UNPKG

15 kBTypeScriptView Raw
1import * as iam from '@aws-cdk/aws-iam';
2import { IResource, RemovalPolicy, Resource, Duration } from '@aws-cdk/core';
3import { Construct } from 'constructs';
4import { Alias } from './alias';
5import { KeyLookupOptions } from './key-lookup';
6import { CfnKey } from './kms.generated';
7/**
8 * A KMS Key, either managed by this CDK app, or imported.
9 */
10export interface IKey extends IResource {
11 /**
12 * The ARN of the key.
13 *
14 * @attribute
15 */
16 readonly keyArn: string;
17 /**
18 * The ID of the key
19 * (the part that looks something like: 1234abcd-12ab-34cd-56ef-1234567890ab).
20 *
21 * @attribute
22 */
23 readonly keyId: string;
24 /**
25 * Defines a new alias for the key.
26 */
27 addAlias(alias: string): Alias;
28 /**
29 * Adds a statement to the KMS key resource policy.
30 * @param statement The policy statement to add
31 * @param allowNoOp If this is set to `false` and there is no policy
32 * defined (i.e. external key), the operation will fail. Otherwise, it will
33 * no-op.
34 */
35 addToResourcePolicy(statement: iam.PolicyStatement, allowNoOp?: boolean): iam.AddToResourcePolicyResult;
36 /**
37 * Grant the indicated permissions on this key to the given principal
38 */
39 grant(grantee: iam.IGrantable, ...actions: string[]): iam.Grant;
40 /**
41 * Grant decryption permissions using this key to the given principal
42 */
43 grantDecrypt(grantee: iam.IGrantable): iam.Grant;
44 /**
45 * Grant encryption permissions using this key to the given principal
46 */
47 grantEncrypt(grantee: iam.IGrantable): iam.Grant;
48 /**
49 * Grant encryption and decryption permissions using this key to the given principal
50 */
51 grantEncryptDecrypt(grantee: iam.IGrantable): iam.Grant;
52}
53declare abstract class KeyBase extends Resource implements IKey {
54 /**
55 * The ARN of the key.
56 */
57 abstract readonly keyArn: string;
58 abstract readonly keyId: string;
59 /**
60 * Optional policy document that represents the resource policy of this key.
61 *
62 * If specified, addToResourcePolicy can be used to edit this policy.
63 * Otherwise this method will no-op.
64 */
65 protected abstract readonly policy?: iam.PolicyDocument;
66 /**
67 * Optional property to control trusting account identities.
68 *
69 * If specified, grants will default identity policies instead of to both
70 * resource and identity policies. This matches the default behavior when creating
71 * KMS keys via the API or console.
72 */
73 protected abstract readonly trustAccountIdentities: boolean;
74 /**
75 * Collection of aliases added to the key
76 *
77 * Tracked to determine whether or not the aliasName should be added to the end of its ID
78 */
79 private readonly aliases;
80 /**
81 * Defines a new alias for the key.
82 */
83 addAlias(aliasName: string): Alias;
84 /**
85 * Adds a statement to the KMS key resource policy.
86 * @param statement The policy statement to add
87 * @param allowNoOp If this is set to `false` and there is no policy
88 * defined (i.e. external key), the operation will fail. Otherwise, it will
89 * no-op.
90 */
91 addToResourcePolicy(statement: iam.PolicyStatement, allowNoOp?: boolean): iam.AddToResourcePolicyResult;
92 protected validate(): string[];
93 /**
94 * Grant the indicated permissions on this key to the given principal
95 *
96 * This modifies both the principal's policy as well as the resource policy,
97 * since the default CloudFormation setup for KMS keys is that the policy
98 * must not be empty and so default grants won't work.
99 */
100 grant(grantee: iam.IGrantable, ...actions: string[]): iam.Grant;
101 /**
102 * Grant decryption permissions using this key to the given principal
103 */
104 grantDecrypt(grantee: iam.IGrantable): iam.Grant;
105 /**
106 * Grant encryption permissions using this key to the given principal
107 */
108 grantEncrypt(grantee: iam.IGrantable): iam.Grant;
109 /**
110 * Grant encryption and decryption permissions using this key to the given principal
111 */
112 grantEncryptDecrypt(grantee: iam.IGrantable): iam.Grant;
113 /**
114 * Checks whether the grantee belongs to a stack that will be deployed
115 * after the stack containing this key.
116 *
117 * @param grantee the grantee to give permissions to
118 * @returns the account ID of the grantee stack if its stack does depend on this stack,
119 * undefined otherwise
120 */
121 private granteeStackDependsOnKeyStack;
122 private principalIsANewlyCreatedResource;
123 private isGranteeFromAnotherRegion;
124 private isGranteeFromAnotherAccount;
125}
126/**
127 * The key spec, represents the cryptographic configuration of keys.
128 */
129export declare enum KeySpec {
130 /**
131 * The default key spec.
132 *
133 * Valid usage: ENCRYPT_DECRYPT
134 */
135 SYMMETRIC_DEFAULT = "SYMMETRIC_DEFAULT",
136 /**
137 * RSA with 2048 bits of key.
138 *
139 * Valid usage: ENCRYPT_DECRYPT and SIGN_VERIFY
140 */
141 RSA_2048 = "RSA_2048",
142 /**
143 * RSA with 3072 bits of key.
144 *
145 * Valid usage: ENCRYPT_DECRYPT and SIGN_VERIFY
146 */
147 RSA_3072 = "RSA_3072",
148 /**
149 * RSA with 4096 bits of key.
150 *
151 * Valid usage: ENCRYPT_DECRYPT and SIGN_VERIFY
152 */
153 RSA_4096 = "RSA_4096",
154 /**
155 * NIST FIPS 186-4, Section 6.4, ECDSA signature using the curve specified by the key and
156 * SHA-256 for the message digest.
157 *
158 * Valid usage: SIGN_VERIFY
159 */
160 ECC_NIST_P256 = "ECC_NIST_P256",
161 /**
162 * NIST FIPS 186-4, Section 6.4, ECDSA signature using the curve specified by the key and
163 * SHA-384 for the message digest.
164 *
165 * Valid usage: SIGN_VERIFY
166 */
167 ECC_NIST_P384 = "ECC_NIST_P384",
168 /**
169 * NIST FIPS 186-4, Section 6.4, ECDSA signature using the curve specified by the key and
170 * SHA-512 for the message digest.
171 *
172 * Valid usage: SIGN_VERIFY
173 */
174 ECC_NIST_P521 = "ECC_NIST_P521",
175 /**
176 * Standards for Efficient Cryptography 2, Section 2.4.1, ECDSA signature on the Koblitz curve.
177 *
178 * Valid usage: SIGN_VERIFY
179 */
180 ECC_SECG_P256K1 = "ECC_SECG_P256K1"
181}
182/**
183 * The key usage, represents the cryptographic operations of keys.
184 */
185export declare enum KeyUsage {
186 /**
187 * Encryption and decryption.
188 */
189 ENCRYPT_DECRYPT = "ENCRYPT_DECRYPT",
190 /**
191 * Signing and verification
192 */
193 SIGN_VERIFY = "SIGN_VERIFY"
194}
195/**
196 * Construction properties for a KMS Key object
197 */
198export interface KeyProps {
199 /**
200 * A description of the key. Use a description that helps your users decide
201 * whether the key is appropriate for a particular task.
202 *
203 * @default - No description.
204 */
205 readonly description?: string;
206 /**
207 * Initial alias to add to the key
208 *
209 * More aliases can be added later by calling `addAlias`.
210 *
211 * @default - No alias is added for the key.
212 */
213 readonly alias?: string;
214 /**
215 * Indicates whether AWS KMS rotates the key.
216 *
217 * @default false
218 */
219 readonly enableKeyRotation?: boolean;
220 /**
221 * Indicates whether the key is available for use.
222 *
223 * @default - Key is enabled.
224 */
225 readonly enabled?: boolean;
226 /**
227 * The cryptographic configuration of the key. The valid value depends on usage of the key.
228 *
229 * IMPORTANT: If you change this property of an existing key, the existing key is scheduled for deletion
230 * and a new key is created with the specified value.
231 *
232 * @default KeySpec.SYMMETRIC_DEFAULT
233 */
234 readonly keySpec?: KeySpec;
235 /**
236 * The cryptographic operations for which the key can be used.
237 *
238 * IMPORTANT: If you change this property of an existing key, the existing key is scheduled for deletion
239 * and a new key is created with the specified value.
240 *
241 * @default KeyUsage.ENCRYPT_DECRYPT
242 */
243 readonly keyUsage?: KeyUsage;
244 /**
245 * Custom policy document to attach to the KMS key.
246 *
247 * NOTE - If the `@aws-cdk/aws-kms:defaultKeyPolicies` feature flag is set (the default for new projects),
248 * this policy will *override* the default key policy and become the only key policy for the key. If the
249 * feature flag is not set, this policy will be appended to the default key policy.
250 *
251 * @default - A policy document with permissions for the account root to
252 * administer the key will be created.
253 */
254 readonly policy?: iam.PolicyDocument;
255 /**
256 * A list of principals to add as key administrators to the key policy.
257 *
258 * Key administrators have permissions to manage the key (e.g., change permissions, revoke), but do not have permissions
259 * to use the key in cryptographic operations (e.g., encrypt, decrypt).
260 *
261 * These principals will be added to the default key policy (if none specified), or to the specified policy (if provided).
262 *
263 * @default []
264 */
265 readonly admins?: iam.IPrincipal[];
266 /**
267 * Whether the encryption key should be retained when it is removed from the Stack. This is useful when one wants to
268 * retain access to data that was encrypted with a key that is being retired.
269 *
270 * @default RemovalPolicy.Retain
271 */
272 readonly removalPolicy?: RemovalPolicy;
273 /**
274 * Whether the key usage can be granted by IAM policies
275 *
276 * Setting this to true adds a default statement which delegates key
277 * access control completely to the identity's IAM policy (similar
278 * to how it works for other AWS resources). This matches the default behavior
279 * when creating KMS keys via the API or console.
280 *
281 * If the `@aws-cdk/aws-kms:defaultKeyPolicies` feature flag is set (the default for new projects),
282 * this flag will always be treated as 'true' and does not need to be explicitly set.
283 *
284 * @default - false, unless the `@aws-cdk/aws-kms:defaultKeyPolicies` feature flag is set.
285 * @see https://docs.aws.amazon.com/kms/latest/developerguide/key-policies.html#key-policy-default-allow-root-enable-iam
286 * @deprecated redundant with the `@aws-cdk/aws-kms:defaultKeyPolicies` feature flag
287 */
288 readonly trustAccountIdentities?: boolean;
289 /**
290 * Specifies the number of days in the waiting period before
291 * AWS KMS deletes a CMK that has been removed from a CloudFormation stack.
292 *
293 * When you remove a customer master key (CMK) from a CloudFormation stack, AWS KMS schedules the CMK for deletion
294 * and starts the mandatory waiting period. The PendingWindowInDays property determines the length of waiting period.
295 * During the waiting period, the key state of CMK is Pending Deletion, which prevents the CMK from being used in
296 * cryptographic operations. When the waiting period expires, AWS KMS permanently deletes the CMK.
297 *
298 * Enter a value between 7 and 30 days.
299 *
300 * @see https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-kms-key.html#cfn-kms-key-pendingwindowindays
301 * @default - 30 days
302 */
303 readonly pendingWindow?: Duration;
304}
305/**
306 * Defines a KMS key.
307 *
308 * @resource AWS::KMS::Key
309 */
310export declare class Key extends KeyBase {
311 /**
312 * Import an externally defined KMS Key using its ARN.
313 *
314 * @param scope the construct that will "own" the imported key.
315 * @param id the id of the imported key in the construct tree.
316 * @param keyArn the ARN of an existing KMS key.
317 */
318 static fromKeyArn(scope: Construct, id: string, keyArn: string): IKey;
319 /**
320 * Create a mutable {@link IKey} based on a low-level {@link CfnKey}.
321 * This is most useful when combined with the cloudformation-include module.
322 * This method is different than {@link fromKeyArn()} because the {@link IKey}
323 * returned from this method is mutable;
324 * meaning, calling any mutating methods on it,
325 * like {@link IKey.addToResourcePolicy()},
326 * will actually be reflected in the resulting template,
327 * as opposed to the object returned from {@link fromKeyArn()},
328 * on which calling those methods would have no effect.
329 */
330 static fromCfnKey(cfnKey: CfnKey): IKey;
331 /**
332 * Import an existing Key by querying the AWS environment this stack is deployed to.
333 *
334 * This function only needs to be used to use Keys not defined in your CDK
335 * application. If you are looking to share a Key between stacks, you can
336 * pass the `Key` object between stacks and use it as normal. In addition,
337 * it's not necessary to use this method if an interface accepts an `IKey`.
338 * In this case, `Alias.fromAliasName()` can be used which returns an alias
339 * that extends `IKey`.
340 *
341 * Calling this method will lead to a lookup when the CDK CLI is executed.
342 * You can therefore not use any values that will only be available at
343 * CloudFormation execution time (i.e., Tokens).
344 *
345 * The Key information will be cached in `cdk.context.json` and the same Key
346 * will be used on future runs. To refresh the lookup, you will have to
347 * evict the value from the cache using the `cdk context` command. See
348 * https://docs.aws.amazon.com/cdk/latest/guide/context.html for more information.
349 */
350 static fromLookup(scope: Construct, id: string, options: KeyLookupOptions): IKey;
351 readonly keyArn: string;
352 readonly keyId: string;
353 protected readonly policy?: iam.PolicyDocument;
354 protected readonly trustAccountIdentities: boolean;
355 constructor(scope: Construct, id: string, props?: KeyProps);
356 /**
357 * Grant admins permissions using this key to the given principal
358 *
359 * Key administrators have permissions to manage the key (e.g., change permissions, revoke), but do not have permissions
360 * to use the key in cryptographic operations (e.g., encrypt, decrypt).
361 */
362 grantAdmin(grantee: iam.IGrantable): iam.Grant;
363 /**
364 * Adds the default key policy to the key. This policy gives the AWS account (root user) full access to the CMK,
365 * which reduces the risk of the CMK becoming unmanageable and enables IAM policies to allow access to the CMK.
366 * This is the same policy that is default when creating a Key via the KMS API or Console.
367 * @see https://docs.aws.amazon.com/kms/latest/developerguide/key-policies.html#key-policy-default
368 */
369 private addDefaultAdminPolicy;
370 /**
371 * Grants the account admin privileges -- not full account access -- plus the GenerateDataKey action.
372 * The GenerateDataKey action was added for interop with S3 in https://github.com/aws/aws-cdk/issues/3458.
373 *
374 * This policy is discouraged and deprecated by the `@aws-cdk/aws-kms:defaultKeyPolicies` feature flag.
375 *
376 * @link https://docs.aws.amazon.com/kms/latest/developerguide/key-policies.html#key-policy-default
377 * @deprecated
378 */
379 private addLegacyAdminPolicy;
380}
381export {};