class Aws::AccessAnalyzer::Types::KmsGrantConstraints

Use this structure to propose allowing [cryptographic operations][1] in the grant only when the operation request includes the specified [encryption context][2]. You can specify only one type of encryption context. An empty map is treated as not specified. For more information, see [GrantConstraints][3].

[1]: https://docs.aws.amazon.com/kms/latest/developerguide/concepts.html#cryptographic-operations
[2]: https://docs.aws.amazon.com/kms/latest/developerguide/concepts.html#encrypt_context
[3]: https://docs.aws.amazon.com/kms/latest/APIReference/API_GrantConstraints.html

@note When making an API call, you may pass KmsGrantConstraints data as a hash:

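    # Shape of the structure only: specify one of the two constraint
    # types in a real request, not both.
    {
      encryption_context_equals: {
        "KmsConstraintsKey" => "KmsConstraintsValue",
      },
      encryption_context_subset: {
        "KmsConstraintsKey" => "KmsConstraintsValue",
      },
    }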

@!attribute [rw] encryption_context_equals

A list of key-value pairs that must match the encryption context in
the [cryptographic operation][1] request. The grant allows the
operation only when the encryption context in the request is the
same as the encryption context specified in this constraint.

[1]: https://docs.aws.amazon.com/kms/latest/developerguide/concepts.html#cryptographic-operations
@return [Hash<String,String>]

@!attribute [rw] encryption_context_subset

A list of key-value pairs that must be included in the encryption
context of the [cryptographic operation][1] request. The grant
allows the cryptographic operation only when the encryption context
in the request includes the key-value pairs specified in this
constraint, although it can include additional key-value pairs.

[1]: https://docs.aws.amazon.com/kms/latest/developerguide/concepts.html#cryptographic-operations
@return [Hash<String,String>]

@see docs.aws.amazon.com/goto/WebAPI/accessanalyzer-2019-11-01/KmsGrantConstraints AWS API Documentation
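The difference between the two constraint types, and the "only one type" and "empty map" rules stated above, as an added example that is not part of the SDK or of AWS documentation. The helper names `active_constraint` and `context_allowed?` and the sample contexts are hypothetical, and the model assumes keys and values are compared as exact strings.

```ruby
# Added example: a local model of the two constraint types, for reviewing a
# proposed grant before sending it to Access Analyzer. Not SDK code.
# Assumption: keys and values are compared as exact strings.

KNOWN_TYPES = %i[encryption_context_equals encryption_context_subset].freeze

# Hypothetical helper: returns [type, pairs] for the one constraint in use,
# or nil when none is specified. An empty map counts as not specified.
def active_constraint(constraints)
  set = constraints.reject { |_type, pairs| pairs.nil? || pairs.empty? }
  unknown = set.keys - KNOWN_TYPES
  raise ArgumentError, "unknown constraint: #{unknown.join(', ')}" unless unknown.empty?
  raise ArgumentError, "specify only one type of encryption context" if set.size > 1
  set.first
end

# Hypothetical helper: does a request carrying request_context satisfy the
# proposed constraints? With no constraint specified, nothing is restricted.
def context_allowed?(constraints, request_context)
  type, pairs = active_constraint(constraints)
  request_context ||= {}
  case type
  when nil then true
  when :encryption_context_equals then request_context == pairs   # exact match
  when :encryption_context_subset then pairs <= request_context   # extras allowed
  end
end

# Constructed sample data.
EQUALS = { encryption_context_equals: { "Department" => "Finance" } }.freeze
SUBSET = { encryption_context_subset: { "Department" => "Finance" },
           encryption_context_equals: {} }.freeze # empty map: not specified
REQUEST = { "Department" => "Finance", "Project" => "Audit" }.freeze

if __FILE__ == $PROGRAM_NAME
  puts "equals + extra pair: #{context_allowed?(EQUALS, REQUEST)}"
  puts "subset + extra pair: #{context_allowed?(SUBSET, REQUEST)}"
  puts "subset, no context:  #{context_allowed?(SUBSET, nil)}"
end
```

A request that adds an extra pair fails the `encryption_context_equals` constraint but passes `encryption_context_subset`, which is the practical reason to prefer the equals form when the full encryption context is known in advance.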

Constants

SENSITIVE