Copyright: (c) 2013-2021 Brendan Hay
License: Mozilla Public License, v. 2.0.
Maintainer: Brendan Hay <brendan.g.hay+amazonka@gmail.com>
Stability: auto-generated
Portability: non-portable (GHC extensions)
Safe Haskell: None

Amazonka.KMS.Types.GrantConstraints

Documentation

data GrantConstraints

Use this structure to allow cryptographic operations in the grant only when the operation request includes the specified encryption context.

KMS applies the grant constraints only to cryptographic operations that support an encryption context, that is, all cryptographic operations with a symmetric KMS key. Grant constraints are not applied to operations that do not support an encryption context, such as cryptographic operations with asymmetric KMS keys and management operations, such as DescribeKey or RetireGrant.

In a cryptographic operation, the encryption context in the decryption operation must be an exact, case-sensitive match for the keys and values in the encryption context of the encryption operation. Only the order of the pairs can vary.

However, in a grant constraint, the key in each key-value pair is not case sensitive, but the value is case sensitive.

To avoid confusion, do not use multiple encryption context pairs that differ only by case. To require a fully case-sensitive encryption context, use the kms:EncryptionContext: and kms:EncryptionContextKeys conditions in an IAM or key policy. For details, see kms:EncryptionContext: in the Key Management Service Developer Guide.

See: newGrantConstraints smart constructor.

Constructors

GrantConstraints' 

Fields

  • encryptionContextEquals :: Maybe (HashMap Text Text)

    A list of key-value pairs that must match the encryption context in the cryptographic operation request. The grant allows the operation only when the encryption context in the request is the same as the encryption context specified in this constraint.

  • encryptionContextSubset :: Maybe (HashMap Text Text)

    A list of key-value pairs that must be included in the encryption context of the cryptographic operation request. The grant allows the cryptographic operation only when the encryption context in the request includes the key-value pairs specified in this constraint, although it can include additional key-value pairs.

Instances

Defined in Amazonka.KMS.Types.GrantConstraints:

  • Eq GrantConstraints
  • Read GrantConstraints
  • Show GrantConstraints
  • Generic GrantConstraints

    Associated Types

    type Rep GrantConstraints :: Type -> Type

  • NFData GrantConstraints

    Methods

    rnf :: GrantConstraints -> ()

  • Hashable GrantConstraints
  • ToJSON GrantConstraints
  • FromJSON GrantConstraints
  • type Rep GrantConstraints

type Rep GrantConstraints = D1 ('MetaData "GrantConstraints" "Amazonka.KMS.Types.GrantConstraints" "libZSservicesZSamazonka-kmsZSamazonka-kms" 'False) (C1 ('MetaCons "GrantConstraints'" 'PrefixI 'True) (S1 ('MetaSel ('Just "encryptionContextEquals") 'NoSourceUnpackedness 'NoSourceStrictness 'DecidedStrict) (Rec0 (Maybe (HashMap Text Text))) :*: S1 ('MetaSel ('Just "encryptionContextSubset") 'NoSourceUnpackedness 'NoSourceStrictness 'DecidedStrict) (Rec0 (Maybe (HashMap Text Text)))))

newGrantConstraints :: GrantConstraints

Create a value of GrantConstraints with all optional fields omitted.

Use generic-lens or optics to modify other optional fields.

The following record fields are available, with the corresponding lenses provided for backwards compatibility:

$sel:encryptionContextEquals:GrantConstraints', grantConstraints_encryptionContextEquals - A list of key-value pairs that must match the encryption context in the cryptographic operation request. The grant allows the operation only when the encryption context in the request is the same as the encryption context specified in this constraint.

$sel:encryptionContextSubset:GrantConstraints', grantConstraints_encryptionContextSubset - A list of key-value pairs that must be included in the encryption context of the cryptographic operation request. The grant allows the cryptographic operation only when the encryption context in the request includes the key-value pairs specified in this constraint, although it can include additional key-value pairs.

grantConstraints_encryptionContextEquals :: Lens' GrantConstraints (Maybe (HashMap Text Text))

A list of key-value pairs that must match the encryption context in the cryptographic operation request. The grant allows the operation only when the encryption context in the request is the same as the encryption context specified in this constraint.

grantConstraints_encryptionContextSubset :: Lens' GrantConstraints (Maybe (HashMap Text Text))

A list of key-value pairs that must be included in the encryption context of the cryptographic operation request. The grant allows the cryptographic operation only when the encryption context in the request includes the key-value pairs specified in this constraint, although it can include additional key-value pairs.
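
The constraint semantics described on this page, as an added example (not code from amazonka or AWS): it builds constraints with newGrantConstraints and the two lenses, then evaluates request contexts against a local model in which constraint keys compare case-insensitively and values case-sensitively. The helper names, the sample contexts, and the rule that both constraints must hold when both are set are assumptions of this example; it needs the lens, text and unordered-containers packages.

```haskell
{-# LANGUAGE OverloadedStrings #-}
module Main (main) where

import Amazonka.KMS.Types.GrantConstraints
import Control.Lens ((&), (?~), (^.))
import Data.HashMap.Strict (HashMap)
import qualified Data.HashMap.Strict as HashMap
import Data.Text (Text)
import qualified Data.Text as Text

type Context = HashMap Text Text

-- Hypothetical helper: a pair matches when the keys are equal ignoring case
-- and the values are equal exactly, as the page states for grant constraints.
hasPair :: Context -> (Text, Text) -> Bool
hasPair ctx (k, v) =
  any (\(k', v') -> Text.toCaseFold k' == Text.toCaseFold k && v' == v) (HashMap.toList ctx)

-- encryptionContextSubset: every constraint pair must appear in the request.
subsetOk :: Context -> Context -> Bool
subsetOk constraint request = all (hasPair request) (HashMap.toList constraint)

-- encryptionContextEquals: the same pairs in both directions, with no extras.
equalsOk :: Context -> Context -> Bool
equalsOk constraint request =
  HashMap.size constraint == HashMap.size request
    && subsetOk constraint request
    && subsetOk request constraint

-- Local model, not KMS itself. Assumption: an unset field imposes nothing,
-- and when both fields are set, both must hold.
modelAllows :: GrantConstraints -> Context -> Bool
modelAllows gc request =
  maybe True (`equalsOk` request) (gc ^. grantConstraints_encryptionContextEquals)
    && maybe True (`subsetOk` request) (gc ^. grantConstraints_encryptionContextSubset)

main :: IO ()
main = do
  let pairs = HashMap.fromList [("Department", "IT")] :: Context -- constructed sample
      subsetGc = newGrantConstraints & grantConstraints_encryptionContextSubset ?~ pairs
      equalsGc = newGrantConstraints & grantConstraints_encryptionContextEquals ?~ pairs
      -- Request whose key differs only by case and which carries one extra pair.
      request = HashMap.fromList [("department", "IT"), ("Purpose", "Test")] :: Context
      -- Request whose value differs only by case.
      lowerValue = HashMap.fromList [("Department", "it")] :: Context
  print (modelAllows subsetGc request, modelAllows equalsGc request)
  print (modelAllows subsetGc lowerValue, modelAllows equalsGc lowerValue)
```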