassPolicyLockoutSafetyCheck() const{ return m_bypassPolicyLockoutSafetyCheck; } /** *

A flag to indicate whether to bypass the key policy lockout safety check.

*

Setting this value to true increases the risk that the CMK * becomes unmanageable. Do not set this value to true indiscriminately.

For more information, refer to the scenario in the Default Key Policy section in the AWS Key Management Service Developer Guide.

Use this parameter only when you include a * policy in the request and you intend to prevent the principal that is making the * request from making a subsequent PutKeyPolicy request on the CMK.

*

The default value is false.

*/ inline bool BypassPolicyLockoutSafetyCheckHasBeenSet() const { return m_bypassPolicyLockoutSafetyCheckHasBeenSet; } /** *

A flag to indicate whether to bypass the key policy lockout safety check.

*

Setting this value to true increases the risk that the CMK * becomes unmanageable. Do not set this value to true indiscriminately.

For more information, refer to the scenario in the Default Key Policy section in the AWS Key Management Service Developer Guide.

Use this parameter only when you include a * policy in the request and you intend to prevent the principal that is making the * request from making a subsequent PutKeyPolicy request on the CMK.

*

The default value is false.

*/ inline void SetBypassPolicyLockoutSafetyCheck(bool value) { m_bypassPolicyLockoutSafetyCheckHasBeenSet = true; m_bypassPolicyLockoutSafetyCheck = value; } /** *

A flag to indicate whether to bypass the key policy lockout safety check.

*

Setting this value to true increases the risk that the CMK * becomes unmanageable. Do not set this value to true indiscriminately.

For more information, refer to the scenario in the Default Key Policy section in the AWS Key Management Service Developer Guide.

Use this parameter only when you include a * policy in the request and you intend to prevent the principal that is making the * request from making a subsequent PutKeyPolicy request on the CMK.

*

The default value is false.

*/ inline CreateKeyRequest& WithBypassPolicyLockoutSafetyCheck(bool value) { SetBypassPolicyLockoutSafetyCheck(value); return *this;} /** *

One or more tags. Each tag consists of a tag key and a tag value. Both the * tag key and the tag value are required, but the tag value can be an empty (null) * string.

When you add tags to an AWS resource, AWS generates a cost * allocation report with usage and costs aggregated by tags. For information about * adding, changing, deleting and listing tags for CMKs, see Tagging * Keys.

Use this parameter to tag the CMK when it is created. To add * tags to an existing CMK, use the TagResource operation.

*/ inline const Aws::Vector<Tag>& GetTags() const{ return m_tags; } /** *

One or more tags. Each tag consists of a tag key and a tag value. Both the * tag key and the tag value are required, but the tag value can be an empty (null) * string.

When you add tags to an AWS resource, AWS generates a cost * allocation report with usage and costs aggregated by tags. For information about * adding, changing, deleting and listing tags for CMKs, see Tagging * Keys.

Use this parameter to tag the CMK when it is created. To add * tags to an existing CMK, use the TagResource operation.

*/ inline bool TagsHasBeenSet() const { return m_tagsHasBeenSet; } /** *

One or more tags. Each tag consists of a tag key and a tag value. Both the * tag key and the tag value are required, but the tag value can be an empty (null) * string.

When you add tags to an AWS resource, AWS generates a cost * allocation report with usage and costs aggregated by tags. For information about * adding, changing, deleting and listing tags for CMKs, see Tagging * Keys.

Use this parameter to tag the CMK when it is created. To add * tags to an existing CMK, use the TagResource operation.

*/ inline void SetTags(const Aws::Vector<Tag>& value) { m_tagsHasBeenSet = true; m_tags = value; } /** *

One or more tags. Each tag consists of a tag key and a tag value. Both the * tag key and the tag value are required, but the tag value can be an empty (null) * string.

When you add tags to an AWS resource, AWS generates a cost * allocation report with usage and costs aggregated by tags. For information about * adding, changing, deleting and listing tags for CMKs, see Tagging * Keys.

Use this parameter to tag the CMK when it is created. To add * tags to an existing CMK, use the TagResource operation.

*/ inline void SetTags(Aws::Vector<Tag>&& value) { m_tagsHasBeenSet = true; m_tags = std::move(value); } /** *

One or more tags. Each tag consists of a tag key and a tag value. Both the * tag key and the tag value are required, but the tag value can be an empty (null) * string.

When you add tags to an AWS resource, AWS generates a cost * allocation report with usage and costs aggregated by tags. For information about * adding, changing, deleting and listing tags for CMKs, see Tagging * Keys.

Use this parameter to tag the CMK when it is created. To add * tags to an existing CMK, use the TagResource operation.

*/ inline CreateKeyRequest& WithTags(const Aws::Vector<Tag>& value) { SetTags(value); return *this;} /** *

One or more tags. Each tag consists of a tag key and a tag value. Both the * tag key and the tag value are required, but the tag value can be an empty (null) * string.

When you add tags to an AWS resource, AWS generates a cost * allocation report with usage and costs aggregated by tags. For information about * adding, changing, deleting and listing tags for CMKs, see Tagging * Keys.

Use this parameter to tag the CMK when it is created. To add * tags to an existing CMK, use the TagResource operation.

*/ inline CreateKeyRequest& WithTags(Aws::Vector<Tag>&& value) { SetTags(std::move(value)); return *this;} /** *

One or more tags. Each tag consists of a tag key and a tag value. Both the * tag key and the tag value are required, but the tag value can be an empty (null) * string.

When you add tags to an AWS resource, AWS generates a cost * allocation report with usage and costs aggregated by tags. For information about * adding, changing, deleting and listing tags for CMKs, see Tagging * Keys.

Use this parameter to tag the CMK when it is created. To add * tags to an existing CMK, use the TagResource operation.

*/ inline CreateKeyRequest& AddTags(const Tag& value) { m_tagsHasBeenSet = true; m_tags.push_back(value); return *this; } /** *

One or more tags. Each tag consists of a tag key and a tag value. Both the * tag key and the tag value are required, but the tag value can be an empty (null) * string.

When you add tags to an AWS resource, AWS generates a cost * allocation report with usage and costs aggregated by tags. For information about * adding, changing, deleting and listing tags for CMKs, see Tagging * Keys.

Use this parameter to tag the CMK when it is created. To add * tags to an existing CMK, use the TagResource operation.

*/
    inline CreateKeyRequest& AddTags(Tag&& value) { m_tagsHasBeenSet = true; m_tags.push_back(std::move(value)); return *this; }

  private:

    Aws::String m_policy;
    bool m_policyHasBeenSet;

    Aws::String m_description;
    bool m_descriptionHasBeenSet;

    KeyUsageType m_keyUsage;
    bool m_keyUsageHasBeenSet;

    CustomerMasterKeySpec m_customerMasterKeySpec;
    bool m_customerMasterKeySpecHasBeenSet;

    OriginType m_origin;
    bool m_originHasBeenSet;

    Aws::String m_customKeyStoreId;
    bool m_customKeyStoreIdHasBeenSet;

    bool m_bypassPolicyLockoutSafetyCheck;
    bool m_bypassPolicyLockoutSafetyCheckHasBeenSet;

    Aws::Vector<Tag> m_tags;
    bool m_tagsHasBeenSet;
  };

} // namespace Model
} // namespace KMS
} // namespace Aws
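
The constraints documented above for Origin, CustomKeyStoreId and BypassPolicyLockoutSafetyCheck can be checked locally before a CreateKey request is sent. The following is an added example, not part of the AWS SDK: `Origin`, `KeyRequestSketch`, `Preflight` and `PreflightCreateKey` are hypothetical stand-ins that mirror the documented fields so the check runs without the SDK, and `cks-EXAMPLE` is a placeholder ID.

```cpp
#include <iostream>
#include <string>
#include <vector>

// Hypothetical stand-ins that mirror the documented fields; not the AWS SDK API.
enum class Origin { AWS_KMS, EXTERNAL, AWS_CLOUDHSM };

struct KeyRequestSketch {
    Origin origin = Origin::AWS_KMS;              // documented default
    bool symmetric = true;                        // stands in for the CMK spec
    std::string customKeyStoreId;                 // empty = not set
    std::string policy;                           // empty = default key policy
    bool bypassPolicyLockoutSafetyCheck = false;  // documented default
};

struct Preflight {
    std::vector<std::string> errors;    // request contradicts the documentation
    std::vector<std::string> warnings;  // allowed, but needs a deliberate decision
};

Preflight PreflightCreateKey(const KeyRequestSketch& r) {
    Preflight out;
    const bool hasStore = !r.customKeyStoreId.empty();

    if (r.origin == Origin::AWS_CLOUDHSM && !hasStore)
        out.errors.push_back("Origin AWS_CLOUDHSM requires CustomKeyStoreId");
    if (hasStore && r.origin != Origin::AWS_CLOUDHSM)
        out.errors.push_back("CustomKeyStoreId requires Origin AWS_CLOUDHSM");
    if (!r.symmetric && (hasStore || r.origin != Origin::AWS_KMS))
        out.errors.push_back("EXTERNAL, AWS_CLOUDHSM and custom key stores are valid only for symmetric CMKs");
    if (r.bypassPolicyLockoutSafetyCheck && r.policy.empty())
        out.errors.push_back("BypassPolicyLockoutSafetyCheck is meant only for requests that include a policy");
    if (r.bypassPolicyLockoutSafetyCheck && !r.policy.empty())
        out.warnings.push_back("Lockout safety check bypassed: the CMK may become unmanageable");
    if (r.origin == Origin::EXTERNAL)
        out.warnings.push_back("CMK is created without key material; it must be imported");
    return out;
}

int main() {
    // Constructed request: custom key store ID set, but Origin left at its default.
    KeyRequestSketch r;
    r.customKeyStoreId = "cks-EXAMPLE";  // placeholder, not a real ID
    const Preflight p = PreflightCreateKey(r);
    for (const auto& e : p.errors) std::cout << "error: " << e << "\n";
    for (const auto& w : p.warnings) std::cout << "warning: " << w << "\n";
    return p.errors.empty() ? 0 : 1;
}
```

Treating a bypass warning as a review gate in deployment tooling keeps the lockout safety check from being disabled without a recorded decision.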