@aws-cdk/aws-kms

What is @aws-cdk/aws-kms?

@aws-cdk/aws-kms is an AWS CDK library that allows you to define and manage AWS Key Management Service (KMS) resources in your AWS infrastructure as code. It provides constructs for creating and managing KMS keys, aliases, and grants, enabling secure encryption and decryption of data.

What are @aws-cdk/aws-kms's main functionalities?

Create a KMS Key

This code sample demonstrates how to create a new KMS key with key rotation enabled and an alias using the AWS CDK.

const cdk = require('@aws-cdk/core');
const kms = require('@aws-cdk/aws-kms');

const app = new cdk.App();
const stack = new cdk.Stack(app, 'MyStack');

const key = new kms.Key(stack, 'MyKey', {
  enableKeyRotation: true,
  alias: 'alias/my-key'
});

app.synth();

Create a KMS Alias

This code sample demonstrates how to create a new KMS alias that points to an existing KMS key using the AWS CDK.

const cdk = require('@aws-cdk/core');
const kms = require('@aws-cdk/aws-kms');

const app = new cdk.App();
const stack = new cdk.Stack(app, 'MyStack');

const key = new kms.Key(stack, 'MyKey');

const alias = new kms.Alias(stack, 'MyAlias', {
  aliasName: 'alias/my-alias',
  targetKey: key
});

app.synth();

Grant Permissions to a KMS Key

This code sample demonstrates how to grant encrypt and decrypt permissions to an IAM user for a KMS key using the AWS CDK.

const cdk = require('@aws-cdk/core');
const kms = require('@aws-cdk/aws-kms');
const iam = require('@aws-cdk/aws-iam');

const app = new cdk.App();
const stack = new cdk.Stack(app, 'MyStack');

const key = new kms.Key(stack, 'MyKey');

const user = new iam.User(stack, 'MyUser');

key.grantEncryptDecrypt(user);

app.synth();

Other packages similar to @aws-cdk/aws-kms

aws-sdk

The aws-sdk package is the official AWS SDK for JavaScript, which provides a comprehensive set of tools for interacting with AWS services, including KMS. Unlike @aws-cdk/aws-kms, which is used for defining infrastructure as code, aws-sdk is used for making API calls to AWS services directly from your application code.

serverless

The serverless package is a framework for building and deploying serverless applications on AWS and other cloud providers. It includes support for managing AWS KMS keys as part of your serverless infrastructure. While it provides similar functionality for managing KMS keys, it is more focused on serverless architectures compared to the broader infrastructure management capabilities of @aws-cdk/aws-kms.

terraform

Terraform is an open-source infrastructure as code tool that allows you to define and manage cloud resources, including AWS KMS keys, using a declarative configuration language. It provides similar functionality to @aws-cdk/aws-kms but uses a different syntax and approach to infrastructure management.

README

AWS KMS Construct Library

Defines a KMS key:

new EncryptionKey(this, 'MyKey', {
    enableKeyRotation: true
});

Add a couple of aliases:

const key = new EncryptionKey(this, 'MyKey');
key.addAlias('alias/foo');
key.addAlias('alias/bar');

Importing and exporting keys

To use a KMS key that is not defined within this stack, use the EncryptionKey.import(parent, name, ref) factory method:

const key = EncryptionKey.import(this, 'MyImportedKey', {
    keyArn: new KeyArn('arn:aws:...')
});

// you can do stuff with this imported key.
key.addAlias('alias/foo');

To export a key from a stack and import it in another stack, use key.export which returns an EncryptionKeyRef, which can later be used to import:

// in stackA
const myKey = new EncryptionKey(stackA, 'MyKey');
const myKeyRef = myKey.export();

// meanwhile in stackB
const myKeyImported = EncryptionKey.import(stackB, 'MyKeyImported', myKeyRef);

Note that a call to .addToPolicy(statement) on myKeyImported will not have an affect on the key's policy because it is not owned by your stack. The call will be a no-op.

Changelog

0.9.0 -- 2018-09-10

The headliners of this release are .NET support, and a wealth of commits by external contributors who are stepping up to fix the CDK for their use cases! Thanks all for the effort put into this release!

Features

• Add strongly-named .NET targets, and a cdk init template for C# projects ([@mpiroc] in #617, #643).
• @aws-cdk/aws-autoscaling: Allow attaching additional security groups to Launch Configuration ([@moofish32] in #636).
• @aws-cdk/aws-autoscaling: Support update and creation policies on AutoScalingGroups ([@rix0rrr] in #595).
• @aws-cdk/aws-codebuild: Add support for running script from an asset ([@rix0rrr] in #677).
• @aws-cdk/aws-codebuild: New method addBuildToPipeline on Project ([@skinny85] in 783dcb3).
• @aws-cdk/aws-codecommit: New method addToPipeline on Repository ([@skinny85] in #616).
• @aws-cdk/aws-codedeploy: Add initial support for CodeDeploy ([@skinny85] in #593, #641).
• @aws-cdk/aws-dynamodb: Add support for DynamoDB autoscaling ([@SeekerWing] in #637).
• @aws-cdk/aws-dynamodb: Add support for DynamoDB streams ([@rhboyd] in #633).
• @aws-cdk/aws-dynamodb: Add support for server-side encryption ([@jungseoklee] in #684).
• @aws-cdk/aws-ec2 (BREAKING): SecurityGroup can now be used as a Connectable #582).
• @aws-cdk/aws-ec2: Add VPC tagging ([@moofish] in #538).
• @aws-cdk/aws-ec2: Add support for InstanceSize.Nano ([@rix0rrr] in #581)
• @aws-cdk/aws-lambda: Add support for dead letter queues ([@SeekerWing] in #663).
• @aws-cdk/aws-lambda: Add support for placing a Lambda in a VPC ([@rix0rrr] in #598).
• @aws-cdk/aws-logs: Add extractMetric() helper function ([@rix0rrr] in #676).
• @aws-cdk/aws-rds: Add support for Aurora PostreSQL/MySQL engines ([@cookejames] in #586)
• @aws-cdk/aws-s3: Additional grant methods for Buckets ([@eladb] in #591)
• @aws-cdk/aws-s3: New method addToPipeline on Bucket ([@skinny85] in c8b7a49).
• aws-cdk: Add support for HTTP proxies ([@rix0rrr] in #666).
• aws-cdk: Toolkit now shows failure reason if stack update fails ([@rix0rrr] in #609).
• cdk-build-tools: Add support for running experiment JSII versions ([@RomainMuller] in #649).

Changes

• BREAKING: Generate classes and types for the CloudFormation resource .ref attributes ([@rix0rrr] in #627).
• BREAKING: Make types accepted in Policy-related classes narrower (from any to Arn, for example) to reduce typing mistakes ([@rix0rrr] in #629).
• @aws-cdk/aws-codepipeline (BREAKING): Align the CodePipeline APIs ([@skinny85] in #492, #568)
• @aws-cdk/aws-ec2 (BREAKING): Move Fleet/AutoScalingGroup to its own package ([@rix0rrr] in #608).
• aws-cdk: Simplify plugin protocol ([@RomainMuller] in #646).

Bug Fixes

• @aws-cdk/aws-cloudfront: Fix CloudFront behavior for ViewerProtocolPolicy ([@mindstorms6] in #615).
• @aws-cdk/aws-ec2: VPC Placement now supports picking Isolated subnets ([@rix0rrr] in #610).
• @aws-cdk/aws-logs: Add export()/import() capabilities ([@rix0rrr] in #630).
• @aws-cdk/aws-rds: Fix a bug where a cluster with 1 instance could not be created ([@cookejames] in #578)
• @aws-cdk/aws-s3: Bucket notifications can now add dependencies, fixing creation order ([@eladb] in #584).
• @aws-cdk/aws-s3: Remove useless bucket name validation ([@rix0rrr] in #628).
• @aws-cdk/aws-sqs: Make QueueRef.encryptionMasterKey readonly ([@RomainMuller] in #650).
• assets: S3 read permissions are granted on a prefix to fix lost permissions during asset update ([@rix0rrr] in #510).
• aws-cdk: Remove bootstrapping error if multiple stacks are in the same environment ([@RomainMuller] in #625).
• aws-cdk: Report and continue if git throws errors during cdk init ([@rix0rrr] in #587).

CloudFormation Changes

• @aws-cdk/cfnspec: Updated [CloudFormation resource specification] to v2.6.0 ([@RomainMuller] in #594)

  • New AWS Construct Library

    • @aws-cdk/aws-sagemaker supports AWS::SageMaker resources

  • New Resource Types

    • AWS::AmazonMQ::Broker
    • AWS::AmazonMQ::Configuration
    • AWS::CodePipeline::Webhook
    • AWS::Config::AggregationAuthorization
    • AWS::Config::ConfigurationAggregator
    • AWS::EC2::VPCEndpointConnectionNotification
    • AWS::EC2::VPCEndpointServicePermissions
    • AWS::IAM::ServiceLinkedRole
    • AWS::SSM::ResourceDataSync
    • AWS::SageMaker::Endpoint
    • AWS::SageMaker::EndpointConfig
    • AWS::SageMaker::Model
    • AWS::SageMaker::NotebookInstance
    • AWS::SageMaker::NotebookInstanceLifecycleConfig

  • Attribute Changes

    • AWS::CodePipeline::Pipeline Version (added)

  • Property Changes

    • AWS::AppSync::DataSource HttpConfig (added)

    • AWS::DAX::Cluster SSESpecification (added)

    • AWS::DynamoDB::Table Stream (added)

    • AWS::DynamoDB::Table AutoScalingSupport (added)

    • AWS::EC2::VPCEndpoint IsPrivateDnsEnabled (added)

    • AWS::EC2::VPCEndpoint SecurityGroupIds (added)

    • AWS::EC2::VPCEndpoint SubnetIds (added)

    • AWS::EC2::VPCEndpoint VPCEndpointType (added)

    • AWS::EC2::VPCEndpoint RouteTableIds.DuplicatesAllowed (deleted)

    • AWS::EC2::VPCPeeringConnection PeerRegion (added)

    • AWS::EFS::FileSystem ProvisionedThroughputInMibps (added)

    • AWS::EFS::FileSystem ThroughputMode (added)

    • AWS::EMR::Cluster KerberosAttributes (added)

    • AWS::Glue::Classifier JsonClassifier (added)

    • AWS::Glue::Classifier XMLClassifier (added)

    • AWS::Glue::Crawler Configuration (added)

    • AWS::Lambda::Lambda DLQConfigurationSupport (added)

    • AWS::Neptune::DBInstance DBSubnetGroupName.UpdateType (changed)

      • Old: Mutable
      • New: Immutable

    • AWS::SNS::Subscription DeliveryPolicy (added)

    • AWS::SNS::Subscription FilterPolicy (added)

    • AWS::SNS::Subscription RawMessageDelivery (added)

    • AWS::SNS::Subscription Region (added)

    • AWS::SQS::Queue Tags (added)

    • AWS::ServiceDiscovery::Service HealthCheckCustomConfig (added)

  • Property Type Changes

    • AWS::AppSync::DataSource.HttpConfig (added)

    • AWS::DAX::Cluster.SSESpecification (added)

    • AWS::EMR::Cluster.KerberosAttributes (added)

    • AWS::Glue::Classifier.JsonClassifier (added)

    • AWS::Glue::Classifier.XMLClassifier (added)

    • AWS::ServiceDiscovery::Service.HealthCheckCustomConfig (added)

    • AWS::CloudFront::Distribution.CacheBehavior FieldLevelEncryptionId (added)

    • AWS::CloudFront::Distribution.DefaultCacheBehavior FieldLevelEncryptionId (added)

    • AWS::CodeBuild::Project.Artifacts EncryptionDisabled (added)

    • AWS::CodeBuild::Project.Artifacts OverrideArtifactName (added)

    • AWS::CodeBuild::Project.Environment Certificate (added)

    • AWS::CodeBuild::Project.Source ReportBuildStatus (added)

    • AWS::ServiceDiscovery::Service.DnsConfig RoutingPolicy (added)

    • AWS::WAF::WebACL.ActivatedRule Action.Required (changed)

      • Old: true
      • New: false

• @aws-cdk/cfnspec: Updated Serverless Application Model (SAM) Resource Specification ([@RomainMuller] in #594)

  • Property Changes

    • AWS::Serverless::Api MethodSettings (added)

  • Property Type Changes

    • AWS::Serverless::Function.SQSEvent (added)

    • AWS::Serverless::Function.EventSource Properties.Types (changed)

      • Added SQSEvent