AWS::KMS::Alias - AWS CloudFormation

AWS::KMS::Alias

The AWS::KMS::Alias resource specifies a display name for a KMS key. You can use an alias to identify a KMS key in the AWS KMS console, in the DescribeKey operation, and in cryptographic operations, such as Decrypt and GenerateDataKey.

Note

Adding, deleting, or updating an alias can allow or deny permission to the KMS key. For details, see Using ABAC in AWS KMS in the AWS Key Management Service Developer Guide.

Using an alias to refer to a KMS key can help you simplify key management. For example, an alias in your code can be associated with different KMS keys in different AWS Regions. For more information, see Using aliases in the AWS Key Management Service Developer Guide.

When specifying an alias, observe the following rules.

  • Each alias is associated with one KMS key, but multiple aliases can be associated with the same KMS key.

  • The alias and its associated KMS key must be in the same AWS account and Region.

  • The alias name must be unique in the AWS account and Region. However, you can create aliases with the same name in different AWS Regions. For example, you can have an alias/projectKey in multiple Regions, each of which is associated with a KMS key in its Region.

  • Each alias name must begin with alias/ followed by a name, such as alias/exampleKey. The alias name can contain only alphanumeric characters, forward slashes (/), underscores (_), and dashes (-). Alias names cannot begin with alias/aws/. That alias name prefix is reserved for AWS managed keys.

Syntax

To declare this entity in your AWS CloudFormation template, use the following syntax:

JSON

{ "Type" : "AWS::KMS::Alias", "Properties" : { "AliasName" : String, "TargetKeyId" : String } }

YAML

Type: AWS::KMS::Alias Properties: AliasName: String TargetKeyId: String

Properties

AliasName

Specifies the alias name. This value must begin with alias/ followed by a name, such as alias/ExampleAlias.

Note

If you change the value of a Replacement property, such as AliasName, the existing alias is deleted and a new alias is created for the specified KMS key. This change can disrupt applications that use the alias. It can also allow or deny access to a KMS key affected by attribute-based access control (ABAC).

The alias must be string of 1-256 characters. It can contain only alphanumeric characters, forward slashes (/), underscores (_), and dashes (-). The alias name cannot begin with alias/aws/. The alias/aws/ prefix is reserved for AWS managed keys.

Pattern: alias/^[a-zA-Z0-9/_-]+$

Minimum: 1

Maximum: 256

Required: Yes

Type: String

Update requires: Replacement

TargetKeyId

Associates the alias with the specified customer managed key. The KMS key must be in the same AWS account and Region.

A valid key ID is required. If you supply a null or empty string value, this operation returns an error.

For help finding the key ID and ARN, see Finding the key ID and ARN in the AWS Key Management Service Developer Guide.

Specify the key ID or the key ARN of the KMS key.

For example:

  • Key ID: 1234abcd-12ab-34cd-56ef-1234567890ab

  • Key ARN: arn:aws:kms:us-east-2:111122223333:key/1234abcd-12ab-34cd-56ef-1234567890ab

To get the key ID and key ARN for a KMS key, use ListKeys or DescribeKey.

Required: Yes

Type: String

Minimum: 1

Maximum: 2048

Update requires: No interruption

Return values

Ref

When you pass the logical ID of this resource to the intrinsic Ref function, Ref returns the alias name, such as alias/exampleAlias.

For more information about using the Ref function, see Ref.

Examples

Create an alias

The following examples create the alias/exampleAlias alias for a KMS key. The KMS key is identified by a reference to its CloudFormation resource name. Before using these examples, replace the example target key ID and example alias with valid values.

JSON

{ "myAlias": { "Type": "AWS::KMS::Alias", "Properties": { "AliasName": "alias/exampleAlias", "TargetKeyId": { "Ref": "myKey" } } } }

YAML

myAlias: Type: 'AWS::KMS::Alias' Properties: AliasName: alias/exampleAlias TargetKeyId: !Ref myKey

See also