Copyright | (c) 2013-2015 Brendan Hay |
---|---|
License | Mozilla Public License, v. 2.0. |
Maintainer | Brendan Hay <brendan.g.hay@gmail.com> |
Stability | auto-generated |
Portability | non-portable (GHC extensions) |
Safe Haskell | None |
Language | Haskell2010 |
- Service
- Errors
- InvalidMarkerException
- InvalidKeyUsageException
- UnsupportedOperationException
- MalformedPolicyDocumentException
- DisabledException
- KeyUnavailableException
- KMSInternalException
- NotFoundException
- InvalidAliasNameException
- InvalidARNException
- DependencyTimeoutException
- InvalidGrantTokenException
- InvalidCiphertextException
- LimitExceededException
- AlreadyExistsException
- Waiters
- Operations
- DisableKeyRotation
- GenerateDataKeyWithoutPlaintext
- ListGrants
- Encrypt
- EnableKeyRotation
- CreateGrant
- CreateAlias
- ListAliases
- GenerateRandom
- DisableKey
- CreateKey
- RetireGrant
- ListKeys
- GetKeyRotationStatus
- GenerateDataKey
- DeleteAlias
- UpdateAlias
- DescribeKey
- Decrypt
- UpdateKeyDescription
- ReEncrypt
- ListKeyPolicies
- EnableKey
- PutKeyPolicy
- RevokeGrant
- GetKeyPolicy
- Types
AWS Key Management Service
AWS Key Management Service (KMS) is an encryption and key management web service. This guide describes the KMS actions that you can call programmatically. For general information about KMS, see the AWS Key Management Service Developer Guide.
AWS provides SDKs that consist of libraries and sample code for various programming languages and platforms (Java, Ruby, .Net, iOS, Android, etc.). The SDKs provide a convenient way to create programmatic access to KMS and AWS. For example, the SDKs take care of tasks such as signing requests (see below), managing errors, and retrying requests automatically. For more information about the AWS SDKs, including how to download and install them, see Tools for Amazon Web Services.
We recommend that you use the AWS SDKs to make programmatic API calls to KMS.
Clients must support TLS (Transport Layer Security) 1.0. We recommend TLS 1.2. Clients must also support cipher suites with Perfect Forward Secrecy (PFS) such as Ephemeral Diffie-Hellman (DHE) or Elliptic Curve Ephemeral Diffie-Hellman (ECDHE). Most modern systems such as Java 7 and later support these modes.
Signing Requests
Requests must be signed by using an access key ID and a secret access key. We strongly recommend that you do not use your AWS account access key ID and secret key for everyday work with KMS. Instead, use the access key ID and secret access key for an IAM user, or you can use the AWS Security Token Service to generate temporary security credentials that you can use to sign requests.
All KMS operations require Signature Version 4.
Recording API Requests
KMS supports AWS CloudTrail, a service that records AWS API calls and related events for your AWS account and delivers them to an Amazon S3 bucket that you specify. By using the information collected by CloudTrail, you can determine what requests were made to KMS, who made the request, when it was made, and so on. To learn more about CloudTrail, including how to turn it on and find your log files, see the AWS CloudTrail User Guide.
Additional Resources
For more information about credentials and request signing, see the following:
- AWS Security Credentials. This topic provides general information about the types of credentials used for accessing AWS.
- AWS Security Token Service. This guide describes how to create and use temporary security credentials.
- Signing AWS API Requests. This set of topics walks you through the process of signing a request using an access key ID and a secret access key.
Commonly Used APIs
Of the APIs discussed in this guide, the following will prove the most useful for most applications. You will likely perform actions other than these, such as creating keys and assigning policies, by using the console.
- Encrypt
- Decrypt
- GenerateDataKey
- GenerateDataKeyWithoutPlaintext
See: AWS API Reference
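The four operations above are the building blocks of envelope encryption: GenerateDataKey returns a fresh data key both in plaintext and wrapped under the master key; the plaintext half encrypts the data locally and is then discarded, and only the wrapped half is stored. Decrypt later unwraps it, re-checking the key policy, grants and encryption context at that time. The following is an added example, not code from amazonka-kms or the AWS documentation. It assumes amazonka and amazonka-kms 1.x (where newEnv takes a Region and Credentials), the cryptonite package for local AES-256-GCM, and a hypothetical alias alias/example-data-key; the sample plaintext is constructed.

```haskell
{-# LANGUAGE OverloadedStrings #-}
-- Added example; not part of amazonka-kms or the AWS KMS documentation.
-- Assumptions: amazonka/amazonka-kms 1.x (newEnv :: Region -> Credentials
-- -> m Env; lens names as on this page), cryptonite for local AES-256-GCM,
-- and a hypothetical alias "alias/example-data-key" in the target account.
module Main (main) where

import           Control.Lens
import           Control.Monad.Catch          (throwM)
import           Control.Monad.IO.Class       (liftIO)
import           Control.Monad.Trans.Resource (runResourceT)
import           Crypto.Cipher.AES            (AES256)
import           Crypto.Cipher.Types          (AEAD, AEADMode (AEAD_GCM),
                                               AuthTag (..), aeadInit,
                                               aeadSimpleDecrypt,
                                               aeadSimpleEncrypt, cipherInit)
import           Crypto.Error                 (CryptoFailable (..))
import           Crypto.Random                (getRandomBytes)
import qualified Data.ByteArray               as BA
import qualified Data.ByteString              as BS
import qualified Data.HashMap.Strict          as HM
import           Data.Text                    (Text)
import           Network.AWS
import           Network.AWS.KMS

-- Hypothetical master key alias; GenerateDataKey and Decrypt are
-- authorised against the key this alias points to.
masterKey :: Text
masterKey = "alias/example-data-key"

-- Encryption context: authenticated but not secret, logged by CloudTrail,
-- and required verbatim on Decrypt. Binding it here stops a wrapped key
-- from being unwrapped under a different purpose.
ctx :: HM.HashMap Text Text
ctx = HM.fromList [("app", "billing"), ("purpose", "invoice-archive")]

-- Everything that must be stored to recover the data later. The plaintext
-- data key is deliberately absent.
data Envelope = Envelope
  { envWrappedKey :: BS.ByteString  -- CiphertextBlob from GenerateDataKey
  , envNonce      :: BS.ByteString  -- 12-byte GCM nonce, fresh per data key
  , envTag        :: BS.ByteString  -- 16-byte GCM authentication tag
  , envBody       :: BS.ByteString  -- AES-256-GCM ciphertext of the data
  }

-- Build an AES-256-GCM context from a raw 32-byte key and a nonce.
gcm :: BS.ByteString -> BS.ByteString -> Either String (AEAD AES256)
gcm key nonce = case cipherInit key of
  CryptoFailed e -> Left (show e)
  CryptoPassed c -> case aeadInit AEAD_GCM c nonce of
    CryptoFailed e -> Left (show e)
    CryptoPassed a -> Right a

-- Ask KMS for a fresh 256-bit data key bound to ctx, encrypt locally with
-- the plaintext half, and keep only the wrapped half. The wrapped key is
-- used as GCM associated data so body and key cannot be mixed between
-- envelopes.
seal :: BS.ByteString -> AWS Envelope
seal plaintext = do
  rs <- send (generateDataKey masterKey & gdkNumberOfBytes ?~ 32
                                        & gdkEncryptionContext .~ ctx)
  (dataKey, wrapped) <- case (rs ^. gdkrsPlaintext, rs ^. gdkrsCiphertextBlob) of
    (Just k, Just w) -> return (k, w)
    _                -> throwM (userError "GenerateDataKey returned no key")
  nonce <- liftIO (getRandomBytes 12)
  aead  <- either (throwM . userError) return (gcm dataKey nonce)
  let (AuthTag tag, body) = aeadSimpleEncrypt aead wrapped plaintext 16
  -- dataKey goes out of scope here; never log or persist it.
  return Envelope { envWrappedKey = wrapped, envNonce = nonce
                  , envTag = BA.convert tag, envBody = body }

-- Unwrap the data key through KMS and verify-then-decrypt the body.
open :: Envelope -> AWS (Either String BS.ByteString)
open e = do
  rs <- send (decrypt (envWrappedKey e) & dEncryptionContext .~ ctx)
  dataKey <- maybe (throwM (userError "Decrypt returned no plaintext")) return
               (rs ^. drsPlaintext)
  aead <- either (throwM . userError) return (gcm dataKey (envNonce e))
  return $ maybe (Left "GCM tag mismatch: body or wrapped key tampered") Right
         $ aeadSimpleDecrypt aead (envWrappedKey e) (envBody e)
                             (AuthTag (BA.convert (envTag e)))

main :: IO ()
main = do
  env <- newEnv Frankfurt Discover
  let sample = "invoice 1234: total 99.00 EUR"   -- constructed sample input
  runResourceT . runAWS env $ do
    sealed <- seal sample
    back   <- open sealed
    liftIO (print (back == Right sample))
```

Two design points worth keeping when adapting this: the nonce is generated fresh for every data key (and every data key is used once), so nonce reuse under one AES-GCM key cannot occur; and the plaintext data key returned by GenerateDataKey is never written anywhere, which is the whole reason GenerateDataKeyWithoutPlaintext exists for components that only need to create envelopes for someone else to open.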
- data KMS
- _InvalidMarkerException :: AsError a => Getting (First ServiceError) a ServiceError
- _InvalidKeyUsageException :: AsError a => Getting (First ServiceError) a ServiceError
- _UnsupportedOperationException :: AsError a => Getting (First ServiceError) a ServiceError
- _MalformedPolicyDocumentException :: AsError a => Getting (First ServiceError) a ServiceError
- _DisabledException :: AsError a => Getting (First ServiceError) a ServiceError
- _KeyUnavailableException :: AsError a => Getting (First ServiceError) a ServiceError
- _KMSInternalException :: AsError a => Getting (First ServiceError) a ServiceError
- _NotFoundException :: AsError a => Getting (First ServiceError) a ServiceError
- _InvalidAliasNameException :: AsError a => Getting (First ServiceError) a ServiceError
- _InvalidARNException :: AsError a => Getting (First ServiceError) a ServiceError
- _DependencyTimeoutException :: AsError a => Getting (First ServiceError) a ServiceError
- _InvalidGrantTokenException :: AsError a => Getting (First ServiceError) a ServiceError
- _InvalidCiphertextException :: AsError a => Getting (First ServiceError) a ServiceError
- _LimitExceededException :: AsError a => Getting (First ServiceError) a ServiceError
- _AlreadyExistsException :: AsError a => Getting (First ServiceError) a ServiceError
- module Network.AWS.KMS.DisableKeyRotation
- module Network.AWS.KMS.GenerateDataKeyWithoutPlaintext
- module Network.AWS.KMS.ListGrants
- module Network.AWS.KMS.Encrypt
- module Network.AWS.KMS.EnableKeyRotation
- module Network.AWS.KMS.CreateGrant
- module Network.AWS.KMS.CreateAlias
- module Network.AWS.KMS.ListAliases
- module Network.AWS.KMS.GenerateRandom
- module Network.AWS.KMS.DisableKey
- module Network.AWS.KMS.CreateKey
- module Network.AWS.KMS.RetireGrant
- module Network.AWS.KMS.ListKeys
- module Network.AWS.KMS.GetKeyRotationStatus
- module Network.AWS.KMS.GenerateDataKey
- module Network.AWS.KMS.DeleteAlias
- module Network.AWS.KMS.UpdateAlias
- module Network.AWS.KMS.DescribeKey
- module Network.AWS.KMS.Decrypt
- module Network.AWS.KMS.UpdateKeyDescription
- module Network.AWS.KMS.ReEncrypt
- module Network.AWS.KMS.ListKeyPolicies
- module Network.AWS.KMS.EnableKey
- module Network.AWS.KMS.PutKeyPolicy
- module Network.AWS.KMS.RevokeGrant
- module Network.AWS.KMS.GetKeyPolicy
- data DataKeySpec
- data GrantOperation
- data KeyUsageType = EncryptDecrypt
- data AliasListEntry
- aliasListEntry :: AliasListEntry
- aleTargetKeyId :: Lens' AliasListEntry (Maybe Text)
- aleAliasName :: Lens' AliasListEntry (Maybe Text)
- aleAliasARN :: Lens' AliasListEntry (Maybe Text)
- data GrantConstraints
- grantConstraints :: GrantConstraints
- gcEncryptionContextEquals :: Lens' GrantConstraints (HashMap Text Text)
- gcEncryptionContextSubset :: Lens' GrantConstraints (HashMap Text Text)
- data GrantListEntry
- grantListEntry :: GrantListEntry
- gleRetiringPrincipal :: Lens' GrantListEntry (Maybe Text)
- gleIssuingAccount :: Lens' GrantListEntry (Maybe Text)
- gleGrantId :: Lens' GrantListEntry (Maybe Text)
- gleConstraints :: Lens' GrantListEntry (Maybe GrantConstraints)
- gleGranteePrincipal :: Lens' GrantListEntry (Maybe Text)
- gleOperations :: Lens' GrantListEntry [GrantOperation]
- data KeyListEntry
- keyListEntry :: KeyListEntry
- kleKeyARN :: Lens' KeyListEntry (Maybe Text)
- kleKeyId :: Lens' KeyListEntry (Maybe Text)
- data KeyMetadata
- keyMetadata :: Text -> KeyMetadata
- kmARN :: Lens' KeyMetadata (Maybe Text)
- kmEnabled :: Lens' KeyMetadata (Maybe Bool)
- kmAWSAccountId :: Lens' KeyMetadata (Maybe Text)
- kmKeyUsage :: Lens' KeyMetadata (Maybe KeyUsageType)
- kmCreationDate :: Lens' KeyMetadata (Maybe UTCTime)
- kmDescription :: Lens' KeyMetadata (Maybe Text)
- kmKeyId :: Lens' KeyMetadata Text
Service
Version 2014-11-01 of the Amazon Key Management Service SDK.
Errors
Error matchers are designed for use with the functions provided by Control.Exception.Lens. This allows catching (and rethrowing) service specific errors returned by KMS.
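An added example, not part of amazonka-kms, of using these matchers with Control.Exception.Lens to turn the errors documented below into decisions a caller can act on. It assumes amazonka and amazonka-kms 1.x; the ciphertext blob and encryption context are constructed placeholders, and the Outcome type is this example's own. Note that the matchers have type Getting (First ServiceError) a ServiceError, so they compose with preview (^?) and trying, but not with has, which needs Getting Any.

```haskell
{-# LANGUAGE DeriveFunctor     #-}
{-# LANGUAGE OverloadedStrings #-}
-- Added example; not amazonka-kms or AWS documentation code. Assumes
-- amazonka/amazonka-kms 1.x. The ciphertext blob and encryption context
-- below are constructed placeholders; Outcome is defined here, not by
-- the library.
module Main (main) where

import           Control.Exception.Lens       (trying)
import           Control.Lens
import           Control.Monad.IO.Class       (liftIO)
import           Control.Monad.Trans.Resource (runResourceT)
import qualified Data.ByteString.Char8        as B8
import qualified Data.HashMap.Strict          as HM
import           Data.Text                    (Text)
import           Network.AWS
import           Network.AWS.KMS

-- What a caller should do about the result of a KMS call.
data Outcome a
  = Ok a
  | KeyDisabled             -- an operator disabled the key: alert, do not retry
  | KeyMissing              -- wrong key id/alias, or wrong region/account
  | BadCiphertext           -- corrupted blob, wrong key, or context mismatch
  | Transient ServiceError  -- KMS says the call can be retried
  | Other Error             -- anything else, including transport errors
  deriving (Show, Functor)

-- Run a KMS action and map the service errors documented on this page
-- onto Outcome. trying and _Error come from Control.Exception.Lens and
-- Network.AWS; each _XxxException matcher is the one exported here.
classify :: AWS a -> AWS (Outcome a)
classify act = do
  r <- trying _Error act
  return $ case r of
    Right a -> Ok a
    Left e
      | Just _ <- e ^? _DisabledException          -> KeyDisabled
      | Just _ <- e ^? _NotFoundException          -> KeyMissing
      | Just _ <- e ^? _InvalidCiphertextException -> BadCiphertext
      | Just s <- e ^? _KMSInternalException       -> Transient s
      | Just s <- e ^? _DependencyTimeoutException -> Transient s
      | otherwise                                  -> Other e

-- Decrypt a blob under the context it was encrypted with. A context that
-- differs from the one supplied at encryption time is reported by KMS as
-- InvalidCiphertextException, indistinguishable from a corrupted blob,
-- so BadCiphertext is where both must be investigated.
decryptWith :: HM.HashMap Text Text -> B8.ByteString
            -> AWS (Outcome (Maybe B8.ByteString))
decryptWith ctx blob =
  fmap (view drsPlaintext)
    <$> classify (send (decrypt blob & dEncryptionContext .~ ctx))

main :: IO ()
main = do
  env <- newEnv Frankfurt Discover
  let blob = B8.pack "not-a-real-ciphertext-blob"   -- constructed placeholder
      ctx  = HM.fromList [("app", "billing")]       -- constructed placeholder
  runResourceT . runAWS env $ do
    r <- decryptWith ctx blob
    liftIO $ case r of
      Ok (Just pt) -> B8.putStrLn pt
      Ok Nothing   -> putStrLn "response carried no plaintext"
      Transient s  -> putStrLn ("retry with backoff: " ++ show s)
      other        -> putStrLn ("failed, do not retry: " ++ show other)
```

Only KMSInternalException and DependencyTimeoutException are mapped to Transient; DisabledException, NotFoundException and InvalidCiphertextException will not resolve by retrying, and a retry loop that treats them as transient merely multiplies CloudTrail entries.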
InvalidMarkerException
_InvalidMarkerException :: AsError a => Getting (First ServiceError) a ServiceError Source
The request was rejected because the marker that specifies where pagination should next begin is not valid.
InvalidKeyUsageException
_InvalidKeyUsageException :: AsError a => Getting (First ServiceError) a ServiceError Source
The request was rejected because the specified KeySpec parameter is not valid. The currently supported value is ENCRYPT/DECRYPT.
UnsupportedOperationException
_UnsupportedOperationException :: AsError a => Getting (First ServiceError) a ServiceError Source
The request was rejected because a specified parameter is not supported.
MalformedPolicyDocumentException
_MalformedPolicyDocumentException :: AsError a => Getting (First ServiceError) a ServiceError Source
The request was rejected because the specified policy is not syntactically or semantically correct.
DisabledException
_DisabledException :: AsError a => Getting (First ServiceError) a ServiceError Source
A request was rejected because the specified key was marked as disabled.
KeyUnavailableException
_KeyUnavailableException :: AsError a => Getting (First ServiceError) a ServiceError Source
The request was rejected because the key was disabled, not found, or otherwise not available.
KMSInternalException
_KMSInternalException :: AsError a => Getting (First ServiceError) a ServiceError Source
The request was rejected because an internal exception occurred. This error can be retried.
NotFoundException
_NotFoundException :: AsError a => Getting (First ServiceError) a ServiceError Source
The request was rejected because the specified entity or resource could not be found.
InvalidAliasNameException
_InvalidAliasNameException :: AsError a => Getting (First ServiceError) a ServiceError Source
The request was rejected because the specified alias name is not valid.
InvalidARNException
_InvalidARNException :: AsError a => Getting (First ServiceError) a ServiceError Source
The request was rejected because a specified ARN was not valid.
DependencyTimeoutException
_DependencyTimeoutException :: AsError a => Getting (First ServiceError) a ServiceError Source
The system timed out while trying to fulfill the request.
InvalidGrantTokenException
_InvalidGrantTokenException :: AsError a => Getting (First ServiceError) a ServiceError Source
A grant token provided as part of the request is invalid.
InvalidCiphertextException
_InvalidCiphertextException :: AsError a => Getting (First ServiceError) a ServiceError Source
The request was rejected because the specified ciphertext has been corrupted or is otherwise invalid.
LimitExceededException
_LimitExceededException :: AsError a => Getting (First ServiceError) a ServiceError Source
The request was rejected because a quota was exceeded.
AlreadyExistsException
_AlreadyExistsException :: AsError a => Getting (First ServiceError) a ServiceError Source
The request was rejected because it attempted to create a resource that already exists.
Waiters
Waiters poll by repeatedly sending a request until some remote success condition configured by the Wait specification is fulfilled. The Wait specification determines how many attempts should be made, in addition to delay and retry strategies.
Operations
Some AWS operations return results that are incomplete and require subsequent requests in order to obtain the entire result set. The process of sending subsequent requests to continue where a previous request left off is called pagination. For example, the ListObjects operation of Amazon S3 returns up to 1000 objects at a time, and you must send subsequent requests with the appropriate Marker in order to retrieve the next page of results.
Operations that have an AWSPager instance can transparently perform subsequent requests, correctly setting Markers and other request facets to iterate through the entire result set of a truncated API operation. Operations which support this have an additional note in the documentation.
Many operations have the ability to filter results on the server side. See the individual operation parameters for details.
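ListKeys is one of the KMS operations with an AWSPager instance. The following added example (not code from amazonka-kms or the AWS documentation) uses paginate to walk every page and then audits each key with DescribeKey and GetKeyRotationStatus, reporting enabled keys that have no automatic rotation. It assumes amazonka and amazonka-kms 1.x and the conduit 1.2 operators ($$ and =$=); the KeyAudit type is this example's own, and region and credential discovery are illustrative.

```haskell
{-# LANGUAGE OverloadedStrings #-}
-- Added example; not amazonka-kms or AWS documentation code. Assumes
-- amazonka/amazonka-kms 1.x and conduit 1.2. ListKeys has an AWSPager
-- instance, so paginate follows the Marker/NextMarker chain for us.
module Main (main) where

import           Control.Exception.Lens       (trying)
import           Control.Lens
import           Control.Monad                (forM)
import           Control.Monad.IO.Class       (liftIO)
import           Control.Monad.Trans.Resource (runResourceT)
import           Data.Conduit                 (($$), (=$=))
import qualified Data.Conduit.List            as CL
import           Data.Maybe                   (catMaybes, fromMaybe)
import           Data.Monoid                  ((<>))
import           Data.Text                    (Text)
import qualified Data.Text.IO                 as T
import           Network.AWS
import           Network.AWS.KMS

-- Walk every page of ListKeys and flatten the entries. A hand-written loop
-- that forgot to pass lkrsNextMarker back as the request marker would
-- silently audit only the first page.
allKeys :: AWS [KeyListEntry]
allKeys = paginate listKeys $$ CL.concatMap (view lkrsKeys) =$= CL.consume

-- This example's own record, not a library type.
data KeyAudit = KeyAudit
  { auditKeyId    :: Text
  , auditEnabled  :: Bool   -- KeyMetadata Enabled
  , auditRotating :: Bool   -- GetKeyRotationStatus KeyRotationEnabled
  , auditNote     :: Text   -- description, for the report
  }

-- One DescribeKey plus one GetKeyRotationStatus per key. Keys that cannot
-- rotate reject GetKeyRotationStatus with UnsupportedOperationException;
-- count those as "not rotating" instead of aborting the whole audit.
auditKey :: Text -> AWS KeyAudit
auditKey kid = do
  meta <- view dkrsKeyMetadata <$> send (describeKey kid)
  rot  <- trying _UnsupportedOperationException (send (getKeyRotationStatus kid))
  return KeyAudit
    { auditKeyId    = kid
    , auditEnabled  = fromMaybe False (meta >>= view kmEnabled)
    , auditRotating = either (const False)
                             (fromMaybe False . view gkrsrsKeyRotationEnabled)
                             rot
    , auditNote     = fromMaybe "" (meta >>= view kmDescription)
    }

-- Enabled keys without automatic rotation are the ones worth a ticket;
-- disabled keys are reported separately if at all.
needsRotation :: KeyAudit -> Bool
needsRotation a = auditEnabled a && not (auditRotating a)

main :: IO ()
main = do
  env <- newEnv Frankfurt Discover
  runResourceT . runAWS env $ do
    keys   <- allKeys
    audits <- forM (catMaybes (map (view kleKeyId) keys)) auditKey
    liftIO $ mapM_ (\a -> T.putStrLn (auditKeyId a <> "  " <> auditNote a))
                   (filter needsRotation audits)
```

Each key costs two further API calls, so on an account with many keys the audit is rate-limited by KMS before it is limited by anything local; amazonka's built-in retry covers throttling, but a scheduled job should still run it infrequently.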
DisableKeyRotation
module Network.AWS.KMS.DisableKeyRotation
GenerateDataKeyWithoutPlaintext
module Network.AWS.KMS.GenerateDataKeyWithoutPlaintext
ListGrants
module Network.AWS.KMS.ListGrants
Encrypt
module Network.AWS.KMS.Encrypt
EnableKeyRotation
module Network.AWS.KMS.EnableKeyRotation
CreateGrant
module Network.AWS.KMS.CreateGrant
CreateAlias
module Network.AWS.KMS.CreateAlias
ListAliases
module Network.AWS.KMS.ListAliases
GenerateRandom
module Network.AWS.KMS.GenerateRandom
DisableKey
module Network.AWS.KMS.DisableKey
CreateKey
module Network.AWS.KMS.CreateKey
RetireGrant
module Network.AWS.KMS.RetireGrant
ListKeys
module Network.AWS.KMS.ListKeys
GetKeyRotationStatus
module Network.AWS.KMS.GetKeyRotationStatus
GenerateDataKey
module Network.AWS.KMS.GenerateDataKey
DeleteAlias
module Network.AWS.KMS.DeleteAlias
UpdateAlias
module Network.AWS.KMS.UpdateAlias
DescribeKey
module Network.AWS.KMS.DescribeKey
Decrypt
module Network.AWS.KMS.Decrypt
UpdateKeyDescription
module Network.AWS.KMS.UpdateKeyDescription
ReEncrypt
module Network.AWS.KMS.ReEncrypt
ListKeyPolicies
module Network.AWS.KMS.ListKeyPolicies
EnableKey
module Network.AWS.KMS.EnableKey
PutKeyPolicy
module Network.AWS.KMS.PutKeyPolicy
RevokeGrant
module Network.AWS.KMS.RevokeGrant
GetKeyPolicy
module Network.AWS.KMS.GetKeyPolicy
Types
DataKeySpec
data DataKeySpec Source
GrantOperation
data GrantOperation Source
- CreateGrant
- Decrypt
- Encrypt
- GenerateDataKey
- GenerateDataKeyWithoutPlaintext
- ReEncryptFrom
- ReEncryptTo
- RetireGrant
KeyUsageType
data KeyUsageType Source
- EncryptDecrypt
AliasListEntry
data AliasListEntry Source
Contains information about an alias.
See: aliasListEntry smart constructor.
aliasListEntry :: AliasListEntry Source
Creates a value of AliasListEntry with the minimum fields required to make a request.
Use one of the following lenses to modify other fields as desired:
aleTargetKeyId :: Lens' AliasListEntry (Maybe Text) Source
String that contains the key identifier pointed to by the alias.
aleAliasName :: Lens' AliasListEntry (Maybe Text) Source
String that contains the alias name, including the alias/ prefix.
aleAliasARN :: Lens' AliasListEntry (Maybe Text) Source
String that contains the ARN of the alias itself (arn:aws:kms:region:account:alias/name), not the ARN of the key it points to; use aleTargetKeyId to reach the key.
GrantConstraints
data GrantConstraints Source
Contains constraints on the grant. Both constraints are evaluated against the encryption context of the request that relies on the grant; a grant with no constraints applies to any encryption context, including an empty one.
See: grantConstraints smart constructor.
grantConstraints :: GrantConstraints Source
Creates a value of GrantConstraints with the minimum fields required to make a request.
Use one of the following lenses to modify other fields as desired:
gcEncryptionContextEquals :: Lens' GrantConstraints (HashMap Text Text) Source
The constraint equals the full encryption context: the grant applies only when the encryption context of the request is exactly this set of key/value pairs, with no additional pairs.
gcEncryptionContextSubset :: Lens' GrantConstraints (HashMap Text Text) Source
The constraint contains key/value pairs that serve to further limit the grant: the grant applies only when the encryption context of the request includes every pair listed here; the request may carry additional pairs. Keys and values are matched exactly and are case-sensitive.
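An added example, not code from amazonka-kms or the AWS documentation, of issuing a grant with an EncryptionContextSubset constraint and of the Decrypt call that satisfies it. The local grantApplies function mirrors the two constraint semantics so they can be checked offline before the grant is created. It assumes amazonka and amazonka-kms 1.x; the key id, the grantee role ARN and the ciphertext blob are hypothetical placeholders.

```haskell
{-# LANGUAGE OverloadedStrings #-}
-- Added example; not amazonka-kms or AWS documentation code. Assumes
-- amazonka/amazonka-kms 1.x. The key id, the grantee role ARN and the
-- ciphertext blob are hypothetical placeholders.
module Main (main) where

import           Control.Lens
import           Control.Monad.IO.Class       (liftIO)
import           Control.Monad.Trans.Resource (runResourceT)
import qualified Data.ByteString.Char8        as B8
import qualified Data.HashMap.Strict          as HM
import           Data.Maybe                   (maybeToList)
import           Data.Text                    (Text)
import           Network.AWS
import           Network.AWS.KMS

-- The grant lets one tenant's service decrypt only ciphertext whose
-- encryption context carries tenant=acme. A Subset constraint is the
-- right choice here: callers may add more context pairs (document ids,
-- dates) without the grant ceasing to apply.
tenantConstraint :: GrantConstraints
tenantConstraint = grantConstraints
  & gcEncryptionContextSubset .~ HM.fromList [("tenant", "acme")]

-- Mirrors how KMS evaluates GrantConstraints against a request's
-- encryption context: every Subset pair must be present with the same
-- value (extra pairs allowed); a non-empty Equals map must match the
-- whole context. An empty map imposes no condition. Matching is exact
-- and case-sensitive.
grantApplies :: GrantConstraints -> HM.HashMap Text Text -> Bool
grantApplies gc request = subsetOk && equalsOk
  where
    subset   = gc ^. gcEncryptionContextSubset
    equals   = gc ^. gcEncryptionContextEquals
    subsetOk = all (\(k, v) -> HM.lookup k request == Just v) (HM.toList subset)
    equalsOk = HM.null equals || equals == request

-- Issue a Decrypt-only grant to the tenant's role. The grantee is also the
-- retiring principal so it can clean up after itself; RevokeGrant stays
-- available to whoever the key policy allows.
issueTenantGrant :: Text -> Text -> AWS CreateGrantResponse
issueTenantGrant keyId granteeArn =
  send (createGrant keyId granteeArn
          & cgOperations .~ [Decrypt]
          & cgConstraints ?~ tenantConstraint
          & cgRetiringPrincipal ?~ granteeArn)

-- What the grantee runs. The grant token bridges the eventual-consistency
-- window right after CreateGrant; once the grant has propagated it is no
-- longer needed. A context of tenant=globex would not be authorised by
-- this grant.
tenantDecrypt :: Maybe Text -> B8.ByteString -> AWS (Maybe B8.ByteString)
tenantDecrypt token blob =
  view drsPlaintext <$> send (decrypt blob
    & dEncryptionContext .~ HM.fromList [("tenant", "acme"), ("doc", "42")]
    & dGrantTokens .~ maybeToList token)

main :: IO ()
main = do
  -- Offline check of the constraint semantics before touching KMS.
  print (grantApplies tenantConstraint
           (HM.fromList [("tenant", "acme"), ("doc", "42")]))
  print (grantApplies tenantConstraint (HM.fromList [("tenant", "globex")]))
  print (grantApplies tenantConstraint HM.empty)
  env <- newEnv Frankfurt Discover
  runResourceT . runAWS env $ do
    g  <- issueTenantGrant keyId granteeArn
    liftIO (print (g ^. cgrsGrantId))
    pt <- tenantDecrypt (g ^. cgrsGrantToken) (B8.pack "placeholder-blob")
    liftIO (print pt)
  where
    keyId, granteeArn :: Text
    keyId      = "12345678-1234-1234-1234-123456789012"         -- hypothetical
    granteeArn = "arn:aws:iam::123456789012:role/acme-reader"   -- hypothetical
```

Because the encryption context is supplied by the caller, the constraint is only as strong as the code that encrypted the data: a writer that omits tenant=acme produces ciphertext this grant cannot open, while a writer that lets callers choose the tenant value defeats the isolation. Pin the context in the encrypting component, not in request parameters.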
GrantListEntry
data GrantListEntry Source
Contains information about each entry in the grant list.
See: grantListEntry smart constructor.
grantListEntry :: GrantListEntry Source
Creates a value of GrantListEntry with the minimum fields required to make a request.
Use one of the following lenses to modify other fields as desired:
gleRetiringPrincipal :: Lens' GrantListEntry (Maybe Text) Source
The principal that can retire the grant.
gleIssuingAccount :: Lens' GrantListEntry (Maybe Text) Source
The account under which the grant was issued.
gleGrantId :: Lens' GrantListEntry (Maybe Text) Source
Unique grant identifier.
gleConstraints :: Lens' GrantListEntry (Maybe GrantConstraints) Source
Specifies the conditions under which the actions specified by the Operations parameter are allowed.
gleGranteePrincipal :: Lens' GrantListEntry (Maybe Text) Source
The principal that receives the grant permission.
gleOperations :: Lens' GrantListEntry [GrantOperation] Source
List of operations permitted by the grant. This can be any combination of one or more of the following values:
- Decrypt
- Encrypt
- GenerateDataKey
- GenerateDataKeyWithoutPlaintext
- ReEncryptFrom
- ReEncryptTo
- CreateGrant
KeyListEntry
data KeyListEntry Source
Contains information about each entry in the key list.
See: keyListEntry smart constructor.
keyListEntry :: KeyListEntry Source
Creates a value of KeyListEntry with the minimum fields required to make a request.
Use one of the following lenses to modify other fields as desired:
kleKeyARN :: Lens' KeyListEntry (Maybe Text) Source
ARN of the key.
kleKeyId :: Lens' KeyListEntry (Maybe Text) Source
Unique identifier of the key.
KeyMetadata
data KeyMetadata Source
Contains metadata associated with a specific key.
See: keyMetadata smart constructor.
keyMetadata :: Text -> KeyMetadata Source
Creates a value of KeyMetadata with the minimum fields required to make a request. The argument is the key identifier (kmKeyId).
Use one of the following lenses to modify other fields as desired:
kmARN :: Lens' KeyMetadata (Maybe Text) Source
Key ARN (Amazon Resource Name).
kmEnabled :: Lens' KeyMetadata (Maybe Bool) Source
Value that specifies whether the key is enabled. Cryptographic operations against a disabled key are rejected with DisabledException.
kmAWSAccountId :: Lens' KeyMetadata (Maybe Text) Source
Account ID number.
kmKeyUsage :: Lens' KeyMetadata (Maybe KeyUsageType) Source
A value that specifies what operation(s) the key can perform.
kmCreationDate :: Lens' KeyMetadata (Maybe UTCTime) Source
Date the key was created.
kmDescription :: Lens' KeyMetadata (Maybe Text) Source
The description of the key.
kmKeyId :: Lens' KeyMetadata Text Source
Unique identifier for the key.