AWSKMSReplicateKeyRequest

Objective-C

@interface AWSKMSReplicateKeyRequest

Swift

class AWSKMSReplicateKeyRequest
  • A flag to indicate whether to bypass the key policy lockout safety check.

    Setting this value to true increases the risk that the CMK becomes unmanageable. Do not set this value to true indiscriminately.

    For more information, refer to the scenario in the Default Key Policy section in the AWS Key Management Service Developer Guide.

    Use this parameter only when you intend to prevent the principal that is making the request from making a subsequent PutKeyPolicy request on the CMK.

    The default value is false.

    Declaration

    Objective-C

    @property (nonatomic, strong) NSNumber *_Nullable bypassPolicyLockoutSafetyCheck;

    Swift

    var bypassPolicyLockoutSafetyCheck: NSNumber? { get set }
  • A description of the CMK. Use a description that helps you decide whether the CMK is appropriate for a task. The default value is an empty string (no description).

    The description is not a shared property of multi-Region keys. You can specify the same description or a different description for each key in a set of related multi-Region keys. AWS KMS does not synchronize this property.

    Declaration

    Objective-C

    @property (nonatomic, strong) NSString *_Nullable detail;

    Swift

    var detail: String? { get set }
  • Identifies the multi-Region primary key that is being replicated. To determine whether a CMK is a multi-Region primary key, use the DescribeKey operation to check the value of the MultiRegionKeyType property.

    Specify the key ID or key ARN of a multi-Region primary key.

    For example:

    • Key ID: mrk-1234abcd12ab34cd56ef1234567890ab

    • Key ARN: arn:aws:kms:us-east-2:111122223333:key/mrk-1234abcd12ab34cd56ef1234567890ab

    To get the key ID and key ARN for a CMK, use ListKeys or DescribeKey.

    Declaration

    Objective-C

    @property (nonatomic, strong) NSString *_Nullable keyId;

    Swift

    var keyId: String? { get set }
  • The key policy to attach to the CMK. This parameter is optional. If you do not provide a key policy, AWS KMS attaches the default key policy to the CMK.

    The key policy is not a shared property of multi-Region keys. You can specify the same key policy or a different key policy for each key in a set of related multi-Region keys. AWS KMS does not synchronize this property.

    If you provide a key policy, it must meet the following criteria:

    • If you don’t set BypassPolicyLockoutSafetyCheck to true, the key policy must give the caller kms:PutKeyPolicy permission on the replica CMK. This reduces the risk that the CMK becomes unmanageable. For more information, refer to the scenario in the Default Key Policy section of the AWS Key Management Service Developer Guide.

    • Each statement in the key policy must contain one or more principals. The principals in the key policy must exist and be visible to AWS KMS. When you create a new AWS principal (for example, an IAM user or role), you might need to enforce a delay before including the new principal in a key policy because the new principal might not be immediately visible to AWS KMS. For more information, see Changes that I make are not always immediately visible in the AWS Identity and Access Management User Guide.

    • The key policy size quota is 32 kilobytes (32768 bytes).

    Declaration

    Objective-C

    @property (nonatomic, strong) NSString *_Nullable policy;

    Swift

    var policy: String? { get set }
  • The Region ID of the AWS Region for this replica key.

    Enter the Region ID, such as us-east-1 or ap-southeast-2. For a list of AWS Regions in which AWS KMS is supported, see AWS KMS service endpoints in the Amazon Web Services General Reference.

    The replica must be in a different AWS Region than its primary key and other replicas of that primary key, but in the same AWS partition. AWS KMS must be available in the replica Region. If the Region is not enabled by default, the AWS account must be enabled in the Region.

    For information about AWS partitions, see Amazon Resource Names (ARNs) in the Amazon Web Services General Reference. For information about enabling and disabling Regions, see Enabling a Region and Disabling a Region in the Amazon Web Services General Reference.

    Declaration

    Objective-C

    @property (nonatomic, strong) NSString *_Nullable replicaRegion;

    Swift

    var replicaRegion: String? { get set }
  • Assigns one or more tags to the replica key. Use this parameter to tag the CMK when it is created. To tag an existing CMK, use the TagResource operation.

    Tagging or untagging a CMK can allow or deny permission to the CMK. For details, see Using ABAC in AWS KMS in the AWS Key Management Service Developer Guide.

    To use this parameter, you must have kms:TagResource permission in an IAM policy.

    Tags are not a shared property of multi-Region keys. You can specify the same tags or different tags for each key in a set of related multi-Region keys. AWS KMS does not synchronize this property.

    Each tag consists of a tag key and a tag value. Both the tag key and the tag value are required, but the tag value can be an empty (null) string. You cannot have more than one tag on a CMK with the same tag key. If you specify an existing tag key with a different tag value, AWS KMS replaces the current tag value with the specified one.

    When you assign tags to an AWS resource, AWS generates a cost allocation report with usage and costs aggregated by tags. Tags can also be used to control access to a CMK. For details, see Tagging Keys.

    Declaration

    Objective-C

    @property (nonatomic, strong) NSArray<AWSKMSTag *> *_Nullable tags;

    Swift

    var tags: [AWSKMSTag]? { get set }