Metadata-Version: 2.1
Name: aws-cdk.aws-kms
Version: 1.58.0
Summary: CDK Constructs for AWS KMS
Home-page: https://github.com/aws/aws-cdk
Author: Amazon Web Services
License: Apache-2.0
Project-URL: Source, https://github.com/aws/aws-cdk.git
Description: ## AWS Key Management Service Construct Library
        
        <!--BEGIN STABILITY BANNER-->---
        
        
        ![cfn-resources: Stable](https://img.shields.io/badge/cfn--resources-stable-success.svg?style=for-the-badge)
        
        ![cdk-constructs: Stable](https://img.shields.io/badge/cdk--constructs-stable-success.svg?style=for-the-badge)
        
        ---
        <!--END STABILITY BANNER-->
        
        Define a KMS key:
        
        ```python
        # Example automatically generated without compilation. See https://github.com/aws/jsii/issues/826
        import aws_cdk.aws_kms as kms
        
        kms.Key(self, "MyKey",
            enable_key_rotation=True
        )
        ```
        
        Add a couple of aliases:
        
        ```python
        # Example automatically generated without compilation. See https://github.com/aws/jsii/issues/826
        key = kms.Key(self, "MyKey")
        key.add_alias("alias/foo")
        key.add_alias("alias/bar")
        ```
        
        ### Sharing keys between stacks
        
        > see Trust Account Identities for additional details
        
        To use a KMS key in a different stack in the same CDK application,
        pass the construct to the other stack:
        
        ```python
        # Example automatically generated. See https://github.com/aws/jsii/issues/826
        #
        # Stack that defines the key
        #
        class KeyStack(cdk.Stack):
        
            def __init__(self, scope, id, *, description=None, env=None, stackName=None, tags=None, synthesizer=None, terminationProtection=None):
                super().__init__(scope, id, description=description, env=env, stackName=stackName, tags=tags, synthesizer=synthesizer, terminationProtection=terminationProtection)
                self.key = kms.Key(self, "MyKey", removal_policy=cdk.RemovalPolicy.DESTROY)
        
        #
        # Stack that uses the key
        #
        class UseStack(cdk.Stack):
            def __init__(self, scope, id, *, key, description=None, env=None, stackName=None, tags=None, synthesizer=None, terminationProtection=None):
                super().__init__(scope, id, key=key, description=description, env=env, stackName=stackName, tags=tags, synthesizer=synthesizer, terminationProtection=terminationProtection)
        
                # Use the IKey object here.
                kms.Alias(self, "Alias",
                    alias_name="alias/foo",
                    target_key=key
                )
        
        key_stack = KeyStack(app, "KeyStack")
        UseStack(app, "UseStack", key=key_stack.key)
        ```
        
        ### Importing existing keys
        
        > see Trust Account Identities for additional details
        
        To use a KMS key that is not defined in this CDK app, but is created through other means, use
        `Key.fromKeyArn(parent, name, ref)`:
        
        ```python
        # Example automatically generated without compilation. See https://github.com/aws/jsii/issues/826
        my_key_imported = kms.Key.from_key_arn(self, "MyImportedKey", "arn:aws:...")
        
        # you can do stuff with this imported key.
        my_key_imported.add_alias("alias/foo")
        ```
        
        Note that a call to `.addToPolicy(statement)` on `myKeyImported` will not have
        an affect on the key's policy because it is not owned by your stack. The call
        will be a no-op.
        
        If a Key has an associated Alias, the Alias can be imported by name and used in place
        of the Key as a reference. A common scenario for this is in referencing AWS managed keys.
        
        ```python
        # Example automatically generated without compilation. See https://github.com/aws/jsii/issues/826
        my_key_alias = kms.Alias.from_alias_name(self, "myKey", "alias/aws/s3")
        trail = cloudtrail.Trail(self, "myCloudTrail",
            send_to_cloud_watch_logs=True,
            kms_key=my_key_alias
        )
        ```
        
        Note that calls to `addToResourcePolicy` and `grant*` methods on `myKeyAlias` will be
        no-ops, and `addAlias` and `aliasTargetKey` will fail, as the imported alias does not
        have a reference to the underlying KMS Key.
        
        ### Trust Account Identities
        
        KMS keys can be created to trust IAM policies. This is the default behavior in
        the console and is described
        [here](https://docs.aws.amazon.com/kms/latest/developerguide/key-policies.html).
        This same behavior can be enabled by:
        
        ```python
        # Example automatically generated without compilation. See https://github.com/aws/jsii/issues/826
        Key(stack, "MyKey", trust_account_identities=True)
        ```
        
        Using `trustAccountIdentities` solves many issues around cyclic dependencies
        between stacks. The most common use case is creating an S3 Bucket with CMK
        default encryption which is later accessed by IAM roles in other stacks.
        
        stack-1 (bucket and key created)
        
        ```python
        # Example automatically generated without compilation. See https://github.com/aws/jsii/issues/826
        # ... snip
        my_kms_key = kms.Key(self, "MyKey", trust_account_identities=True)
        
        bucket = Bucket(self, "MyEncryptedBucket",
            bucket_name="myEncryptedBucket",
            encryption=BucketEncryption.KMS,
            encryption_key=my_kms_key
        )
        ```
        
        stack-2 (lambda that operates on bucket and key)
        
        ```python
        # Example automatically generated without compilation. See https://github.com/aws/jsii/issues/826
        # ... snip
        
        fn = lambda.Function(self, "MyFunction",
            runtime=lambda.Runtime.NODEJS_10_X,
            handler="index.handler",
            code=lambda.Code.from_asset(path.join(__dirname, "lambda-handler"))
        )
        
        bucket = s3.Bucket.from_bucket_name(self, "BucketId", "myEncryptedBucket")
        
        key = kms.Key.from_key_arn(self, "KeyId", "arn:aws:...")# key ARN passed via stack props
        
        bucket.grant_read_write(fn)
        key.grant_encrypt_decrypt(fn)
        ```
        
        The challenge in this scenario is the KMS key policy behavior. The simple way to understand
        this, is IAM policies for account entities can only grant the permissions granted to the
        account root principle in the key policy. When `trustAccountIdentities` is true,
        the following policy statement is added:
        
        ```json
        {
          "Sid": "Enable IAM User Permissions",
          "Effect": "Allow",
          "Principal": {"AWS": "arn:aws:iam::111122223333:root"},
          "Action": "kms:*",
          "Resource": "*"
        }
        ```
        
        As the name suggests this trusts IAM policies to control access to the key.
        If account root does not have permissions to the specific actions, then the key
        policy and the IAM policy for the entity (e.g. Lambda) both need to grant
        permission.
        
Platform: UNKNOWN
Classifier: Intended Audience :: Developers
Classifier: Operating System :: OS Independent
Classifier: Programming Language :: JavaScript
Classifier: Programming Language :: Python :: 3 :: Only
Classifier: Programming Language :: Python :: 3.6
Classifier: Programming Language :: Python :: 3.7
Classifier: Programming Language :: Python :: 3.8
Classifier: Typing :: Typed
Classifier: Development Status :: 5 - Production/Stable
Classifier: License :: OSI Approved
Requires-Python: >=3.6
Description-Content-Type: text/markdown
