AWS CloudFormation
User Guide (Version )

AWS::KMS::Alias

The AWS::KMS::Alias resource specifies a display name for a customer master key (CMK) in AWS Key Management Service (AWS KMS). You can use an alias to identify a CMK in cryptographic operations.

Using an alias to refer to a CMK can help you simplify key management. For example, an alias in your code can map to different CMKs in different AWS Regions. For more information, see Working with Aliases in the AWS Key Management Service Developer Guide.

When specifying an alias, observe the following rules.

  • Each alias can point to only one CMK, but multiple aliases can point to the same CMK.

  • The alias and the CMK it points to must be in the same AWS account and Region.

  • The alias name must be unique in the AWS account and Region. However, you can create aliases with the same name in different AWS Regions. For example, you can have an alias/projectKey in multiple Regions, each of which points to a CMK in that Region.

  • Each alias name must begin with alias/ followed by a name, such as alias/exampleKey. The alias name can contain only alphanumeric characters, forward slashes (/), underscores (_), and dashes (-). Alias names cannot begin with alias/aws/. That alias name prefix is reserved for AWS managed CMKs.

Syntax

To declare this entity in your AWS CloudFormation template, use the following syntax:

JSON

{
  "Type" : "AWS::KMS::Alias",
  "Properties" : {
    "AliasName" : String,
    "TargetKeyId" : String
  }
}

YAML

Type: AWS::KMS::Alias
Properties:
  AliasName: String
  TargetKeyId: String

Properties

AliasName

Specifies the alias name. This value must begin with alias/ followed by a name, such as alias/ExampleAlias. The alias name cannot begin with alias/aws/. The alias/aws/ prefix is reserved for AWS managed CMKs.

Required: Yes

Type: String

Minimum: 1

Maximum: 256

Pattern: ^[a-zA-Z0-9:/_-]+$

Update requires: Replacement

TargetKeyId

Identifies the CMK to which the alias refers. Specify the key ID or the Amazon Resource Name (ARN) of the CMK. You cannot specify another alias. For help finding the key ID and ARN, see Finding the Key ID and ARN in the AWS Key Management Service Developer Guide.

Required: Yes

Type: String

Minimum: 1

Maximum: 2048

Update requires: No interruption

Return Values

Ref

When you pass the logical ID of this resource to the intrinsic Ref function, Ref returns the alias name, such as alias/exampleAlias.

For more information about using the Ref function, see Ref.

Examples

Create an alias

The following examples create the alias/exampleAlias alias for a CMK. The CMK is identified by referencing its resource name. Before using these examples, replace the example target key ID with a valid value.

JSON

"myAlias" : {
  "Type" : "AWS::KMS::Alias",
  "Properties" : {
    "AliasName" : "alias/exampleAlias",
    "TargetKeyId" : {"Ref": "myKey"}
  }
}

YAML

myAlias:
  Type: AWS::KMS::Alias
  Properties:
    AliasName: alias/exampleAlias
    TargetKeyId:
      Ref: myKey
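Pre-deployment check (an added example, not part of the AWS documentation): this Python sketch applies the AliasName rules and the "cannot specify another alias" rule for TargetKeyId to a parsed template, and flags alias names repeated within one template, since a stack deploys into a single account and Region. The function names, the sample template, and treating any value containing :alias/ as an alias ARN are assumptions of this example; values given as intrinsic functions such as Ref are skipped because they resolve only at deploy time.

```python
import re

# Pattern and maximum length copied from the AliasName property above.
ALIAS_PATTERN = re.compile(r"^[a-zA-Z0-9:/_-]+$")
ALIAS_MAX = 256

def check_alias_name(name):
    """Return the documented rules that a literal AliasName string breaks."""
    problems = []
    if not 1 <= len(name) <= ALIAS_MAX:
        problems.append("length must be 1-256")
    if not ALIAS_PATTERN.fullmatch(name):
        problems.append("characters outside the documented pattern")
    if not name.startswith("alias/") or name == "alias/":
        problems.append("must begin with alias/ followed by a name")
    if name.startswith("alias/aws/"):
        problems.append("alias/aws/ is reserved for AWS managed CMKs")
    return problems

def lint_template(template):
    """Check each AWS::KMS::Alias resource in a parsed template (a dict)."""
    findings, seen = [], {}
    for logical_id, res in template.get("Resources", {}).items():
        if res.get("Type") != "AWS::KMS::Alias":
            continue
        props = res.get("Properties", {})
        name, target = props.get("AliasName"), props.get("TargetKeyId")
        # Only literal strings are checked; intrinsic functions are dicts.
        if isinstance(name, str):
            findings += [(logical_id, "AliasName: " + p) for p in check_alias_name(name)]
            if name in seen:
                findings.append((logical_id, "AliasName: duplicates " + seen[name]))
            seen.setdefault(name, logical_id)
        if isinstance(target, str):
            # Assumption: a bare alias name or an alias ARN both count as an alias.
            if target.startswith("alias/") or ":alias/" in target:
                findings.append((logical_id, "TargetKeyId: cannot be another alias"))
    return findings

# Constructed sample template (not from the page); myKey is a hypothetical key resource.
SAMPLE = {"Resources": {
    "myAlias": {"Type": "AWS::KMS::Alias", "Properties": {
        "AliasName": "alias/exampleAlias", "TargetKeyId": {"Ref": "myKey"}}},
    "reservedAlias": {"Type": "AWS::KMS::Alias", "Properties": {
        "AliasName": "alias/aws/custom", "TargetKeyId": "alias/exampleAlias"}},
    "dupAlias": {"Type": "AWS::KMS::Alias", "Properties": {
        "AliasName": "alias/exampleAlias", "TargetKeyId": {"Ref": "myKey"}}},
}}

for logical_id, message in lint_template(SAMPLE):
    print(logical_id, "-", message)
```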

See Also

  • CreateAlias in the AWS Key Management Service API Reference.