keyManagementServiceArn property

String keyManagementServiceArn
final

The Amazon Resource Name (ARN) of a customer managed key (CMK) in AWS Key Management Service (KMS). The KeyManagementServiceArn must be unique for each key-signing key (KSK) in a single hosted zone, so each KSK needs its own KMS key. For a key policy example that grants the correct permissions for DNSSEC, see the examples for CreateKeySigningKey in the Amazon Route 53 API Reference (the example is not reproduced on this page).

You must configure the CMK as follows:

Status
Enabled
Key spec
ECC_NIST_P256
Key usage
Sign and verify
Key policy
The key policy must give permission for the following actions:
  • DescribeKey
  • GetPublicKey
  • Sign
The key policy must also name the Amazon Route 53 DNSSEC service principal in the Principal element of the statement that grants those actions. Specify the following:
  • "Service": "dnssec-route53.amazonaws.com"
(Earlier versions of the Route 53 documentation listed this principal as "api-service.dnssec.route53.aws.internal".) Because a service principal signs on your behalf, scope that statement to your own account and hosted zones with the aws:SourceAccount and aws:SourceArn condition keys, the guard AWS recommends against the cross-service confused deputy problem. For more information about working with a CMK in KMS, see AWS Key Management Service concepts.
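The requirements above are easy to get subtly wrong (an RSA key, a disabled key, a policy that forgets kms:Sign) and Route 53 only reports the failure when the KSK is created. The following is an added example, not code from the original page or from the Route 53 SDK: a pre-flight check that validates a key's DescribeKey metadata and default key policy against those requirements before the ARN is passed as keyManagementServiceArn. The metadata and policies embedded below are constructed samples (account 111122223333 is the AWS documentation placeholder); `fetch_key_facts` shows how to obtain real inputs with boto3, which is assumed to be installed and credentialed, and is not called here.

```python
"""Pre-flight check of a KMS key against Route 53's DNSSEC KSK requirements.

Added example; not code from the page or the SDK. Sample inputs are constructed.
"""
import json

ROUTE53_DNSSEC_PRINCIPAL = "dnssec-route53.amazonaws.com"
REQUIRED_ACTIONS = {"kms:DescribeKey", "kms:GetPublicKey", "kms:Sign"}


def _as_list(value):
    # IAM policy fields may be a single string or a list of strings.
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def _route53_allow_statements(policy):
    """Allow statements whose Principal.Service names the Route 53 DNSSEC principal."""
    found = []
    for stmt in _as_list(policy.get("Statement")):
        principal = stmt.get("Principal")
        services = _as_list(principal.get("Service")) if isinstance(principal, dict) else []
        if stmt.get("Effect") == "Allow" and ROUTE53_DNSSEC_PRINCIPAL in services:
            found.append(stmt)
    return found


def route53_granted_actions(policy):
    """Set of kms actions the policy grants to the Route 53 DNSSEC principal."""
    granted = set()
    for stmt in _route53_allow_statements(policy):
        for action in _as_list(stmt.get("Action")):
            if action in ("*", "kms:*"):
                granted |= REQUIRED_ACTIONS
            else:
                granted.add(action)
    return granted


def route53_statements_scoped(policy):
    """True when every Route 53 statement carries an aws:SourceAccount or
    aws:SourceArn condition (confused-deputy guard); False if none exists."""
    stmts = _route53_allow_statements(policy)
    if not stmts:
        return False
    for stmt in stmts:
        cond = json.dumps(stmt.get("Condition", {}))
        if "aws:SourceAccount" not in cond and "aws:SourceArn" not in cond:
            return False
    return True


def check_dnssec_key(metadata, policy):
    """Return hard failures; an empty list means the key can back a KSK.

    `metadata` is the KeyMetadata dict from kms:DescribeKey, `policy` the parsed
    default key policy from kms:GetKeyPolicy.
    """
    problems = []
    if metadata.get("KeyState") != "Enabled":
        problems.append("KeyState is %r, must be 'Enabled'" % metadata.get("KeyState"))
    # Older DescribeKey responses carry the spec under CustomerMasterKeySpec.
    spec = metadata.get("KeySpec") or metadata.get("CustomerMasterKeySpec")
    if spec != "ECC_NIST_P256":
        problems.append("KeySpec is %r, must be 'ECC_NIST_P256'" % spec)
    if metadata.get("KeyUsage") != "SIGN_VERIFY":
        problems.append("KeyUsage is %r, must be 'SIGN_VERIFY'" % metadata.get("KeyUsage"))
    missing = REQUIRED_ACTIONS - route53_granted_actions(policy)
    if missing:
        problems.append("key policy does not grant %s to %s"
                        % (", ".join(sorted(missing)), ROUTE53_DNSSEC_PRINCIPAL))
    return problems


def fetch_key_facts(key_arn):
    """Fetch real inputs with boto3 (assumed installed and credentialed); not called here."""
    import boto3
    kms = boto3.client("kms")
    metadata = kms.describe_key(KeyId=key_arn)["KeyMetadata"]
    policy = json.loads(kms.get_key_policy(KeyId=key_arn, PolicyName="default")["Policy"])
    return metadata, policy


# Constructed sample inputs (111122223333 is the AWS documentation placeholder account).
GOOD_METADATA = {"KeyState": "Enabled", "KeySpec": "ECC_NIST_P256", "KeyUsage": "SIGN_VERIFY"}
BAD_METADATA = {"KeyState": "Disabled", "KeySpec": "RSA_2048", "KeyUsage": "ENCRYPT_DECRYPT"}
GOOD_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Sid": "Enable IAM User Permissions", "Effect": "Allow",
         "Principal": {"AWS": "arn:aws:iam::111122223333:root"},
         "Action": "kms:*", "Resource": "*"},
        {"Sid": "Allow Route 53 DNSSEC Service", "Effect": "Allow",
         "Principal": {"Service": ROUTE53_DNSSEC_PRINCIPAL},
         "Action": ["kms:DescribeKey", "kms:GetPublicKey", "kms:Sign"], "Resource": "*",
         "Condition": {"StringEquals": {"aws:SourceAccount": "111122223333"},
                       "ArnLike": {"aws:SourceArn": "arn:aws:route53:::hostedzone/*"}}},
    ],
}
# Missing kms:Sign and no confused-deputy condition.
BAD_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Principal": {"Service": ROUTE53_DNSSEC_PRINCIPAL},
     "Action": ["kms:DescribeKey", "kms:GetPublicKey"], "Resource": "*"}]}

if __name__ == "__main__":
    for name, md, pol in (("good", GOOD_METADATA, GOOD_POLICY), ("bad", BAD_METADATA, BAD_POLICY)):
        print(name, check_dnssec_key(md, pol) or "OK",
              "scoped" if route53_statements_scoped(pol) else "UNSCOPED")
```

The check treats the scoping condition as a warning rather than a hard failure, since Route 53 will accept an unscoped policy; a hardened policy fails `route53_statements_scoped` only when the Route 53 statement can be invoked from any account.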

Implementation

final String keyManagementServiceArn;