import { Conditions, PolicyDocument, PolicyStatement } from 'aws-cdk-lib/aws-iam';
import { IAccessSpec, IAWSServiceAccessGenerator } from './k9policy';
/**
 * Inputs accepted by makeKeyPolicy, which returns the PolicyDocument for a key.
 *
 * These values determine who ends up in the generated key policy, so changes to them
 * deserve the same review as any other access-control change.
 */
export interface K9KeyPolicyProps {
    /**
     * The access the generated key policy should grant.
     *
     * NOTE(review): IAccessSpec is declared in './k9policy' and its fields are not visible here;
     * presumably each entry pairs principals with the capability they are allowed. Confirm there.
     */
    readonly k9DesiredAccess: Array<IAccessSpec>;
    /**
     * Optional flag.
     *
     * NOTE(review): judging by the name and by SID_ALLOW_ROOT_AND_IDENTITY_POLICIES, this appears to
     * control whether the account root user and IAM identity policies may grant access to the key.
     * The behaviour when the flag is omitted is not visible in this declaration; confirm it in the
     * implementation rather than assuming a default.
     */
    readonly trustAccountIdentities?: boolean;
    /**
     * An (optional) array of IAWSServiceAccessGenerator instances which will generate statements to allow access to the
     * key by an AWS service like CloudFront or Kinesis.
     *
     * Each generator widens access to the key. The CloudFrontOACReadAccessGenerator declared in this file
     * exposes both Allow statements and conditions to except from the "DenyEveryoneElse" statement, so
     * pass only generators that are scoped to a specific resource.
     *
     * @default undefined
     */
    readonly awsServiceAccessGenerators?: Array<IAWSServiceAccessGenerator>;
}
/**
 * Statement id (Sid) text for a statement concerning the root user and identity policies.
 *
 * NOTE(review): which statement carries this Sid, and under what conditions it is emitted, is decided
 * by the implementation and is not visible in this declaration. Presumably exported so tests and
 * policy audits can locate the statement by Sid; confirm.
 */
export declare const SID_ALLOW_ROOT_AND_IDENTITY_POLICIES = "Allow Root User to Administer Key And Identity Policies";
/**
 * Statement id (Sid) text for the "deny everyone else" statement.
 *
 * NOTE(review): the principals and conditions of that statement are not visible here. When auditing
 * a synthesized policy, check that a statement with this Sid is present and that its exceptions
 * match the intended principals and services.
 */
export declare const SID_DENY_EVERYONE_ELSE = "DenyEveryoneElse";
/**
 * Generate key policy statements to enable the CloudFront service to read encrypted S3 bucket object data (only)
 * from within a <a href="https://docs.aws.amazon.com/AmazonCloudFront/latest/DeveloperGuide/private-content-restricting-access-to-s3.html#sse-kms">CloudFront OAC integration</a>.
 *
 * NOTE(review): the linked AWS guide restricts the CloudFront service principal to one distribution
 * with an aws:SourceArn condition. Whether the statements generated here apply the same restriction
 * is not visible in this declaration; confirm it in the implementation, since an unscoped
 * service-principal grant would let other distributions use the key.
 */
export declare class CloudFrontOACReadAccessGenerator implements IAWSServiceAccessGenerator {
    /** Sid text for the statement covering the CloudFront service's read-data access. */
    static readonly SID_ALLOW_CLOUDFRONT_SVC_READ_DATA = "Allow CloudFront Service read-data";
    /** Sid text for the statement covering a CloudFront IAM role's read-data access. */
    static readonly SID_ALLOW_CLOUDFRONT_IAM_ROLE_READ_DATA = "Allow CloudFront IAM role read-data";
    /**
     * ARN of the CloudFront distribution, as passed to the constructor.
     * Supply the full ARN of one specific distribution, not a wildcard pattern.
     */
    readonly distributionArn: string;
    /**
     * @param distributionArn ARN of the CloudFront distribution this generator is for.
     * NOTE(review): no validation of the ARN is visible in this declaration; validate it at the call site if needed.
     */
    constructor(distributionArn: string);
    /**
     * @returns the Allow statements this generator contributes to the key policy.
     */
    makeAllowStatements(): Array<PolicyStatement>;
    /**
     * @returns conditions that, per the method name, exempt this integration from the
     * "DenyEveryoneElse" statement. Anything matching them bypasses that deny, so review
     * the emitted conditions in the synthesized policy.
     */
    makeConditionsToExceptFromDenyEveryoneElse(): Conditions;
}
/**
 * Build the key policy document described by the given props.
 *
 * NOTE(review): the statements produced (including when the statements named by
 * SID_ALLOW_ROOT_AND_IDENTITY_POLICIES and SID_DENY_EVERYONE_ELSE are emitted) are not visible
 * in this declaration. Inspect the synthesized policy, or assert on it in tests, before deploying.
 *
 * @param props desired access, the optional trustAccountIdentities flag and optional AWS service access generators.
 * @returns the generated PolicyDocument.
 */
export declare function makeKeyPolicy(props: K9KeyPolicyProps): PolicyDocument;
