@swamp/aws/kms

v2026.04.23.3

AWS KMS infrastructure models

Repository

https://github.com/systeminit/swamp-extensions

Labels

aws, kms, cloud, infrastructure

Quality score

Verified by Swamp

How well-documented and verifiable this extension is.

100%

Grade A

  • Has README or module doc: 2/2 earned
  • README has a code example: 1/1 earned
  • README is substantive: 1/1 earned
  • Most symbols documented: 1/1 earned
  • No slow types: 1/1 earned
  • Has description: 1/1 earned
  • At least one platform tag (or universal): 1/1 earned
  • Two or more platform tags (or universal): 1/1 earned
  • License declared: 1/1 earned
  • Verified public repository: 2/2 earned

Install

$ swamp extension pull @swamp/aws/kms

@swamp/aws/kms/alias v2026.04.23.2 alias.ts

Global Arguments

| Argument | Type | Description |
| --- | --- | --- |
| TargetKeyId | string | Associates the alias with the specified [](https://docs.aws.amazon.com/kms/latest/developerguide/concepts.html#customer-cmk). The KMS key must be in the same AWS account and Region. A valid key ID is required. If you supply a null or empty string value, this operation returns an error. For help finding the key ID and ARN, see [Finding the key ID and ARN](https://docs.aws.amazon.com/kms/latest/developerguide/viewing-keys.html#find-cmk-id-arn) in the *Developer Guide*. Specify the key ID or the ke |
| AliasName | string | Specifies the alias name. This value must begin with alias/ followed by a name, such as alias/ExampleAlias. If you change the value of the AliasName property, the existing alias is deleted and a new alias is created for the specified KMS key. This change can disrupt applications that use the alias. It can also allow or deny access to a KMS key affected by attribute-based access control (ABAC). The alias must be a string of 1-256 characters. It can contain only alphanumeric characters, forward slas |

  • create: Create a KMS Alias
  • get: Get a KMS Alias

    | Argument | Type | Description |
    | --- | --- | --- |
    | identifier | string | The primary identifier of the KMS Alias |

  • update: Update a KMS Alias
  • delete: Delete a KMS Alias

    | Argument | Type | Description |
    | --- | --- | --- |
    | identifier | string | The primary identifier of the KMS Alias |

  • sync: Sync KMS Alias state from AWS

Resources

state (infinite) — KMS Alias resource state

@swamp/aws/kms/key v2026.04.23.2 key.ts

Global Arguments

| Argument | Type | Description |
| --- | --- | --- |
| name | string | Instance name for this resource (used as the unique identifier in the factory pattern) |
| Description? | string | A description of the KMS key. Use a description that helps you to distinguish this KMS key from others in the account, such as its intended use. |
| Enabled? | boolean | Specifies whether the KMS key is enabled. Disabled KMS keys cannot be used in cryptographic operations. When Enabled is true, the *key state* of the KMS key is Enabled. When Enabled is false, the key state of the KMS key is Disabled. The default value is true. The actual key state of the KMS key might be affected by actions taken outside of CloudFormation, such as running the [EnableKey](https://docs.aws.amazon.com/kms/latest/APIReference/API_EnableKey.html), [DisableKey](https://docs.aws.amazon |
| EnableKeyRotation? | boolean | Enables automatic rotation of the key material for the specified KMS key. By default, automatic key rotation is not enabled. KMS supports automatic rotation only for symmetric encryption KMS keys (KeySpec = SYMMETRIC_DEFAULT). For asymmetric KMS keys, HMAC KMS keys, and KMS keys with Origin EXTERNAL, omit the EnableKeyRotation property or set it to false. To enable automatic key rotation of the key material for a multi-Region KMS key, set EnableKeyRotation to true on the primary key (created by |
| KeyPolicy? | string | The key policy to attach to the KMS key. If you provide a key policy, it must meet the following criteria: The key policy must allow the caller to make a subsequent [PutKeyPolicy](https://docs.aws.amazon.com/kms/latest/APIReference/API_PutKeyPolicy.html) request on the KMS key. This reduces the risk that the KMS key becomes unmanageable. For more information, see [Default key policy](https://docs.aws.amazon.com/kms/latest/developerguide/key-policies.html#key-policy-default-allow-root-enable-iam) |
| KeyUsage? | enum | Determines the [cryptographic operations](https://docs.aws.amazon.com/kms/latest/developerguide/concepts.html#cryptographic-operations) for which you can use the KMS key. The default value is ENCRYPT_DECRYPT. This property is required for asymmetric KMS keys and HMAC KMS keys. You can't change the KeyUsage value after the KMS key is created. If you change the value of the KeyUsage property on an existing KMS key, the update request fails, regardless of the value of the [UpdateReplacePolicy attri |
| Origin? | enum | The source of the key material for the KMS key. You cannot change the origin after you create the KMS key. The default is AWS_KMS, which means that KMS creates the key material. To [create a KMS key with no key material](https://docs.aws.amazon.com/kms/latest/developerguide/importing-keys-create-cmk.html) (for imported key material), set this value to EXTERNAL. For more information about importing key material into KMS, see [Importing Key Material](https://docs.aws.amazon.com/kms/latest/develope |
| KeySpec? | enum | Specifies the type of KMS key to create. The default value, SYMMETRIC_DEFAULT, creates a KMS key with a 256-bit symmetric key for encryption and decryption. In China Regions, SYMMETRIC_DEFAULT creates a 128-bit symmetric key that uses SM4 encryption. You can't change the KeySpec value after the KMS key is created. For help choosing a key spec for your KMS key, see [Choosing a KMS key type](https://docs.aws.amazon.com/kms/latest/developerguide/symm-asymm-choose.html) in the *Developer Guide*. The |
| MultiRegion? | boolean | Creates a multi-Region primary key that you can replicate in other AWS Regions. You can't change the MultiRegion value after the KMS key is created. For a list of AWS Regions in which multi-Region keys are supported, see [Multi-Region keys in](https://docs.aws.amazon.com/kms/latest/developerguide/multi-region-keys-overview.html) in the **. If you change the value of the MultiRegion property on an existing KMS key, the update request fails, regardless of the value of the [UpdateReplacePolicy attr |
| PendingWindowInDays? | number | Specifies the number of days in the waiting period before KMS deletes a KMS key that has been removed from a CloudFormation stack. Enter a value between 7 and 30 days. The default value is 30 days. When you remove a KMS key from a CloudFormation stack, KMS schedules the KMS key for deletion and starts the mandatory waiting period. The PendingWindowInDays property determines the length of the waiting period. During the waiting period, the key state of the KMS key is Pending Deletion or Pending Replica De |
| Tags? | array | Assigns one or more tags to the replica key. Tagging or untagging a KMS key can allow or deny permission to the KMS key. For details, see [ABAC for](https://docs.aws.amazon.com/kms/latest/developerguide/abac.html) in the *Developer Guide*. For information about tags in KMS, see [Tagging keys](https://docs.aws.amazon.com/kms/latest/developerguide/tagging-keys.html) in the *Developer Guide*. For information about tags in CloudFormation, see [Tag](https://docs.aws.amazon.com/AWSCloudFormation/lates |
| BypassPolicyLockoutSafetyCheck? | boolean | Skips ("bypasses") the key policy lockout safety check. The default value is false. Setting this value to true increases the risk that the KMS key becomes unmanageable. Do not set this value to true indiscriminately. For more information, see [Default key policy](https://docs.aws.amazon.com/kms/latest/developerguide/key-policy-default.html#prevent-unmanageable-key) in the *Developer Guide*. Use this parameter only when you intend to prevent the principal that is making the request from making a |
| RotationPeriodInDays? | number | Specifies a custom period of time between each rotation date. If no value is specified, the default value is 365 days. The rotation period defines the number of days after you enable automatic key rotation that KMS will rotate your key material, and the number of days between each automatic rotation thereafter. You can use the [kms:RotationPeriodInDays](https://docs.aws.amazon.com/kms/latest/developerguide/conditions-kms.html#conditions-kms-rotation-period-in-days) condition key to further const |

  • create: Create a KMS Key
  • get: Get a KMS Key

    | Argument | Type | Description |
    | --- | --- | --- |
    | identifier | string | The primary identifier of the KMS Key |

  • update: Update a KMS Key
  • delete: Delete a KMS Key

    | Argument | Type | Description |
    | --- | --- | --- |
    | identifier | string | The primary identifier of the KMS Key |

  • sync: Sync KMS Key state from AWS

Resources

state (infinite) — KMS Key resource state

@swamp/aws/kms/replica-key v2026.04.23.2 replica_key.ts

Global Arguments

| Argument | Type | Description |
| --- | --- | --- |
| name | string | Instance name for this resource (used as the unique identifier in the factory pattern) |
| Description? | string | A description of the AWS KMS key. Use a description that helps you to distinguish this AWS KMS key from others in the account, such as its intended use. |
| PendingWindowInDays? | number | Specifies the number of days in the waiting period before AWS KMS deletes an AWS KMS key that has been removed from a CloudFormation stack. Enter a value between 7 and 30 days. The default value is 30 days. |
| KeyPolicy | string | The key policy that authorizes use of the AWS KMS key. The key policy must observe the following rules. |
| PrimaryKeyArn | string | Identifies the primary AWS KMS key to create a replica of. Specify the Amazon Resource Name (ARN) of the AWS KMS key. You cannot specify an alias or key ID. For help finding the ARN, see Finding the Key ID and ARN in the AWS Key Management Service Developer Guide. |
| Enabled? | boolean | Specifies whether the AWS KMS key is enabled. Disabled AWS KMS keys cannot be used in cryptographic operations. |
| Tags? | array | An array of key-value pairs to apply to this resource. |

  • create: Create a KMS ReplicaKey
  • get: Get a KMS ReplicaKey

    | Argument | Type | Description |
    | --- | --- | --- |
    | identifier | string | The primary identifier of the KMS ReplicaKey |

  • update: Update a KMS ReplicaKey
  • delete: Delete a KMS ReplicaKey

    | Argument | Type | Description |
    | --- | --- | --- |
    | identifier | string | The primary identifier of the KMS ReplicaKey |

  • sync: Sync KMS ReplicaKey state from AWS

Resources

state (infinite) — KMS ReplicaKey resource state