Required permissions: kms:Decrypt (key policy)Ĭiphertext to be decrypted. Parameter to identify a KMS key in a different AWS account, specify the key ARN or the alias Forĭetails, see Key states of AWS KMS keys in theĬross-account use: Yes. The KMS key that you use for this operation must be in a compatible key state. ( CiphertextForRecipient).For information about the interaction between AWS KMS and AWS Nitro Enclaves, see How AWS Nitro Enclaves uses AWS KMS in the Plaintext data encrypted with the public key from the attestation document Instead of the plaintext data, the response includes the Use the Recipient parameter to provide theĪttestation document for the enclave. The AWS Nitro Enclaves SDK or any AWS SDK. Isolated compute environment in Amazon EC2. For details, see Best practices for IAMĭecrypt also supports AWS Nitro Enclaves, which provide an If you must useĪn IAM policy for Decrypt permissions, limit the user to particular KMS keys or In other accounts if the key policy for the cross-account KMS key permits it.
This user could decrypt ciphertext that was encrypted by KMS keys Otherwise, you might create an &IAM policy that gives the user Decrypt Whenever possible, use key policies to give users permission to call theĭecrypt operation on a particular KMS key, instead of using &IAM policies. This practice ensures that you use the KMS key that
If the ciphertext was encrypted under a different KMS key,
When you use the KeyId parameter to specify a KMS key, AWS KMS However, specifying the KMS key is always recommended asĪ best practice. This feature adds durability to your implementationīy ensuring that authorized users can decrypt ciphertext decades after it was encrypted, even It adds to the symmetric ciphertext blob. AWS KMS can get this information from metadata that If the ciphertext was encrypted under a symmetric encryption KMS key, the These libraries return a ciphertext format that is incompatible with AWS KMS. However, it cannot decrypt symmetricĬiphertext produced by other libraries, such as the AWS Encryption SDK or Amazon S3 client-side encryption. The Decrypt operation also decrypts ciphertext that was encrypted outside ofĪWS KMS by the public key in an AWS KMS asymmetric KMS key. Must specify the KMS key and the encryption algorithm that was used to encrypt the ciphertext.įor information about asymmetric KMS keys, see Asymmetric KMS keys in theĪWS Key Management Service Developer Guide. You can use this operation to decrypt ciphertext that was encrypted under a symmetricĮncryption KMS key or an asymmetric encryption KMS key.
0 kommentar(er)
