kmsArn property

String? kmsArn
final

The Amazon Resource Name (ARN) used to identify the customer managed key (CMK) in AWS Key Management Service (KMS). The KmsArn must be unique for each key signing key (KSK) in a single hosted zone.

You must configure the CMK as follows:

Status: Enabled
Key spec: ECC_NIST_P256
Key usage: Sign and verify
Key policy: The key policy must give permission for the following actions:
  • DescribeKey
  • GetPublicKey
  • Sign
The key policy must also include the Amazon Route 53 service in the principal for your account. Specify the following:
  • "Service": "api-service.dnssec.route53.aws.internal"
For more information about working with the customer managed key (CMK) in KMS, see AWS Key Management Service concepts.
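The following added example (not part of the original page or the SDK) checks a key's KMS DescribeKey metadata and key policy document against the requirements listed above before the ARN is used as kmsArn. It assumes the three actions are granted to the Route 53 service principal in Allow statements and does not evaluate Deny statements or Condition blocks; the function name and sample values are constructed for illustration.

```python
import fnmatch

# Requirements as listed on this page (KMS DescribeKey reports the usage as SIGN_VERIFY).
REQUIRED_METADATA = {"KeyState": "Enabled", "KeySpec": "ECC_NIST_P256", "KeyUsage": "SIGN_VERIFY"}
REQUIRED_ACTIONS = ("kms:DescribeKey", "kms:GetPublicKey", "kms:Sign")
SERVICE_PRINCIPAL = "api-service.dnssec.route53.aws.internal"


def _as_list(value):
    """IAM policy fields may hold a single value or a list of values."""
    return value if isinstance(value, list) else [] if value is None else [value]


def check_ksk_cmk(metadata, policy):
    """Return a list of problems; an empty list means the key meets the page's requirements."""
    problems = []
    for field, wanted in REQUIRED_METADATA.items():
        if metadata.get(field) != wanted:
            problems.append(f"{field} is {metadata.get(field)!r}, expected {wanted!r}")
    granted = set()
    for stmt in _as_list(policy.get("Statement")):
        principal = stmt.get("Principal")
        services = _as_list(principal.get("Service")) if isinstance(principal, dict) else []
        if stmt.get("Effect") != "Allow" or SERVICE_PRINCIPAL not in services:
            continue  # assumption: only Allow statements naming the service principal count
        for pattern in _as_list(stmt.get("Action")):
            for action in REQUIRED_ACTIONS:
                # IAM action names are case-insensitive and may contain * wildcards.
                if fnmatch.fnmatchcase(action.lower(), pattern.lower()):
                    granted.add(action)
    for action in REQUIRED_ACTIONS:
        if action not in granted:
            problems.append(f"{action} is not allowed for {SERVICE_PRINCIPAL}")
    return problems


# Constructed sample input: the shape of DescribeKey "KeyMetadata" and of a key policy document.
SAMPLE_METADATA = {"KeyState": "Enabled", "KeySpec": "ECC_NIST_P256", "KeyUsage": "SIGN_VERIFY"}
SAMPLE_POLICY = {"Version": "2012-10-17", "Statement": [{
    "Effect": "Allow",
    "Principal": {"Service": SERVICE_PRINCIPAL},
    "Action": ["kms:DescribeKey", "kms:GetPublicKey"],  # kms:Sign left out on purpose
    "Resource": "*",
}]}

if __name__ == "__main__":
    print(check_ksk_cmk(SAMPLE_METADATA, SAMPLE_POLICY))
```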

Implementation

final String? kmsArn;