Create AWS KMS Key
By default, AWS KMS creates key material when you create an AWS KMS key. To import your own key material instead, create a KMS key without key material. Then import the key material. To create a KMS key with no key material, it is possible to use the AWS Management Console or the create-key request with AWS KMS API.
To create a key with no key material, specify a key spec of SYMMETRIC_DEFAULT
(the default value) and an origin of EXTERNAL
. The key spec and origin of a KMS key are immutable values.
Once you create a key designed for imported key material in KMS, it is not possible to convert it into a KMS key with key material from AWS KMS or any other source!
The key state of a KMS key with an EXTERNAL
origin and no key material is PendingImport
. A KMS key can remain in PendingImport
state indefinitely. However, it is not possible to use a KMS key in PendingImport
state in cryptographic operations. When key material is imported, the key state of the KMS key changes to Enabled, and is ready to use in cryptographic operations.
AWS KMS records an entry in the AWS CloudTrail log when creating a KMS key, downloading the public key and import token, as well as importing the key material. AWS KMS also records an entry when you delete imported key material or when AWS KMS deletes expired key material.
For information about creating multi-Region keys with imported key material, see Importing key material into multi-Region keys.
- Create KMS key (via AWS Console)
- Create a KMS Key (via AWS KMS API)
Use the AWS Management Console to create a symmetric encryption KMS key without key material. Imported keys have an Origin value of External
. It is necessary to create a KMS key for the imported key material only once and reimport the same key material into an existing KMS key.
Please follow the next steps to create a KMS key with no key material.
- Sign in to the AWS Management Console and open the AWS Key Management Service (AWS KMS) console.
- To change the AWS Region, use the Region selector in the upper-right corner of the page.
- In the navigation pane, choose
Customer managed keys
. - Choose
Create key
. - Choose
Symmetric
.
It is not possible to import key material into an asymmetric KMS key.
- In
Key usage
, theEncrypt and decrypt
option is already selected. Do not change it.
You cannot import key material into an HMAC KMS key.
- Expand
Advanced options
. - For
Key material origin
, selectExternal
.
You cannot import key material into a KMS key in a custom key store.
- Confirm the check box next to
I understand the security, availability, and durability implications of using an imported key
to indicate that you understand the implications of using imported key material. - By default, this procedure creates a KMS key in the selected Region.
To create a multi-Region primary key with no key material, in the Regionality
section, choose Multi-Region key
.
- Choose
Next
. - Type an alias and (optionally) a description for the KMS key.
Choose
Next
. - (Optional). On the
Add tags
page, add tags that identify or categorize the KMS key. ChooseNext
. - In the
Key administrators
section, select the IAM users and roles who can manage the KMS key.
IAM policies can give other IAM users and roles permission to manage the KMS key.
- (Optional) To prevent the selected IAM users and roles from deleting this KMS key, in the
Key deletion
section at the bottom of the page, clear theAllow key administrators to delete this key
check box. ChooseNext
. - In the
This account
section, select the IAM users and roles in this AWS account who can use the KMS key in crypto-graphic operations.
IAM policies can give other IAM users and roles permission to use the KMS key.
- (Optional) It is possible to allow other AWS accounts to use this KMS key for cryptographic operations.
To do so, in the Other AWS accounts
section at the bottom of the page, choose Add another AWS account
and enter the AWS account ID of an external account. To add multiple external accounts, repeat this step.
To allow principals in the external accounts to use the KMS key, Administrators of the external account must create IAM policies that provide these permissions.
Choose Next
.
-
Review the key settings. It is possible to return and adapt all settings before finishing.
-
When done, choose
Finish
to create the key.
If the operation succeeds, you have created a KMS key with no key material. Its status is Pending import
. To con-tinue the process now, see Downloading the public key and import token (console). To continue the process later, choose Cancel
.
Optionally you can use the AWS KMS API to create a symmetric encryption KMS key with no key material, send a create-key
request with the Origin parameter set to EXTERNAL
. The following example shows how to do so with the AWS Command Line Interface (AWS CLI).
$ aws kms create-key --origin EXTERNAL
If the command was successful, an output similar to the following should be printed out:
{
"KeyMetadata": {
"Origin": "EXTERNAL",
"KeyId": "1234abcd-12ab-34cd-56ef-1234567890ab",
"Description": "",
"Enabled": false,
"MultiRegion": false,
"KeyUsage": "ENCRYPT_DECRYPT",
"KeyState": "PendingImport",
"CreationDate": 1568289600.0,
"Arn": "arn:aws:kms:us-west-2:111122223333:key/1234abcd-12ab-34cd-56ef-1234567890ab",
"AWSAccountId": "111122223333",
"KeyManager": "CUSTOMER",
"KeySpec": "SYMMETRIC_DEFAULT",
"CustomerMasterKeySpec": "SYMMETRIC_DEFAULT",
"EncryptionAlgorithms": [
"SYMMETRIC_DEFAULT"
]
}
}
The AWS KMS key's Origin is seen as EXTERNAL
and its KeyState
is PendingImport
.
Ensure to copy the KeyId
value from your command output as it will be used in later steps of the guide.