AWS Key Management Service
Developer Guide

Tagging Keys

A tag is a label that you assign to an AWS resource. You can assign tags to your customer master keys (CMKs). Each tag consists of a tag key and a tag value, both of which you define. For example, the tag key might be "Cost Center" and the tag value might be "87654."

You can use tags for a variety of purposes. One common use is to categorize and track your AWS costs. You can apply tags that represent business categories (such as cost centers, application names, or owners) to organize your costs across multiple services. When you add tags to your AWS resources, AWS generates a cost allocation report with usage and costs aggregated by tags. You can use this report to view your AWS KMS costs in terms of projects or applications, instead of viewing all AWS KMS costs as a single line item.

For more information about using tags for cost allocation, see Using Cost Allocation Tags in the AWS Billing and Cost Management User Guide.

Managing Tags

You can manage tags for your CMKs using the IAM section of the AWS Management Console and the AWS KMS API.

You can also use the console's key details page to manage tags for a CMK. For more information, see Editing Keys. You can also add tags to a CMK when you create it. For information, see Creating Keys.

To manage tags for your CMKs (console)

  1. Open the Encryption Keys section of the Identity and Access Management (IAM) console at https://console.aws.amazon.com/iam/home#encryptionKeys.

  2. For Region, choose the appropriate AWS region. Do not use the region selector in the navigation bar (top right corner).

  3. Select the check box next to the alias of the CMK(s) whose tags you want to manage.

    Note

    You cannot tag AWS-managed CMKs, which are denoted by the orange AWS icon.

  4. Choose Key actions, Add or edit tags.

  5. Use the controls in the Add or edit tags window. When you're finished, choose Save.

    
    Figure: Add or edit tags window in the Encryption Keys section of the IAM console

To manage tags for your CMKs (AWS KMS API)

You can use the following operations in the AWS KMS API to manage tags for your CMKs.

The following examples show how to do this with the AWS Command Line Interface (AWS CLI).

To add or update tags

Use the tag-resource command as in the following example.

aws kms tag-resource --tags TagKey=Purpose,TagValue=Test --key-id 1234abcd-12ab-34cd-56ef-1234567890ab

When this command is successful, it does not return any output.

To remove tags

Use the untag-resource command as in the following example.

aws kms untag-resource --tag-keys Purpose --key-id 1234abcd-12ab-34cd-56ef-1234567890ab

When this command is successful, it does not return any output.

To list tags

Use the list-resource-tags command as in the following example.

aws kms list-resource-tags --key-id 1234abcd-12ab-34cd-56ef-1234567890ab

When this command is successful, it returns a list of tags, as in the following example.

{
  "Truncated": false,
  "Tags": [
    { "TagKey": "CostCenter", "TagValue": "87654" },
    { "TagKey": "CreatedBy", "TagValue": "ExampleUser" },
    { "TagKey": "Purpose", "TagValue": "Test" }
  ]
}
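The following added example (not part of the original guide) reads list-resource-tags output across pages and reports CMKs that lack required tags or carry unexpected values. The function names, the "Owner" tag, the "page2" marker, and the sample pages are assumptions made for illustration; NextMarker is the response field that accompanies "Truncated": true and is not shown in the output above.

```python
import json

# Constructed sample: two pages shaped like `aws kms list-resource-tags` output.
# The first page is truncated, so it carries a NextMarker for the next request.
SAMPLE_PAGES = {
    None: '{"Truncated": true, "NextMarker": "page2", "Tags": ['
          '{"TagKey": "CostCenter", "TagValue": "87654"}]}',
    "page2": '{"Truncated": false, "Tags": ['
             '{"TagKey": "CreatedBy", "TagValue": "ExampleUser"},'
             '{"TagKey": "Purpose", "TagValue": "Test"}]}',
}

def sample_fetch(key_id, marker):
    """Hypothetical stand-in for running the CLI (with --marker when set)."""
    return SAMPLE_PAGES[marker]

def collect_tags(key_id, fetch_page, max_pages=100):
    """Follow Truncated/NextMarker until every tag on the key has been read."""
    tags, marker = {}, None
    for _ in range(max_pages):
        page = json.loads(fetch_page(key_id, marker))
        for tag in page.get("Tags", []):
            tags[tag["TagKey"]] = tag["TagValue"]
        if not page.get("Truncated"):
            return tags
        marker = page.get("NextMarker")
        if not marker:
            raise ValueError("truncated response without NextMarker")
    raise RuntimeError("gave up after %d pages" % max_pages)

def audit_key(key_id, fetch_page, required, allowed_values=None):
    """Return findings: required tag keys that are missing, disallowed values."""
    tags = collect_tags(key_id, fetch_page)
    findings = ["missing tag: " + k for k in sorted(required) if k not in tags]
    for k, allowed in sorted((allowed_values or {}).items()):
        if k in tags and tags[k] not in allowed:
            findings.append("unexpected value for %s: %s" % (k, tags[k]))
    return findings

if __name__ == "__main__":
    key = "1234abcd-12ab-34cd-56ef-1234567890ab"  # example key ID from this page
    print(collect_tags(key, sample_fetch))
    print(audit_key(key, sample_fetch, {"CostCenter", "Owner"},
                    {"Purpose": {"Prod"}}))
```
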
