Creates an asymmetric KMS key used only for signing and verification, with a key policy that separates key administration (an Admin role) from key use (a Developer role).
# Account that Terraform is authenticated against; only account_id is
# consumed below, to build the principal ARNs in the key policy.
data "aws_caller_identity" "current" {}
# RSA-3072 asymmetric KMS key restricted to Sign/Verify operations.
# The key policy has three tiers: the account root (so IAM identity
# policies can be used at all), an Admin role that manages the key but
# cannot sign with it, and a Developer role that can sign/verify but
# cannot manage the key.
resource "aws_kms_key" "example" {
  description = "RSA-3072 asymmetric KMS key for signing and verification"

  # SIGN_VERIFY keys only accept the signing/verification APIs; they
  # cannot be used for Encrypt/Decrypt.
  key_usage                = "SIGN_VERIFY"
  customer_master_key_spec = "RSA_3072"

  # KMS automatic rotation applies to symmetric keys only, so this must
  # stay false for an asymmetric key; rotation, if needed, is a manual
  # create-new-key-and-repoint-alias process.
  enable_key_rotation = false

  policy = jsonencode({
    Version = "2012-10-17"
    Id      = "key-default-1"
    Statement = [
      # Tier 1: account root. Without this statement IAM identity
      # policies cannot grant access to the key, and the account can be
      # locked out of managing it.
      {
        Sid       = "Enable IAM User Permissions"
        Effect    = "Allow"
        Principal = { AWS = "arn:aws:iam::${data.aws_caller_identity.current.account_id}:root" }
        Action    = "kms:*"
        # In a key policy, "*" refers to this key only, not to every key
        # in the account.
        Resource = "*"
      },
      # Tier 2: key administration. None of these actions match
      # kms:Sign or kms:Verify, so Admin cannot produce signatures.
      # Note that kms:Put* matches kms:PutKeyPolicy and kms:Create*
      # matches kms:CreateGrant, so the Admin role can rewrite this
      # policy or delegate use of the key via grants and is therefore
      # fully trusted with respect to this key.
      {
        Sid       = "Allow administration of the key"
        Effect    = "Allow"
        Principal = { AWS = "arn:aws:iam::${data.aws_caller_identity.current.account_id}:role/Admin" }
        Action = [
          "kms:Create*",
          "kms:Describe*",
          "kms:Enable*",
          "kms:List*",
          "kms:Put*",
          "kms:Update*",
          "kms:Revoke*",
          "kms:Disable*",
          "kms:Get*",
          "kms:Delete*",
          "kms:ScheduleKeyDeletion",
          "kms:CancelKeyDeletion"
        ]
        Resource = "*"
      },
      # Tier 3: key use. kms:GetPublicKey is not granted here, so this
      # role verifies signatures through the kms:Verify API unless the
      # public key is distributed to it by other means.
      {
        Sid       = "Allow use of the key"
        Effect    = "Allow"
        Principal = { AWS = "arn:aws:iam::${data.aws_caller_identity.current.account_id}:role/Developer" }
        Action = [
          "kms:Sign",
          "kms:Verify",
          "kms:DescribeKey"
        ]
        Resource = "*"
      }
    ]
  })
}