Key type reference - AWS Key Management Service

This page is a machine-translated version. If this translation differs from the English original, the English original prevails.

Key type reference

However, AWS KMS supports different features for different types of KMS keys. For example, only symmetric encryption KMS keys can be used to generate symmetric data keys and asymmetric data key pairs. Also, only symmetric encryption KMS keys support imported key material and automatic key rotation, and only symmetric encryption KMS keys can be created in a custom key store.

This reference includes two tables.

  • The key type table lists the AWS KMS operations that are valid on symmetric encryption KMS keys, asymmetric KMS keys, and HMAC KMS keys.

  • The special features table lists the AWS KMS operations that are valid on multi-Region KMS keys, KMS keys with imported key material, and KMS keys in a custom key store.

Key type table

Columns of the key type table: AWS KMS API operation | Symmetric encryption KMS key | HMAC KMS key | Asymmetric KMS key (ENCRYPT_DECRYPT) | Asymmetric KMS key (SIGN_VERIFY) | Asymmetric KMS key (KEY_AGREEMENT)

The operations listed, with the notes that accompany them:

  • CancelKeyDeletion

  • CreateAlias

  • CreateGrant

  • CreateKey

  • Decrypt

  • DeleteAlias

  • DeleteImportedKeyMaterial: Valid only on KMS keys with imported key material (Origin is EXTERNAL).

  • DeriveSharedSecret

  • DescribeKey

  • DisableKey

  • DisableKeyRotation: Valid only on KMS keys with AWS KMS key material (Origin is AWS_KMS).

  • EnableKey

  • EnableKeyRotation: Valid only on KMS keys with AWS KMS key material (Origin is AWS_KMS).

  • Encrypt

  • GenerateDataKey

  • GenerateDataKeyPair: Generates an asymmetric data key pair that is protected by a symmetric encryption KMS key. Not valid on KMS keys in a custom key store.

  • GenerateDataKeyPairWithoutPlaintext: Generates an asymmetric data key pair that is protected by a symmetric encryption KMS key. Not valid on KMS keys in a custom key store.

  • GenerateDataKeyWithoutPlaintext

  • GenerateMac

  • GetKeyPolicy

  • GetKeyRotationStatus: For key types other than symmetric encryption KMS keys, KeyRotationEnabled will always be false.

  • GetParametersForImport: Valid only on KMS keys with imported key material (Origin is EXTERNAL).

  • GetPublicKey

  • ImportKeyMaterial: Valid only on KMS keys with imported key material (Origin is EXTERNAL).

  • ListAliases

  • ListGrants

  • ListKeyPolicies

  • ListKeyRotations: For key types other than symmetric encryption KMS keys, the Rotations field will always be null or empty.

  • ListResourceTags

  • ListRetirableGrants

  • PutKeyPolicy

  • ReEncrypt

  • ReplicateKey: Valid only on multi-Region keys.

  • RetireGrant

  • RevokeGrant

  • RotateKeyOnDemand: Valid only on KMS keys with AWS KMS key material (Origin is AWS_KMS).

  • ScheduleKeyDeletion

  • Sign

  • TagResource

  • UntagResource

  • UpdateAlias: The current KMS key and the new KMS key must be of the same type (both symmetric, both asymmetric, or both HMAC), and they must have the same key usage.

  • UpdateKeyDescription

  • UpdateReplicaRegion: Valid only on multi-Region keys.

  • Verify

  • VerifyMac

Special features table

This table shows the AWS KMS API operations that are supported on each type of special-purpose key.

When reading this table, note the following interactions:

  • Multi-Region keys

    • A multi-Region key can be a symmetric encryption KMS key, an asymmetric KMS key, an HMAC KMS key, or a KMS key with imported key material.

    • You cannot create a multi-Region key in a custom key store.

  • Imported key material

    • You can import key material for symmetric encryption KMS keys, asymmetric KMS keys, and HMAC KMS keys.

    • You can create a multi-Region key with imported key material.

    • You cannot create a key with imported key material in a custom key store.

    • KMS keys with imported key material do not support automatic key rotation (EnableKeyRotation, DisableKeyRotation).

  • Custom key stores

    • Custom key stores support only symmetric encryption KMS keys.

    • KMS keys in a custom key store do not support generating asymmetric data key pairs (GenerateDataKeyPair, GenerateDataKeyPairWithoutPlaintext).

    • KMS keys in a custom key store do not support automatic key rotation (EnableKeyRotation, DisableKeyRotation).

    • You cannot create a multi-Region key in a custom key store.
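The interactions above are easy to get wrong in tooling that reads key metadata and then assumes an operation will succeed, or that treats a KeyRotationEnabled of false as a policy violation when the key type cannot support rotation at all. The following added example (not AWS code and not part of this page) encodes those rules as pre-flight checks and a small audit over constructed key metadata. The input dicts use the real field names of the KeyMetadata structure that DescribeKey returns (KeySpec, KeyUsage, Origin, MultiRegion, MultiRegionConfiguration, CustomKeyStoreId); the key IDs and the custom key store ID are placeholders, and the sample set is constructed for illustration.

```python
"""Pre-flight checks derived from the key type and special features tables.

Added example, not AWS code. The dicts mimic DescribeKey's KeyMetadata
(real field names); all IDs below are constructed placeholders.
"""

SYMMETRIC = "symmetric"
HMAC = "hmac"
ASYMMETRIC = "asymmetric"

# Constructed sample metadata covering the key kinds the tables distinguish.
SAMPLE_KEYS = {
    "sym-aws": {"KeyId": "00000000-0000-0000-0000-000000000001", "KeySpec": "SYMMETRIC_DEFAULT",
                "KeyUsage": "ENCRYPT_DECRYPT", "Origin": "AWS_KMS", "MultiRegion": False},
    "sym-imported": {"KeyId": "00000000-0000-0000-0000-000000000002", "KeySpec": "SYMMETRIC_DEFAULT",
                     "KeyUsage": "ENCRYPT_DECRYPT", "Origin": "EXTERNAL", "MultiRegion": False},
    "sym-cloudhsm": {"KeyId": "00000000-0000-0000-0000-000000000003", "KeySpec": "SYMMETRIC_DEFAULT",
                     "KeyUsage": "ENCRYPT_DECRYPT", "Origin": "AWS_CLOUDHSM", "MultiRegion": False,
                     "CustomKeyStoreId": "cks-placeholder"},
    "hmac": {"KeyId": "00000000-0000-0000-0000-000000000004", "KeySpec": "HMAC_256",
             "KeyUsage": "GENERATE_VERIFY_MAC", "Origin": "AWS_KMS", "MultiRegion": False},
    "rsa-sign-primary": {"KeyId": "mrk-placeholder", "KeySpec": "RSA_2048", "KeyUsage": "SIGN_VERIFY",
                         "Origin": "AWS_KMS", "MultiRegion": True,
                         "MultiRegionConfiguration": {"MultiRegionKeyType": "PRIMARY"}},
    "rsa-encrypt": {"KeyId": "00000000-0000-0000-0000-000000000005", "KeySpec": "RSA_2048",
                    "KeyUsage": "ENCRYPT_DECRYPT", "Origin": "AWS_KMS", "MultiRegion": False},
}


def key_type(meta: dict) -> str:
    """Classify a key the way the key type table does. KEY_AGREEMENT keys
    use elliptic-curve specs and therefore land in the asymmetric bucket."""
    spec = meta["KeySpec"]
    if spec == "SYMMETRIC_DEFAULT":
        return SYMMETRIC
    if spec.startswith("HMAC_"):
        return HMAC
    return ASYMMETRIC


def in_custom_key_store(meta: dict) -> bool:
    return bool(meta.get("CustomKeyStoreId"))


def why_no_rotation(meta: dict):
    """Return the reason automatic rotation cannot apply, or None if it can.
    Order matters: a custom key store key has a non-AWS_KMS Origin too, so
    check the store before the origin to report the more specific reason."""
    if key_type(meta) != SYMMETRIC:
        return "not a symmetric encryption key"
    if in_custom_key_store(meta):
        return "key in a custom key store"
    if meta["Origin"] != "AWS_KMS":
        return f"Origin is {meta['Origin']}, not AWS_KMS"
    return None


def supports_automatic_rotation(meta: dict) -> bool:
    """EnableKeyRotation / DisableKeyRotation / RotateKeyOnDemand apply only
    here; for every other key GetKeyRotationStatus reports false regardless."""
    return why_no_rotation(meta) is None


def can_generate_data_key_pair(meta: dict) -> bool:
    """GenerateDataKeyPair(WithoutPlaintext): symmetric encryption keys only,
    and never for keys in a custom key store."""
    return key_type(meta) == SYMMETRIC and not in_custom_key_store(meta)


def can_replicate(meta: dict) -> bool:
    """ReplicateKey is valid only on a multi-Region primary key."""
    cfg = meta.get("MultiRegionConfiguration") or {}
    return bool(meta.get("MultiRegion")) and cfg.get("MultiRegionKeyType") == "PRIMARY"


def can_update_alias(current: dict, new: dict) -> bool:
    """UpdateAlias: both keys must be the same type and share the same KeyUsage."""
    return key_type(current) == key_type(new) and current["KeyUsage"] == new["KeyUsage"]


def rotation_audit(keys: dict) -> list:
    """List (name, reason) for keys whose KeyRotationEnabled is structurally
    meaningless, so a rotation compliance check can exclude or re-route them
    (for example, toward a manual re-import schedule) instead of misreporting."""
    return sorted((name, why_no_rotation(meta)) for name, meta in keys.items()
                  if why_no_rotation(meta) is not None)


if __name__ == "__main__":
    for name, reason in rotation_audit(SAMPLE_KEYS):
        print(f"{name}: automatic rotation not applicable ({reason})")
```

Run the module to see the audit over the constructed keys; in real tooling the dicts would come from DescribeKey responses, and the same functions would gate calls to EnableKeyRotation, GenerateDataKeyPair, ReplicateKey and UpdateAlias before they are issued.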

Legend: ✓ = supported, ✗ = not supported. Notes in parentheses qualify the cell or row they appear in.

| AWS KMS API operation | Multi-Region key | Imported key material | KMS key in a custom key store |
|---|---|---|---|
| CancelKeyDeletion | ✓ | ✓ | ✓ |
| CreateAlias | ✓ | ✓ | ✓ |
| CreateGrant | ✓ | ✓ | ✓ |
| CreateKey (you can use CreateKey to create a multi-Region primary key, a KMS key with imported key material, or a KMS key in a custom key store; to create a multi-Region replica key, use ReplicateKey) | ✓ | ✓ | ✓ |
| Decrypt | ✓ (valid only when KeyUsage is ENCRYPT_DECRYPT) | ✓ | ✓ |
| DeleteAlias | ✓ | ✓ | ✓ |
| DeleteImportedKeyMaterial | ✓ (valid only on keys with imported key material, Origin is EXTERNAL) | ✓ | ✗ |
| DescribeKey | ✓ | ✓ | ✓ |
| DisableKey | ✓ | ✓ | ✓ |
| DisableKeyRotation | ✓ (valid only on symmetric encryption keys with AWS KMS key material, Origin is AWS_KMS) | ✗ | ✗ |
| EnableKey | ✓ (valid only on symmetric encryption KMS keys) | ✓ | ✓ |
| EnableKeyRotation | ✓ (valid only on symmetric encryption keys with AWS KMS key material, Origin is AWS_KMS) | ✗ | ✗ |
| Encrypt | ✓ (valid only when KeyUsage is ENCRYPT_DECRYPT) | ✓ | ✓ |
| GenerateDataKey | ✓ (valid only on symmetric encryption KMS keys) | ✓ | ✓ |
| GenerateDataKeyPair | ✓ (valid only on symmetric encryption KMS keys) | ✓ | ✗ |
| GenerateDataKeyPairWithoutPlaintext | ✓ (valid only on symmetric encryption KMS keys) | ✓ | ✗ |
| GenerateDataKeyWithoutPlaintext | ✓ (valid only on symmetric encryption KMS keys) | ✓ | ✓ |
| GenerateMac (valid only on HMAC KMS keys) | ✓ | ✓ | ✗ |
| GetKeyPolicy | ✓ | ✓ | ✓ |
| GetKeyRotationStatus | ✓ | ✓ (KeyRotationEnabled will always be false) | ✗ |
| GetParametersForImport | ✓ (valid only on keys with imported key material, Origin is EXTERNAL) | ✓ | ✗ |
| GetPublicKey (valid only on asymmetric KMS keys) | ✓ | ✓ | ✗ |
| ImportKeyMaterial | ✓ (valid only on keys with imported key material, Origin is EXTERNAL) | ✓ | ✗ |
| ListAliases | ✓ | ✓ | ✓ |
| ListGrants | ✓ | ✓ | ✓ |
| ListKeyPolicies | ✓ | ✓ | ✓ |
| ListResourceTags | ✓ | ✓ | ✓ |
| ListRetirableGrants | ✓ | ✓ | ✓ |
| PutKeyPolicy | ✓ | ✓ | ✓ |
| ReEncrypt | ✓ (valid only when KeyUsage is ENCRYPT_DECRYPT) | ✓ | ✓ |
| ReplicateKey | ✓ (valid only on multi-Region primary keys) | ✓ (valid only on multi-Region primary keys) | ✗ |
| RetireGrant | ✓ | ✓ | ✓ |
| RevokeGrant | ✓ | ✓ | ✓ |
| ScheduleKeyDeletion | ✓ | ✓ | ✓ |
| Sign (valid only when KeyUsage is SIGN_VERIFY) | ✓ | ✓ | ✗ |
| TagResource | ✓ | ✓ | ✓ |
| UntagResource | ✓ | ✓ | ✓ |
| UpdateAlias (the current KMS key and the new KMS key must be of the same type, that is both symmetric, both asymmetric, or both HMAC, and must have the same key usage) | ✓ | ✓ | ✓ |
| UpdateKeyDescription | ✓ | ✓ | ✓ |
| UpdateReplicaRegion | ✓ | ✓ (valid only on multi-Region keys) | ✗ |
| Verify (valid only when KeyUsage is SIGN_VERIFY) | ✓ | ✓ | ✗ |
| VerifyMac (valid only on HMAC KMS keys) | ✓ | ✓ | ✗ |