AWS KMS Replica Key

This page shows how to write Terraform and CloudFormation for AWS KMS Replica Key and write them securely.

aws_kms_replica_key (Terraform)

The Replica Key in AWS KMS can be configured in Terraform with the resource name aws_kms_replica_key (the name used by the AWS provider). The following sections describe how to use the resource and its parameters.

Example Usage from GitHub

An example could not be found in GitHub.

Review your Terraform file for AWS best practices

Shisho Cloud, our free checker to make sure your Terraform configuration follows best practices, is available (beta).

Parameters

The following arguments are supported:

  • bypass_policy_lockout_safety_check - (Optional) A flag to indicate whether to bypass the key policy lockout safety check. Setting this value to true increases the risk that the KMS key becomes unmanageable. Do not set this value to true indiscriminately. For more information, refer to the scenario in the Default Key Policy section in the AWS Key Management Service Developer Guide. The default value is false.
  • deletion_window_in_days - (Optional) The waiting period, specified in number of days. After the waiting period ends, AWS KMS deletes the KMS key. If you specify a value, it must be between 7 and 30, inclusive. If you do not specify a value, it defaults to 30.
  • description - (Optional) A description of the KMS key.
  • enabled - (Optional) Specifies whether the replica key is enabled. Disabled KMS keys cannot be used in cryptographic operations. The default value is true.
  • policy - (Optional) The key policy to attach to the KMS key. If you do not specify a key policy, AWS KMS attaches the default key policy to the KMS key. For more information about building policy documents with Terraform, see the AWS IAM Policy Document Guide.
  • primary_key_arn - (Required) The ARN of the multi-Region primary key to replicate. The primary key must be in a different AWS Region of the same AWS Partition. You can create only one replica of a given primary key in each AWS Region.
  • tags - (Optional) A map of tags to assign to the replica key. If configured with a provider default_tags configuration block present, tags with matching keys will overwrite those defined at the provider-level.

In addition to all arguments above, the following attributes are exported:

  • arn - The Amazon Resource Name (ARN) of the replica key. The key ARNs of related multi-Region keys differ only in the Region value.
  • key_id - The key ID of the replica key. Related multi-Region keys have the same key ID.
  • key_rotation_enabled - A Boolean value that specifies whether key rotation is enabled. This is a shared property of multi-Region keys.
  • key_spec - The type of key material in the KMS key. This is a shared property of multi-Region keys.
  • key_usage - The cryptographic operations for which you can use the KMS key. This is a shared property of multi-Region keys.
  • tags_all - A map of tags assigned to the resource, including those inherited from the provider default_tags configuration block.
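As an added example (not code from the page or from any GitHub project), the following Terraform ties the parameters above together: a multi-Region primary key in us-east-1 and its replica in eu-west-1, both carrying the same key policy. The Region names, the app-role principal and the resource labels are assumptions.

```hcl
# Primary Region holds the multi-Region primary key.
provider "aws" {
  region = "us-east-1"
}

# The replica must live in a different Region of the same partition.
provider "aws" {
  alias  = "replica"
  region = "eu-west-1"
}

data "aws_caller_identity" "current" {}

# Key policy applied to both keys: the account root keeps full administration
# (so the key cannot become unmanageable) and one hypothetical application
# role may use the key for cryptographic operations only.
data "aws_iam_policy_document" "kms" {
  statement {
    actions   = ["kms:*"]
    resources = ["*"]
    principals {
      type        = "AWS"
      identifiers = ["arn:aws:iam::${data.aws_caller_identity.current.account_id}:root"]
    }
  }
  statement {
    actions   = ["kms:Encrypt", "kms:Decrypt", "kms:GenerateDataKey*", "kms:DescribeKey"]
    resources = ["*"]
    principals {
      type        = "AWS"
      identifiers = ["arn:aws:iam::${data.aws_caller_identity.current.account_id}:role/app-role"]
    }
  }
}

# Multi-Region primary key; rotation is a shared property inherited by replicas.
resource "aws_kms_key" "primary" {
  multi_region            = true
  enable_key_rotation     = true
  deletion_window_in_days = 30
  policy                  = data.aws_iam_policy_document.kms.json
}

# Replica in eu-west-1; the lockout safety check stays enabled (the default).
resource "aws_kms_replica_key" "replica" {
  provider                           = aws.replica
  description                        = "eu-west-1 replica of the primary key"
  primary_key_arn                    = aws_kms_key.primary.arn
  deletion_window_in_days            = 30
  bypass_policy_lockout_safety_check = false
  policy                             = data.aws_iam_policy_document.kms.json
}
```

Because key rotation, key spec and key usage are shared properties, they are set once on aws_kms_key and show up on the replica as the exported key_rotation_enabled, key_spec and key_usage attributes.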

Explanation in Terraform Registry

Manages a KMS multi-Region replica key.

AWS::KMS::ReplicaKey (CloudFormation)

The ReplicaKey in KMS can be configured in CloudFormation with the resource name AWS::KMS::ReplicaKey. The following sections describe one example of how to use the resource and its parameters.

Example Usage from GitHub

template.json#L1031
    "AWS::KMS::ReplicaKey": {
      "Type": "AWS::KMS::ReplicaKey",
      "Properties": {}
    },
    "AWS::Location::TrackerConsumer": {
      "Type": "AWS::Location::TrackerConsumer",

Parameters

Explanation in CloudFormation Registry

The AWS::KMS::ReplicaKey resource specifies a multi-Region replica key that is based on a multi-Region primary key.

Multi-Region keys are an AWS KMS feature that lets you create multiple interoperable KMS keys in different AWS Regions. Because these KMS keys have the same key ID, key material, and other metadata, you can use them to encrypt data in one AWS Region and decrypt it in a different AWS Region without making a cross-Region call or exposing the plaintext data. For more information, see Using multi-Region keys in the AWS Key Management Service Developer Guide.

A multi-Region primary key is a fully functional symmetric or asymmetric KMS key that is also the model for replica keys in other AWS Regions. To create a multi-Region primary key, add an AWS::KMS::Key resource to your CloudFormation stack. Set its MultiRegion property to true.

A multi-Region replica key is a fully functional symmetric or asymmetric KMS key that has the same key ID and key material as a multi-Region primary key, but is located in a different AWS Region of the same AWS partition. There can be multiple replicas of a primary key, but each must be in a different AWS Region.

A primary key and its replicas have the same key ID and key material. They also have the same key spec, key usage, key material origin, and automatic key rotation status. These properties are known as shared properties. If they change, AWS KMS synchronizes the change to all related multi-Region keys. All other properties of a replica key can differ, including its key policy, tags, aliases, and key state. AWS KMS does not synchronize these properties.
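The GitHub excerpt above has an empty Properties block, so here is an added example (not from the page or the mhlabs project) of a complete replica-key template. A CloudFormation stack is Region-scoped, so the primary key (an AWS::KMS::Key with MultiRegion: true) is deployed in another Region and its ARN is passed in as a parameter; the parameter names and the app-role principal are assumptions.

```yaml
# Deployed in the replica Region (for example eu-west-1). The primary key
# lives in a separate stack in another Region and its ARN is supplied below.
AWSTemplateFormatVersion: "2010-09-09"
Description: Multi-Region replica key with a least-privilege key policy

Parameters:
  PrimaryKeyArn:
    Type: String
    Description: ARN of the multi-Region primary key in another Region
    AllowedPattern: "^arn:aws[a-z-]*:kms:[a-z0-9-]+:[0-9]{12}:key/mrk-.+$"
  AppRoleName:
    Type: String
    Default: app-role    # hypothetical role allowed to use the key

Resources:
  ReplicaKey:
    Type: AWS::KMS::ReplicaKey
    Properties:
      PrimaryKeyArn: !Ref PrimaryKeyArn
      Description: Replica of the multi-Region primary key
      Enabled: true
      PendingWindowInDays: 30
      # Key policy is not a shared property, so each replica sets its own.
      KeyPolicy:
        Version: "2012-10-17"
        Statement:
          - Sid: EnableRootAdministration
            Effect: Allow
            Principal:
              AWS: !Sub arn:${AWS::Partition}:iam::${AWS::AccountId}:root
            Action: kms:*
            Resource: "*"
          - Sid: AllowAppRoleUse
            Effect: Allow
            Principal:
              AWS: !Sub arn:${AWS::Partition}:iam::${AWS::AccountId}:role/${AppRoleName}
            Action:
              - kms:Encrypt
              - kms:Decrypt
              - kms:GenerateDataKey*
              - kms:DescribeKey
            Resource: "*"

Outputs:
  ReplicaKeyArn:
    Value: !GetAtt ReplicaKey.Arn
  ReplicaKeyId:
    Value: !GetAtt ReplicaKey.KeyId
```

Keeping the account root statement in KeyPolicy is what prevents the replica from becoming unmanageable; the ReplicaKeyId output equals the primary key's ID, while the ARNs differ only in their Region value.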

Frequently asked questions

What is AWS KMS Replica Key?

AWS KMS Replica Key is a resource for KMS of Amazon Web Services. Settings can be written in Terraform and CloudFormation.

Where can I find the example code for the AWS KMS Replica Key?

For CloudFormation, the mhlabs/aws-icons-directory source code example is useful. See the CloudFormation Example section for further details.