AgentSkillsCN

aws-cli-kms

Use when working with AWS KMS commands: encryption keys, key policies, grants, aliases, encryption and decryption, key rotation, multi-region keys, custom key stores. Use this skill when creating and managing KMS keys (symmetric, asymmetric, HMAC), encrypting and decrypting data, signing and verifying digital signatures, managing key policies and grants, creating and managing key aliases, configuring automatic key rotation, setting up multi-region keys, managing custom key stores, or importing external key material.

SKILL.md
---
name: aws-cli-kms
description: Use when working with AWS KMS commands — encryption keys, key policies, grants, aliases, encryption/decryption, key rotation, multi-region keys, custom key stores. Use this skill when creating and managing KMS keys (symmetric, asymmetric, HMAC), encrypting and decrypting data, signing and verifying digital signatures, managing key policies and grants, creating and managing key aliases, configuring automatic key rotation, setting up multi-region keys, managing custom key stores, or importing external key material.
---

AWS CLI v2 — KMS (Key Management Service)

Overview

Complete reference for all aws kms subcommands in AWS CLI v2. Covers symmetric and asymmetric key creation, key policies, grants, aliases, encrypt/decrypt/sign/verify operations, automatic key rotation, multi-region keys, custom key stores (CloudHSM), and key material import.

Quick Reference — Common Workflows

Create a symmetric encryption key

```bash
aws kms create-key --description "My encryption key" \
  --key-usage ENCRYPT_DECRYPT --key-spec SYMMETRIC_DEFAULT
aws kms create-alias --alias-name alias/my-key --target-key-id <key-id>
```
aws kms create-alias --alias-name alias/my-key --target-key-id <key-id>

Encrypt and decrypt data

```bash
aws kms encrypt --key-id alias/my-key --plaintext fileb://plaintext.txt \
  --output text --query CiphertextBlob | base64 --decode > encrypted.bin
# Symmetric ciphertext carries the ARN of the key that produced it, so decrypt works
# without --key-id; pass --key-id anyway so a blob wrapped by a different key fails
# (IncorrectKeyException) instead of being decrypted under whatever key it names.
aws kms decrypt --ciphertext-blob fileb://encrypted.bin \
  --output text --query Plaintext | base64 --decode > decrypted.txt
```

Generate a data key for envelope encryption

```bash
aws kms generate-data-key --key-id alias/my-key --key-spec AES_256
```
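The command above only mints the data key; the envelope itself (encrypt locally with the Plaintext, keep the CiphertextBlob next to the ciphertext, call kms decrypt on that blob later) is left to the caller. The script below is an added example, not code from the skill page, and shows that round trip with openssl. It assumes the alias alias/my-key from the page, a caller with kms:GenerateDataKey and kms:Decrypt on that key, and a local openssl; the encryption context app=envelope-demo, the 64-byte-then-hex key handling and the .enc/.meta file layout are this example's own choices.

```shell
#!/bin/sh
# Envelope encryption with AWS KMS + openssl (added example, not from the skill page).
# Assumptions: alias/my-key exists, the caller may GenerateDataKey/Decrypt on it,
# and openssl is installed. KMS only ever sees the 32-byte data key, never the data.
set -eu

KMS_KEY_ID="${KMS_KEY_ID:-alias/my-key}"
ENC_CONTEXT="app=envelope-demo"   # assumed value; bound to the data key, must match on decrypt

# Ask KMS for a fresh 256-bit data key. Prints "<plaintext-key b64> <CiphertextBlob b64>".
kms_generate_data_key() {
  aws kms generate-data-key --key-id "$KMS_KEY_ID" --key-spec AES_256 \
    --encryption-context "$ENC_CONTEXT" \
    --output text --query '[Plaintext, CiphertextBlob]'
}

# Unwrap a CiphertextBlob ($1, base64). Prints the plaintext data key (base64).
# --key-id pins the wrapping key: a blob from any other key is rejected, not silently used.
kms_decrypt_data_key() {
  blob_file=$(mktemp)
  printf '%s' "$1" | base64 -d > "$blob_file"
  aws kms decrypt --key-id "$KMS_KEY_ID" --ciphertext-blob "fileb://$blob_file" \
    --encryption-context "$ENC_CONTEXT" --output text --query Plaintext
  rm -f "$blob_file"
}

# base64 on stdin -> lowercase hex on stdout (openssl enc -K / -iv want hex).
b64_to_hex() { base64 -d | od -An -tx1 | tr -d ' \n'; }

# envelope_encrypt <plaintext-file> <out-prefix>
# Writes <out-prefix>.enc (AES-256-CBC ciphertext) and <out-prefix>.meta (wrapped key + IV).
# The plaintext data key lives only in this shell's memory; only the wrapped copy hits disk.
envelope_encrypt() {
  set -- "$1" "$2" $(kms_generate_data_key)   # $3 = plaintext key, $4 = CiphertextBlob
  key_hex=$(printf '%s' "$3" | b64_to_hex)
  iv_hex=$(openssl rand -hex 16)
  openssl enc -aes-256-cbc -K "$key_hex" -iv "$iv_hex" -in "$1" -out "$2.enc"
  printf 'blob=%s\niv=%s\n' "$4" "$iv_hex" > "$2.meta"
  unset key_hex
}

# envelope_decrypt <out-prefix> <destination-file>
# Reads the wrapped key back, has KMS unwrap it, then decrypts the bulk data locally.
envelope_decrypt() {
  blob=$(sed -n 's/^blob=//p' "$1.meta")
  iv_hex=$(sed -n 's/^iv=//p' "$1.meta")
  key_hex=$(kms_decrypt_data_key "$blob" | b64_to_hex)
  openssl enc -d -aes-256-cbc -K "$key_hex" -iv "$iv_hex" -in "$1.enc" -out "$2"
  unset key_hex
}

# Usage:
#   envelope_encrypt secrets.txt secrets     # -> secrets.enc, secrets.meta
#   envelope_decrypt secrets secrets.out
```

Two caveats a practitioner should carry away: AES-CBC as used here gives confidentiality but no integrity, so anything that must detect tampering should use an AEAD mode (the AWS Encryption SDK does this, and also stores the wrapped key and context in its own message format); and the encryption context is not secret, it is logged in CloudTrail, which is exactly why it is useful for tying a blob to the application that may decrypt it.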

Enable automatic key rotation

```bash
aws kms enable-key-rotation --key-id <key-id>
aws kms get-key-rotation-status --key-id <key-id>
```

List all keys and aliases

```bash
aws kms list-keys --query 'Keys[].KeyId'
aws kms list-aliases --query 'Aliases[].{Alias:AliasName,Key:TargetKeyId}'
```

Covered Command Groups

| Group | Commands | Description |
| --- | --- | --- |
| Keys | create-key, describe-key, list-keys, enable-key, disable-key, schedule/cancel-key-deletion | Key lifecycle |
| Cryptographic Ops | encrypt, decrypt, re-encrypt, generate-data-key, generate-data-key-without-plaintext, generate-random, sign, verify, generate-mac, verify-mac | Data operations |
| Key Policies | get/put-key-policy, list-key-policies | Access control |
| Grants | create-grant, list-grants, list-retirable-grants, retire-grant, revoke-grant | Delegated access |
| Aliases | create-alias, delete-alias, list-aliases, update-alias | Friendly names |
| Rotation | enable/disable-key-rotation, get-key-rotation-status, rotate-key-on-demand | Key rotation |
| Multi-Region | replicate-key, update-primary-region | Cross-region keys |
| Custom Key Stores | create/delete/describe/update/connect/disconnect-custom-key-store | CloudHSM-backed |
| Import Key Material | get-parameters-for-import, import-key-material, delete-imported-key-material | External keys |
| Tags | tag-resource, untag-resource, list-resource-tags | Resource tagging |

Command Reference

See references/index.md for the quick reference table and global options.

| Group | File | Commands |
| --- | --- | --- |
| Key Management | key-management.md | create-key, describe-key, list-keys, enable-key, disable-key, schedule-key-deletion, cancel-key-deletion, get-key-policy, put-key-policy, list-key-policies, get-public-key, update-key-description |
| Cryptographic Operations | cryptographic-operations.md | encrypt, decrypt, re-encrypt, generate-data-key, generate-data-key-without-plaintext, generate-data-key-pair, generate-data-key-pair-without-plaintext, generate-random, sign, verify, generate-mac, verify-mac, derive-shared-secret |
| Grants | grants.md | create-grant, list-grants, list-retirable-grants, retire-grant, revoke-grant |
| Aliases | aliases.md | create-alias, delete-alias, list-aliases, update-alias |
| Key Rotation | key-rotation.md | enable-key-rotation, disable-key-rotation, get-key-rotation-status, list-key-rotations, rotate-key-on-demand |
| Multi-Region Keys | multi-region-keys.md | replicate-key, update-primary-region |
| Custom Key Stores | custom-key-stores.md | create-custom-key-store, delete-custom-key-store, describe-custom-key-stores, update-custom-key-store, connect-custom-key-store, disconnect-custom-key-store |
| Import Key Material | import-key-material.md | get-parameters-for-import, import-key-material, delete-imported-key-material |
| Tags | tags.md | tag-resource, untag-resource, list-resource-tags |