{-# LANGUAGE DeriveGeneric #-} {-# LANGUAGE DuplicateRecordFields #-} {-# LANGUAGE NamedFieldPuns #-} {-# LANGUAGE OverloadedStrings #-} {-# LANGUAGE RecordWildCards #-} {-# LANGUAGE StrictData #-} {-# LANGUAGE TypeFamilies #-} {-# LANGUAGE NoImplicitPrelude #-} {-# OPTIONS_GHC -fno-warn-unused-binds #-} {-# OPTIONS_GHC -fno-warn-unused-imports #-} {-# OPTIONS_GHC -fno-warn-unused-matches #-} -- Derived from AWS service descriptions, licensed under Apache 2.0. -- | -- Module : Amazonka.KMS.CreateKey -- Copyright : (c) 2013-2021 Brendan Hay -- License : Mozilla Public License, v. 2.0. -- Maintainer : Brendan Hay <brendan.g.hay+amazonka@gmail.com> -- Stability : auto-generated -- Portability : non-portable (GHC extensions) -- -- Creates a unique customer managed -- <https://docs.aws.amazon.com/kms/latest/developerguide/concepts.html#kms-keys KMS key> -- in your Amazon Web Services account and Region. -- -- KMS is replacing the term /customer master key (CMK)/ with /KMS key/ and -- /KMS key/. The concept has not changed. To prevent breaking changes, KMS -- is keeping some variations of this term. -- -- You can use the @CreateKey@ operation to create symmetric or asymmetric -- KMS keys. -- -- - __Symmetric KMS keys__ contain a 256-bit symmetric key that never -- leaves KMS unencrypted. To use the KMS key, you must call KMS. You -- can use a symmetric KMS key to encrypt and decrypt small amounts of -- data, but they are typically used to generate -- <https://docs.aws.amazon.com/kms/latest/developerguide/concepts.html#data-keys data keys> -- and -- <https://docs.aws.amazon.com/kms/latest/developerguide/concepts.html#data-key-pairs data keys pairs>. -- For details, see GenerateDataKey and GenerateDataKeyPair. -- -- - __Asymmetric KMS keys__ can contain an RSA key pair or an Elliptic -- Curve (ECC) key pair. The private key in an asymmetric KMS key never -- leaves KMS unencrypted. However, you can use the GetPublicKey -- operation to download the public key so it can be used outside of -- KMS. KMS keys with RSA key pairs can be used to encrypt or decrypt -- data or sign and verify messages (but not both). KMS keys with ECC -- key pairs can be used only to sign and verify messages. -- -- For information about symmetric and asymmetric KMS keys, see -- <https://docs.aws.amazon.com/kms/latest/developerguide/symmetric-asymmetric.html Using Symmetric and Asymmetric KMS keys> -- in the /Key Management Service Developer Guide/. -- -- To create different types of KMS keys, use the following guidance: -- -- [Asymmetric KMS keys] -- To create an asymmetric KMS key, use the @KeySpec@ parameter to -- specify the type of key material in the KMS key. Then, use the -- @KeyUsage@ parameter to determine whether the KMS key will be used -- to encrypt and decrypt or sign and verify. You can\'t change these -- properties after the KMS key is created. -- -- [Symmetric KMS keys] -- When creating a symmetric KMS key, you don\'t need to specify the -- @KeySpec@ or @KeyUsage@ parameters. The default value for @KeySpec@, -- @SYMMETRIC_DEFAULT@, and the default value for @KeyUsage@, -- @ENCRYPT_DECRYPT@, are the only valid values for symmetric KMS keys. -- -- [Multi-Region primary keys -- Imported key material] -- To create a multi-Region /primary key/ in the local Amazon Web -- Services Region, use the @MultiRegion@ parameter with a value of -- @True@. To create a multi-Region /replica key/, that is, a KMS key -- with the same key ID and key material as a primary key, but in a -- different Amazon Web Services Region, use the ReplicateKey -- operation. To change a replica key to a primary key, and its primary -- key to a replica key, use the UpdatePrimaryRegion operation. -- -- This operation supports /multi-Region keys/, an KMS feature that -- lets you create multiple interoperable KMS keys in different Amazon -- Web Services Regions. Because these KMS keys have the same key ID, -- key material, and other metadata, you can use them interchangeably -- to encrypt data in one Amazon Web Services Region and decrypt it in -- a different Amazon Web Services Region without re-encrypting the -- data or making a cross-Region call. For more information about -- multi-Region keys, see -- <https://docs.aws.amazon.com/kms/latest/developerguide/multi-region-keys-overview.html Using multi-Region keys> -- in the /Key Management Service Developer Guide/. -- -- You can create symmetric and asymmetric multi-Region keys and -- multi-Region keys with imported key material. You cannot create -- multi-Region keys in a custom key store. -- -- To import your own key material, begin by creating a symmetric KMS -- key with no key material. To do this, use the @Origin@ parameter of -- @CreateKey@ with a value of @EXTERNAL@. Next, use -- GetParametersForImport operation to get a public key and import -- token, and use the public key to encrypt your key material. Then, -- use ImportKeyMaterial with your import token to import the key -- material. For step-by-step instructions, see -- <https://docs.aws.amazon.com/kms/latest/developerguide/importing-keys.html Importing Key Material> -- in the //Key Management Service Developer Guide// . You cannot -- import the key material into an asymmetric KMS key. -- -- To create a multi-Region primary key with imported key material, use -- the @Origin@ parameter of @CreateKey@ with a value of @EXTERNAL@ and -- the @MultiRegion@ parameter with a value of @True@. To create -- replicas of the multi-Region primary key, use the ReplicateKey -- operation. For more information about multi-Region keys, see -- <https://docs.aws.amazon.com/kms/latest/developerguide/multi-region-keys-overview.html Using multi-Region keys> -- in the /Key Management Service Developer Guide/. -- -- [Custom key store] -- To create a symmetric KMS key in a -- <https://docs.aws.amazon.com/kms/latest/developerguide/custom-key-store-overview.html custom key store>, -- use the @CustomKeyStoreId@ parameter to specify the custom key -- store. You must also use the @Origin@ parameter with a value of -- @AWS_CLOUDHSM@. The CloudHSM cluster that is associated with the -- custom key store must have at least two active HSMs in different -- Availability Zones in the Amazon Web Services Region. -- -- You cannot create an asymmetric KMS key in a custom key store. For -- information about custom key stores in KMS see -- <https://docs.aws.amazon.com/kms/latest/developerguide/custom-key-store-overview.html Using Custom Key Stores> -- in the //Key Management Service Developer Guide// . -- -- __Cross-account use__: No. You cannot use this operation to create a KMS -- key in a different Amazon Web Services account. -- -- __Required permissions__: -- <https://docs.aws.amazon.com/kms/latest/developerguide/kms-api-permissions-reference.html kms:CreateKey> -- (IAM policy). To use the @Tags@ parameter, -- <https://docs.aws.amazon.com/kms/latest/developerguide/kms-api-permissions-reference.html kms:TagResource> -- (IAM policy). For examples and information about related permissions, -- see -- <https://docs.aws.amazon.com/kms/latest/developerguide/iam-policies.html#iam-policy-example-create-key Allow a user to create KMS keys> -- in the /Key Management Service Developer Guide/. -- -- __Related operations:__ -- -- - DescribeKey -- -- - ListKeys -- -- - ScheduleKeyDeletion module Amazonka.KMS.CreateKey ( -- * Creating a Request CreateKey (..), newCreateKey, -- * Request Lenses createKey_origin, createKey_keySpec, createKey_customerMasterKeySpec, createKey_keyUsage, createKey_bypassPolicyLockoutSafetyCheck, createKey_policy, createKey_description, createKey_customKeyStoreId, createKey_tags, createKey_multiRegion, -- * Destructuring the Response CreateKeyResponse (..), newCreateKeyResponse, -- * Response Lenses createKeyResponse_keyMetadata, createKeyResponse_httpStatus, ) where import qualified Amazonka.Core as Core import Amazonka.KMS.Types import qualified Amazonka.Lens as Lens import qualified Amazonka.Prelude as Prelude import qualified Amazonka.Request as Request import qualified Amazonka.Response as Response -- | /See:/ 'newCreateKey' smart constructor. data CreateKey = CreateKey' { -- | The source of the key material for the KMS key. You cannot change the -- origin after you create the KMS key. The default is @AWS_KMS@, which -- means that KMS creates the key material. -- -- To create a KMS key with no key material (for imported key material), -- set the value to @EXTERNAL@. For more information about importing key -- material into KMS, see -- <https://docs.aws.amazon.com/kms/latest/developerguide/importing-keys.html Importing Key Material> -- in the /Key Management Service Developer Guide/. This value is valid -- only for symmetric KMS keys. -- -- To create a KMS key in an KMS -- <https://docs.aws.amazon.com/kms/latest/developerguide/custom-key-store-overview.html custom key store> -- and create its key material in the associated CloudHSM cluster, set this -- value to @AWS_CLOUDHSM@. You must also use the @CustomKeyStoreId@ -- parameter to identify the custom key store. This value is valid only for -- symmetric KMS keys. CreateKey -> Maybe OriginType origin :: Prelude.Maybe OriginType, -- | Specifies the type of KMS key to create. The default value, -- @SYMMETRIC_DEFAULT@, creates a KMS key with a 256-bit symmetric key for -- encryption and decryption. For help choosing a key spec for your KMS -- key, see -- <https://docs.aws.amazon.com/kms/latest/developerguide/symm-asymm-choose.html How to Choose Your KMS key Configuration> -- in the //Key Management Service Developer Guide// . -- -- The @KeySpec@ determines whether the KMS key contains a symmetric key or -- an asymmetric key pair. It also determines the encryption algorithms or -- signing algorithms that the KMS key supports. You can\'t change the -- @KeySpec@ after the KMS key is created. To further restrict the -- algorithms that can be used with the KMS key, use a condition key in its -- key policy or IAM policy. For more information, see -- <https://docs.aws.amazon.com/kms/latest/developerguide/policy-conditions.html#conditions-kms-encryption-algorithm kms:EncryptionAlgorithm> -- or -- <https://docs.aws.amazon.com/kms/latest/developerguide/policy-conditions.html#conditions-kms-signing-algorithm kms:Signing Algorithm> -- in the //Key Management Service Developer Guide// . -- -- <http://aws.amazon.com/kms/features/#AWS_Service_Integration Amazon Web Services services that are integrated with KMS> -- use symmetric KMS keys to protect your data. These services do not -- support asymmetric KMS keys. For help determining whether a KMS key is -- symmetric or asymmetric, see -- <https://docs.aws.amazon.com/kms/latest/developerguide/find-symm-asymm.html Identifying Symmetric and Asymmetric KMS keys> -- in the /Key Management Service Developer Guide/. -- -- KMS supports the following key specs for KMS keys: -- -- - Symmetric key (default) -- -- - @SYMMETRIC_DEFAULT@ (AES-256-GCM) -- -- - Asymmetric RSA key pairs -- -- - @RSA_2048@ -- -- - @RSA_3072@ -- -- - @RSA_4096@ -- -- - Asymmetric NIST-recommended elliptic curve key pairs -- -- - @ECC_NIST_P256@ (secp256r1) -- -- - @ECC_NIST_P384@ (secp384r1) -- -- - @ECC_NIST_P521@ (secp521r1) -- -- - Other asymmetric elliptic curve key pairs -- -- - @ECC_SECG_P256K1@ (secp256k1), commonly used for -- cryptocurrencies. CreateKey -> Maybe KeySpec keySpec :: Prelude.Maybe KeySpec, -- | Instead, use the @KeySpec@ parameter. -- -- The @KeySpec@ and @CustomerMasterKeySpec@ parameters work the same way. -- Only the names differ. We recommend that you use @KeySpec@ parameter in -- your code. However, to avoid breaking changes, KMS will support both -- parameters. CreateKey -> Maybe CustomerMasterKeySpec customerMasterKeySpec :: Prelude.Maybe CustomerMasterKeySpec, -- | Determines the -- <https://docs.aws.amazon.com/kms/latest/developerguide/concepts.html#cryptographic-operations cryptographic operations> -- for which you can use the KMS key. The default value is -- @ENCRYPT_DECRYPT@. This parameter is required only for asymmetric KMS -- keys. You can\'t change the @KeyUsage@ value after the KMS key is -- created. -- -- Select only one valid value. -- -- - For symmetric KMS keys, omit the parameter or specify -- @ENCRYPT_DECRYPT@. -- -- - For asymmetric KMS keys with RSA key material, specify -- @ENCRYPT_DECRYPT@ or @SIGN_VERIFY@. -- -- - For asymmetric KMS keys with ECC key material, specify -- @SIGN_VERIFY@. CreateKey -> Maybe KeyUsageType keyUsage :: Prelude.Maybe KeyUsageType, -- | A flag to indicate whether to bypass the key policy lockout safety -- check. -- -- Setting this value to true increases the risk that the KMS key becomes -- unmanageable. Do not set this value to true indiscriminately. -- -- For more information, refer to the scenario in the -- <https://docs.aws.amazon.com/kms/latest/developerguide/key-policies.html#key-policy-default-allow-root-enable-iam Default Key Policy> -- section in the //Key Management Service Developer Guide// . -- -- Use this parameter only when you include a policy in the request and you -- intend to prevent the principal that is making the request from making a -- subsequent PutKeyPolicy request on the KMS key. -- -- The default value is false. CreateKey -> Maybe Bool bypassPolicyLockoutSafetyCheck :: Prelude.Maybe Prelude.Bool, -- | The key policy to attach to the KMS key. -- -- If you provide a key policy, it must meet the following criteria: -- -- - If you don\'t set @BypassPolicyLockoutSafetyCheck@ to true, the key -- policy must allow the principal that is making the @CreateKey@ -- request to make a subsequent PutKeyPolicy request on the KMS key. -- This reduces the risk that the KMS key becomes unmanageable. For -- more information, refer to the scenario in the -- <https://docs.aws.amazon.com/kms/latest/developerguide/key-policies.html#key-policy-default-allow-root-enable-iam Default Key Policy> -- section of the //Key Management Service Developer Guide// . -- -- - Each statement in the key policy must contain one or more -- principals. The principals in the key policy must exist and be -- visible to KMS. When you create a new Amazon Web Services principal -- (for example, an IAM user or role), you might need to enforce a -- delay before including the new principal in a key policy because the -- new principal might not be immediately visible to KMS. For more -- information, see -- <https://docs.aws.amazon.com/IAM/latest/UserGuide/troubleshoot_general.html#troubleshoot_general_eventual-consistency Changes that I make are not always immediately visible> -- in the /Amazon Web Services Identity and Access Management User -- Guide/. -- -- If you do not provide a key policy, KMS attaches a default key policy to -- the KMS key. For more information, see -- <https://docs.aws.amazon.com/kms/latest/developerguide/key-policies.html#key-policy-default Default Key Policy> -- in the /Key Management Service Developer Guide/. -- -- The key policy size quota is 32 kilobytes (32768 bytes). -- -- For help writing and formatting a JSON policy document, see the -- <https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies.html IAM JSON Policy Reference> -- in the //Identity and Access Management User Guide// . CreateKey -> Maybe Text policy :: Prelude.Maybe Prelude.Text, -- | A description of the KMS key. -- -- Use a description that helps you decide whether the KMS key is -- appropriate for a task. The default value is an empty string (no -- description). -- -- To set or change the description after the key is created, use -- UpdateKeyDescription. CreateKey -> Maybe Text description :: Prelude.Maybe Prelude.Text, -- | Creates the KMS key in the specified -- <https://docs.aws.amazon.com/kms/latest/developerguide/custom-key-store-overview.html custom key store> -- and the key material in its associated CloudHSM cluster. To create a KMS -- key in a custom key store, you must also specify the @Origin@ parameter -- with a value of @AWS_CLOUDHSM@. The CloudHSM cluster that is associated -- with the custom key store must have at least two active HSMs, each in a -- different Availability Zone in the Region. -- -- This parameter is valid only for symmetric KMS keys and regional KMS -- keys. You cannot create an asymmetric KMS key or a multi-Region key in a -- custom key store. -- -- To find the ID of a custom key store, use the DescribeCustomKeyStores -- operation. -- -- The response includes the custom key store ID and the ID of the CloudHSM -- cluster. -- -- This operation is part of the -- <https://docs.aws.amazon.com/kms/latest/developerguide/custom-key-store-overview.html Custom Key Store feature> -- feature in KMS, which combines the convenience and extensive integration -- of KMS with the isolation and control of a single-tenant key store. CreateKey -> Maybe Text customKeyStoreId :: Prelude.Maybe Prelude.Text, -- | Assigns one or more tags to the KMS key. Use this parameter to tag the -- KMS key when it is created. To tag an existing KMS key, use the -- TagResource operation. -- -- Tagging or untagging a KMS key can allow or deny permission to the KMS -- key. For details, see -- <https://docs.aws.amazon.com/kms/latest/developerguide/abac.html Using ABAC in KMS> -- in the /Key Management Service Developer Guide/. -- -- To use this parameter, you must have -- <https://docs.aws.amazon.com/kms/latest/developerguide/kms-api-permissions-reference.html kms:TagResource> -- permission in an IAM policy. -- -- Each tag consists of a tag key and a tag value. Both the tag key and the -- tag value are required, but the tag value can be an empty (null) string. -- You cannot have more than one tag on a KMS key with the same tag key. If -- you specify an existing tag key with a different tag value, KMS replaces -- the current tag value with the specified one. -- -- When you add tags to an Amazon Web Services resource, Amazon Web -- Services generates a cost allocation report with usage and costs -- aggregated by tags. Tags can also be used to control access to a KMS -- key. For details, see -- <https://docs.aws.amazon.com/kms/latest/developerguide/tagging-keys.html Tagging Keys>. :: Prelude.Maybe [Tag], -- | Creates a multi-Region primary key that you can replicate into other -- Amazon Web Services Regions. You cannot change this value after you -- create the KMS key. -- -- For a multi-Region key, set this parameter to @True@. For a -- single-Region KMS key, omit this parameter or set it to @False@. The -- default value is @False@. -- -- This operation supports /multi-Region keys/, an KMS feature that lets -- you create multiple interoperable KMS keys in different Amazon Web -- Services Regions. Because these KMS keys have the same key ID, key -- material, and other metadata, you can use them interchangeably to -- encrypt data in one Amazon Web Services Region and decrypt it in a -- different Amazon Web Services Region without re-encrypting the data or -- making a cross-Region call. For more information about multi-Region -- keys, see -- <https://docs.aws.amazon.com/kms/latest/developerguide/multi-region-keys-overview.html Using multi-Region keys> -- in the /Key Management Service Developer Guide/. -- -- This value creates a /primary key/, not a replica. To create a /replica -- key/, use the ReplicateKey operation. -- -- You can create a symmetric or asymmetric multi-Region key, and you can -- create a multi-Region key with imported key material. However, you -- cannot create a multi-Region key in a custom key store. CreateKey -> Maybe Bool multiRegion :: Prelude.Maybe Prelude.Bool } deriving (CreateKey -> CreateKey -> Bool (CreateKey -> CreateKey -> Bool) -> (CreateKey -> CreateKey -> Bool) -> Eq CreateKey forall a. (a -> a -> Bool) -> (a -> a -> Bool) -> Eq a /= :: CreateKey -> CreateKey -> Bool $c/= :: CreateKey -> CreateKey -> Bool == :: CreateKey -> CreateKey -> Bool $c== :: CreateKey -> CreateKey -> Bool Prelude.Eq, ReadPrec [CreateKey] ReadPrec CreateKey Int -> ReadS CreateKey ReadS [CreateKey] (Int -> ReadS CreateKey) -> ReadS [CreateKey] -> ReadPrec CreateKey -> ReadPrec [CreateKey] -> Read CreateKey forall a. (Int -> ReadS a) -> ReadS [a] -> ReadPrec a -> ReadPrec [a] -> Read a readListPrec :: ReadPrec [CreateKey] $creadListPrec :: ReadPrec [CreateKey] readPrec :: ReadPrec CreateKey $creadPrec :: ReadPrec CreateKey readList :: ReadS [CreateKey] $creadList :: ReadS [CreateKey] readsPrec :: Int -> ReadS CreateKey $creadsPrec :: Int -> ReadS CreateKey Prelude.Read, Int -> CreateKey -> ShowS [CreateKey] -> ShowS CreateKey -> String (Int -> CreateKey -> ShowS) -> (CreateKey -> String) -> ([CreateKey] -> ShowS) -> Show CreateKey forall a. (Int -> a -> ShowS) -> (a -> String) -> ([a] -> ShowS) -> Show a showList :: [CreateKey] -> ShowS $cshowList :: [CreateKey] -> ShowS show :: CreateKey -> String $cshow :: CreateKey -> String showsPrec :: Int -> CreateKey -> ShowS $cshowsPrec :: Int -> CreateKey -> ShowS Prelude.Show, (forall x. CreateKey -> Rep CreateKey x) -> (forall x. Rep CreateKey x -> CreateKey) -> Generic CreateKey forall x. Rep CreateKey x -> CreateKey forall x. CreateKey -> Rep CreateKey x forall a. (forall x. a -> Rep a x) -> (forall x. Rep a x -> a) -> Generic a $cto :: forall x. Rep CreateKey x -> CreateKey $cfrom :: forall x. CreateKey -> Rep CreateKey x Prelude.Generic) -- | -- Create a value of 'CreateKey' with all optional fields omitted. -- -- Use <https://hackage.haskell.org/package/generic-lens generic-lens> or <https://hackage.haskell.org/package/optics optics> to modify other optional fields. -- -- The following record fields are available, with the corresponding lenses provided -- for backwards compatibility: -- -- 'origin', 'createKey_origin' - The source of the key material for the KMS key. You cannot change the -- origin after you create the KMS key. The default is @AWS_KMS@, which -- means that KMS creates the key material. -- -- To create a KMS key with no key material (for imported key material), -- set the value to @EXTERNAL@. For more information about importing key -- material into KMS, see -- <https://docs.aws.amazon.com/kms/latest/developerguide/importing-keys.html Importing Key Material> -- in the /Key Management Service Developer Guide/. This value is valid -- only for symmetric KMS keys. -- -- To create a KMS key in an KMS -- <https://docs.aws.amazon.com/kms/latest/developerguide/custom-key-store-overview.html custom key store> -- and create its key material in the associated CloudHSM cluster, set this -- value to @AWS_CLOUDHSM@. You must also use the @CustomKeyStoreId@ -- parameter to identify the custom key store. This value is valid only for -- symmetric KMS keys. -- -- 'keySpec', 'createKey_keySpec' - Specifies the type of KMS key to create. The default value, -- @SYMMETRIC_DEFAULT@, creates a KMS key with a 256-bit symmetric key for -- encryption and decryption. For help choosing a key spec for your KMS -- key, see -- <https://docs.aws.amazon.com/kms/latest/developerguide/symm-asymm-choose.html How to Choose Your KMS key Configuration> -- in the //Key Management Service Developer Guide// . -- -- The @KeySpec@ determines whether the KMS key contains a symmetric key or -- an asymmetric key pair. It also determines the encryption algorithms or -- signing algorithms that the KMS key supports. You can\'t change the -- @KeySpec@ after the KMS key is created. To further restrict the -- algorithms that can be used with the KMS key, use a condition key in its -- key policy or IAM policy. For more information, see -- <https://docs.aws.amazon.com/kms/latest/developerguide/policy-conditions.html#conditions-kms-encryption-algorithm kms:EncryptionAlgorithm> -- or -- <https://docs.aws.amazon.com/kms/latest/developerguide/policy-conditions.html#conditions-kms-signing-algorithm kms:Signing Algorithm> -- in the //Key Management Service Developer Guide// . -- -- <http://aws.amazon.com/kms/features/#AWS_Service_Integration Amazon Web Services services that are integrated with KMS> -- use symmetric KMS keys to protect your data. These services do not -- support asymmetric KMS keys. For help determining whether a KMS key is -- symmetric or asymmetric, see -- <https://docs.aws.amazon.com/kms/latest/developerguide/find-symm-asymm.html Identifying Symmetric and Asymmetric KMS keys> -- in the /Key Management Service Developer Guide/. -- -- KMS supports the following key specs for KMS keys: -- -- - Symmetric key (default) -- -- - @SYMMETRIC_DEFAULT@ (AES-256-GCM) -- -- - Asymmetric RSA key pairs -- -- - @RSA_2048@ -- -- - @RSA_3072@ -- -- - @RSA_4096@ -- -- - Asymmetric NIST-recommended elliptic curve key pairs -- -- - @ECC_NIST_P256@ (secp256r1) -- -- - @ECC_NIST_P384@ (secp384r1) -- -- - @ECC_NIST_P521@ (secp521r1) -- -- - Other asymmetric elliptic curve key pairs -- -- - @ECC_SECG_P256K1@ (secp256k1), commonly used for -- cryptocurrencies. -- -- 'customerMasterKeySpec', 'createKey_customerMasterKeySpec' - Instead, use the @KeySpec@ parameter. -- -- The @KeySpec@ and @CustomerMasterKeySpec@ parameters work the same way. -- Only the names differ. We recommend that you use @KeySpec@ parameter in -- your code. However, to avoid breaking changes, KMS will support both -- parameters. -- -- 'keyUsage', 'createKey_keyUsage' - Determines the -- <https://docs.aws.amazon.com/kms/latest/developerguide/concepts.html#cryptographic-operations cryptographic operations> -- for which you can use the KMS key. The default value is -- @ENCRYPT_DECRYPT@. This parameter is required only for asymmetric KMS -- keys. You can\'t change the @KeyUsage@ value after the KMS key is -- created. -- -- Select only one valid value. -- -- - For symmetric KMS keys, omit the parameter or specify -- @ENCRYPT_DECRYPT@. -- -- - For asymmetric KMS keys with RSA key material, specify -- @ENCRYPT_DECRYPT@ or @SIGN_VERIFY@. -- -- - For asymmetric KMS keys with ECC key material, specify -- @SIGN_VERIFY@. -- -- 'bypassPolicyLockoutSafetyCheck', 'createKey_bypassPolicyLockoutSafetyCheck' - A flag to indicate whether to bypass the key policy lockout safety -- check. -- -- Setting this value to true increases the risk that the KMS key becomes -- unmanageable. Do not set this value to true indiscriminately. -- -- For more information, refer to the scenario in the -- <https://docs.aws.amazon.com/kms/latest/developerguide/key-policies.html#key-policy-default-allow-root-enable-iam Default Key Policy> -- section in the //Key Management Service Developer Guide// . -- -- Use this parameter only when you include a policy in the request and you -- intend to prevent the principal that is making the request from making a -- subsequent PutKeyPolicy request on the KMS key. -- -- The default value is false. -- -- 'policy', 'createKey_policy' - The key policy to attach to the KMS key. -- -- If you provide a key policy, it must meet the following criteria: -- -- - If you don\'t set @BypassPolicyLockoutSafetyCheck@ to true, the key -- policy must allow the principal that is making the @CreateKey@ -- request to make a subsequent PutKeyPolicy request on the KMS key. -- This reduces the risk that the KMS key becomes unmanageable. For -- more information, refer to the scenario in the -- <https://docs.aws.amazon.com/kms/latest/developerguide/key-policies.html#key-policy-default-allow-root-enable-iam Default Key Policy> -- section of the //Key Management Service Developer Guide// . -- -- - Each statement in the key policy must contain one or more -- principals. The principals in the key policy must exist and be -- visible to KMS. When you create a new Amazon Web Services principal -- (for example, an IAM user or role), you might need to enforce a -- delay before including the new principal in a key policy because the -- new principal might not be immediately visible to KMS. For more -- information, see -- <https://docs.aws.amazon.com/IAM/latest/UserGuide/troubleshoot_general.html#troubleshoot_general_eventual-consistency Changes that I make are not always immediately visible> -- in the /Amazon Web Services Identity and Access Management User -- Guide/. -- -- If you do not provide a key policy, KMS attaches a default key policy to -- the KMS key. For more information, see -- <https://docs.aws.amazon.com/kms/latest/developerguide/key-policies.html#key-policy-default Default Key Policy> -- in the /Key Management Service Developer Guide/. -- -- The key policy size quota is 32 kilobytes (32768 bytes). -- -- For help writing and formatting a JSON policy document, see the -- <https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies.html IAM JSON Policy Reference> -- in the //Identity and Access Management User Guide// . -- -- 'description', 'createKey_description' - A description of the KMS key. -- -- Use a description that helps you decide whether the KMS key is -- appropriate for a task. The default value is an empty string (no -- description). -- -- To set or change the description after the key is created, use -- UpdateKeyDescription. -- -- 'customKeyStoreId', 'createKey_customKeyStoreId' - Creates the KMS key in the specified -- <https://docs.aws.amazon.com/kms/latest/developerguide/custom-key-store-overview.html custom key store> -- and the key material in its associated CloudHSM cluster. To create a KMS -- key in a custom key store, you must also specify the @Origin@ parameter -- with a value of @AWS_CLOUDHSM@. The CloudHSM cluster that is associated -- with the custom key store must have at least two active HSMs, each in a -- different Availability Zone in the Region. -- -- This parameter is valid only for symmetric KMS keys and regional KMS -- keys. You cannot create an asymmetric KMS key or a multi-Region key in a -- custom key store. -- -- To find the ID of a custom key store, use the DescribeCustomKeyStores -- operation. -- -- The response includes the custom key store ID and the ID of the CloudHSM -- cluster. -- -- This operation is part of the -- <https://docs.aws.amazon.com/kms/latest/developerguide/custom-key-store-overview.html Custom Key Store feature> -- feature in KMS, which combines the convenience and extensive integration -- of KMS with the isolation and control of a single-tenant key store. -- -- 'tags', 'createKey_tags' - Assigns one or more tags to the KMS key. Use this parameter to tag the -- KMS key when it is created. To tag an existing KMS key, use the -- TagResource operation. -- -- Tagging or untagging a KMS key can allow or deny permission to the KMS -- key. For details, see -- <https://docs.aws.amazon.com/kms/latest/developerguide/abac.html Using ABAC in KMS> -- in the /Key Management Service Developer Guide/. -- -- To use this parameter, you must have -- <https://docs.aws.amazon.com/kms/latest/developerguide/kms-api-permissions-reference.html kms:TagResource> -- permission in an IAM policy. -- -- Each tag consists of a tag key and a tag value. Both the tag key and the -- tag value are required, but the tag value can be an empty (null) string. -- You cannot have more than one tag on a KMS key with the same tag key. If -- you specify an existing tag key with a different tag value, KMS replaces -- the current tag value with the specified one. -- -- When you add tags to an Amazon Web Services resource, Amazon Web -- Services generates a cost allocation report with usage and costs -- aggregated by tags. Tags can also be used to control access to a KMS -- key. For details, see -- <https://docs.aws.amazon.com/kms/latest/developerguide/tagging-keys.html Tagging Keys>. -- -- 'multiRegion', 'createKey_multiRegion' - Creates a multi-Region primary key that you can replicate into other -- Amazon Web Services Regions. You cannot change this value after you -- create the KMS key. -- -- For a multi-Region key, set this parameter to @True@. For a -- single-Region KMS key, omit this parameter or set it to @False@. The -- default value is @False@. -- -- This operation supports /multi-Region keys/, an KMS feature that lets -- you create multiple interoperable KMS keys in different Amazon Web -- Services Regions. Because these KMS keys have the same key ID, key -- material, and other metadata, you can use them interchangeably to -- encrypt data in one Amazon Web Services Region and decrypt it in a -- different Amazon Web Services Region without re-encrypting the data or -- making a cross-Region call. For more information about multi-Region -- keys, see -- <https://docs.aws.amazon.com/kms/latest/developerguide/multi-region-keys-overview.html Using multi-Region keys> -- in the /Key Management Service Developer Guide/. -- -- This value creates a /primary key/, not a replica. To create a /replica -- key/, use the ReplicateKey operation. -- -- You can create a symmetric or asymmetric multi-Region key, and you can -- create a multi-Region key with imported key material. However, you -- cannot create a multi-Region key in a custom key store. newCreateKey :: CreateKey newCreateKey :: CreateKey newCreateKey = CreateKey' :: Maybe OriginType -> Maybe KeySpec -> Maybe CustomerMasterKeySpec -> Maybe KeyUsageType -> Maybe Bool -> Maybe Text -> Maybe Text -> Maybe Text -> Maybe [Tag] -> Maybe Bool -> CreateKey CreateKey' { $sel:origin:CreateKey' :: Maybe OriginType origin = Maybe OriginType forall a. Maybe a Prelude.Nothing, $sel:keySpec:CreateKey' :: Maybe KeySpec keySpec = Maybe KeySpec forall a. Maybe a Prelude.Nothing, $sel:customerMasterKeySpec:CreateKey' :: Maybe CustomerMasterKeySpec customerMasterKeySpec = Maybe CustomerMasterKeySpec forall a. Maybe a Prelude.Nothing, $sel:keyUsage:CreateKey' :: Maybe KeyUsageType keyUsage = Maybe KeyUsageType forall a. Maybe a Prelude.Nothing, $sel:bypassPolicyLockoutSafetyCheck:CreateKey' :: Maybe Bool bypassPolicyLockoutSafetyCheck = Maybe Bool forall a. Maybe a Prelude.Nothing, $sel:policy:CreateKey' :: Maybe Text policy = Maybe Text forall a. Maybe a Prelude.Nothing, $sel:description:CreateKey' :: Maybe Text description = Maybe Text forall a. Maybe a Prelude.Nothing, $sel:customKeyStoreId:CreateKey' :: Maybe Text customKeyStoreId = Maybe Text forall a. Maybe a Prelude.Nothing, $sel:tags:CreateKey' :: Maybe [Tag] tags = Maybe [Tag] forall a. Maybe a Prelude.Nothing, $sel:multiRegion:CreateKey' :: Maybe Bool multiRegion = Maybe Bool forall a. Maybe a Prelude.Nothing } -- | The source of the key material for the KMS key. You cannot change the -- origin after you create the KMS key. The default is @AWS_KMS@, which -- means that KMS creates the key material. -- -- To create a KMS key with no key material (for imported key material), -- set the value to @EXTERNAL@. For more information about importing key -- material into KMS, see -- <https://docs.aws.amazon.com/kms/latest/developerguide/importing-keys.html Importing Key Material> -- in the /Key Management Service Developer Guide/. This value is valid -- only for symmetric KMS keys. -- -- To create a KMS key in an KMS -- <https://docs.aws.amazon.com/kms/latest/developerguide/custom-key-store-overview.html custom key store> -- and create its key material in the associated CloudHSM cluster, set this -- value to @AWS_CLOUDHSM@. You must also use the @CustomKeyStoreId@ -- parameter to identify the custom key store. This value is valid only for -- symmetric KMS keys. createKey_origin :: Lens.Lens' CreateKey (Prelude.Maybe OriginType) createKey_origin :: (Maybe OriginType -> f (Maybe OriginType)) -> CreateKey -> f CreateKey createKey_origin = (CreateKey -> Maybe OriginType) -> (CreateKey -> Maybe OriginType -> CreateKey) -> Lens CreateKey CreateKey (Maybe OriginType) (Maybe OriginType) forall s a b t. (s -> a) -> (s -> b -> t) -> Lens s t a b Lens.lens (\CreateKey' {Maybe OriginType origin :: Maybe OriginType $sel:origin:CreateKey' :: CreateKey -> Maybe OriginType origin} -> Maybe OriginType origin) (\s :: CreateKey s@CreateKey' {} Maybe OriginType a -> CreateKey s {$sel:origin:CreateKey' :: Maybe OriginType origin = Maybe OriginType a} :: CreateKey) -- | Specifies the type of KMS key to create. The default value, -- @SYMMETRIC_DEFAULT@, creates a KMS key with a 256-bit symmetric key for -- encryption and decryption. For help choosing a key spec for your KMS -- key, see -- <https://docs.aws.amazon.com/kms/latest/developerguide/symm-asymm-choose.html How to Choose Your KMS key Configuration> -- in the //Key Management Service Developer Guide// . -- -- The @KeySpec@ determines whether the KMS key contains a symmetric key or -- an asymmetric key pair. It also determines the encryption algorithms or -- signing algorithms that the KMS key supports. You can\'t change the -- @KeySpec@ after the KMS key is created. To further restrict the -- algorithms that can be used with the KMS key, use a condition key in its -- key policy or IAM policy. For more information, see -- <https://docs.aws.amazon.com/kms/latest/developerguide/policy-conditions.html#conditions-kms-encryption-algorithm kms:EncryptionAlgorithm> -- or -- <https://docs.aws.amazon.com/kms/latest/developerguide/policy-conditions.html#conditions-kms-signing-algorithm kms:Signing Algorithm> -- in the //Key Management Service Developer Guide// . -- -- <http://aws.amazon.com/kms/features/#AWS_Service_Integration Amazon Web Services services that are integrated with KMS> -- use symmetric KMS keys to protect your data. These services do not -- support asymmetric KMS keys. For help determining whether a KMS key is -- symmetric or asymmetric, see -- <https://docs.aws.amazon.com/kms/latest/developerguide/find-symm-asymm.html Identifying Symmetric and Asymmetric KMS keys> -- in the /Key Management Service Developer Guide/. -- -- KMS supports the following key specs for KMS keys: -- -- - Symmetric key (default) -- -- - @SYMMETRIC_DEFAULT@ (AES-256-GCM) -- -- - Asymmetric RSA key pairs -- -- - @RSA_2048@ -- -- - @RSA_3072@ -- -- - @RSA_4096@ -- -- - Asymmetric NIST-recommended elliptic curve key pairs -- -- - @ECC_NIST_P256@ (secp256r1) -- -- - @ECC_NIST_P384@ (secp384r1) -- -- - @ECC_NIST_P521@ (secp521r1) -- -- - Other asymmetric elliptic curve key pairs -- -- - @ECC_SECG_P256K1@ (secp256k1), commonly used for -- cryptocurrencies. createKey_keySpec :: Lens.Lens' CreateKey (Prelude.Maybe KeySpec) createKey_keySpec :: (Maybe KeySpec -> f (Maybe KeySpec)) -> CreateKey -> f CreateKey createKey_keySpec = (CreateKey -> Maybe KeySpec) -> (CreateKey -> Maybe KeySpec -> CreateKey) -> Lens CreateKey CreateKey (Maybe KeySpec) (Maybe KeySpec) forall s a b t. (s -> a) -> (s -> b -> t) -> Lens s t a b Lens.lens (\CreateKey' {Maybe KeySpec keySpec :: Maybe KeySpec $sel:keySpec:CreateKey' :: CreateKey -> Maybe KeySpec keySpec} -> Maybe KeySpec keySpec) (\s :: CreateKey s@CreateKey' {} Maybe KeySpec a -> CreateKey s {$sel:keySpec:CreateKey' :: Maybe KeySpec keySpec = Maybe KeySpec a} :: CreateKey) -- | Instead, use the @KeySpec@ parameter. -- -- The @KeySpec@ and @CustomerMasterKeySpec@ parameters work the same way. -- Only the names differ. We recommend that you use @KeySpec@ parameter in -- your code. However, to avoid breaking changes, KMS will support both -- parameters. createKey_customerMasterKeySpec :: Lens.Lens' CreateKey (Prelude.Maybe CustomerMasterKeySpec) createKey_customerMasterKeySpec :: (Maybe CustomerMasterKeySpec -> f (Maybe CustomerMasterKeySpec)) -> CreateKey -> f CreateKey createKey_customerMasterKeySpec = (CreateKey -> Maybe CustomerMasterKeySpec) -> (CreateKey -> Maybe CustomerMasterKeySpec -> CreateKey) -> Lens CreateKey CreateKey (Maybe CustomerMasterKeySpec) (Maybe CustomerMasterKeySpec) forall s a b t. (s -> a) -> (s -> b -> t) -> Lens s t a b Lens.lens (\CreateKey' {Maybe CustomerMasterKeySpec customerMasterKeySpec :: Maybe CustomerMasterKeySpec $sel:customerMasterKeySpec:CreateKey' :: CreateKey -> Maybe CustomerMasterKeySpec customerMasterKeySpec} -> Maybe CustomerMasterKeySpec customerMasterKeySpec) (\s :: CreateKey s@CreateKey' {} Maybe CustomerMasterKeySpec a -> CreateKey s {$sel:customerMasterKeySpec:CreateKey' :: Maybe CustomerMasterKeySpec customerMasterKeySpec = Maybe CustomerMasterKeySpec a} :: CreateKey) -- | Determines the -- <https://docs.aws.amazon.com/kms/latest/developerguide/concepts.html#cryptographic-operations cryptographic operations> -- for which you can use the KMS key. The default value is -- @ENCRYPT_DECRYPT@. This parameter is required only for asymmetric KMS -- keys. You can\'t change the @KeyUsage@ value after the KMS key is -- created. -- -- Select only one valid value. -- -- - For symmetric KMS keys, omit the parameter or specify -- @ENCRYPT_DECRYPT@. -- -- - For asymmetric KMS keys with RSA key material, specify -- @ENCRYPT_DECRYPT@ or @SIGN_VERIFY@. -- -- - For asymmetric KMS keys with ECC key material, specify -- @SIGN_VERIFY@. createKey_keyUsage :: Lens.Lens' CreateKey (Prelude.Maybe KeyUsageType) createKey_keyUsage :: (Maybe KeyUsageType -> f (Maybe KeyUsageType)) -> CreateKey -> f CreateKey createKey_keyUsage = (CreateKey -> Maybe KeyUsageType) -> (CreateKey -> Maybe KeyUsageType -> CreateKey) -> Lens CreateKey CreateKey (Maybe KeyUsageType) (Maybe KeyUsageType) forall s a b t. (s -> a) -> (s -> b -> t) -> Lens s t a b Lens.lens (\CreateKey' {Maybe KeyUsageType keyUsage :: Maybe KeyUsageType $sel:keyUsage:CreateKey' :: CreateKey -> Maybe KeyUsageType keyUsage} -> Maybe KeyUsageType keyUsage) (\s :: CreateKey s@CreateKey' {} Maybe KeyUsageType a -> CreateKey s {$sel:keyUsage:CreateKey' :: Maybe KeyUsageType keyUsage = Maybe KeyUsageType a} :: CreateKey) -- | A flag to indicate whether to bypass the key policy lockout safety -- check. -- -- Setting this value to true increases the risk that the KMS key becomes -- unmanageable. Do not set this value to true indiscriminately. -- -- For more information, refer to the scenario in the -- <https://docs.aws.amazon.com/kms/latest/developerguide/key-policies.html#key-policy-default-allow-root-enable-iam Default Key Policy> -- section in the //Key Management Service Developer Guide// . -- -- Use this parameter only when you include a policy in the request and you -- intend to prevent the principal that is making the request from making a -- subsequent PutKeyPolicy request on the KMS key. -- -- The default value is false. createKey_bypassPolicyLockoutSafetyCheck :: Lens.Lens' CreateKey (Prelude.Maybe Prelude.Bool) createKey_bypassPolicyLockoutSafetyCheck :: (Maybe Bool -> f (Maybe Bool)) -> CreateKey -> f CreateKey createKey_bypassPolicyLockoutSafetyCheck = (CreateKey -> Maybe Bool) -> (CreateKey -> Maybe Bool -> CreateKey) -> Lens CreateKey CreateKey (Maybe Bool) (Maybe Bool) forall s a b t. (s -> a) -> (s -> b -> t) -> Lens s t a b Lens.lens (\CreateKey' {Maybe Bool bypassPolicyLockoutSafetyCheck :: Maybe Bool $sel:bypassPolicyLockoutSafetyCheck:CreateKey' :: CreateKey -> Maybe Bool bypassPolicyLockoutSafetyCheck} -> Maybe Bool bypassPolicyLockoutSafetyCheck) (\s :: CreateKey s@CreateKey' {} Maybe Bool a -> CreateKey s {$sel:bypassPolicyLockoutSafetyCheck:CreateKey' :: Maybe Bool bypassPolicyLockoutSafetyCheck = Maybe Bool a} :: CreateKey) -- | The key policy to attach to the KMS key. -- -- If you provide a key policy, it must meet the following criteria: -- -- - If you don\'t set @BypassPolicyLockoutSafetyCheck@ to true, the key -- policy must allow the principal that is making the @CreateKey@ -- request to make a subsequent PutKeyPolicy request on the KMS key. -- This reduces the risk that the KMS key becomes unmanageable. For -- more information, refer to the scenario in the -- <https://docs.aws.amazon.com/kms/latest/developerguide/key-policies.html#key-policy-default-allow-root-enable-iam Default Key Policy> -- section of the //Key Management Service Developer Guide// . -- -- - Each statement in the key policy must contain one or more -- principals. The principals in the key policy must exist and be -- visible to KMS. When you create a new Amazon Web Services principal -- (for example, an IAM user or role), you might need to enforce a -- delay before including the new principal in a key policy because the -- new principal might not be immediately visible to KMS. For more -- information, see -- <https://docs.aws.amazon.com/IAM/latest/UserGuide/troubleshoot_general.html#troubleshoot_general_eventual-consistency Changes that I make are not always immediately visible> -- in the /Amazon Web Services Identity and Access Management User -- Guide/. -- -- If you do not provide a key policy, KMS attaches a default key policy to -- the KMS key. For more information, see -- <https://docs.aws.amazon.com/kms/latest/developerguide/key-policies.html#key-policy-default Default Key Policy> -- in the /Key Management Service Developer Guide/. -- -- The key policy size quota is 32 kilobytes (32768 bytes). -- -- For help writing and formatting a JSON policy document, see the -- <https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies.html IAM JSON Policy Reference> -- in the //Identity and Access Management User Guide// . createKey_policy :: Lens.Lens' CreateKey (Prelude.Maybe Prelude.Text) createKey_policy :: (Maybe Text -> f (Maybe Text)) -> CreateKey -> f CreateKey createKey_policy = (CreateKey -> Maybe Text) -> (CreateKey -> Maybe Text -> CreateKey) -> Lens CreateKey CreateKey (Maybe Text) (Maybe Text) forall s a b t. (s -> a) -> (s -> b -> t) -> Lens s t a b Lens.lens (\CreateKey' {Maybe Text policy :: Maybe Text $sel:policy:CreateKey' :: CreateKey -> Maybe Text policy} -> Maybe Text policy) (\s :: CreateKey s@CreateKey' {} Maybe Text a -> CreateKey s {$sel:policy:CreateKey' :: Maybe Text policy = Maybe Text a} :: CreateKey) -- | A description of the KMS key. -- -- Use a description that helps you decide whether the KMS key is -- appropriate for a task. The default value is an empty string (no -- description). -- -- To set or change the description after the key is created, use -- UpdateKeyDescription. createKey_description :: Lens.Lens' CreateKey (Prelude.Maybe Prelude.Text) createKey_description :: (Maybe Text -> f (Maybe Text)) -> CreateKey -> f CreateKey createKey_description = (CreateKey -> Maybe Text) -> (CreateKey -> Maybe Text -> CreateKey) -> Lens CreateKey CreateKey (Maybe Text) (Maybe Text) forall s a b t. (s -> a) -> (s -> b -> t) -> Lens s t a b Lens.lens (\CreateKey' {Maybe Text description :: Maybe Text $sel:description:CreateKey' :: CreateKey -> Maybe Text description} -> Maybe Text description) (\s :: CreateKey s@CreateKey' {} Maybe Text a -> CreateKey s {$sel:description:CreateKey' :: Maybe Text description = Maybe Text a} :: CreateKey) -- | Creates the KMS key in the specified -- <https://docs.aws.amazon.com/kms/latest/developerguide/custom-key-store-overview.html custom key store> -- and the key material in its associated CloudHSM cluster. To create a KMS -- key in a custom key store, you must also specify the @Origin@ parameter -- with a value of @AWS_CLOUDHSM@. The CloudHSM cluster that is associated -- with the custom key store must have at least two active HSMs, each in a -- different Availability Zone in the Region. -- -- This parameter is valid only for symmetric KMS keys and regional KMS -- keys. You cannot create an asymmetric KMS key or a multi-Region key in a -- custom key store. -- -- To find the ID of a custom key store, use the DescribeCustomKeyStores -- operation. -- -- The response includes the custom key store ID and the ID of the CloudHSM -- cluster. -- -- This operation is part of the -- <https://docs.aws.amazon.com/kms/latest/developerguide/custom-key-store-overview.html Custom Key Store feature> -- feature in KMS, which combines the convenience and extensive integration -- of KMS with the isolation and control of a single-tenant key store. createKey_customKeyStoreId :: Lens.Lens' CreateKey (Prelude.Maybe Prelude.Text) createKey_customKeyStoreId :: (Maybe Text -> f (Maybe Text)) -> CreateKey -> f CreateKey createKey_customKeyStoreId = (CreateKey -> Maybe Text) -> (CreateKey -> Maybe Text -> CreateKey) -> Lens CreateKey CreateKey (Maybe Text) (Maybe Text) forall s a b t. (s -> a) -> (s -> b -> t) -> Lens s t a b Lens.lens (\CreateKey' {Maybe Text customKeyStoreId :: Maybe Text $sel:customKeyStoreId:CreateKey' :: CreateKey -> Maybe Text customKeyStoreId} -> Maybe Text customKeyStoreId) (\s :: CreateKey s@CreateKey' {} Maybe Text a -> CreateKey s {$sel:customKeyStoreId:CreateKey' :: Maybe Text customKeyStoreId = Maybe Text a} :: CreateKey) -- | Assigns one or more tags to the KMS key. Use this parameter to tag the -- KMS key when it is created. To tag an existing KMS key, use the -- TagResource operation. -- -- Tagging or untagging a KMS key can allow or deny permission to the KMS -- key. For details, see -- <https://docs.aws.amazon.com/kms/latest/developerguide/abac.html Using ABAC in KMS> -- in the /Key Management Service Developer Guide/. -- -- To use this parameter, you must have -- <https://docs.aws.amazon.com/kms/latest/developerguide/kms-api-permissions-reference.html kms:TagResource> -- permission in an IAM policy. -- -- Each tag consists of a tag key and a tag value. Both the tag key and the -- tag value are required, but the tag value can be an empty (null) string. -- You cannot have more than one tag on a KMS key with the same tag key. If -- you specify an existing tag key with a different tag value, KMS replaces -- the current tag value with the specified one. -- -- When you add tags to an Amazon Web Services resource, Amazon Web -- Services generates a cost allocation report with usage and costs -- aggregated by tags. Tags can also be used to control access to a KMS -- key. For details, see -- <https://docs.aws.amazon.com/kms/latest/developerguide/tagging-keys.html Tagging Keys>. createKey_tags :: Lens.Lens' CreateKey (Prelude.Maybe [Tag]) = (CreateKey -> Maybe [Tag]) -> (CreateKey -> Maybe [Tag] -> CreateKey) -> Lens CreateKey CreateKey (Maybe [Tag]) (Maybe [Tag]) forall s a b t. (s -> a) -> (s -> b -> t) -> Lens s t a b Lens.lens (\CreateKey' {Maybe [Tag] tags :: Maybe [Tag] $sel:tags:CreateKey' :: CreateKey -> Maybe [Tag] tags} -> Maybe [Tag] tags) (\s :: CreateKey s@CreateKey' {} Maybe [Tag] a -> CreateKey s {$sel:tags:CreateKey' :: Maybe [Tag] tags = Maybe [Tag] a} :: CreateKey) ((Maybe [Tag] -> f (Maybe [Tag])) -> CreateKey -> f CreateKey) -> ((Maybe [Tag] -> f (Maybe [Tag])) -> Maybe [Tag] -> f (Maybe [Tag])) -> (Maybe [Tag] -> f (Maybe [Tag])) -> CreateKey -> f CreateKey forall b c a. (b -> c) -> (a -> b) -> a -> c Prelude.. AnIso [Tag] [Tag] [Tag] [Tag] -> Iso (Maybe [Tag]) (Maybe [Tag]) (Maybe [Tag]) (Maybe [Tag]) forall (f :: * -> *) (g :: * -> *) s t a b. (Functor f, Functor g) => AnIso s t a b -> Iso (f s) (g t) (f a) (g b) Lens.mapping AnIso [Tag] [Tag] [Tag] [Tag] forall s t a b. (Coercible s a, Coercible t b) => Iso s t a b Lens.coerced -- | Creates a multi-Region primary key that you can replicate into other -- Amazon Web Services Regions. You cannot change this value after you -- create the KMS key. -- -- For a multi-Region key, set this parameter to @True@. For a -- single-Region KMS key, omit this parameter or set it to @False@. The -- default value is @False@. -- -- This operation supports /multi-Region keys/, an KMS feature that lets -- you create multiple interoperable KMS keys in different Amazon Web -- Services Regions. Because these KMS keys have the same key ID, key -- material, and other metadata, you can use them interchangeably to -- encrypt data in one Amazon Web Services Region and decrypt it in a -- different Amazon Web Services Region without re-encrypting the data or -- making a cross-Region call. For more information about multi-Region -- keys, see -- <https://docs.aws.amazon.com/kms/latest/developerguide/multi-region-keys-overview.html Using multi-Region keys> -- in the /Key Management Service Developer Guide/. -- -- This value creates a /primary key/, not a replica. To create a /replica -- key/, use the ReplicateKey operation. -- -- You can create a symmetric or asymmetric multi-Region key, and you can -- create a multi-Region key with imported key material. However, you -- cannot create a multi-Region key in a custom key store. createKey_multiRegion :: Lens.Lens' CreateKey (Prelude.Maybe Prelude.Bool) createKey_multiRegion :: (Maybe Bool -> f (Maybe Bool)) -> CreateKey -> f CreateKey createKey_multiRegion = (CreateKey -> Maybe Bool) -> (CreateKey -> Maybe Bool -> CreateKey) -> Lens CreateKey CreateKey (Maybe Bool) (Maybe Bool) forall s a b t. (s -> a) -> (s -> b -> t) -> Lens s t a b Lens.lens (\CreateKey' {Maybe Bool multiRegion :: Maybe Bool $sel:multiRegion:CreateKey' :: CreateKey -> Maybe Bool multiRegion} -> Maybe Bool multiRegion) (\s :: CreateKey s@CreateKey' {} Maybe Bool a -> CreateKey s {$sel:multiRegion:CreateKey' :: Maybe Bool multiRegion = Maybe Bool a} :: CreateKey) instance Core.AWSRequest CreateKey where type AWSResponse CreateKey = CreateKeyResponse request :: CreateKey -> Request CreateKey request = Service -> CreateKey -> Request CreateKey forall a. (ToRequest a, ToJSON a) => Service -> a -> Request a Request.postJSON Service defaultService response :: Logger -> Service -> Proxy CreateKey -> ClientResponse ClientBody -> m (Either Error (ClientResponse (AWSResponse CreateKey))) response = (Int -> ResponseHeaders -> Object -> Either String (AWSResponse CreateKey)) -> Logger -> Service -> Proxy CreateKey -> ClientResponse ClientBody -> m (Either Error (ClientResponse (AWSResponse CreateKey))) forall (m :: * -> *) a. MonadResource m => (Int -> ResponseHeaders -> Object -> Either String (AWSResponse a)) -> Logger -> Service -> Proxy a -> ClientResponse ClientBody -> m (Either Error (ClientResponse (AWSResponse a))) Response.receiveJSON ( \Int s ResponseHeaders h Object x -> Maybe KeyMetadata -> Int -> CreateKeyResponse CreateKeyResponse' (Maybe KeyMetadata -> Int -> CreateKeyResponse) -> Either String (Maybe KeyMetadata) -> Either String (Int -> CreateKeyResponse) forall (f :: * -> *) a b. Functor f => (a -> b) -> f a -> f b Prelude.<$> (Object x Object -> Text -> Either String (Maybe KeyMetadata) forall a. FromJSON a => Object -> Text -> Either String (Maybe a) Core..?> Text "KeyMetadata") Either String (Int -> CreateKeyResponse) -> Either String Int -> Either String CreateKeyResponse forall (f :: * -> *) a b. Applicative f => f (a -> b) -> f a -> f b Prelude.<*> (Int -> Either String Int forall (f :: * -> *) a. Applicative f => a -> f a Prelude.pure (Int -> Int forall a. Enum a => a -> Int Prelude.fromEnum Int s)) ) instance Prelude.Hashable CreateKey instance Prelude.NFData CreateKey instance Core.ToHeaders CreateKey where toHeaders :: CreateKey -> ResponseHeaders toHeaders = ResponseHeaders -> CreateKey -> ResponseHeaders forall a b. a -> b -> a Prelude.const ( [ResponseHeaders] -> ResponseHeaders forall a. Monoid a => [a] -> a Prelude.mconcat [ HeaderName "X-Amz-Target" HeaderName -> ByteString -> ResponseHeaders forall a. ToHeader a => HeaderName -> a -> ResponseHeaders Core.=# (ByteString "TrentService.CreateKey" :: Prelude.ByteString), HeaderName "Content-Type" HeaderName -> ByteString -> ResponseHeaders forall a. ToHeader a => HeaderName -> a -> ResponseHeaders Core.=# ( ByteString "application/x-amz-json-1.1" :: Prelude.ByteString ) ] ) instance Core.ToJSON CreateKey where toJSON :: CreateKey -> Value toJSON CreateKey' {Maybe Bool Maybe [Tag] Maybe Text Maybe CustomerMasterKeySpec Maybe KeySpec Maybe KeyUsageType Maybe OriginType multiRegion :: Maybe Bool tags :: Maybe [Tag] customKeyStoreId :: Maybe Text description :: Maybe Text policy :: Maybe Text bypassPolicyLockoutSafetyCheck :: Maybe Bool keyUsage :: Maybe KeyUsageType customerMasterKeySpec :: Maybe CustomerMasterKeySpec keySpec :: Maybe KeySpec origin :: Maybe OriginType $sel:multiRegion:CreateKey' :: CreateKey -> Maybe Bool $sel:tags:CreateKey' :: CreateKey -> Maybe [Tag] $sel:customKeyStoreId:CreateKey' :: CreateKey -> Maybe Text $sel:description:CreateKey' :: CreateKey -> Maybe Text $sel:policy:CreateKey' :: CreateKey -> Maybe Text $sel:bypassPolicyLockoutSafetyCheck:CreateKey' :: CreateKey -> Maybe Bool $sel:keyUsage:CreateKey' :: CreateKey -> Maybe KeyUsageType $sel:customerMasterKeySpec:CreateKey' :: CreateKey -> Maybe CustomerMasterKeySpec $sel:keySpec:CreateKey' :: CreateKey -> Maybe KeySpec $sel:origin:CreateKey' :: CreateKey -> Maybe OriginType ..} = [Pair] -> Value Core.object ( [Maybe Pair] -> [Pair] forall a. [Maybe a] -> [a] Prelude.catMaybes [ (Text "Origin" Text -> OriginType -> Pair forall kv v. (KeyValue kv, ToJSON v) => Text -> v -> kv Core..=) (OriginType -> Pair) -> Maybe OriginType -> Maybe Pair forall (f :: * -> *) a b. Functor f => (a -> b) -> f a -> f b Prelude.<$> Maybe OriginType origin, (Text "KeySpec" Text -> KeySpec -> Pair forall kv v. (KeyValue kv, ToJSON v) => Text -> v -> kv Core..=) (KeySpec -> Pair) -> Maybe KeySpec -> Maybe Pair forall (f :: * -> *) a b. Functor f => (a -> b) -> f a -> f b Prelude.<$> Maybe KeySpec keySpec, (Text "CustomerMasterKeySpec" Text -> CustomerMasterKeySpec -> Pair forall kv v. (KeyValue kv, ToJSON v) => Text -> v -> kv Core..=) (CustomerMasterKeySpec -> Pair) -> Maybe CustomerMasterKeySpec -> Maybe Pair forall (f :: * -> *) a b. Functor f => (a -> b) -> f a -> f b Prelude.<$> Maybe CustomerMasterKeySpec customerMasterKeySpec, (Text "KeyUsage" Text -> KeyUsageType -> Pair forall kv v. (KeyValue kv, ToJSON v) => Text -> v -> kv Core..=) (KeyUsageType -> Pair) -> Maybe KeyUsageType -> Maybe Pair forall (f :: * -> *) a b. Functor f => (a -> b) -> f a -> f b Prelude.<$> Maybe KeyUsageType keyUsage, (Text "BypassPolicyLockoutSafetyCheck" Text -> Bool -> Pair forall kv v. (KeyValue kv, ToJSON v) => Text -> v -> kv Core..=) (Bool -> Pair) -> Maybe Bool -> Maybe Pair forall (f :: * -> *) a b. Functor f => (a -> b) -> f a -> f b Prelude.<$> Maybe Bool bypassPolicyLockoutSafetyCheck, (Text "Policy" Text -> Text -> Pair forall kv v. (KeyValue kv, ToJSON v) => Text -> v -> kv Core..=) (Text -> Pair) -> Maybe Text -> Maybe Pair forall (f :: * -> *) a b. Functor f => (a -> b) -> f a -> f b Prelude.<$> Maybe Text policy, (Text "Description" Text -> Text -> Pair forall kv v. (KeyValue kv, ToJSON v) => Text -> v -> kv Core..=) (Text -> Pair) -> Maybe Text -> Maybe Pair forall (f :: * -> *) a b. Functor f => (a -> b) -> f a -> f b Prelude.<$> Maybe Text description, (Text "CustomKeyStoreId" Text -> Text -> Pair forall kv v. (KeyValue kv, ToJSON v) => Text -> v -> kv Core..=) (Text -> Pair) -> Maybe Text -> Maybe Pair forall (f :: * -> *) a b. Functor f => (a -> b) -> f a -> f b Prelude.<$> Maybe Text customKeyStoreId, (Text "Tags" Text -> [Tag] -> Pair forall kv v. (KeyValue kv, ToJSON v) => Text -> v -> kv Core..=) ([Tag] -> Pair) -> Maybe [Tag] -> Maybe Pair forall (f :: * -> *) a b. Functor f => (a -> b) -> f a -> f b Prelude.<$> Maybe [Tag] tags, (Text "MultiRegion" Text -> Bool -> Pair forall kv v. (KeyValue kv, ToJSON v) => Text -> v -> kv Core..=) (Bool -> Pair) -> Maybe Bool -> Maybe Pair forall (f :: * -> *) a b. Functor f => (a -> b) -> f a -> f b Prelude.<$> Maybe Bool multiRegion ] ) instance Core.ToPath CreateKey where toPath :: CreateKey -> ByteString toPath = ByteString -> CreateKey -> ByteString forall a b. a -> b -> a Prelude.const ByteString "/" instance Core.ToQuery CreateKey where toQuery :: CreateKey -> QueryString toQuery = QueryString -> CreateKey -> QueryString forall a b. a -> b -> a Prelude.const QueryString forall a. Monoid a => a Prelude.mempty -- | /See:/ 'newCreateKeyResponse' smart constructor. data CreateKeyResponse = CreateKeyResponse' { -- | Metadata associated with the KMS key. CreateKeyResponse -> Maybe KeyMetadata keyMetadata :: Prelude.Maybe KeyMetadata, -- | The response's http status code. CreateKeyResponse -> Int httpStatus :: Prelude.Int } deriving (CreateKeyResponse -> CreateKeyResponse -> Bool (CreateKeyResponse -> CreateKeyResponse -> Bool) -> (CreateKeyResponse -> CreateKeyResponse -> Bool) -> Eq CreateKeyResponse forall a. (a -> a -> Bool) -> (a -> a -> Bool) -> Eq a /= :: CreateKeyResponse -> CreateKeyResponse -> Bool $c/= :: CreateKeyResponse -> CreateKeyResponse -> Bool == :: CreateKeyResponse -> CreateKeyResponse -> Bool $c== :: CreateKeyResponse -> CreateKeyResponse -> Bool Prelude.Eq, ReadPrec [CreateKeyResponse] ReadPrec CreateKeyResponse Int -> ReadS CreateKeyResponse ReadS [CreateKeyResponse] (Int -> ReadS CreateKeyResponse) -> ReadS [CreateKeyResponse] -> ReadPrec CreateKeyResponse -> ReadPrec [CreateKeyResponse] -> Read CreateKeyResponse forall a. (Int -> ReadS a) -> ReadS [a] -> ReadPrec a -> ReadPrec [a] -> Read a readListPrec :: ReadPrec [CreateKeyResponse] $creadListPrec :: ReadPrec [CreateKeyResponse] readPrec :: ReadPrec CreateKeyResponse $creadPrec :: ReadPrec CreateKeyResponse readList :: ReadS [CreateKeyResponse] $creadList :: ReadS [CreateKeyResponse] readsPrec :: Int -> ReadS CreateKeyResponse $creadsPrec :: Int -> ReadS CreateKeyResponse Prelude.Read, Int -> CreateKeyResponse -> ShowS [CreateKeyResponse] -> ShowS CreateKeyResponse -> String (Int -> CreateKeyResponse -> ShowS) -> (CreateKeyResponse -> String) -> ([CreateKeyResponse] -> ShowS) -> Show CreateKeyResponse forall a. (Int -> a -> ShowS) -> (a -> String) -> ([a] -> ShowS) -> Show a showList :: [CreateKeyResponse] -> ShowS $cshowList :: [CreateKeyResponse] -> ShowS show :: CreateKeyResponse -> String $cshow :: CreateKeyResponse -> String showsPrec :: Int -> CreateKeyResponse -> ShowS $cshowsPrec :: Int -> CreateKeyResponse -> ShowS Prelude.Show, (forall x. CreateKeyResponse -> Rep CreateKeyResponse x) -> (forall x. Rep CreateKeyResponse x -> CreateKeyResponse) -> Generic CreateKeyResponse forall x. Rep CreateKeyResponse x -> CreateKeyResponse forall x. CreateKeyResponse -> Rep CreateKeyResponse x forall a. (forall x. a -> Rep a x) -> (forall x. Rep a x -> a) -> Generic a $cto :: forall x. Rep CreateKeyResponse x -> CreateKeyResponse $cfrom :: forall x. CreateKeyResponse -> Rep CreateKeyResponse x Prelude.Generic) -- | -- Create a value of 'CreateKeyResponse' with all optional fields omitted. -- -- Use <https://hackage.haskell.org/package/generic-lens generic-lens> or <https://hackage.haskell.org/package/optics optics> to modify other optional fields. -- -- The following record fields are available, with the corresponding lenses provided -- for backwards compatibility: -- -- 'keyMetadata', 'createKeyResponse_keyMetadata' - Metadata associated with the KMS key. -- -- 'httpStatus', 'createKeyResponse_httpStatus' - The response's http status code. newCreateKeyResponse :: -- | 'httpStatus' Prelude.Int -> CreateKeyResponse newCreateKeyResponse :: Int -> CreateKeyResponse newCreateKeyResponse Int pHttpStatus_ = CreateKeyResponse' :: Maybe KeyMetadata -> Int -> CreateKeyResponse CreateKeyResponse' { $sel:keyMetadata:CreateKeyResponse' :: Maybe KeyMetadata keyMetadata = Maybe KeyMetadata forall a. Maybe a Prelude.Nothing, $sel:httpStatus:CreateKeyResponse' :: Int httpStatus = Int pHttpStatus_ } -- | Metadata associated with the KMS key. createKeyResponse_keyMetadata :: Lens.Lens' CreateKeyResponse (Prelude.Maybe KeyMetadata) createKeyResponse_keyMetadata :: (Maybe KeyMetadata -> f (Maybe KeyMetadata)) -> CreateKeyResponse -> f CreateKeyResponse createKeyResponse_keyMetadata = (CreateKeyResponse -> Maybe KeyMetadata) -> (CreateKeyResponse -> Maybe KeyMetadata -> CreateKeyResponse) -> Lens CreateKeyResponse CreateKeyResponse (Maybe KeyMetadata) (Maybe KeyMetadata) forall s a b t. (s -> a) -> (s -> b -> t) -> Lens s t a b Lens.lens (\CreateKeyResponse' {Maybe KeyMetadata keyMetadata :: Maybe KeyMetadata $sel:keyMetadata:CreateKeyResponse' :: CreateKeyResponse -> Maybe KeyMetadata keyMetadata} -> Maybe KeyMetadata keyMetadata) (\s :: CreateKeyResponse s@CreateKeyResponse' {} Maybe KeyMetadata a -> CreateKeyResponse s {$sel:keyMetadata:CreateKeyResponse' :: Maybe KeyMetadata keyMetadata = Maybe KeyMetadata a} :: CreateKeyResponse) -- | The response's http status code. createKeyResponse_httpStatus :: Lens.Lens' CreateKeyResponse Prelude.Int createKeyResponse_httpStatus :: (Int -> f Int) -> CreateKeyResponse -> f CreateKeyResponse createKeyResponse_httpStatus = (CreateKeyResponse -> Int) -> (CreateKeyResponse -> Int -> CreateKeyResponse) -> Lens CreateKeyResponse CreateKeyResponse Int Int forall s a b t. (s -> a) -> (s -> b -> t) -> Lens s t a b Lens.lens (\CreateKeyResponse' {Int httpStatus :: Int $sel:httpStatus:CreateKeyResponse' :: CreateKeyResponse -> Int httpStatus} -> Int httpStatus) (\s :: CreateKeyResponse s@CreateKeyResponse' {} Int a -> CreateKeyResponse s {$sel:httpStatus:CreateKeyResponse' :: Int httpStatus = Int a} :: CreateKeyResponse) instance Prelude.NFData CreateKeyResponse