1 | import * as iam from '@aws-cdk/aws-iam';
|
2 | import { IResource, RemovalPolicy, Resource, Duration } from '@aws-cdk/core';
|
3 | import { Construct } from 'constructs';
|
4 | import { Alias } from './alias';
|
5 | import { KeyLookupOptions } from './key-lookup';
|
6 | import { CfnKey } from './kms.generated';
|
7 | /**
|
8 | * A KMS Key, either managed by this CDK app, or imported.
|
9 | */
|
10 | export interface IKey extends IResource {
|
11 | /**
|
12 | * The ARN of the key.
|
13 | *
|
14 | * @attribute
|
15 | */
|
16 | readonly keyArn: string;
|
17 | /**
|
18 | * The ID of the key
|
19 | * (the part that looks something like: 1234abcd-12ab-34cd-56ef-1234567890ab).
|
20 | *
|
21 | * @attribute
|
22 | */
|
23 | readonly keyId: string;
|
24 | /**
|
25 | * Defines a new alias for the key.
|
26 | */
|
27 | addAlias(alias: string): Alias;
|
28 | /**
|
29 | * Adds a statement to the KMS key resource policy.
|
30 | * @param statement The policy statement to add
|
31 | * @param allowNoOp If this is set to `false` and there is no policy
|
32 | * defined (i.e. external key), the operation will fail. Otherwise, it will
|
33 | * no-op.
|
34 | */
|
35 | addToResourcePolicy(statement: iam.PolicyStatement, allowNoOp?: boolean): iam.AddToResourcePolicyResult;
|
36 | /**
|
37 | * Grant the indicated permissions on this key to the given principal
|
38 | */
|
39 | grant(grantee: iam.IGrantable, ...actions: string[]): iam.Grant;
|
40 | /**
|
41 | * Grant decryption permissions using this key to the given principal
|
42 | */
|
43 | grantDecrypt(grantee: iam.IGrantable): iam.Grant;
|
44 | /**
|
45 | * Grant encryption permissions using this key to the given principal
|
46 | */
|
47 | grantEncrypt(grantee: iam.IGrantable): iam.Grant;
|
48 | /**
|
49 | * Grant encryption and decryption permissions using this key to the given principal
|
50 | */
|
51 | grantEncryptDecrypt(grantee: iam.IGrantable): iam.Grant;
|
52 | }
|
53 | declare abstract class KeyBase extends Resource implements IKey {
|
54 | /**
|
55 | * The ARN of the key.
|
56 | */
|
57 | abstract readonly keyArn: string;
|
58 | abstract readonly keyId: string;
|
59 | /**
|
60 | * Optional policy document that represents the resource policy of this key.
|
61 | *
|
62 | * If specified, addToResourcePolicy can be used to edit this policy.
|
63 | * Otherwise this method will no-op.
|
64 | */
|
65 | protected abstract readonly policy?: iam.PolicyDocument;
|
66 | /**
|
67 | * Optional property to control trusting account identities.
|
68 | *
|
69 | * If specified, grants will default identity policies instead of to both
|
70 | * resource and identity policies. This matches the default behavior when creating
|
71 | * KMS keys via the API or console.
|
72 | */
|
73 | protected abstract readonly trustAccountIdentities: boolean;
|
74 | /**
|
75 | * Collection of aliases added to the key
|
76 | *
|
77 | * Tracked to determine whether or not the aliasName should be added to the end of its ID
|
78 | */
|
79 | private readonly aliases;
|
80 | /**
|
81 | * Defines a new alias for the key.
|
82 | */
|
83 | addAlias(aliasName: string): Alias;
|
84 | /**
|
85 | * Adds a statement to the KMS key resource policy.
|
86 | * @param statement The policy statement to add
|
87 | * @param allowNoOp If this is set to `false` and there is no policy
|
88 | * defined (i.e. external key), the operation will fail. Otherwise, it will
|
89 | * no-op.
|
90 | */
|
91 | addToResourcePolicy(statement: iam.PolicyStatement, allowNoOp?: boolean): iam.AddToResourcePolicyResult;
|
92 | protected validate(): string[];
|
93 | /**
|
94 | * Grant the indicated permissions on this key to the given principal
|
95 | *
|
96 | * This modifies both the principal's policy as well as the resource policy,
|
97 | * since the default CloudFormation setup for KMS keys is that the policy
|
98 | * must not be empty and so default grants won't work.
|
99 | */
|
100 | grant(grantee: iam.IGrantable, ...actions: string[]): iam.Grant;
|
101 | /**
|
102 | * Grant decryption permissions using this key to the given principal
|
103 | */
|
104 | grantDecrypt(grantee: iam.IGrantable): iam.Grant;
|
105 | /**
|
106 | * Grant encryption permissions using this key to the given principal
|
107 | */
|
108 | grantEncrypt(grantee: iam.IGrantable): iam.Grant;
|
109 | /**
|
110 | * Grant encryption and decryption permissions using this key to the given principal
|
111 | */
|
112 | grantEncryptDecrypt(grantee: iam.IGrantable): iam.Grant;
|
113 | /**
|
114 | * Checks whether the grantee belongs to a stack that will be deployed
|
115 | * after the stack containing this key.
|
116 | *
|
117 | * @param grantee the grantee to give permissions to
|
118 | * @returns the account ID of the grantee stack if its stack does depend on this stack,
|
119 | * undefined otherwise
|
120 | */
|
121 | private granteeStackDependsOnKeyStack;
|
122 | private principalIsANewlyCreatedResource;
|
123 | private isGranteeFromAnotherRegion;
|
124 | private isGranteeFromAnotherAccount;
|
125 | }
|
126 | /**
|
127 | * The key spec, represents the cryptographic configuration of keys.
|
128 | */
|
129 | export declare enum KeySpec {
|
130 | /**
|
131 | * The default key spec.
|
132 | *
|
133 | * Valid usage: ENCRYPT_DECRYPT
|
134 | */
|
135 | SYMMETRIC_DEFAULT = "SYMMETRIC_DEFAULT",
|
136 | /**
|
137 | * RSA with 2048 bits of key.
|
138 | *
|
139 | * Valid usage: ENCRYPT_DECRYPT and SIGN_VERIFY
|
140 | */
|
141 | RSA_2048 = "RSA_2048",
|
142 | /**
|
143 | * RSA with 3072 bits of key.
|
144 | *
|
145 | * Valid usage: ENCRYPT_DECRYPT and SIGN_VERIFY
|
146 | */
|
147 | RSA_3072 = "RSA_3072",
|
148 | /**
|
149 | * RSA with 4096 bits of key.
|
150 | *
|
151 | * Valid usage: ENCRYPT_DECRYPT and SIGN_VERIFY
|
152 | */
|
153 | RSA_4096 = "RSA_4096",
|
154 | /**
|
155 | * NIST FIPS 186-4, Section 6.4, ECDSA signature using the curve specified by the key and
|
156 | * SHA-256 for the message digest.
|
157 | *
|
158 | * Valid usage: SIGN_VERIFY
|
159 | */
|
160 | ECC_NIST_P256 = "ECC_NIST_P256",
|
161 | /**
|
162 | * NIST FIPS 186-4, Section 6.4, ECDSA signature using the curve specified by the key and
|
163 | * SHA-384 for the message digest.
|
164 | *
|
165 | * Valid usage: SIGN_VERIFY
|
166 | */
|
167 | ECC_NIST_P384 = "ECC_NIST_P384",
|
168 | /**
|
169 | * NIST FIPS 186-4, Section 6.4, ECDSA signature using the curve specified by the key and
|
170 | * SHA-512 for the message digest.
|
171 | *
|
172 | * Valid usage: SIGN_VERIFY
|
173 | */
|
174 | ECC_NIST_P521 = "ECC_NIST_P521",
|
175 | /**
|
176 | * Standards for Efficient Cryptography 2, Section 2.4.1, ECDSA signature on the Koblitz curve.
|
177 | *
|
178 | * Valid usage: SIGN_VERIFY
|
179 | */
|
180 | ECC_SECG_P256K1 = "ECC_SECG_P256K1"
|
181 | }
|
182 | /**
|
183 | * The key usage, represents the cryptographic operations of keys.
|
184 | */
|
185 | export declare enum KeyUsage {
|
186 | /**
|
187 | * Encryption and decryption.
|
188 | */
|
189 | ENCRYPT_DECRYPT = "ENCRYPT_DECRYPT",
|
190 | /**
|
191 | * Signing and verification
|
192 | */
|
193 | SIGN_VERIFY = "SIGN_VERIFY"
|
194 | }
|
195 | /**
|
196 | * Construction properties for a KMS Key object
|
197 | */
|
198 | export interface KeyProps {
|
199 | /**
|
200 | * A description of the key. Use a description that helps your users decide
|
201 | * whether the key is appropriate for a particular task.
|
202 | *
|
203 | * @default - No description.
|
204 | */
|
205 | readonly description?: string;
|
206 | /**
|
207 | * Initial alias to add to the key
|
208 | *
|
209 | * More aliases can be added later by calling `addAlias`.
|
210 | *
|
211 | * @default - No alias is added for the key.
|
212 | */
|
213 | readonly alias?: string;
|
214 | /**
|
215 | * Indicates whether AWS KMS rotates the key.
|
216 | *
|
217 | * @default false
|
218 | */
|
219 | readonly enableKeyRotation?: boolean;
|
220 | /**
|
221 | * Indicates whether the key is available for use.
|
222 | *
|
223 | * @default - Key is enabled.
|
224 | */
|
225 | readonly enabled?: boolean;
|
226 | /**
|
227 | * The cryptographic configuration of the key. The valid value depends on usage of the key.
|
228 | *
|
229 | * IMPORTANT: If you change this property of an existing key, the existing key is scheduled for deletion
|
230 | * and a new key is created with the specified value.
|
231 | *
|
232 | * @default KeySpec.SYMMETRIC_DEFAULT
|
233 | */
|
234 | readonly keySpec?: KeySpec;
|
235 | /**
|
236 | * The cryptographic operations for which the key can be used.
|
237 | *
|
238 | * IMPORTANT: If you change this property of an existing key, the existing key is scheduled for deletion
|
239 | * and a new key is created with the specified value.
|
240 | *
|
241 | * @default KeyUsage.ENCRYPT_DECRYPT
|
242 | */
|
243 | readonly keyUsage?: KeyUsage;
|
244 | /**
|
245 | * Custom policy document to attach to the KMS key.
|
246 | *
|
247 | * NOTE - If the `@aws-cdk/aws-kms:defaultKeyPolicies` feature flag is set (the default for new projects),
|
248 | * this policy will *override* the default key policy and become the only key policy for the key. If the
|
249 | * feature flag is not set, this policy will be appended to the default key policy.
|
250 | *
|
251 | * @default - A policy document with permissions for the account root to
|
252 | * administer the key will be created.
|
253 | */
|
254 | readonly policy?: iam.PolicyDocument;
|
255 | /**
|
256 | * A list of principals to add as key administrators to the key policy.
|
257 | *
|
258 | * Key administrators have permissions to manage the key (e.g., change permissions, revoke), but do not have permissions
|
259 | * to use the key in cryptographic operations (e.g., encrypt, decrypt).
|
260 | *
|
261 | * These principals will be added to the default key policy (if none specified), or to the specified policy (if provided).
|
262 | *
|
263 | * @default []
|
264 | */
|
265 | readonly admins?: iam.IPrincipal[];
|
266 | /**
|
267 | * Whether the encryption key should be retained when it is removed from the Stack. This is useful when one wants to
|
268 | * retain access to data that was encrypted with a key that is being retired.
|
269 | *
|
270 | * @default RemovalPolicy.Retain
|
271 | */
|
272 | readonly removalPolicy?: RemovalPolicy;
|
273 | /**
|
274 | * Whether the key usage can be granted by IAM policies
|
275 | *
|
276 | * Setting this to true adds a default statement which delegates key
|
277 | * access control completely to the identity's IAM policy (similar
|
278 | * to how it works for other AWS resources). This matches the default behavior
|
279 | * when creating KMS keys via the API or console.
|
280 | *
|
281 | * If the `@aws-cdk/aws-kms:defaultKeyPolicies` feature flag is set (the default for new projects),
|
282 | * this flag will always be treated as 'true' and does not need to be explicitly set.
|
283 | *
|
284 | * @default - false, unless the `@aws-cdk/aws-kms:defaultKeyPolicies` feature flag is set.
|
285 | * @see https://docs.aws.amazon.com/kms/latest/developerguide/key-policies.html#key-policy-default-allow-root-enable-iam
|
286 | * @deprecated redundant with the `@aws-cdk/aws-kms:defaultKeyPolicies` feature flag
|
287 | */
|
288 | readonly trustAccountIdentities?: boolean;
|
289 | /**
|
290 | * Specifies the number of days in the waiting period before
|
291 | * AWS KMS deletes a CMK that has been removed from a CloudFormation stack.
|
292 | *
|
293 | * When you remove a customer master key (CMK) from a CloudFormation stack, AWS KMS schedules the CMK for deletion
|
294 | * and starts the mandatory waiting period. The PendingWindowInDays property determines the length of waiting period.
|
295 | * During the waiting period, the key state of CMK is Pending Deletion, which prevents the CMK from being used in
|
296 | * cryptographic operations. When the waiting period expires, AWS KMS permanently deletes the CMK.
|
297 | *
|
298 | * Enter a value between 7 and 30 days.
|
299 | *
|
300 | * @see https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-kms-key.html#cfn-kms-key-pendingwindowindays
|
301 | * @default - 30 days
|
302 | */
|
303 | readonly pendingWindow?: Duration;
|
304 | }
|
305 | /**
|
306 | * Defines a KMS key.
|
307 | *
|
308 | * @resource AWS::KMS::Key
|
309 | */
|
310 | export declare class Key extends KeyBase {
|
311 | /**
|
312 | * Import an externally defined KMS Key using its ARN.
|
313 | *
|
314 | * @param scope the construct that will "own" the imported key.
|
315 | * @param id the id of the imported key in the construct tree.
|
316 | * @param keyArn the ARN of an existing KMS key.
|
317 | */
|
318 | static fromKeyArn(scope: Construct, id: string, keyArn: string): IKey;
|
319 | /**
|
320 | * Create a mutable {@link IKey} based on a low-level {@link CfnKey}.
|
321 | * This is most useful when combined with the cloudformation-include module.
|
322 | * This method is different than {@link fromKeyArn()} because the {@link IKey}
|
323 | * returned from this method is mutable;
|
324 | * meaning, calling any mutating methods on it,
|
325 | * like {@link IKey.addToResourcePolicy()},
|
326 | * will actually be reflected in the resulting template,
|
327 | * as opposed to the object returned from {@link fromKeyArn()},
|
328 | * on which calling those methods would have no effect.
|
329 | */
|
330 | static fromCfnKey(cfnKey: CfnKey): IKey;
|
331 | /**
|
332 | * Import an existing Key by querying the AWS environment this stack is deployed to.
|
333 | *
|
334 | * This function only needs to be used to use Keys not defined in your CDK
|
335 | * application. If you are looking to share a Key between stacks, you can
|
336 | * pass the `Key` object between stacks and use it as normal. In addition,
|
337 | * it's not necessary to use this method if an interface accepts an `IKey`.
|
338 | * In this case, `Alias.fromAliasName()` can be used which returns an alias
|
339 | * that extends `IKey`.
|
340 | *
|
341 | * Calling this method will lead to a lookup when the CDK CLI is executed.
|
342 | * You can therefore not use any values that will only be available at
|
343 | * CloudFormation execution time (i.e., Tokens).
|
344 | *
|
345 | * The Key information will be cached in `cdk.context.json` and the same Key
|
346 | * will be used on future runs. To refresh the lookup, you will have to
|
347 | * evict the value from the cache using the `cdk context` command. See
|
348 | * https://docs.aws.amazon.com/cdk/latest/guide/context.html for more information.
|
349 | */
|
350 | static fromLookup(scope: Construct, id: string, options: KeyLookupOptions): IKey;
|
351 | readonly keyArn: string;
|
352 | readonly keyId: string;
|
353 | protected readonly policy?: iam.PolicyDocument;
|
354 | protected readonly trustAccountIdentities: boolean;
|
355 | constructor(scope: Construct, id: string, props?: KeyProps);
|
356 | /**
|
357 | * Grant admins permissions using this key to the given principal
|
358 | *
|
359 | * Key administrators have permissions to manage the key (e.g., change permissions, revoke), but do not have permissions
|
360 | * to use the key in cryptographic operations (e.g., encrypt, decrypt).
|
361 | */
|
362 | grantAdmin(grantee: iam.IGrantable): iam.Grant;
|
363 | /**
|
364 | * Adds the default key policy to the key. This policy gives the AWS account (root user) full access to the CMK,
|
365 | * which reduces the risk of the CMK becoming unmanageable and enables IAM policies to allow access to the CMK.
|
366 | * This is the same policy that is default when creating a Key via the KMS API or Console.
|
367 | * @see https://docs.aws.amazon.com/kms/latest/developerguide/key-policies.html#key-policy-default
|
368 | */
|
369 | private addDefaultAdminPolicy;
|
370 | /**
|
371 | * Grants the account admin privileges -- not full account access -- plus the GenerateDataKey action.
|
372 | * The GenerateDataKey action was added for interop with S3 in https://github.com/aws/aws-cdk/issues/3458.
|
373 | *
|
374 | * This policy is discouraged and deprecated by the `@aws-cdk/aws-kms:defaultKeyPolicies` feature flag.
|
375 | *
|
376 | * @link https://docs.aws.amazon.com/kms/latest/developerguide/key-policies.html#key-policy-default
|
377 | * @deprecated
|
378 | */
|
379 | private addLegacyAdminPolicy;
|
380 | }
|
381 | export {};
|