keyManagementServiceArn property
The Amazon resource name (ARN) for a customer managed key (CMK) in AWS Key Management Service (KMS). The KeyManagementServiceArn must be unique for each key signing key (KSK) in a single hosted zone. To see an example of KeyManagementServiceArn that grants the correct permissions for DNSSEC, scroll down to Example.
You must configure the CMK as follows:
- Status: Enabled
- Key spec: ECC_NIST_P256
- Key usage: Sign and verify
- Key policy: The key policy must give permission for the following actions:
  - DescribeKey
  - GetPublicKey
  - Sign

  "Service": "api-service.dnssec.route53.aws.internal"
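The requirements above can be verified before a key is assigned to a KSK. The following Python check is an added example, not part of this package or the AWS documentation. It assumes the key metadata uses the KMS DescribeKey field names (KeyState, KeySpec, KeyUsage), that policy actions carry the kms: prefix, and that the "Service" value above is the policy's service principal; the sample data is constructed.

```python
from fnmatch import fnmatchcase

REQUIRED_ACTIONS = {"kms:DescribeKey", "kms:GetPublicKey", "kms:Sign"}
SERVICE_PRINCIPAL = "api-service.dnssec.route53.aws.internal"  # value from this page

def _as_list(value):
    """Policy fields may hold one string or a list of strings."""
    if value is None:
        return []
    return [value] if isinstance(value, str) else list(value)

def granted_actions(policy, service=SERVICE_PRINCIPAL):
    """Required actions that Allow statements grant to the service principal.
    Deny statements and Condition blocks are not evaluated here."""
    granted = set()
    statements = policy.get("Statement", [])
    if isinstance(statements, dict):  # a single statement may appear without a list
        statements = [statements]
    for stmt in statements:
        principal = stmt.get("Principal")
        services = _as_list(principal.get("Service")) if isinstance(principal, dict) else []
        if stmt.get("Effect") != "Allow" or service not in services:
            continue
        # Action names are case-insensitive and may contain wildcards (kms:*, kms:Get*).
        patterns = [a.lower() for a in _as_list(stmt.get("Action"))]
        granted |= {r for r in REQUIRED_ACTIONS
                    if any(fnmatchcase(r.lower(), p) for p in patterns)}
    return granted

def check_ksk_key(metadata, policy, service=SERVICE_PRINCIPAL):
    """Return findings; an empty list means every requirement is met."""
    expected = {"KeyState": "Enabled", "KeySpec": "ECC_NIST_P256", "KeyUsage": "SIGN_VERIFY"}
    findings = [f"{field} is {metadata.get(field)!r}, expected {want!r}"
                for field, want in expected.items() if metadata.get(field) != want]
    missing = REQUIRED_ACTIONS - granted_actions(policy, service)
    findings += [f"key policy does not allow {a} to {service}" for a in sorted(missing)]
    return findings

# Constructed sample data: key metadata and a key policy that meet the requirements.
SAMPLE_METADATA = {"KeyState": "Enabled", "KeySpec": "ECC_NIST_P256", "KeyUsage": "SIGN_VERIFY"}
SAMPLE_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Principal": {"Service": SERVICE_PRINCIPAL},
     "Action": ["kms:DescribeKey", "kms:GetPublicKey"], "Resource": "*"},
    {"Effect": "Allow", "Principal": {"Service": [SERVICE_PRINCIPAL]},
     "Action": "kms:Sign", "Resource": "*"},
]}

if __name__ == "__main__":
    print(check_ksk_key(SAMPLE_METADATA, SAMPLE_POLICY) or "key meets the DNSSEC requirements")
```
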
Implementation
final String keyManagementServiceArn;