CreateKeySigningKeyRequest
import type { CreateKeySigningKeyRequest } from "https://aws-api.deno.dev/v0.4/services/route53.ts?docs=full";
§Properties
The Amazon resource name (ARN) for a customer managed key in Key Management Service (KMS).
The KeyManagementServiceArn
must be unique for each key-signing key (KSK) in a single hosted zone.
To see an example of KeyManagementServiceArn
that grants the correct permissions for DNSSEC, scroll down to Example.
You must configure the customer managed customer managed key as follows:
Status: Enabled
Key spec: ECC_NIST_P256
Key usage: Sign and verify
Key policy: The key policy must give permission for the following actions: - DescribeKey - GetPublicKey - Sign The key policy must also include the Amazon Route 53 service in the principal for your account. Specify the following: - "Service": "dnssec-route53.amazonaws.com"
For more information about working with a customer managed key in KMS, see Key Management Service concepts.