keySpec
Specifies the type of KMS key to create. The default value, SYMMETRIC_DEFAULT, creates a KMS key with a 256-bit AES-GCM key that is used for encryption and decryption, except in China Regions, where it creates a 128-bit symmetric key that uses SM4 encryption. For help choosing a key spec for your KMS key, see Choosing a KMS key type in the Key Management Service Developer Guide.
The KeySpec determines whether the KMS key contains a symmetric key or an asymmetric key pair. It also determines the algorithms that the KMS key supports. You can't change the KeySpec after the KMS key is created. To further restrict the algorithms that can be used with the KMS key, use a condition key in its key policy or IAM policy. For more information, see kms:EncryptionAlgorithm, kms:MacAlgorithm or kms:Signing Algorithm in the Key Management Service Developer Guide.
Amazon Web Services services that are integrated with KMS use symmetric encryption KMS keys to protect your data. These services do not support asymmetric KMS keys or HMAC KMS keys.
KMS supports the following key specs for KMS keys:
Symmetric encryption key (default)
SYMMETRIC_DEFAULTHMAC keys (symmetric)
HMAC_224HMAC_256HMAC_384HMAC_512Asymmetric RSA key pairs
RSA_2048RSA_3072RSA_4096Asymmetric NIST-recommended elliptic curve key pairs
ECC_NIST_P256(secp256r1)ECC_NIST_P384(secp384r1)ECC_NIST_P521(secp521r1)Other asymmetric elliptic curve key pairs
ECC_SECG_P256K1(secp256k1), commonly used for cryptocurrencies.SM2 key pairs (China Regions only)
SM2