amazonka-kms-1.3.3: Amazon Key Management Service SDK.

Copyright: (c) 2013-2015 Brendan Hay
License: Mozilla Public License, v. 2.0.
Maintainer: Brendan Hay <brendan.g.hay@gmail.com>
Stability: auto-generated
Portability: non-portable (GHC extensions)
Safe Haskell: None
Language: Haskell2010

Network.AWS.KMS

Description

AWS Key Management Service

AWS Key Management Service (KMS) is an encryption and key management web service. This guide describes the KMS actions that you can call programmatically. For general information about KMS, see the AWS Key Management Service Developer Guide.

AWS provides SDKs that consist of libraries and sample code for various programming languages and platforms (Java, Ruby, .Net, iOS, Android, etc.). The SDKs provide a convenient way to create programmatic access to KMS and AWS. For example, the SDKs take care of tasks such as signing requests (see below), managing errors, and retrying requests automatically. For more information about the AWS SDKs, including how to download and install them, see Tools for Amazon Web Services.

We recommend that you use the AWS SDKs to make programmatic API calls to KMS.

Clients must support TLS (Transport Layer Security) 1.0. We recommend TLS 1.2. Clients must also support cipher suites with Perfect Forward Secrecy (PFS) such as Ephemeral Diffie-Hellman (DHE) or Elliptic Curve Ephemeral Diffie-Hellman (ECDHE). Most modern systems such as Java 7 and later support these modes.

Signing Requests

Requests must be signed by using an access key ID and a secret access key. We strongly recommend that you do not use your AWS account access key ID and secret key for everyday work with KMS. Instead, use the access key ID and secret access key for an IAM user, or you can use the AWS Security Token Service to generate temporary security credentials that you can use to sign requests.

All KMS operations require Signature Version 4.

Recording API Requests

KMS supports AWS CloudTrail, a service that records AWS API calls and related events for your AWS account and delivers them to an Amazon S3 bucket that you specify. By using the information collected by CloudTrail, you can determine what requests were made to KMS, who made the request, when it was made, and so on. To learn more about CloudTrail, including how to turn it on and find your log files, see the AWS CloudTrail User Guide.

Additional Resources

For more information about credentials and request signing, see the following:

Commonly Used APIs

Of the APIs discussed in this guide, the following will prove the most useful for most applications. You will likely perform actions other than these, such as creating keys and assigning policies, by using the console.

  • Encrypt
  • Decrypt
  • GenerateDataKey
  • GenerateDataKeyWithoutPlaintext

See: AWS API Reference

Service Configuration

kMS :: Service Source

API version '2014-11-01' of the Amazon Key Management Service SDK configuration.

Errors

Error matchers are designed for use with the functions provided by Control.Exception.Lens. This allows catching (and rethrowing) service specific errors returned by KMS.

InvalidMarkerException

_InvalidMarkerException :: AsError a => Getting (First ServiceError) a ServiceError Source

The request was rejected because the marker that specifies where pagination should next begin is not valid.

InvalidKeyUsageException

_InvalidKeyUsageException :: AsError a => Getting (First ServiceError) a ServiceError Source

The request was rejected because the specified KeySpec parameter is not valid. The currently supported value is ENCRYPT/DECRYPT.

MalformedPolicyDocumentException

_MalformedPolicyDocumentException :: AsError a => Getting (First ServiceError) a ServiceError Source

The request was rejected because the specified policy is not syntactically or semantically correct.

UnsupportedOperationException

_UnsupportedOperationException :: AsError a => Getting (First ServiceError) a ServiceError Source

The request was rejected because a specified parameter is not supported.

DisabledException

_DisabledException :: AsError a => Getting (First ServiceError) a ServiceError Source

A request was rejected because the specified key was marked as disabled.

KeyUnavailableException

_KeyUnavailableException :: AsError a => Getting (First ServiceError) a ServiceError Source

The request was rejected because the key was disabled, not found, or otherwise not available.

KMSInternalException

_KMSInternalException :: AsError a => Getting (First ServiceError) a ServiceError Source

The request was rejected because an internal exception occurred. This error can be retried.

NotFoundException

_NotFoundException :: AsError a => Getting (First ServiceError) a ServiceError Source

The request was rejected because the specified entity or resource could not be found.

InvalidAliasNameException

_InvalidAliasNameException :: AsError a => Getting (First ServiceError) a ServiceError Source

The request was rejected because the specified alias name is not valid.

InvalidGrantTokenException

_InvalidGrantTokenException :: AsError a => Getting (First ServiceError) a ServiceError Source

A grant token provided as part of the request is invalid.

InvalidARNException

_InvalidARNException :: AsError a => Getting (First ServiceError) a ServiceError Source

The request was rejected because a specified ARN was not valid.

DependencyTimeoutException

_DependencyTimeoutException :: AsError a => Getting (First ServiceError) a ServiceError Source

The system timed out while trying to fulfill the request.

InvalidCiphertextException

_InvalidCiphertextException :: AsError a => Getting (First ServiceError) a ServiceError Source

The request was rejected because the specified ciphertext has been corrupted or is otherwise invalid.

AlreadyExistsException

_AlreadyExistsException :: AsError a => Getting (First ServiceError) a ServiceError Source

The request was rejected because it attempted to create a resource that already exists.

LimitExceededException

_LimitExceededException :: AsError a => Getting (First ServiceError) a ServiceError Source

The request was rejected because a quota was exceeded.
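The following is an added example, not code from the amazonka package: it uses the _InvalidCiphertextException matcher above with Control.Exception.Lens.catching to handle a rejected Decrypt, and shows why the rejection is useful: an encryption context bound at Encrypt time is authenticated data, so a blob decrypted under a different context is refused rather than silently decrypted. The key alias, tenant context and payload are placeholders constructed for the example; lens names follow the 1.3 naming pattern of Network.AWS.KMS.

```haskell
{-# LANGUAGE OverloadedStrings #-}
import           Control.Exception.Lens (catching)
import           Control.Lens           ((&), (.~), (^.))
import           Control.Monad.IO.Class (liftIO)
import qualified Data.ByteString        as BS
import qualified Data.HashMap.Strict    as HM
import           Data.Text              (Text)
import           Network.AWS
import           Network.AWS.KMS

-- Placeholder: the id, ARN or alias of a key you own (not a real key).
keyId :: Text
keyId = "alias/example-key-placeholder"

-- Encryption context: authenticated (not secret) key/value pairs bound to
-- the ciphertext; KMS refuses to decrypt unless the same pairs are given.
-- A constructed context tying the blob to one tenant and one purpose:
tenantCtx :: HM.HashMap Text Text
tenantCtx = HM.fromList [("tenant", "acme"), ("purpose", "db-backup")]

-- Encrypt a constructed payload under the key, binding it to the context.
encryptWithContext :: BS.ByteString -> AWS (Maybe BS.ByteString)
encryptWithContext plaintext = do
    rs <- send (encrypt keyId plaintext & eEncryptionContext .~ tenantCtx)
    return (rs ^. ersCiphertextBlob)

-- Decrypt with a given context; an InvalidCiphertextException (wrong
-- context or corrupted blob) is caught with the matcher and returned as
-- Left rather than propagating as a bare exception.
decryptWithContext :: HM.HashMap Text Text -> BS.ByteString
                   -> AWS (Either ServiceError (Maybe BS.ByteString))
decryptWithContext ctx blob =
    catching _InvalidCiphertextException
        (Right . (^. drsPlaintext) <$>
            send (decrypt blob & dEncryptionContext .~ ctx))
        (return . Left)

main :: IO ()
main = do
    env <- newEnv Ireland Discover
    runResourceT . runAWST env $ do
        mblob <- encryptWithContext "constructed secret"
        case mblob of
            Nothing   -> liftIO (putStrLn "no ciphertext returned")
            Just blob -> do
                ok  <- decryptWithContext tenantCtx blob
                bad <- decryptWithContext (HM.insert "tenant" "other" tenantCtx) blob
                liftIO . putStrLn $ case (ok, bad) of
                    (Right (Just _), Left _) -> "context-bound decrypt works; mismatch rejected"
                    _                        -> "unexpected outcome; inspect key and context"
```

Credentials are taken from the environment via Discover; the same catching pattern applies to any other matcher in this section, for example _DisabledException when a key has been disabled.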

Waiters

Waiters poll by repeatedly sending a request until some remote success condition configured by the Wait specification is fulfilled. The Wait specification determines how many attempts should be made, in addition to delay and retry strategies.

Operations

Some AWS operations return results that are incomplete and require subsequent requests in order to obtain the entire result set. The process of sending subsequent requests to continue where a previous request left off is called pagination. For example, the ListObjects operation of Amazon S3 returns up to 1000 objects at a time, and you must send subsequent requests with the appropriate Marker in order to retrieve the next page of results.

Operations that have an AWSPager instance can transparently perform subsequent requests, correctly setting Markers and other request facets to iterate through the entire result set of a truncated API operation. Operations which support this have an additional note in the documentation.

Many operations have the ability to filter results on the server side. See the individual operation parameters for details.
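An added example (not part of the package) of the pagination described above: paginate walks every page of ListKeys, and each key is then described and its rotation status queried, so that enabled keys without rotation can be reviewed. It assumes ListKeys carries the AWSPager instance mentioned above (not shown on this page) and that the DescribeKey and GetKeyRotationStatus response lenses follow the package's naming pattern (dkrsKeyMetadata, gkrsrsKeyRotationEnabled); kleKeyId and kmEnabled are the lenses documented below.

```haskell
import           Control.Lens           (view, (^.))
import           Control.Monad          (forM)
import           Data.Conduit           (($$), (=$))
import qualified Data.Conduit.List      as CL
import           Data.Maybe             (fromMaybe)
import           Data.Text              (Text)
import qualified Data.Text.IO           as T
import           Network.AWS
import           Network.AWS.KMS

-- One row of the inventory: key id, enabled flag, rotation flag.
data KeyStatus = KeyStatus
    { ksKeyId    :: Text
    , ksEnabled  :: Bool
    , ksRotating :: Bool
    } deriving Show

-- Walk every page of ListKeys (assumed AWSPager instance), collecting the
-- KeyListEntry values, then describe each key and query its rotation.
inventory :: AWS [KeyStatus]
inventory = do
    entries <- paginate listKeys $$ CL.concatMap (view lkrsKeys) =$ CL.consume
    forM [ k | Just k <- map (view kleKeyId) entries ] $ \kid -> do
        meta <- send (describeKey kid)
        rot  <- send (getKeyRotationStatus kid)
        return KeyStatus
            { ksKeyId    = kid
            , ksEnabled  = fromMaybe False (meta ^. dkrsKeyMetadata >>= view kmEnabled)
            , ksRotating = fromMaybe False (rot ^. gkrsrsKeyRotationEnabled)
            }

-- Enabled keys with rotation switched off are the ones worth reviewing.
needsReview :: [KeyStatus] -> [KeyStatus]
needsReview = filter (\k -> ksEnabled k && not (ksRotating k))

main :: IO ()
main = do
    env <- newEnv Ireland Discover
    flagged <- runResourceT . runAWST env $ needsReview <$> inventory
    mapM_ (T.putStrLn . ksKeyId) flagged
```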

Encrypt

ListGrants

DisableKeyRotation

GenerateDataKeyWithoutPlaintext

EnableKeyRotation

CreateAlias

CreateGrant

ListAliases

GenerateRandom

CreateKey

DisableKey

RetireGrant

ListKeys

GetKeyRotationStatus

GenerateDataKey

DeleteAlias

UpdateAlias

DescribeKey

Decrypt

UpdateKeyDescription

ReEncrypt

ListKeyPolicies

PutKeyPolicy

EnableKey

RevokeGrant

GetKeyPolicy

Types

DataKeySpec

GrantOperation

KeyUsageType

AliasListEntry

aliasListEntry :: AliasListEntry Source

Creates a value of AliasListEntry with the minimum fields required to make a request.

Use one of the following lenses to modify other fields as desired:

aleTargetKeyId :: Lens' AliasListEntry (Maybe Text) Source

String that contains the key identifier pointed to by the alias.

aleAliasName :: Lens' AliasListEntry (Maybe Text) Source

String that contains the alias.

aleAliasARN :: Lens' AliasListEntry (Maybe Text) Source

String that contains the key ARN.

GrantConstraints

grantConstraints :: GrantConstraints Source

Creates a value of GrantConstraints with the minimum fields required to make a request.

Use one of the following lenses to modify other fields as desired:

gcEncryptionContextEquals :: Lens' GrantConstraints (HashMap Text Text) Source

The constraint contains additional key/value pairs that serve to further limit the grant.

gcEncryptionContextSubset :: Lens' GrantConstraints (HashMap Text Text) Source

The constraint equals the full encryption context.

GrantListEntry

grantListEntry :: GrantListEntry Source

Creates a value of GrantListEntry with the minimum fields required to make a request.

Use one of the following lenses to modify other fields as desired:

gleRetiringPrincipal :: Lens' GrantListEntry (Maybe Text) Source

The principal that can retire the account.

gleIssuingAccount :: Lens' GrantListEntry (Maybe Text) Source

The account under which the grant was issued.

gleGrantId :: Lens' GrantListEntry (Maybe Text) Source

Unique grant identifier.

gleConstraints :: Lens' GrantListEntry (Maybe GrantConstraints) Source

Specifies the conditions under which the actions specified by the Operations parameter are allowed.

gleGranteePrincipal :: Lens' GrantListEntry (Maybe Text) Source

The principal that receives the grant permission.

gleOperations :: Lens' GrantListEntry [GrantOperation] Source

List of operations permitted by the grant. This can be any combination of one or more of the following values:

  1. Decrypt
  2. Encrypt
  3. GenerateDataKey
  4. GenerateDataKeyWithoutPlaintext
  5. ReEncryptFrom
  6. ReEncryptTo
  7. CreateGrant

KeyListEntry

data KeyListEntry Source

Contains information about each entry in the key list.

See: keyListEntry smart constructor.

keyListEntry :: KeyListEntry Source

Creates a value of KeyListEntry with the minimum fields required to make a request.

Use one of the following lenses to modify other fields as desired:

kleKeyId :: Lens' KeyListEntry (Maybe Text) Source

Unique identifier of the key.

KeyMetadata

data KeyMetadata Source

Contains metadata associated with a specific key.

See: keyMetadata smart constructor.

keyMetadata :: Text -> KeyMetadata Source

Arguments:

  • Text: kmKeyId

Creates a value of KeyMetadata with the minimum fields required to make a request.

Use one of the following lenses to modify other fields as desired:

kmEnabled :: Lens' KeyMetadata (Maybe Bool) Source

Value that specifies whether the key is enabled.

kmARN :: Lens' KeyMetadata (Maybe Text) Source

Key ARN (Amazon Resource Name).

kmKeyUsage :: Lens' KeyMetadata (Maybe KeyUsageType) Source

A value that specifies what operation(s) the key can perform.

kmCreationDate :: Lens' KeyMetadata (Maybe UTCTime) Source

Date the key was created.

kmDescription :: Lens' KeyMetadata (Maybe Text) Source

The description of the key.

kmKeyId :: Lens' KeyMetadata Text Source

Unique identifier for the key.