Creates a new CMK.
This method creates a new CMK of the specified KeySpec, and returns its Amazon resource name (ARN). The new CMK's Id is the last part of the returned ARN; for example, if the ARN is arn:aws:kms:us-east-2:111122223333:key/1234abcd-12ab-34cd-56ef-1234567890ab, then the CMK's Id is 1234abcd-12ab-34cd-56ef-1234567890ab.
The KeySpec parameter specifies the type of CMK that should be created. To create a symmetric key, pass SYMMETRIC_DEFAULT (or empty string); this will create a key using a symmetric algorithm based on AES-256-GCM. To create an asymmetric key, pass one of the following strings instead:
- ECC_NIST_P256 (secp256r1)
- ECC_NIST_P384 (secp384r1)
- ECC_NIST_P521 (secp521r1)
- ECC_SECG_P256K1 (secp256k1)
The ForSigning parameter specifies whether the new CMK should be for encryption and decryption () or signing and verification (). However, this is only applicable for RSA key specs; symmetric keys are always for encryption/decryption, and elliptic curve key specs are always for signing/verification, so this parameter is ignored if one of those specs is passed for KeySpec.
The Description parameter specifies the CMK's description. This description can be changed at any time using the UpdateKeyDescription method.
To create the CMK in a custom key store, set the CustomKeyStoreId configuration setting before calling this method. To set the CMK's key policy, set the CreateKeyPolicy configuration setting before calling this method. Refer to these configuration settings for more information.