AWS Key Management Service
Developer Guide

Creating Keys

You can use the IAM section of the AWS Management Console to create a customer master key (CMK). You can also use the CreateKey operation in the AWS KMS API.

To create a new CMK in the AWS Management Console

  1. Open the Encryption keys section of the AWS Identity and Access Management (IAM) console at https://console.aws.amazon.com/iam/home#encryptionKeys.

  2. For Region, choose the appropriate AWS Region. Do not use the region selector in the navigation bar (top right corner).

  3. Choose Create key.

  4. Type an alias for the CMK. An alias cannot begin with aws. Aliases that begin with aws are reserved by Amazon Web Services to represent AWS-managed CMKs in your account.

    An alias is a display name that you can use to identify the CMK. We recommend that you choose an alias that indicates the type of data you plan to protect or the application you plan to use with the CMK.

  5. (Optional) Type a description for the CMK.

    We recommend that you choose a description that explains the type of data you plan to protect or the application you plan to use with the CMK.

  6. Choose Next Step.

  7. (Optional) Type a tag key and an optional tag value. To add more than one tag to the CMK, choose Add tag.

  8. Choose Next Step.

  9. Select which IAM users and roles can administer the CMK.

    Note

    The AWS account (root user) has full permissions by default. As a result, any IAM users and roles whose attached policies allow the appropriate permissions can also administer the CMK.

  10. (Optional) To prevent the IAM users and roles that you chose in the previous step from deleting this CMK, clear the box at the bottom of the page for Allow key administrators to delete this key.

  11. Choose Next Step.

  12. Select which IAM users and roles can use the CMK to encrypt and decrypt data with the AWS KMS API.

    Note

    The AWS account (root user) has full permissions by default. As a result, any IAM users and roles whose attached policies allow the appropriate permissions can also use the CMK.

  13. (Optional) You can use the controls at the bottom of the page to specify other AWS accounts that can use this CMK to encrypt and decrypt data. To do so, choose Add an External Account and then type the intended AWS account ID. Repeat as necessary to add more than one external account.

    Note

    Administrators of the external accounts must also allow access to the CMK by creating IAM policies for their users. For more information, see Allowing External AWS Accounts to Access a CMK.

  14. Choose Next Step.

  15. Choose Finish to create the CMK.

Tip

To refer to your new CMK programmatically and in command line interface operations, you need a key ID or key ARN. The key ID is displayed in the Encryption keys section of the AWS Identity and Access Management (IAM) console. To find the key ARN, in the Encryption keys section, choose the region, then choose the CMK alias. For details, see Viewing Keys. You can also find the CMK ID and ARN by using the ListKeys operation in the AWS KMS API.
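The same wizard choices, expressed as API calls, are shown in the following added example; it is not part of the AWS documentation or the KMS SDK. It builds the key policy the console wizard assembles from steps 9 through 13 (account root, key administrators with or without the deletion permissions from step 10, key users, and external accounts), applies the alias rules from step 4, calls CreateKey and CreateAlias, and then resolves the alias back to a key ARN as the Tip describes. The `kms` argument is assumed to be a boto3 KMS client (`boto3.client("kms")`); the account IDs, ARNs, alias and tag below are constructed sample values.

```python
# Added example (not AWS documentation code). Mirrors the console wizard's
# choices as a CreateKey call with an explicit key policy. `kms` is assumed to
# be a boto3 KMS client; account IDs and ARNs are constructed samples.
import json
import re

ALIAS_CHARS = re.compile(r"^[A-Za-z0-9/_-]+$")

# Permissions the console grants to "key administrators" (step 9). The two
# deletion actions are added only when "Allow key administrators to delete
# this key" stays checked (step 10).
ADMIN_ACTIONS = [
    "kms:Create*", "kms:Describe*", "kms:Enable*", "kms:List*", "kms:Put*",
    "kms:Update*", "kms:Revoke*", "kms:Disable*", "kms:Get*", "kms:Delete*",
    "kms:TagResource", "kms:UntagResource",
]
DELETE_ACTIONS = ["kms:ScheduleKeyDeletion", "kms:CancelKeyDeletion"]
# Permissions the console grants to "key users" (step 12).
USER_ACTIONS = ["kms:Encrypt", "kms:Decrypt", "kms:ReEncrypt*",
                "kms:GenerateDataKey*", "kms:DescribeKey"]


def validate_alias(alias):
    """Alias rules from step 4: the API form is 'alias/<name>', the name may not
    start with 'aws' (reserved for AWS-managed CMKs), only [A-Za-z0-9/_-] is
    allowed, and the full alias name is at most 256 characters."""
    name = alias[len("alias/"):] if alias.startswith("alias/") else alias
    if not name or not ALIAS_CHARS.match(name):
        raise ValueError("alias must be 1+ characters of [A-Za-z0-9/_-]")
    if name.startswith("aws"):
        raise ValueError("aliases beginning with 'aws' are reserved by AWS")
    full = "alias/" + name
    if len(full) > 256:
        raise ValueError("alias name exceeds 256 characters")
    return full


def build_key_policy(account_id, admin_arns, user_arns,
                     external_account_ids=(), allow_admin_delete=True):
    """Return the key policy document the wizard would attach (steps 9-13)."""
    # The account root keeps full access, so IAM policies in this account can
    # also grant KMS permissions (the Note under steps 9 and 12).
    statements = [{
        "Sid": "Enable IAM User Permissions",
        "Effect": "Allow",
        "Principal": {"AWS": "arn:aws:iam::%s:root" % account_id},
        "Action": "kms:*",
        "Resource": "*",
    }]
    if admin_arns:
        actions = ADMIN_ACTIONS + (DELETE_ACTIONS if allow_admin_delete else [])
        statements.append({
            "Sid": "Allow access for Key Administrators",
            "Effect": "Allow",
            "Principal": {"AWS": list(admin_arns)},
            "Action": actions,
            "Resource": "*",
        })
    # External accounts (step 13) are added as their account root; their own
    # administrators must still grant access with IAM policies.
    users = list(user_arns) + ["arn:aws:iam::%s:root" % a for a in external_account_ids]
    if users:
        statements.append({
            "Sid": "Allow use of the key",
            "Effect": "Allow",
            "Principal": {"AWS": users},
            "Action": USER_ACTIONS,
            "Resource": "*",
        })
        statements.append({
            "Sid": "Allow attachment of persistent resources",
            "Effect": "Allow",
            "Principal": {"AWS": users},
            "Action": ["kms:CreateGrant", "kms:ListGrants", "kms:RevokeGrant"],
            "Resource": "*",
            "Condition": {"Bool": {"kms:GrantIsForAWSResource": "true"}},
        })
    return {"Version": "2012-10-17", "Statement": statements}


def create_cmk(kms, account_id, alias, description, admin_arns, user_arns,
               external_account_ids=(), tags=None, allow_admin_delete=True):
    """CreateKey with the wizard's policy, then CreateAlias; returns (id, arn)."""
    alias_name = validate_alias(alias)
    policy = build_key_policy(account_id, admin_arns, user_arns,
                              external_account_ids, allow_admin_delete)
    kwargs = dict(Policy=json.dumps(policy), Description=description,
                  KeyUsage="ENCRYPT_DECRYPT", Origin="AWS_KMS")
    if tags:  # step 7: tags are optional
        kwargs["Tags"] = [{"TagKey": k, "TagValue": v} for k, v in tags.items()]
    meta = kms.create_key(**kwargs)["KeyMetadata"]
    kms.create_alias(AliasName=alias_name, TargetKeyId=meta["KeyId"])
    return meta["KeyId"], meta["Arn"]


def find_key_arn(kms, alias):
    """Resolve an alias to its key ARN (the lookup described in the Tip)."""
    alias_name = validate_alias(alias)
    for entry in kms.list_aliases()["Aliases"]:
        if entry["AliasName"] == alias_name and "TargetKeyId" in entry:
            return kms.describe_key(KeyId=entry["TargetKeyId"])["KeyMetadata"]["Arn"]
    return None  # no such alias, or an alias not bound to a key


if __name__ == "__main__":
    import boto3  # assumed installed; a real call needs AWS credentials
    client = boto3.client("kms", region_name="us-east-1")  # pick the Region explicitly (step 2)
    print(create_cmk(client, "111122223333", "my-app-key", "Protects my-app data",
                     ["arn:aws:iam::111122223333:role/KeyAdmin"],
                     ["arn:aws:iam::111122223333:user/app"],
                     tags={"Project": "my-app"}))
```

Passing `allow_admin_delete=False` is the API equivalent of clearing the checkbox in step 10: the administrators' statement then omits `kms:ScheduleKeyDeletion` and `kms:CancelKeyDeletion`, so only the account root (or a later key policy change) can schedule the CMK for deletion.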