import { AccessLevelList } from '../../shared/access-level'; import { PolicyStatement, Operator } from '../../shared'; import { aws_iam as iam } from "aws-cdk-lib"; /** * Statement provider for service [kms](https://docs.aws.amazon.com/service-authorization/latest/reference/list_awskeymanagementservice.html). * * @param sid [SID](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_elements_sid.html) of the statement */ export declare class Kms extends PolicyStatement { servicePrefix: string; /** * Controls permission to cancel the scheduled deletion of an AWS KMS key * * Access Level: Write * * Possible conditions: * - .ifCallerAccount() * - .ifViaService() * * https://docs.aws.amazon.com/kms/latest/APIReference/API_CancelKeyDeletion.html */ toCancelKeyDeletion(): this; /** * Controls permission to connect or reconnect a custom key store to its associated AWS CloudHSM cluster or external key manager outside of AWS * * Access Level: Write * * Possible conditions: * - .ifCallerAccount() * * https://docs.aws.amazon.com/kms/latest/APIReference/API_ConnectCustomKeyStore.html */ toConnectCustomKeyStore(): this; /** * Controls permission to create an alias for an AWS KMS key. Aliases are optional friendly names that you can associate with KMS keys * * Access Level: Write * * Possible conditions: * - .ifCallerAccount() * - .ifViaService() * * https://docs.aws.amazon.com/kms/latest/APIReference/API_CreateAlias.html */ toCreateAlias(): this; /** * Controls permission to create a custom key store that is backed by an AWS CloudHSM cluster or an external key manager outside of AWS * * Access Level: Write * * Possible conditions: * - .ifCallerAccount() * * Dependent actions: * - cloudhsm:DescribeClusters * - iam:CreateServiceLinkedRole * * https://docs.aws.amazon.com/kms/latest/APIReference/API_CreateCustomKeyStore.html */ toCreateCustomKeyStore(): this; /** * Controls permission to add a grant to an AWS KMS key. You can use grants to add permissions without changing the key policy or IAM policy * * Access Level: Permissions management * * Possible conditions: * - .ifCallerAccount() * - .ifEncryptionContext() * - .ifEncryptionContextKeys() * - .ifGrantConstraintType() * - .ifGranteePrincipal() * - .ifGrantIsForAWSResource() * - .ifGrantOperations() * - .ifRetiringPrincipal() * - .ifViaService() * * https://docs.aws.amazon.com/kms/latest/APIReference/API_CreateGrant.html */ toCreateGrant(): this; /** * Controls permission to create an AWS KMS key that can be used to protect data keys and other sensitive information * * Access Level: Write * * Possible conditions: * - .ifAwsResourceTag() * - .ifAwsRequestTag() * - .ifAwsTagKeys() * - .ifBypassPolicyLockoutSafetyCheck() * - .ifCallerAccount() * - .ifKeySpec() * - .ifKeyUsage() * - .ifKeyOrigin() * - .ifMultiRegion() * - .ifMultiRegionKeyType() * - .ifViaService() * * Dependent actions: * - iam:CreateServiceLinkedRole * - kms:PutKeyPolicy * - kms:TagResource * * https://docs.aws.amazon.com/kms/latest/APIReference/API_CreateKey.html */ toCreateKey(): this; /** * Controls permission to decrypt ciphertext that was encrypted under an AWS KMS key * * Access Level: Write * * Possible conditions: * - .ifCallerAccount() * - .ifEncryptionAlgorithm() * - .ifEncryptionContext() * - .ifEncryptionContextKeys() * - .ifRecipientAttestation() * - .ifRecipientAttestation() * - .ifRecipientAttestation() * - .ifRecipientAttestation() * - .ifRecipientAttestation() * - .ifRecipientAttestation() * - .ifRecipientAttestation() * - .ifRecipientAttestation() * - .ifRecipientAttestation() * - .ifRecipientAttestation() * - .ifRecipientAttestation() * - .ifRecipientAttestation() * - .ifRecipientAttestation() * - .ifRecipientAttestation() * - .ifRecipientAttestation() * - .ifRecipientAttestation() * - .ifRecipientAttestation() * - .ifRecipientAttestation() * - .ifRecipientAttestation() * - .ifRecipientAttestation() * - .ifRecipientAttestation() * - .ifRecipientAttestation() * - .ifRecipientAttestation() * - .ifRecipientAttestation() * - .ifRecipientAttestation() * - .ifRecipientAttestation() * - .ifRecipientAttestation() * - .ifRecipientAttestation() * - .ifRecipientAttestation() * - .ifRecipientAttestation() * - .ifRecipientAttestation() * - .ifRecipientAttestation() * - .ifRecipientAttestation() * - .ifRequestAlias() * - .ifViaService() * * https://docs.aws.amazon.com/kms/latest/APIReference/API_Decrypt.html */ toDecrypt(): this; /** * Controls permission to delete an alias. Aliases are optional friendly names that you can associate with AWS KMS keys * * Access Level: Write * * Possible conditions: * - .ifCallerAccount() * - .ifViaService() * * https://docs.aws.amazon.com/kms/latest/APIReference/API_DeleteAlias.html */ toDeleteAlias(): this; /** * Controls permission to delete a custom key store * * Access Level: Write * * Possible conditions: * - .ifCallerAccount() * * https://docs.aws.amazon.com/kms/latest/APIReference/API_DeleteCustomKeyStore.html */ toDeleteCustomKeyStore(): this; /** * Controls permission to delete cryptographic material that you imported into an AWS KMS key. This action makes the key unusable * * Access Level: Write * * Possible conditions: * - .ifCallerAccount() * - .ifViaService() * * https://docs.aws.amazon.com/kms/latest/APIReference/API_DeleteImportedKeyMaterial.html */ toDeleteImportedKeyMaterial(): this; /** * Controls permission to use the specified AWS KMS key to derive shared secrets * * Access Level: Write * * Possible conditions: * - .ifCallerAccount() * - .ifKeyAgreementAlgorithm() * - .ifRecipientAttestation() * - .ifRecipientAttestation() * - .ifRecipientAttestation() * - .ifRecipientAttestation() * - .ifRecipientAttestation() * - .ifRecipientAttestation() * - .ifRecipientAttestation() * - .ifRecipientAttestation() * - .ifRecipientAttestation() * - .ifRecipientAttestation() * - .ifRecipientAttestation() * - .ifRecipientAttestation() * - .ifRecipientAttestation() * - .ifRecipientAttestation() * - .ifRecipientAttestation() * - .ifRecipientAttestation() * - .ifRecipientAttestation() * - .ifRecipientAttestation() * - .ifRecipientAttestation() * - .ifRecipientAttestation() * - .ifRecipientAttestation() * - .ifRecipientAttestation() * - .ifRecipientAttestation() * - .ifRecipientAttestation() * - .ifRecipientAttestation() * - .ifRecipientAttestation() * - .ifRecipientAttestation() * - .ifRecipientAttestation() * - .ifRecipientAttestation() * - .ifRecipientAttestation() * - .ifRecipientAttestation() * - .ifRecipientAttestation() * - .ifRecipientAttestation() * - .ifRequestAlias() * - .ifViaService() * * https://docs.aws.amazon.com/kms/latest/APIReference/API_DeriveSharedSecret.html */ toDeriveSharedSecret(): this; /** * Controls permission to view detailed information about custom key stores in the account and region * * Access Level: Read * * Possible conditions: * - .ifCallerAccount() * * https://docs.aws.amazon.com/kms/latest/APIReference/API_DescribeCustomKeyStores.html */ toDescribeCustomKeyStores(): this; /** * Controls permission to view detailed information about an AWS KMS key * * Access Level: Read * * Possible conditions: * - .ifCallerAccount() * - .ifRequestAlias() * - .ifViaService() * * https://docs.aws.amazon.com/kms/latest/APIReference/API_DescribeKey.html */ toDescribeKey(): this; /** * Controls permission to disable an AWS KMS key, which prevents it from being used in cryptographic operations * * Access Level: Write * * Possible conditions: * - .ifCallerAccount() * - .ifViaService() * * https://docs.aws.amazon.com/kms/latest/APIReference/API_DisableKey.html */ toDisableKey(): this; /** * Controls permission to disable automatic rotation of a customer managed AWS KMS key * * Access Level: Write * * Possible conditions: * - .ifCallerAccount() * - .ifViaService() * * https://docs.aws.amazon.com/kms/latest/APIReference/API_DisableKeyRotation.html */ toDisableKeyRotation(): this; /** * Controls permission to disconnect the custom key store from its associated AWS CloudHSM cluster or external key manager outside of AWS * * Access Level: Write * * Possible conditions: * - .ifCallerAccount() * * https://docs.aws.amazon.com/kms/latest/APIReference/API_DisconnectCustomKeyStore.html */ toDisconnectCustomKeyStore(): this; /** * Controls permission to change the state of an AWS KMS key to enabled. This allows the KMS key to be used in cryptographic operations * * Access Level: Write * * Possible conditions: * - .ifCallerAccount() * - .ifViaService() * * https://docs.aws.amazon.com/kms/latest/APIReference/API_EnableKey.html */ toEnableKey(): this; /** * Controls permission to enable automatic rotation of the cryptographic material in an AWS KMS key * * Access Level: Write * * Possible conditions: * - .ifCallerAccount() * - .ifRotationPeriodInDays() * - .ifViaService() * * https://docs.aws.amazon.com/kms/latest/APIReference/API_EnableKeyRotation.html */ toEnableKeyRotation(): this; /** * Controls permission to use the specified AWS KMS key to encrypt data and data keys * * Access Level: Write * * Possible conditions: * - .ifCallerAccount() * - .ifEncryptionAlgorithm() * - .ifEncryptionContext() * - .ifEncryptionContextKeys() * - .ifRequestAlias() * - .ifViaService() * * https://docs.aws.amazon.com/kms/latest/APIReference/API_Encrypt.html */ toEncrypt(): this; /** * Controls permission to use the AWS KMS key to generate data keys. You can use the data keys to encrypt data outside of AWS KMS * * Access Level: Write * * Possible conditions: * - .ifCallerAccount() * - .ifEncryptionAlgorithm() * - .ifEncryptionContext() * - .ifEncryptionContextKeys() * - .ifRecipientAttestation() * - .ifRecipientAttestation() * - .ifRecipientAttestation() * - .ifRecipientAttestation() * - .ifRecipientAttestation() * - .ifRecipientAttestation() * - .ifRecipientAttestation() * - .ifRecipientAttestation() * - .ifRecipientAttestation() * - .ifRecipientAttestation() * - .ifRecipientAttestation() * - .ifRecipientAttestation() * - .ifRecipientAttestation() * - .ifRecipientAttestation() * - .ifRecipientAttestation() * - .ifRecipientAttestation() * - .ifRecipientAttestation() * - .ifRecipientAttestation() * - .ifRecipientAttestation() * - .ifRecipientAttestation() * - .ifRecipientAttestation() * - .ifRecipientAttestation() * - .ifRecipientAttestation() * - .ifRecipientAttestation() * - .ifRecipientAttestation() * - .ifRecipientAttestation() * - .ifRecipientAttestation() * - .ifRecipientAttestation() * - .ifRecipientAttestation() * - .ifRecipientAttestation() * - .ifRecipientAttestation() * - .ifRecipientAttestation() * - .ifRecipientAttestation() * - .ifRequestAlias() * - .ifViaService() * * https://docs.aws.amazon.com/kms/latest/APIReference/API_GenerateDataKey.html */ toGenerateDataKey(): this; /** * Controls permission to use the AWS KMS key to generate data key pairs * * Access Level: Write * * Possible conditions: * - .ifCallerAccount() * - .ifDataKeyPairSpec() * - .ifEncryptionAlgorithm() * - .ifEncryptionContext() * - .ifEncryptionContextKeys() * - .ifRecipientAttestation() * - .ifRecipientAttestation() * - .ifRecipientAttestation() * - .ifRecipientAttestation() * - .ifRecipientAttestation() * - .ifRecipientAttestation() * - .ifRecipientAttestation() * - .ifRecipientAttestation() * - .ifRecipientAttestation() * - .ifRecipientAttestation() * - .ifRecipientAttestation() * - .ifRecipientAttestation() * - .ifRecipientAttestation() * - .ifRecipientAttestation() * - .ifRecipientAttestation() * - .ifRecipientAttestation() * - .ifRecipientAttestation() * - .ifRecipientAttestation() * - .ifRecipientAttestation() * - .ifRecipientAttestation() * - .ifRecipientAttestation() * - .ifRecipientAttestation() * - .ifRecipientAttestation() * - .ifRecipientAttestation() * - .ifRecipientAttestation() * - .ifRecipientAttestation() * - .ifRecipientAttestation() * - .ifRecipientAttestation() * - .ifRecipientAttestation() * - .ifRecipientAttestation() * - .ifRecipientAttestation() * - .ifRecipientAttestation() * - .ifRecipientAttestation() * - .ifRequestAlias() * - .ifViaService() * * https://docs.aws.amazon.com/kms/latest/APIReference/API_GenerateDataKeyPair.html */ toGenerateDataKeyPair(): this; /** * Controls permission to use the AWS KMS key to generate data key pairs. Unlike the GenerateDataKeyPair operation, this operation returns an encrypted private key without a plaintext copy * * Access Level: Write * * Possible conditions: * - .ifCallerAccount() * - .ifDataKeyPairSpec() * - .ifEncryptionAlgorithm() * - .ifEncryptionContext() * - .ifEncryptionContextKeys() * - .ifRequestAlias() * - .ifViaService() * * https://docs.aws.amazon.com/kms/latest/APIReference/API_GenerateDataKeyPairWithoutPlaintext.html */ toGenerateDataKeyPairWithoutPlaintext(): this; /** * Controls permission to use the AWS KMS key to generate a data key. Unlike the GenerateDataKey operation, this operation returns an encrypted data key without a plaintext version of the data key * * Access Level: Write * * Possible conditions: * - .ifCallerAccount() * - .ifEncryptionAlgorithm() * - .ifEncryptionContext() * - .ifEncryptionContextKeys() * - .ifRequestAlias() * - .ifViaService() * * https://docs.aws.amazon.com/kms/latest/APIReference/API_GenerateDataKeyWithoutPlaintext.html */ toGenerateDataKeyWithoutPlaintext(): this; /** * Controls permission to use the AWS KMS key to generate message authentication codes * * Access Level: Write * * Possible conditions: * - .ifCallerAccount() * - .ifMacAlgorithm() * - .ifRequestAlias() * - .ifViaService() * * https://docs.aws.amazon.com/kms/latest/APIReference/API_GenerateMac.html */ toGenerateMac(): this; /** * Controls permission to get a cryptographically secure random byte string from AWS KMS * * Access Level: Write * * Possible conditions: * - .ifRecipientAttestation() * - .ifRecipientAttestation() * - .ifRecipientAttestation() * - .ifRecipientAttestation() * - .ifRecipientAttestation() * - .ifRecipientAttestation() * - .ifRecipientAttestation() * - .ifRecipientAttestation() * - .ifRecipientAttestation() * - .ifRecipientAttestation() * - .ifRecipientAttestation() * - .ifRecipientAttestation() * - .ifRecipientAttestation() * - .ifRecipientAttestation() * - .ifRecipientAttestation() * - .ifRecipientAttestation() * - .ifRecipientAttestation() * - .ifRecipientAttestation() * - .ifRecipientAttestation() * - .ifRecipientAttestation() * - .ifRecipientAttestation() * - .ifRecipientAttestation() * - .ifRecipientAttestation() * - .ifRecipientAttestation() * - .ifRecipientAttestation() * - .ifRecipientAttestation() * - .ifRecipientAttestation() * - .ifRecipientAttestation() * - .ifRecipientAttestation() * - .ifRecipientAttestation() * - .ifRecipientAttestation() * - .ifRecipientAttestation() * - .ifRecipientAttestation() * * https://docs.aws.amazon.com/kms/latest/APIReference/API_GenerateRandom.html */ toGenerateRandom(): this; /** * Controls permission to view the key policy for the specified AWS KMS key * * Access Level: Read * * Possible conditions: * - .ifCallerAccount() * - .ifViaService() * * https://docs.aws.amazon.com/kms/latest/APIReference/API_GetKeyPolicy.html */ toGetKeyPolicy(): this; /** * Controls permission to view the key rotation status for an AWS KMS key * * Access Level: Read * * Possible conditions: * - .ifCallerAccount() * - .ifViaService() * * https://docs.aws.amazon.com/kms/latest/APIReference/API_GetKeyRotationStatus.html */ toGetKeyRotationStatus(): this; /** * Controls permission to get data that is required to import cryptographic material into a customer managed key, including a public key and import token * * Access Level: Read * * Possible conditions: * - .ifCallerAccount() * - .ifViaService() * - .ifWrappingAlgorithm() * - .ifWrappingKeySpec() * * https://docs.aws.amazon.com/kms/latest/APIReference/API_GetParametersForImport.html */ toGetParametersForImport(): this; /** * Controls permission to download the public key of an asymmetric AWS KMS key * * Access Level: Read * * Possible conditions: * - .ifCallerAccount() * - .ifRequestAlias() * - .ifViaService() * * https://docs.aws.amazon.com/kms/latest/APIReference/API_GetPublicKey.html */ toGetPublicKey(): this; /** * Controls permission to import cryptographic material into an AWS KMS key * * Access Level: Write * * Possible conditions: * - .ifCallerAccount() * - .ifExpirationModel() * - .ifValidTo() * - .ifViaService() * * https://docs.aws.amazon.com/kms/latest/APIReference/API_ImportKeyMaterial.html */ toImportKeyMaterial(): this; /** * Controls permission to view the aliases that are defined in the account. Aliases are optional friendly names that you can associate with AWS KMS keys * * Access Level: List * * https://docs.aws.amazon.com/kms/latest/APIReference/API_ListAliases.html */ toListAliases(): this; /** * Controls permission to view all grants for an AWS KMS key * * Access Level: List * * Possible conditions: * - .ifCallerAccount() * - .ifGrantIsForAWSResource() * - .ifViaService() * * https://docs.aws.amazon.com/kms/latest/APIReference/API_ListGrants.html */ toListGrants(): this; /** * Controls permission to view the names of key policies for an AWS KMS key * * Access Level: List * * Possible conditions: * - .ifCallerAccount() * - .ifViaService() * * https://docs.aws.amazon.com/kms/latest/APIReference/API_ListKeyPolicies.html */ toListKeyPolicies(): this; /** * Controls permission to view the list of completed key rotations for an AWS KMS key * * Access Level: List * * Possible conditions: * - .ifCallerAccount() * - .ifViaService() * * https://docs.aws.amazon.com/kms/latest/APIReference/API_ListKeyRotations.html */ toListKeyRotations(): this; /** * Controls permission to view the key ID and Amazon Resource Name (ARN) of all AWS KMS keys in the account * * Access Level: List * * https://docs.aws.amazon.com/kms/latest/APIReference/API_ListKeys.html */ toListKeys(): this; /** * Controls permission to view all tags that are attached to an AWS KMS key * * Access Level: List * * Possible conditions: * - .ifCallerAccount() * - .ifViaService() * * https://docs.aws.amazon.com/kms/latest/APIReference/API_ListResourceTags.html */ toListResourceTags(): this; /** * Controls permission to view grants in which the specified principal is the retiring principal. Other principals might be able to retire the grant and this principal might be able to retire other grants * * Access Level: List * * https://docs.aws.amazon.com/kms/latest/APIReference/API_ListRetirableGrants.html */ toListRetirableGrants(): this; /** * Controls permission to replace the key policy for the specified AWS KMS key * * Access Level: Permissions management * * Possible conditions: * - .ifBypassPolicyLockoutSafetyCheck() * - .ifCallerAccount() * - .ifViaService() * * https://docs.aws.amazon.com/kms/latest/APIReference/API_PutKeyPolicy.html */ toPutKeyPolicy(): this; /** * Controls permission to decrypt data as part of the process that decrypts and reencrypts the data within AWS KMS * * Access Level: Write * * Possible conditions: * - .ifCallerAccount() * - .ifEncryptionAlgorithm() * - .ifEncryptionContext() * - .ifEncryptionContextKeys() * - .ifReEncryptOnSameKey() * - .ifRequestAlias() * - .ifViaService() * * https://docs.aws.amazon.com/kms/latest/APIReference/API_ReEncrypt.html */ toReEncryptFrom(): this; /** * Controls permission to encrypt data as part of the process that decrypts and reencrypts the data within AWS KMS * * Access Level: Write * * Possible conditions: * - .ifCallerAccount() * - .ifEncryptionAlgorithm() * - .ifEncryptionContext() * - .ifEncryptionContextKeys() * - .ifReEncryptOnSameKey() * - .ifRequestAlias() * - .ifViaService() * * https://docs.aws.amazon.com/kms/latest/APIReference/API_ReEncrypt.html */ toReEncryptTo(): this; /** * Controls permission to replicate a multi-Region primary key * * Access Level: Write * * Possible conditions: * - .ifCallerAccount() * - .ifReplicaRegion() * - .ifViaService() * * Dependent actions: * - iam:CreateServiceLinkedRole * - kms:CreateKey * - kms:PutKeyPolicy * - kms:TagResource * * https://docs.aws.amazon.com/kms/latest/APIReference/API_ReplicateKey.html */ toReplicateKey(): this; /** * Controls permission to retire a grant. The RetireGrant operation is typically called by the grant user after they complete the tasks that the grant allowed them to perform * * Access Level: Permissions management * * Possible conditions: * - .ifCallerAccount() * - .ifEncryptionContext() * - .ifEncryptionContextKeys() * - .ifGrantConstraintType() * - .ifViaService() * * https://docs.aws.amazon.com/kms/latest/APIReference/API_RetireGrant.html */ toRetireGrant(): this; /** * Controls permission to revoke a grant, which denies permission for all operations that depend on the grant * * Access Level: Permissions management * * Possible conditions: * - .ifCallerAccount() * - .ifGrantIsForAWSResource() * - .ifViaService() * * https://docs.aws.amazon.com/kms/latest/APIReference/API_RevokeGrant.html */ toRevokeGrant(): this; /** * Controls permission to invoke on-demand rotation of the cryptographic material in an AWS KMS key * * Access Level: Write * * Possible conditions: * - .ifCallerAccount() * - .ifViaService() * * https://docs.aws.amazon.com/kms/latest/APIReference/API_RotateKeyOnDemand.html */ toRotateKeyOnDemand(): this; /** * Controls permission to schedule deletion of an AWS KMS key * * Access Level: Write * * Possible conditions: * - .ifCallerAccount() * - .ifScheduleKeyDeletionPendingWindowInDays() * - .ifViaService() * * https://docs.aws.amazon.com/kms/latest/APIReference/API_ScheduleKeyDeletion.html */ toScheduleKeyDeletion(): this; /** * Controls permission to produce a digital signature for a message * * Access Level: Write * * Possible conditions: * - .ifCallerAccount() * - .ifMessageType() * - .ifRequestAlias() * - .ifSigningAlgorithm() * - .ifViaService() * * https://docs.aws.amazon.com/kms/latest/APIReference/API_Sign.html */ toSign(): this; /** * Controls access to internal APIs that synchronize multi-Region keys * * Access Level: Write * * https://docs.aws.amazon.com/kms/latest/developerguide/multi-region-keys-auth.html#multi-region-auth-slr */ toSynchronizeMultiRegionKey(): this; /** * Controls permission to create or update tags that are attached to an AWS KMS key * * Access Level: Tagging * * Possible conditions: * - .ifAwsRequestTag() * - .ifAwsTagKeys() * - .ifCallerAccount() * - .ifViaService() * * https://docs.aws.amazon.com/kms/latest/APIReference/API_TagResource.html */ toTagResource(): this; /** * Controls permission to delete tags that are attached to an AWS KMS key * * Access Level: Tagging * * Possible conditions: * - .ifAwsTagKeys() * - .ifCallerAccount() * - .ifViaService() * * https://docs.aws.amazon.com/kms/latest/APIReference/API_UntagResource.html */ toUntagResource(): this; /** * Controls permission to associate an alias with a different AWS KMS key. An alias is an optional friendly name that you can associate with a KMS key * * Access Level: Write * * Possible conditions: * - .ifCallerAccount() * - .ifViaService() * * https://docs.aws.amazon.com/kms/latest/APIReference/API_UpdateAlias.html */ toUpdateAlias(): this; /** * Controls permission to change the properties of a custom key store * * Access Level: Write * * Possible conditions: * - .ifCallerAccount() * * https://docs.aws.amazon.com/kms/latest/APIReference/API_UpdateCustomKeyStore.html */ toUpdateCustomKeyStore(): this; /** * Controls permission to delete or change the description of an AWS KMS key * * Access Level: Write * * Possible conditions: * - .ifCallerAccount() * - .ifViaService() * * https://docs.aws.amazon.com/kms/latest/APIReference/API_UpdateKeyDescription.html */ toUpdateKeyDescription(): this; /** * Controls permission to update the primary Region of a multi-Region primary key * * Access Level: Write * * Possible conditions: * - .ifCallerAccount() * - .ifPrimaryRegion() * - .ifViaService() * * https://docs.aws.amazon.com/kms/latest/APIReference/API_UpdatePrimaryRegion.html */ toUpdatePrimaryRegion(): this; /** * Controls permission to use the specified AWS KMS key to verify digital signatures * * Access Level: Write * * Possible conditions: * - .ifCallerAccount() * - .ifMessageType() * - .ifRequestAlias() * - .ifSigningAlgorithm() * - .ifViaService() * * https://docs.aws.amazon.com/kms/latest/APIReference/API_Verify.html */ toVerify(): this; /** * Controls permission to use the AWS KMS key to verify message authentication codes * * Access Level: Write * * Possible conditions: * - .ifCallerAccount() * - .ifMacAlgorithm() * - .ifRequestAlias() * - .ifViaService() * * https://docs.aws.amazon.com/kms/latest/APIReference/API_VerifyMac.html */ toVerifyMac(): this; protected accessLevelList: AccessLevelList; /** * Adds a resource of type alias to the statement * * https://docs.aws.amazon.com/kms/latest/developerguide/concepts.html#alias-concept * * @param alias - Identifier for the alias. * @param account - Account of the resource; defaults to `*`, unless using the CDK, where the default is the current Stack's account. * @param region - Region of the resource; defaults to `*`, unless using the CDK, where the default is the current Stack's region. * @param partition - Partition of the AWS account [aws, aws-cn, aws-us-gov]; defaults to `aws`, unless using the CDK, where the default is the current Stack's partition. */ onAlias(alias: string, account?: string, region?: string, partition?: string): this; /** * Adds a resource of type key to the statement * * https://docs.aws.amazon.com/kms/latest/developerguide/concepts.html#kms_keys * * @param keyId - Identifier for the keyId. * @param account - Account of the resource; defaults to `*`, unless using the CDK, where the default is the current Stack's account. * @param region - Region of the resource; defaults to `*`, unless using the CDK, where the default is the current Stack's region. * @param partition - Partition of the AWS account [aws, aws-cn, aws-us-gov]; defaults to `aws`, unless using the CDK, where the default is the current Stack's partition. * * Possible conditions: * - .ifAwsResourceTag() * - .ifKeyOrigin() * - .ifKeySpec() * - .ifKeyUsage() * - .ifMultiRegion() * - .ifMultiRegionKeyType() * - .ifResourceAliases() */ onKey(keyId: string, account?: string, region?: string, partition?: string): this; /** * Filters access to the specified AWS KMS operations based on both the key and value of the tag in the request * * https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_condition-keys.html#condition-keys-requesttag * * Applies to actions: * - .toCreateKey() * - .toTagResource() * * @param tagKey The tag key to check * @param value The value(s) to check * @param operator Works with [string operators](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_elements_condition_operators.html#Conditions_String). **Default:** `StringLike` */ ifAwsRequestTag(tagKey: string, value: string | string[], operator?: Operator | string): this; /** * Filters access to the specified AWS KMS operations based on tags assigned to the AWS KMS key * * https://docs.aws.amazon.com/kms/latest/developerguide/tag-authorization.html * * Applies to actions: * - .toCreateKey() * * Applies to resource types: * - key * * @param tagKey The tag key to check * @param value The value(s) to check * @param operator Works with [string operators](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_elements_condition_operators.html#Conditions_String). **Default:** `StringLike` */ ifAwsResourceTag(tagKey: string, value: string | string[], operator?: Operator | string): this; /** * Filters access to the specified AWS KMS operations based on tag keys in the request * * https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_condition-keys.html#condition-keys-tagkeys * * Applies to actions: * - .toCreateKey() * - .toTagResource() * - .toUntagResource() * * @param value The value(s) to check * @param operator Works with [string operators](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_elements_condition_operators.html#Conditions_String). **Default:** `StringLike` */ ifAwsTagKeys(value: string | string[], operator?: Operator | string): this; /** * Filters access to the CreateKey and PutKeyPolicy operations based on the value of the BypassPolicyLockoutSafetyCheck parameter in the request * * https://docs.aws.amazon.com/kms/latest/developerguide/conditions-kms.html#conditions-kms-bypass-policy-lockout-safety-check * * Applies to actions: * - .toCreateKey() * - .toPutKeyPolicy() * * @param value `true` or `false`. **Default:** `true` */ ifBypassPolicyLockoutSafetyCheck(value?: boolean): this; /** * Filters access to specified AWS KMS operations based on the AWS account ID of the caller. You can use this condition key to allow or deny access to all IAM users and roles in an AWS account in a single policy statement * * https://docs.aws.amazon.com/kms/latest/developerguide/conditions-kms.html#conditions-kms-caller-account * * Applies to actions: * - .toCancelKeyDeletion() * - .toConnectCustomKeyStore() * - .toCreateAlias() * - .toCreateCustomKeyStore() * - .toCreateGrant() * - .toCreateKey() * - .toDecrypt() * - .toDeleteAlias() * - .toDeleteCustomKeyStore() * - .toDeleteImportedKeyMaterial() * - .toDeriveSharedSecret() * - .toDescribeCustomKeyStores() * - .toDescribeKey() * - .toDisableKey() * - .toDisableKeyRotation() * - .toDisconnectCustomKeyStore() * - .toEnableKey() * - .toEnableKeyRotation() * - .toEncrypt() * - .toGenerateDataKey() * - .toGenerateDataKeyPair() * - .toGenerateDataKeyPairWithoutPlaintext() * - .toGenerateDataKeyWithoutPlaintext() * - .toGenerateMac() * - .toGetKeyPolicy() * - .toGetKeyRotationStatus() * - .toGetParametersForImport() * - .toGetPublicKey() * - .toImportKeyMaterial() * - .toListGrants() * - .toListKeyPolicies() * - .toListKeyRotations() * - .toListResourceTags() * - .toPutKeyPolicy() * - .toReEncryptFrom() * - .toReEncryptTo() * - .toReplicateKey() * - .toRetireGrant() * - .toRevokeGrant() * - .toRotateKeyOnDemand() * - .toScheduleKeyDeletion() * - .toSign() * - .toTagResource() * - .toUntagResource() * - .toUpdateAlias() * - .toUpdateCustomKeyStore() * - .toUpdateKeyDescription() * - .toUpdatePrimaryRegion() * - .toVerify() * - .toVerifyMac() * * @param value The value(s) to check * @param operator Works with [string operators](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_elements_condition_operators.html#Conditions_String). **Default:** `StringLike` */ ifCallerAccount(value: string | string[], operator?: Operator | string): this; /** * The kms:CustomerMasterKeySpec condition key is deprecated. Instead, use the kms:KeySpec condition key * * https://docs.aws.amazon.com/kms/latest/developerguide/conditions-kms.html#conditions-kms-key-spec-replaced * * @param value The value(s) to check * @param operator Works with [string operators](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_elements_condition_operators.html#Conditions_String). **Default:** `StringLike` */ ifCustomerMasterKeySpec(value: string | string[], operator?: Operator | string): this; /** * The kms:CustomerMasterKeyUsage condition key is deprecated. Instead, use the kms:KeyUsage condition key * * https://docs.aws.amazon.com/kms/latest/developerguide/conditions-kms.html#conditions-kms-key-usage-replaced * * @param value The value(s) to check * @param operator Works with [string operators](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_elements_condition_operators.html#Conditions_String). **Default:** `StringLike` */ ifCustomerMasterKeyUsage(value: string | string[], operator?: Operator | string): this; /** * Filters access to GenerateDataKeyPair and GenerateDataKeyPairWithoutPlaintext operations based on the value of the KeyPairSpec parameter in the request * * https://docs.aws.amazon.com/kms/latest/developerguide/conditions-kms.html#conditions-kms-data-key-pair-spec * * Applies to actions: * - .toGenerateDataKeyPair() * - .toGenerateDataKeyPairWithoutPlaintext() * * @param value The value(s) to check * @param operator Works with [string operators](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_elements_condition_operators.html#Conditions_String). **Default:** `StringLike` */ ifDataKeyPairSpec(value: string | string[], operator?: Operator | string): this; /** * Filters access to encryption operations based on the value of the encryption algorithm in the request * * https://docs.aws.amazon.com/kms/latest/developerguide/conditions-kms.html#conditions-kms-encryption-algorithm * * Applies to actions: * - .toDecrypt() * - .toEncrypt() * - .toGenerateDataKey() * - .toGenerateDataKeyPair() * - .toGenerateDataKeyPairWithoutPlaintext() * - .toGenerateDataKeyWithoutPlaintext() * - .toReEncryptFrom() * - .toReEncryptTo() * * @param value The value(s) to check * @param operator Works with [string operators](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_elements_condition_operators.html#Conditions_String). **Default:** `StringLike` */ ifEncryptionAlgorithm(value: string | string[], operator?: Operator | string): this; /** * Filters access to a symmetric AWS KMS key based on the encryption context in a cryptographic operation. This condition evaluates the key and value in each key-value encryption context pair * * https://docs.aws.amazon.com/kms/latest/developerguide/conditions-kms.html#conditions-kms-encryption-context * * Applies to actions: * - .toCreateGrant() * - .toDecrypt() * - .toEncrypt() * - .toGenerateDataKey() * - .toGenerateDataKeyPair() * - .toGenerateDataKeyPairWithoutPlaintext() * - .toGenerateDataKeyWithoutPlaintext() * - .toReEncryptFrom() * - .toReEncryptTo() * - .toRetireGrant() * * @param value The value(s) to check * @param operator Works with [string operators](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_elements_condition_operators.html#Conditions_String). **Default:** `StringLike` */ ifEncryptionContext(value: string | string[], operator?: Operator | string): this; /** * Filters access to a symmetric AWS KMS key based on the encryption context in a cryptographic operation. This condition key evaluates only the key in each key-value encryption context pair * * https://docs.aws.amazon.com/kms/latest/developerguide/conditions-kms.html#conditions-kms-encryption-context-keys * * Applies to actions: * - .toCreateGrant() * - .toDecrypt() * - .toEncrypt() * - .toGenerateDataKey() * - .toGenerateDataKeyPair() * - .toGenerateDataKeyPairWithoutPlaintext() * - .toGenerateDataKeyWithoutPlaintext() * - .toReEncryptFrom() * - .toReEncryptTo() * - .toRetireGrant() * * @param value The value(s) to check * @param operator Works with [string operators](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_elements_condition_operators.html#Conditions_String). **Default:** `StringLike` */ ifEncryptionContextKeys(value: string | string[], operator?: Operator | string): this; /** * Filters access to the ImportKeyMaterial operation based on the value of the ExpirationModel parameter in the request * * https://docs.aws.amazon.com/kms/latest/developerguide/conditions-kms.html#conditions-kms-expiration-model * * Applies to actions: * - .toImportKeyMaterial() * * @param value The value(s) to check * @param operator Works with [string operators](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_elements_condition_operators.html#Conditions_String). **Default:** `StringLike` */ ifExpirationModel(value: string | string[], operator?: Operator | string): this; /** * Filters access to the CreateGrant operation based on the grant constraint in the request * * https://docs.aws.amazon.com/kms/latest/developerguide/conditions-kms.html#conditions-kms-grant-constraint-type * * Applies to actions: * - .toCreateGrant() * - .toRetireGrant() * * @param value The value(s) to check * @param operator Works with [string operators](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_elements_condition_operators.html#Conditions_String). **Default:** `StringLike` */ ifGrantConstraintType(value: string | string[], operator?: Operator | string): this; /** * Filters access to the CreateGrant operation when the request comes from a specified AWS service * * https://docs.aws.amazon.com/kms/latest/developerguide/conditions-kms.html#conditions-kms-grant-is-for-aws-resource * * Applies to actions: * - .toCreateGrant() * - .toListGrants() * - .toRevokeGrant() * * @param value `true` or `false`. **Default:** `true` */ ifGrantIsForAWSResource(value?: boolean): this; /** * Filters access to the CreateGrant operation based on the operations in the grant * * https://docs.aws.amazon.com/kms/latest/developerguide/conditions-kms.html#conditions-kms-grant-operations * * Applies to actions: * - .toCreateGrant() * * @param value The value(s) to check * @param operator Works with [string operators](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_elements_condition_operators.html#Conditions_String). **Default:** `StringLike` */ ifGrantOperations(value: string | string[], operator?: Operator | string): this; /** * Filters access to the CreateGrant operation based on the grantee principal in the grant * * https://docs.aws.amazon.com/kms/latest/developerguide/conditions-kms.html#conditions-kms-grantee-principal * * Applies to actions: * - .toCreateGrant() * * @param value The value(s) to check * @param operator Works with [string operators](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_elements_condition_operators.html#Conditions_String). **Default:** `StringLike` */ ifGranteePrincipal(value: string | string[], operator?: Operator | string): this; /** * Filters access to the DeriveSharedSecret operation based on the value of the KeyAgreementAlgorithm parameter in the request * * https://docs.aws.amazon.com/kms/latest/developerguide/conditions-kms.html#conditions-kms-key-agreement-algorithm * * Applies to actions: * - .toDeriveSharedSecret() * * @param value The value(s) to check * @param operator Works with [string operators](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_elements_condition_operators.html#Conditions_String). **Default:** `StringLike` */ ifKeyAgreementAlgorithm(value: string | string[], operator?: Operator | string): this; /** * Filters access to an API operation based on the Origin property of the AWS KMS key created by or used in the operation. Use it to qualify authorization of the CreateKey operation or any operation that is authorized for a KMS key * * https://docs.aws.amazon.com/kms/latest/developerguide/conditions-kms.html#conditions-kms-key-origin * * Applies to actions: * - .toCreateKey() * * Applies to resource types: * - key * * @param value The value(s) to check * @param operator Works with [string operators](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_elements_condition_operators.html#Conditions_String). **Default:** `StringLike` */ ifKeyOrigin(value: string | string[], operator?: Operator | string): this; /** * Filters access to an API operation based on the KeySpec property of the AWS KMS key that is created by or used in the operation. Use it to qualify authorization of the CreateKey operation or any operation that is authorized for a KMS key resource * * https://docs.aws.amazon.com/kms/latest/developerguide/conditions-kms.html#conditions-kms-key-spec * * Applies to actions: * - .toCreateKey() * * Applies to resource types: * - key * * @param value The value(s) to check * @param operator Works with [string operators](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_elements_condition_operators.html#Conditions_String). **Default:** `StringLike` */ ifKeySpec(value: string | string[], operator?: Operator | string): this; /** * Filters access to an API operation based on the KeyUsage property of the AWS KMS key created by or used in the operation. Use it to qualify authorization of the CreateKey operation or any operation that is authorized for a KMS key resource * * https://docs.aws.amazon.com/kms/latest/developerguide/conditions-kms.html#conditions-kms-key-usage * * Applies to actions: * - .toCreateKey() * * Applies to resource types: * - key * * @param value The value(s) to check * @param operator Works with [string operators](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_elements_condition_operators.html#Conditions_String). **Default:** `StringLike` */ ifKeyUsage(value: string | string[], operator?: Operator | string): this; /** * Filters access to the GenerateMac and VerifyMac operations based on the MacAlgorithm parameter in the request * * https://docs.aws.amazon.com/kms/latest/developerguide/conditions-kms.html#conditions-kms-mac-algorithm * * Applies to actions: * - .toGenerateMac() * - .toVerifyMac() * * @param value The value(s) to check * @param operator Works with [string operators](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_elements_condition_operators.html#Conditions_String). **Default:** `StringLike` */ ifMacAlgorithm(value: string | string[], operator?: Operator | string): this; /** * Filters access to the Sign and Verify operations based on the value of the MessageType parameter in the request * * https://docs.aws.amazon.com/kms/latest/developerguide/conditions-kms.html#conditions-kms-message-type * * Applies to actions: * - .toSign() * - .toVerify() * * @param value The value(s) to check * @param operator Works with [string operators](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_elements_condition_operators.html#Conditions_String). **Default:** `StringLike` */ ifMessageType(value: string | string[], operator?: Operator | string): this; /** * Filters access to an API operation based on the MultiRegion property of the AWS KMS key created by or used in the operation. Use it to qualify authorization of the CreateKey operation or any operation that is authorized for a KMS key resource * * https://docs.aws.amazon.com/kms/latest/developerguide/conditions-kms.html#conditions-kms-multi-region * * Applies to actions: * - .toCreateKey() * * Applies to resource types: * - key * * @param value `true` or `false`. **Default:** `true` */ ifMultiRegion(value?: boolean): this; /** * Filters access to an API operation based on the MultiRegionKeyType property of the AWS KMS key created by or used in the operation. Use it to qualify authorization of the CreateKey operation or any operation that is authorized for a KMS key resource * * https://docs.aws.amazon.com/kms/latest/developerguide/conditions-kms.html#conditions-kms-multi-region-key-type * * Applies to actions: * - .toCreateKey() * * Applies to resource types: * - key * * @param value The value(s) to check * @param operator Works with [string operators](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_elements_condition_operators.html#Conditions_String). **Default:** `StringLike` */ ifMultiRegionKeyType(value: string | string[], operator?: Operator | string): this; /** * Filters access to the UpdatePrimaryRegion operation based on the value of the PrimaryRegion parameter in the request * * https://docs.aws.amazon.com/kms/latest/developerguide/conditions-kms.html#conditions-kms-primary-region * * Applies to actions: * - .toUpdatePrimaryRegion() * * @param value The value(s) to check * @param operator Works with [string operators](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_elements_condition_operators.html#Conditions_String). **Default:** `StringLike` */ ifPrimaryRegion(value: string | string[], operator?: Operator | string): this; /** * Filters access to the ReEncrypt operation when it uses the same AWS KMS key that was used for the Encrypt operation * * https://docs.aws.amazon.com/kms/latest/developerguide/conditions-kms.html#conditions-kms-reencrypt-on-same-key * * Applies to actions: * - .toReEncryptFrom() * - .toReEncryptTo() * * @param value `true` or `false`. **Default:** `true` */ ifReEncryptOnSameKey(value?: boolean): this; /** * Filters access by the platform configuration register (PCR) 9 in the attestation document in the request. PCR9 is a custom PCR that can be defined by the user for specific use cases * * https://docs.aws.amazon.com/kms/latest/developerguide/conditions-nitro-enclaves.html#conditions-kms-recipient-pcrs * * Applies to actions: * - .toDecrypt() * - .toDeriveSharedSecret() * - .toGenerateDataKey() * - .toGenerateDataKeyPair() * - .toGenerateRandom() * * @param value The value(s) to check * @param operator Works with [string operators](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_elements_condition_operators.html#Conditions_String). **Default:** `StringLike` */ ifRecipientAttestation(value: string | string[], operator?: Operator | string): this; /** * Filters access to the ReplicateKey operation based on the value of the ReplicaRegion parameter in the request * * https://docs.aws.amazon.com/kms/latest/developerguide/conditions-kms.html#conditions-kms-replica-region * * Applies to actions: * - .toReplicateKey() * * @param value The value(s) to check * @param operator Works with [string operators](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_elements_condition_operators.html#Conditions_String). **Default:** `StringLike` */ ifReplicaRegion(value: string | string[], operator?: Operator | string): this; /** * Filters access to cryptographic operations, DescribeKey, and GetPublicKey based on the alias in the request * * https://docs.aws.amazon.com/kms/latest/developerguide/conditions-kms.html#conditions-kms-request-alias * * Applies to actions: * - .toDecrypt() * - .toDeriveSharedSecret() * - .toDescribeKey() * - .toEncrypt() * - .toGenerateDataKey() * - .toGenerateDataKeyPair() * - .toGenerateDataKeyPairWithoutPlaintext() * - .toGenerateDataKeyWithoutPlaintext() * - .toGenerateMac() * - .toGetPublicKey() * - .toReEncryptFrom() * - .toReEncryptTo() * - .toSign() * - .toVerify() * - .toVerifyMac() * * @param value The value(s) to check * @param operator Works with [string operators](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_elements_condition_operators.html#Conditions_String). **Default:** `StringLike` */ ifRequestAlias(value: string | string[], operator?: Operator | string): this; /** * Filters access to specified AWS KMS operations based on aliases associated with the AWS KMS key * * https://docs.aws.amazon.com/kms/latest/developerguide/conditions-kms.html#conditions-kms-resource-aliases * * Applies to resource types: * - key * * @param value The value(s) to check * @param operator Works with [string operators](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_elements_condition_operators.html#Conditions_String). **Default:** `StringLike` */ ifResourceAliases(value: string | string[], operator?: Operator | string): this; /** * Filters access to the CreateGrant operation based on the retiring principal in the grant * * https://docs.aws.amazon.com/kms/latest/developerguide/conditions-kms.html#conditions-kms-retiring-principal * * Applies to actions: * - .toCreateGrant() * * @param value The value(s) to check * @param operator Works with [string operators](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_elements_condition_operators.html#Conditions_String). **Default:** `StringLike` */ ifRetiringPrincipal(value: string | string[], operator?: Operator | string): this; /** * Filters access to the EnableKeyRotation operation based on the value of the RotationPeriodInDays parameter in the request * * https://docs.aws.amazon.com/kms/latest/developerguide/conditions-kms.html#conditions-kms-rotation-period-in-days * * Applies to actions: * - .toEnableKeyRotation() * * @param value The value(s) to check * @param operator Works with [numeric operators](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_elements_condition_operators.html#Conditions_Numeric). **Default:** `NumericEquals` */ ifRotationPeriodInDays(value: number | number[], operator?: Operator | string): this; /** * Filters access to the ScheduleKeyDeletion operation based on the value of the PendingWindowInDays parameter in the request * * https://docs.aws.amazon.com/kms/latest/developerguide/conditions-kms.html#conditions-kms-schedule-key-deletion-pending-window-in-days * * Applies to actions: * - .toScheduleKeyDeletion() * * @param value The value(s) to check * @param operator Works with [numeric operators](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_elements_condition_operators.html#Conditions_Numeric). **Default:** `NumericEquals` */ ifScheduleKeyDeletionPendingWindowInDays(value: number | number[], operator?: Operator | string): this; /** * Filters access to the Sign and Verify operations based on the signing algorithm in the request * * https://docs.aws.amazon.com/kms/latest/developerguide/conditions-kms.html#conditions-kms-signing-algorithm * * Applies to actions: * - .toSign() * - .toVerify() * * @param value The value(s) to check * @param operator Works with [string operators](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_elements_condition_operators.html#Conditions_String). **Default:** `StringLike` */ ifSigningAlgorithm(value: string | string[], operator?: Operator | string): this; /** * Filters access to the ImportKeyMaterial operation based on the value of the ValidTo parameter in the request. You can use this condition key to allow users to import key material only when it expires by the specified date * * https://docs.aws.amazon.com/kms/latest/developerguide/conditions-kms.html#conditions-kms-valid-to * * Applies to actions: * - .toImportKeyMaterial() * * @param value The value(s) to check * @param operator Works with [date operators](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_elements_condition_operators.html#Conditions_Date). **Default:** `DateEquals` */ ifValidTo(value: Date | string | (Date | string)[], operator?: Operator | string): this; /** * Filters access when a request made on the principal's behalf comes from a specified AWS service * * https://docs.aws.amazon.com/kms/latest/developerguide/conditions-kms.html#conditions-kms-via-service * * Applies to actions: * - .toCancelKeyDeletion() * - .toCreateAlias() * - .toCreateGrant() * - .toCreateKey() * - .toDecrypt() * - .toDeleteAlias() * - .toDeleteImportedKeyMaterial() * - .toDeriveSharedSecret() * - .toDescribeKey() * - .toDisableKey() * - .toDisableKeyRotation() * - .toEnableKey() * - .toEnableKeyRotation() * - .toEncrypt() * - .toGenerateDataKey() * - .toGenerateDataKeyPair() * - .toGenerateDataKeyPairWithoutPlaintext() * - .toGenerateDataKeyWithoutPlaintext() * - .toGenerateMac() * - .toGetKeyPolicy() * - .toGetKeyRotationStatus() * - .toGetParametersForImport() * - .toGetPublicKey() * - .toImportKeyMaterial() * - .toListGrants() * - .toListKeyPolicies() * - .toListKeyRotations() * - .toListResourceTags() * - .toPutKeyPolicy() * - .toReEncryptFrom() * - .toReEncryptTo() * - .toReplicateKey() * - .toRetireGrant() * - .toRevokeGrant() * - .toRotateKeyOnDemand() * - .toScheduleKeyDeletion() * - .toSign() * - .toTagResource() * - .toUntagResource() * - .toUpdateAlias() * - .toUpdateKeyDescription() * - .toUpdatePrimaryRegion() * - .toVerify() * - .toVerifyMac() * * @param value The value(s) to check * @param operator Works with [string operators](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_elements_condition_operators.html#Conditions_String). **Default:** `StringLike` */ ifViaService(value: string | string[], operator?: Operator | string): this; /** * Filters access to the GetParametersForImport operation based on the value of the WrappingAlgorithm parameter in the request * * https://docs.aws.amazon.com/kms/latest/developerguide/conditions-kms.html#conditions-kms-wrapping-algorithm * * Applies to actions: * - .toGetParametersForImport() * * @param value The value(s) to check * @param operator Works with [string operators](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_elements_condition_operators.html#Conditions_String). **Default:** `StringLike` */ ifWrappingAlgorithm(value: string | string[], operator?: Operator | string): this; /** * Filters access to the GetParametersForImport operation based on the value of the WrappingKeySpec parameter in the request * * https://docs.aws.amazon.com/kms/latest/developerguide/conditions-kms.html#conditions-kms-wrapping-key-spec * * Applies to actions: * - .toGetParametersForImport() * * @param value The value(s) to check * @param operator Works with [string operators](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_elements_condition_operators.html#Conditions_String). **Default:** `StringLike` */ ifWrappingKeySpec(value: string | string[], operator?: Operator | string): this; /** * Statement provider for service [kms](https://docs.aws.amazon.com/service-authorization/latest/reference/list_awskeymanagementservice.html). * */ constructor(props?: iam.PolicyStatementProps); }