AWS Key Management Service
Developer Guide

Creating Keys

You can use the IAM section of the AWS Management Console to create a customer master key (CMK).

To create a new CMK

  1. Open the Encryption Keys section of the Identity and Access Management (IAM) console at https://console.aws.amazon.com/iam/home#encryptionKeys.

  2. For Filter, choose the appropriate AWS region. Do not use the region selector in the menu bar (top right corner).

  3. Choose Create Key.

  4. Type an alias for the CMK.

    Note

    The alias is a display name that you can use to easily identify the CMK. We recommend that you choose an alias that indicates the type of data you will protect or the application you will use with the CMK. The alias must be between 1 and 32 characters (inclusive) and may contain alphanumeric characters, hyphens (-), forward slashes (/), and underscores (_). An alias cannot begin with aws. Aliases that begin with aws are reserved by Amazon Web Services to represent AWS-managed CMKs in your account.

  5. Type a description for the CMK.

    Note

    The description can be up to 256 characters and should describe what the CMK will be used to encrypt.

  6. Choose Next Step.

  7. Select which IAM users and roles can administer the CMK.

    Note

    The key policy that the console creates gives the AWS account (root user) full access to the CMK by default. That statement is what lets IAM policies in the account grant KMS permissions, so any IAM user or role whose attached IAM policies grant the appropriate kms: permissions can also administer the CMK, whether or not you select it here.

    Choose Next Step.

  8. Select which IAM users and roles can use the CMK to encrypt and decrypt data with the AWS KMS API.

    Note

    The key policy that the console creates gives the AWS account (root user) full access to the CMK by default. Because of that statement, any IAM user or role whose attached IAM policies grant the appropriate kms: permissions can also use the CMK, whether or not you select it here.

  9. (Optional) At the bottom of the page, you can also identify other AWS accounts that can use this CMK to encrypt and decrypt data. Choose Add an External Account and then type the ID of the account that can use this CMK. Repeat as necessary to add more than one external account.

    Note

    Administrators of the external accounts must also allow access to the CMK by creating IAM policies for their users. For more information, see Allowing External AWS Accounts to Access a CMK.

  10. Choose Next Step.

  11. Choose Finish to create the CMK.