class Aws::KMS::Types::ReplicateKeyRequest

@note When making an API call, you may pass ReplicateKeyRequest data as a hash:

    {
      key_id: "KeyIdType", # required
      replica_region: "RegionType", # required
      policy: "PolicyType",
      bypass_policy_lockout_safety_check: false,
      description: "DescriptionType",
      tags: [
        {
          tag_key: "TagKeyType", # required
          tag_value: "TagValueType", # required
        },
      ],
    }

@!attribute [rw] key_id

Identifies the multi-Region primary key that is being replicated. To
determine whether a KMS key is a multi-Region primary key, use the
DescribeKey operation to check the value of the `MultiRegionKeyType`
property.

Specify the key ID or key ARN of a multi-Region primary key.

For example:

* Key ID: `mrk-1234abcd12ab34cd56ef1234567890ab`

* Key ARN:
  `arn:aws:kms:us-east-2:111122223333:key/mrk-1234abcd12ab34cd56ef1234567890ab`

To get the key ID and key ARN for a KMS key, use ListKeys or
DescribeKey.
@return [String]

@!attribute [rw] replica_region

The Region ID of the Amazon Web Services Region for this replica
key.

Enter the Region ID, such as `us-east-1` or `ap-southeast-2`. For a
list of Amazon Web Services Regions in which KMS is supported, see
[KMS service endpoints][1] in the *Amazon Web Services General
Reference*.

The replica must be in a different Amazon Web Services Region than
its primary key and other replicas of that primary key, but in the
same Amazon Web Services partition. KMS must be available in the
replica Region. If the Region is not enabled by default, the Amazon
Web Services account must be enabled in the Region.

For information about Amazon Web Services partitions, see [Amazon
Resource Names (ARNs)][2] in the *Amazon Web Services General
Reference*. For information about enabling and disabling
Regions, see [Enabling a Region][3] and [Disabling a Region][4] in
the *Amazon Web Services General Reference*.

[1]: https://docs.aws.amazon.com/general/latest/gr/kms.html#kms_region
[2]: https://docs.aws.amazon.com/general/latest/gr/aws-arns-and-namespaces.html
[3]: https://docs.aws.amazon.com/general/latest/gr/rande-manage.html#rande-manage-enable
[4]: https://docs.aws.amazon.com/general/latest/gr/rande-manage.html#rande-manage-disable
@return [String]

@!attribute [rw] policy

The key policy to attach to the KMS key. This parameter is optional.
If you do not provide a key policy, KMS attaches the [default key
policy][1] to the KMS key.

The key policy is not a shared property of multi-Region keys. You
can specify the same key policy or a different key policy for each
key in a set of related multi-Region keys. KMS does not synchronize
this property.

If you provide a key policy, it must meet the following criteria:

* If you don't set `BypassPolicyLockoutSafetyCheck` to true, the
  key policy must give the caller `kms:PutKeyPolicy` permission on
  the replica key. This reduces the risk that the KMS key becomes
  unmanageable. For more information, refer to the scenario in the
  [Default Key Policy][2] section of the *Key Management
  Service Developer Guide*.

* Each statement in the key policy must contain one or more
  principals. The principals in the key policy must exist and be
  visible to KMS. When you create a new Amazon Web Services
  principal (for example, an IAM user or role), you might need to
  enforce a delay before including the new principal in a key policy
  because the new principal might not be immediately visible to KMS.
  For more information, see [Changes that I make are not always
  immediately visible][3] in the *Identity and Access
  Management User Guide*.

* The key policy size quota is 32 kilobytes (32768 bytes).

[1]: https://docs.aws.amazon.com/kms/latest/developerguide/key-policies.html#key-policy-default
[2]: https://docs.aws.amazon.com/kms/latest/developerguide/key-policies.html#key-policy-default-allow-root-enable-iam
[3]: https://docs.aws.amazon.com/IAM/latest/UserGuide/troubleshoot_general.html#troubleshoot_general_eventual-consistency
@return [String]

@!attribute [rw] bypass_policy_lockout_safety_check

A flag to indicate whether to bypass the key policy lockout safety
check.

Setting this value to true increases the risk that the KMS key
becomes unmanageable. Do not set this value to true
indiscriminately.

For more information, refer to the scenario in the [Default Key
Policy][1] section in the *Key Management Service Developer Guide*.

Use this parameter only when you intend to prevent the principal
that is making the request from making a subsequent `PutKeyPolicy`
request on the KMS key.

The default value is false.

[1]: https://docs.aws.amazon.com/kms/latest/developerguide/key-policies.html#key-policy-default-allow-root-enable-iam
@return [Boolean]
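
A pre-flight check of the `policy` criteria and the lockout safety check described above, as an added example that is not part of the SDK or its documentation. `replicate_key_preflight` and `principals` are hypothetical helpers; the `kms:PutKeyPolicy` test is a simplified local approximation and assumes that a grant to the caller's account root satisfies it.

```ruby
require "json"

MAX_POLICY_BYTES = 32_768 # key policy size quota stated above

# Flatten a statement's Principal element ("*", or {"AWS" => arn | [arns]}).
def principals(statement)
  pr = statement["Principal"]
  pr.is_a?(Hash) ? pr.values.flatten : [pr].compact
end

# Hypothetical helper (not an SDK method): lists problems in a ReplicateKey
# request hash before it is sent. The PutKeyPolicy test is a simplified local
# approximation (literal principals/actions only), not KMS's own evaluation.
def replicate_key_preflight(request, caller_arn:)
  problems = []
  # When key_id is a key ARN, its Region must differ from replica_region.
  if (m = request[:key_id].to_s.match(/\Aarn:[^:]+:kms:([^:]+):/)) &&
     m[1] == request[:replica_region]
    problems << "replica_region is the primary key's Region"
  end

  policy = request[:policy]
  return problems if policy.nil? # KMS attaches the default key policy

  problems << "policy exceeds #{MAX_POLICY_BYTES} bytes" if policy.bytesize > MAX_POLICY_BYTES
  begin
    statements = [JSON.parse(policy)["Statement"]].flatten.compact
  rescue JSON::ParserError, TypeError
    return problems << "policy is not valid JSON"
  end
  statements.each_with_index do |st, i|
    problems << "statement #{i} has no principal" if principals(st).empty?
  end

  unless request[:bypass_policy_lockout_safety_check]
    # Assumption: a grant to the caller's account root counts, as in the default key policy.
    part, acct = caller_arn.split(":").values_at(1, 4)
    allowed = [caller_arn, "arn:#{part}:iam::#{acct}:root"]
    ok = statements.any? do |st|
      st["Effect"] == "Allow" &&
        ([st["Action"]].flatten & %w[kms:PutKeyPolicy kms:* *]).any? &&
        (principals(st) & allowed).any?
    end
    problems << "policy does not give the caller kms:PutKeyPolicy" unless ok
  end
  problems
end
```

An empty result means only that these local checks passed; KMS still applies its own validation when the request is made.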

@!attribute [rw] description

A description of the KMS key. The default value is an empty string
(no description).

The description is not a shared property of multi-Region keys. You
can specify the same description or a different description for each
key in a set of related multi-Region keys. KMS does not synchronize
this property.
@return [String]

@!attribute [rw] tags

Assigns one or more tags to the replica key. Use this parameter to
tag the KMS key when it is created. To tag an existing KMS key, use
the TagResource operation.

<note markdown="1">
Tagging or untagging a KMS key can allow or deny permission to the
KMS key. For details, see [Using ABAC in KMS][1] in the *Key
Management Service Developer Guide*.
</note>

To use this parameter, you must have [kms:TagResource][2] permission
in an IAM policy.

Tags are not a shared property of multi-Region keys. You can specify
the same tags or different tags for each key in a set of related
multi-Region keys. KMS does not synchronize this property.

Each tag consists of a tag key and a tag value. Both the tag key and
the tag value are required, but the tag value can be an empty (null)
string. You cannot have more than one tag on a KMS key with the same
tag key. If you specify an existing tag key with a different tag
value, KMS replaces the current tag value with the specified one.

When you add tags to an Amazon Web Services resource, Amazon Web
Services generates a cost allocation report with usage and costs
aggregated by tags. Tags can also be used to control access to a KMS
key. For details, see [Tagging Keys][3].

[1]: https://docs.aws.amazon.com/kms/latest/developerguide/abac.html
[2]: https://docs.aws.amazon.com/kms/latest/developerguide/kms-api-permissions-reference.html
[3]: https://docs.aws.amazon.com/kms/latest/developerguide/tagging-keys.html
@return [Array<Types::Tag>]

@see docs.aws.amazon.com/goto/WebAPI/kms-2014-11-01/ReplicateKeyRequest AWS API Documentation

Constants

SENSITIVE