/**
 * Resolves the encryption mode and KMS key for a Table and creates the backing
 * S3 bucket when the caller did not supply one.
 *
 * Security-relevant behavior visible in this block:
 * - When `props.encryption` is not set, the mode falls back to
 *   `TableEncryption.UNENCRYPTED`, so encryption is opt-in.
 * - A caller-supplied bucket is accepted only with UNENCRYPTED or
 *   CLIENT_SIDE_KMS; any other mode throws.
 * - For CLIENT_SIDE_KMS the bucket is created without any encryption props.
 *
 * NOTE(review): this excerpt ends without a `return` statement, so the resolved
 * `bucket` and `encryptionKey` stay local in the lines shown — confirm against
 * the full source how they reach the caller.
 *
 * @param table - construct used as the scope for the created key and bucket
 * @param props - table properties; `encryption`, `bucket` and `encryptionKey` are read
 * @throws Error when a bucket is supplied together with an encryption mode other
 *   than UNENCRYPTED or CLIENT_SIDE_KMS
 */
function createBucket(table: Table, props: TableProps) {
// A missing (or otherwise falsy) `encryption` prop resolves to UNENCRYPTED.
const encryption = props.encryption || TableEncryption.UNENCRYPTED;
let bucket = props.bucket;
// Reject a caller-supplied bucket combined with any other encryption mode.
// NOTE(review): presumably because this code cannot change the encryption
// configuration of a bucket it did not create — confirm.
if (bucket && (encryption !== TableEncryption.UNENCRYPTED && encryption !== TableEncryption.CLIENT_SIDE_KMS)) {
throw new Error('you can not specify encryption settings if you also provide a bucket');
}
let encryptionKey: kms.IKey | undefined;
if (encryption === TableEncryption.CLIENT_SIDE_KMS && props.encryptionKey === undefined) {
// CSE-KMS should behave the same as SSE-KMS - use the provided key or create one automatically
// Since Bucket only knows about SSE, we repeat the logic for CSE-KMS at the Table level.
encryptionKey = new kms.Key(table, 'Key');
} else {
// Every other case passes the caller's key through unchanged; it may be undefined.
// No check here ties a supplied key to a particular encryption mode.
encryptionKey = props.encryptionKey;
}
// create the bucket if none was provided
if (!bucket) {
if (encryption === TableEncryption.CLIENT_SIDE_KMS) {
// No props are passed, so this code requests no server-side encryption for the bucket.
bucket = new s3.Bucket(table, 'Bucket');
} else {
// The bucket's encryption setting is looked up in encryptionMappings by the resolved mode.
bucket = new s3.Bucket(table, 'Bucket', {
encryption: encryptionMappings[encryption],
encryptionKey
});
// Read the key back from the bucket.
// NOTE(review): presumably picks up a key the bucket created itself — confirm.
encryptionKey = bucket.encryptionKey;
}
}
// NOTE(review): the '{' after the closing brace below opens an unrelated excerpt joined onto this line.
} {
// default to unencrypted.
const encryptionType = props.encryption || StreamEncryption.UNENCRYPTED;
// if encryption key is set, encryption must be set to KMS.
if (encryptionType !== StreamEncryption.KMS && props.encryptionKey) {
throw new Error(`encryptionKey is specified, so 'encryption' must be set to KMS (value: ${encryptionType})`);
}
if (encryptionType === StreamEncryption.UNENCRYPTED) {
return { streamEncryption: undefined, encryptionKey: undefined };
}
if (encryptionType === StreamEncryption.KMS) {
const encryptionKey = props.encryptionKey || new kms.Key(this, 'Key', {
description: `Created by ${this.node.path}`
});
const streamEncryption: CfnStream.StreamEncryptionProperty = {
encryptionType: 'KMS',
keyId: encryptionKey.keyArn
};
return { encryptionKey, streamEncryption };
}
throw new Error(`Unexpected 'encryptionType': ${encryptionType}`);
}
}
/**
 * Creates the KMS key, its alias and the replication bucket for cross-region
 * CodePipeline support, and stores the bucket on `this.replicationBucket`.
 *
 * The key and the alias are both created with `RemovalPolicy.DESTROY`, while the
 * bucket sets no removal policy in this constructor.
 * NOTE(review): confirm that objects encrypted under this key are not expected
 * to stay readable after the key is removed.
 *
 * @param scope - parent construct
 * @param id - construct id
 */
constructor(scope: cdk.Construct, id: string) {
  super(scope, id);

  const destroyPolicy = cdk.RemovalPolicy.DESTROY;
  const generatedName = cdk.PhysicalName.GENERATE_IF_NEEDED;

  const replicationKey = new kms.Key(
    this,
    'CrossRegionCodePipelineReplicationBucketEncryptionKey',
    { removalPolicy: destroyPolicy },
  );

  const replicationKeyAlias = new AliasWithShorterGeneratedName(
    this,
    'CrossRegionCodePipelineReplicationBucketEncryptionAlias',
    {
      targetKey: replicationKey,
      aliasName: generatedName,
      removalPolicy: destroyPolicy,
    },
  );

  // The bucket refers to the key through the alias rather than the key itself.
  this.replicationBucket = new s3.Bucket(
    this,
    'CrossRegionCodePipelineReplicationBucket',
    {
      bucketName: generatedName,
      encryptionKey: replicationKeyAlias,
    },
  );
}
}
if (encryption === QueueEncryption.UNENCRYPTED) {
return { encryptionProps: {} };
}
if (encryption === QueueEncryption.KMS_MANAGED) {
return {
encryptionProps: {
kmsMasterKeyId: 'alias/aws/sqs',
kmsDataKeyReusePeriodSeconds: props.dataKeyReuse && props.dataKeyReuse.toSeconds()
}
};
}
if (encryption === QueueEncryption.KMS) {
const masterKey = props.encryptionMasterKey || new kms.Key(this, 'Key', {
description: `Created by ${this.node.path}`
});
return {
encryptionMasterKey: masterKey,
encryptionProps: {
kmsMasterKeyId: masterKey.keyArn,
kmsDataKeyReusePeriodSeconds: props.dataKeyReuse && props.dataKeyReuse.toSeconds()
}
};
}
throw new Error(`Unexpected 'encryptionType': ${encryption}`);
}
}