class Aws::AccessAnalyzer::Types::KmsKeyConfiguration

Proposed access control configuration for a KMS key. You can propose a configuration for a new KMS key or an existing KMS key that you own by specifying the key policy and KMS grant configuration. If the configuration is for an existing key and you do not specify the key policy, the access preview uses the existing policy for the key. If the access preview is for a new resource and you do not specify the key policy, then the access preview uses the default key policy. The proposed key policy cannot be an empty string. For more information, see [Default key policy]. For more information about key policy limits, see [Resource quotas].

[1]: docs.aws.amazon.com/kms/latest/developerguide/key-policies.html#key-policy-default [2]: docs.aws.amazon.com/kms/latest/developerguide/resource-limits.html

@note When making an API call, you may pass KmsKeyConfiguration

data as a hash:

    {
      grants: [
        {
          constraints: {
            encryption_context_equals: {
              "KmsConstraintsKey" => "KmsConstraintsValue",
            },
            encryption_context_subset: {
              "KmsConstraintsKey" => "KmsConstraintsValue",
            },
          },
          grantee_principal: "GranteePrincipal", # required
          issuing_account: "IssuingAccount", # required
          operations: ["CreateGrant"], # required, accepts CreateGrant, Decrypt, DescribeKey, Encrypt, GenerateDataKey, GenerateDataKeyPair, GenerateDataKeyPairWithoutPlaintext, GenerateDataKeyWithoutPlaintext, GetPublicKey, ReEncryptFrom, ReEncryptTo, RetireGrant, Sign, Verify
          retiring_principal: "RetiringPrincipal",
        },
      ],
      key_policies: {
        "PolicyName" => "KmsKeyPolicy",
      },
    }

@!attribute [rw] grants

A list of proposed grant configurations for the KMS key. If the
proposed grant configuration is for an existing key, the access
preview uses the proposed list of grant configurations in place of
the existing grants. Otherwise, the access preview uses the existing
grants for the key.
@return [Array<Types::KmsGrantConfiguration>]

@!attribute [rw] key_policies

Resource policy configuration for the KMS key. The only valid value
for the name of the key policy is `default`. For more information,
see [Default key policy][1].

[1]: https://docs.aws.amazon.com/kms/latest/developerguide/key-policies.html#key-policy-default
@return [Hash<String,String>]

@see docs.aws.amazon.com/goto/WebAPI/accessanalyzer-2019-11-01/KmsKeyConfiguration AWS API Documentation

Constants

SENSITIVE