feat(client-kms): This release includes feature to import customer's asymmetric (RSA and ECC) and HMAC keys into KMS. It also includes feature to allow customers to specify number of days to schedule a KMS key deletion as a policy condition key.
* <p>To import your own key material into a KMS key, begin by creating a symmetric
124
-
* encryption KMS key with no key material. To do this, use the <code>Origin</code>
125
-
* parameter of <code>CreateKey</code> with a value of <code>EXTERNAL</code>. Next, use
126
-
* <a>GetParametersForImport</a> operation to get a public key and import
127
-
* token, and use the public key to encrypt your key material. Then, use <a>ImportKeyMaterial</a> with your import token to import the key material. For
128
-
* step-by-step instructions, see <a href="https://docs.aws.amazon.com/kms/latest/developerguide/importing-keys.html">Importing Key Material</a> in the <i>
117
+
* <p>To import your own key material into a KMS key, begin by creating a KMS key with no
118
+
* key material. To do this, use the <code>Origin</code> parameter of
119
+
* <code>CreateKey</code> with a value of <code>EXTERNAL</code>. Next, use <a>GetParametersForImport</a> operation to get a public key and import token. Use
120
+
* the wrapping public key to encrypt your key material. Then, use <a>ImportKeyMaterial</a> with your import token to import the key material. For step-by-step instructions, see
121
+
* <a href="https://docs.aws.amazon.com/kms/latest/developerguide/importing-keys.html">Importing Key Material</a> in the <i>
129
122
* <i>Key Management Service Developer Guide</i>
130
123
* </i>.</p>
131
-
* <p>This feature supports only symmetric encryption KMS keys, including multi-Region
132
-
* symmetric encryption KMS keys. You cannot import key material into any other type of KMS
133
-
* key.</p>
124
+
* <p>You can import key material into KMS keys of all supported KMS key types: symmetric
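Review bot: The added line ending `Importing Key Material</a> in the <i>` re-adds an opening `<i>` that the unchanged next line opens again (`<i>Key Management Service Developer Guide</i>` followed by `</i>.</p>`), so the guide title stays wrapped in nested italics. Since the paragraph is being rewrapped anyway, drop the trailing `<i>` here and the stray `</i>` on the closing line so it matches the single `<i>...</i>` form used in the other doc comments in this commit. In the same paragraph, "Next, use <a>GetParametersForImport</a> operation" is still missing "the" before the operation name.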
* <p>Deletes key material that you previously imported. This operation makes the specified KMS
40
-
* key unusable. For more information about importing key material into KMS, see <a href="https://docs.aws.amazon.com/kms/latest/developerguide/importing-keys.html">Importing Key Material</a>
41
-
* in the <i>Key Management Service Developer Guide</i>. </p>
39
+
* <p>Deletes key material that was previously imported. This operation makes the specified KMS
40
+
* key temporarily unusable. To restore the usability of the KMS key, reimport the same key
41
+
* material. For more information about importing key material into KMS, see <a href="https://docs.aws.amazon.com/kms/latest/developerguide/importing-keys.html">Importing Key Material</a>
42
+
* in the <i>Key Management Service Developer Guide</i>.</p>
42
43
* <p>When the specified KMS key is in the <code>PendingDeletion</code> state, this operation
43
44
* does not change the KMS key's state. Otherwise, it changes the KMS key's state to
44
45
* <code>PendingImport</code>.</p>
45
-
* <p>After you delete key material, you can use <a>ImportKeyMaterial</a> to reimport
46
-
* the same key material into the KMS key.</p>
47
46
* <p>The KMS key that you use for this operation must be in a compatible key state. For
48
47
* details, see <a href="https://docs.aws.amazon.com/kms/latest/developerguide/key-state.html">Key states of KMS keys</a> in the <i>Key Management Service Developer Guide</i>.</p>
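Review bot: The new sentence "To restore the usability of the KMS key, reimport the same key material" no longer names the operation that does the reimport; the removed paragraph linked it as `<a>ImportKeyMaterial</a>`. Keep that link in the new sentence so the restore path is reachable from this doc comment. It would also help to say whether "temporarily unusable" applies when the key is in `PendingDeletion`, since the unchanged sentence that follows says the state is not changed in that case.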
* <p>Returns the items you need to import key material into a symmetric encryption KMS key. For
44
-
* more information about importing key material into KMS, see <a href="https://docs.aws.amazon.com/kms/latest/developerguide/importing-keys.html">Importing key material</a> in the
45
-
* <i>Key Management Service Developer Guide</i>.</p>
46
-
* <p>This operation returns a public key and an import token. Use the public key to encrypt the
47
-
* symmetric key material. Store the import token to send with a subsequent <a>ImportKeyMaterial</a> request.</p>
48
-
* <p>You must specify the key ID of the symmetric encryption KMS key into which you will import
49
-
* key material. The KMS key <code>Origin</code> must be <code>EXTERNAL</code>. You must also
50
-
* specify the wrapping algorithm and type of wrapping key (public key) that you will use to
51
-
* encrypt the key material. You cannot perform this operation on an asymmetric KMS key, an HMAC KMS key, or on any KMS key in a different Amazon Web Services account.</p>
52
-
* <p>To import key material, you must use the public key and import token from the same
53
-
* response. These items are valid for 24 hours. The expiration date and time appear in the
54
-
* <code>GetParametersForImport</code> response. You cannot use an expired token in an <a>ImportKeyMaterial</a> request. If your key and token expire, send another
* material</a> in the <i>Key Management Service Developer Guide</i>.</p>
51
+
* <p>Before calling <code>GetParametersForImport</code>, use the <a>CreateKey</a>
52
+
* operation with an <code>Origin</code> value of <code>EXTERNAL</code> to create a KMS key with
53
+
* no key material. You can import key material for a symmetric encryption KMS key, HMAC KMS key,
54
+
* asymmetric encryption KMS key, or asymmetric signing KMS key. You can also import key material
55
+
* into a <a href="kms/latest/developerguide/multi-region-keys-overview.html">multi-Region key</a> of
56
+
* any supported type. However, you can't import key material into a KMS key in a <a href="kms/latest/developerguide/custom-key-store-overview.html">custom key store</a>. You can also use
57
+
* <code>GetParametersForImport</code> to get a public key and import token to <a href="kms/latest/developerguide/importing-keys.html#reimport-key-material">reimport the original key material</a> into a KMS key whose key material expired or was
58
+
* deleted.</p>
59
+
* <p>
60
+
* <code>GetParametersForImport</code> returns the items that you need to import your key
61
+
* material.</p>
62
+
* <ul>
63
+
* <li>
64
+
* <p>The public key (or "wrapping key") of an RSA key pair that KMS generates.</p>
65
+
* <p>You will use this public key to encrypt ("wrap") your key material while it's in
66
+
* transit to KMS. </p>
67
+
* </li>
68
+
* <li>
69
+
* <p>A import token that ensures that KMS can decrypt your key material and associate it with the correct KMS key.</p>
70
+
* </li>
71
+
* </ul>
72
+
* <p>The public key and its import token are permanently linked and must be used together. Each
73
+
* public key and import token set is valid for 24 hours. The expiration date and time appear in
74
+
* the <code>ParametersValidTo</code> field in the <code>GetParametersForImport</code> response.
75
+
* You cannot use an expired public key or import token in an <a>ImportKeyMaterial</a>
76
+
* request. If your key and token expire, send another <code>GetParametersForImport</code>
77
+
* request.</p>
78
+
* <p>
79
+
* <code>GetParametersForImport</code> requires the following information:</p>
80
+
* <ul>
81
+
* <li>
82
+
* <p>The key ID of the KMS key for which you are importing the key material.</p>
83
+
* </li>
84
+
* <li>
85
+
* <p>The key spec of the public key ("wrapping key") that you will use to encrypt your key
86
+
* material during import.</p>
87
+
* </li>
88
+
* <li>
89
+
* <p>The wrapping algorithm that you will use with the public key to encrypt your key
90
+
* material.</p>
91
+
* </li>
92
+
* </ul>
93
+
* <p>You can use the same or a different public key spec and wrapping algorithm each time you
94
+
* import or reimport the same key material. </p>
56
95
* <p>The KMS key that you use for this operation must be in a compatible key state. For
57
96
* details, see <a href="https://docs.aws.amazon.com/kms/latest/developerguide/key-state.html">Key states of KMS keys</a> in the <i>Key Management Service Developer Guide</i>.</p>
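Review bot: The three new links for multi-Region key, custom key store and reimporting key material use relative hrefs (`href="kms/latest/developerguide/..."`), while every other link in this comment, including the unchanged key-state link below, is absolute under `https://docs.aws.amazon.com/`; as written they will not resolve from generated docs or IDE tooltips, so prefix them with the same host. Two smaller points: "A import token" should be "An import token", and the removed text stated that the operation cannot be performed on a KMS key in a different Amazon Web Services account, which the added lines shown here do not restate. If that restriction still holds, keep a sentence for it, because callers rely on this comment to know the scope of the wrapping key and import token.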