
KMS

Symmetric and asymmetric keys, data keys, encrypt/decrypt, grants, aliases.

JSON-RPC (X-Amz-Target) | multi-tenant | 27 operations

Quick start

import boto3

# Client for the local MiniStack endpoint.
kms = boto3.client("kms", endpoint_url="http://localhost:4566",
                   region_name="us-east-1",
                   aws_access_key_id="test", aws_secret_access_key="test")
# Create a key, encrypt a short plaintext under it, then decrypt the ciphertext.
k = kms.create_key()["KeyMetadata"]
ct = kms.encrypt(KeyId=k["KeyId"], Plaintext=b"secret")["CiphertextBlob"]
print(kms.decrypt(CiphertextBlob=ct)["Plaintext"])

Supported operations

This service exposes 27 operations as of MiniStack 1.3.14. The list is extracted directly from the handler dispatch in the source module.

CancelKeyDeletion, CreateAlias, CreateKey, Decrypt, DeleteAlias, DescribeKey, DisableKey, DisableKeyRotation, EnableKey, EnableKeyRotation, Encrypt, GenerateDataKey, GenerateDataKeyWithoutPlaintext, GetKeyPolicy, GetKeyRotationStatus, GetPublicKey, ListAliases, ListKeyPolicies, ListKeys, ListResourceTags, PutKeyPolicy, ScheduleKeyDeletion, Sign, TagResource, UntagResource, UpdateAlias, Verify

CloudFormation

The CloudFormation engine provisions these resource types via this service:

AWS::KMS::Key, AWS::KMS::Alias

See CloudFormation engine for intrinsic support and lifecycle details.

Known limitations

  • S3 SSE-KMS integration is not implemented — the key is tracked but objects are stored unencrypted.
  • HSM / CustomKeyStore operations are metadata only.

Source

  • ministack/services/kms.py:921-981

Read the source to verify the ops list above — dispatch tables and handler functions are the ground truth.