Class: Aws::KMS::Types::GrantConstraints

Inherits: Struct
  • Object
Includes: Structure
Defined in: lib/aws-sdk-kms/types.rb

Overview

Note:

When making an API call, you may pass GrantConstraints data as a hash:

{
  encryption_context_subset: {
    "EncryptionContextKey" => "EncryptionContextValue",
  },
  encryption_context_equals: {
    "EncryptionContextKey" => "EncryptionContextValue",
  },
}

Use this structure to allow [cryptographic operations] in the grant only when the operation request includes the specified [encryption context].

KMS applies the grant constraints only to cryptographic operations that support an encryption context, that is, all cryptographic operations with a [symmetric encryption KMS key]. Grant constraints are not applied to operations that do not support an encryption context, such as cryptographic operations with HMAC KMS keys or asymmetric KMS keys, and management operations, such as DescribeKey or RetireGrant.

In a cryptographic operation, the encryption context in the decryption operation must be an exact, case-sensitive match for the keys and values in the encryption context of the encryption operation. Only the order of the pairs can vary.

However, in a grant constraint, the key in each key-value pair is not case sensitive, but the value is case sensitive.

To avoid confusion, do not use multiple encryption context pairs that differ only by case. To require a fully case-sensitive encryption context, use the `kms:EncryptionContext:` and `kms:EncryptionContextKeys` conditions in an IAM or key policy. For details, see [kms:EncryptionContext:] in the Key Management Service Developer Guide.

[1]: docs.aws.amazon.com/kms/latest/developerguide/concepts.html#cryptographic-operations
[2]: docs.aws.amazon.com/kms/latest/developerguide/concepts.html#encrypt_context
[3]: docs.aws.amazon.com/kms/latest/developerguide/symm-asymm-concepts.html#symmetric-cmks
[4]: docs.aws.amazon.com/kms/latest/developerguide/policy-conditions.html#conditions-kms-encryption-context

Constant Summary

SENSITIVE = []

Instance Attribute Summary

Instance Attribute Details

#encryption_context_equals ⇒ Hash<String,String>

A list of key-value pairs that must match the encryption context in the [cryptographic operation] request. The grant allows the operation only when the encryption context in the request is the same as the encryption context specified in this constraint.

[1]: docs.aws.amazon.com/kms/latest/developerguide/concepts.html#cryptographic-operations

Returns:

  • (Hash<String,String>)

# File 'lib/aws-sdk-kms/types.rb', line 2968

class GrantConstraints < Struct.new(
  :encryption_context_subset,
  :encryption_context_equals)
  SENSITIVE = []
  include Aws::Structure
end

#encryption_context_subset ⇒ Hash<String,String>

A list of key-value pairs that must be included in the encryption context of the [cryptographic operation] request. The grant allows the cryptographic operation only when the encryption context in the request includes the key-value pairs specified in this constraint, although it can include additional key-value pairs.

[1]: docs.aws.amazon.com/kms/latest/developerguide/concepts.html#cryptographic-operations

Returns:

  • (Hash<String,String>)

# File 'lib/aws-sdk-kms/types.rb', line 2968

class GrantConstraints < Struct.new(
  :encryption_context_subset,
  :encryption_context_equals)
  SENSITIVE = []
  include Aws::Structure
end
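An added example, not part of aws-sdk-kms, that models in plain Ruby how the two constraints above are matched against a request's encryption context: constraint keys compared case-insensitively, values case-sensitively, subset allowing extra pairs and equals requiring an exact set. It assumes that when both constraints are present both must hold, and all sample values are constructed.

```ruby
# Added example (not code from aws-sdk-kms): a local model of GrantConstraints
# evaluation following the rules documented for this type. Assumption: when
# both constraints are given, both must be satisfied for the grant to apply.

# Grant constraints compare keys case-insensitively, so fold them for lookup.
# Values are left untouched because they remain case sensitive.
def fold_keys(context)
  context.to_h.transform_keys { |k| k.to_s.downcase }
end

# encryption_context_subset: every constraint pair must be present in the
# request's encryption context; the request may carry additional pairs.
def subset_satisfied?(subset, request_context)
  req = fold_keys(request_context)
  fold_keys(subset).all? { |k, v| req.key?(k) && req[k] == v }
end

# encryption_context_equals: the request context must consist of exactly the
# constraint pairs, no more and no fewer (pair order never matters in a Hash).
def equals_satisfied?(equals, request_context)
  fold_keys(equals) == fold_keys(request_context)
end

# Evaluate a constraints hash in the shape the SDK accepts (see the Note above,
# and the `constraints:` parameter of create_grant). A missing or nil
# constraint imposes nothing.
def grant_allows?(constraints, request_context)
  subset = constraints[:encryption_context_subset]
  equals = constraints[:encryption_context_equals]
  (subset.nil? || subset_satisfied?(subset, request_context)) &&
    (equals.nil? || equals_satisfied?(equals, request_context))
end

# Surface the ambiguity the documentation warns about before a grant is
# created: keys in a constraint that differ only by case.
def case_ambiguous_keys(context)
  context.keys.group_by { |k| k.to_s.downcase }
         .select { |_, ks| ks.size > 1 }
         .keys
end

# Constructed sample constraints (no real key, grant or account involved).
SUBSET_GRANT = { encryption_context_subset: { "Department" => "Finance" } }
EQUALS_GRANT = { encryption_context_equals: { "Department" => "Finance" } }
```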