AWS::KMS::Alias - AWS CloudFormation

AWS::KMS::Alias

The AWS::KMS::Alias resource specifies a display name for a customer master key (CMK) in AWS Key Management Service (AWS KMS). You can use an alias to identify a CMK in the AWS KMS console, in the DescribeKey operation, and in cryptographic operations, such as Decrypt and GenerateDataKey.

Note

Adding, deleting, or updating an alias can allow or deny permission to the CMK. For details, see Using ABAC in AWS KMS in the AWS Key Management Service Developer Guide.

Using an alias to refer to a CMK can help you simplify key management. For example, an alias in your code can be associated with different CMKs in different AWS Regions. For more information, see Using aliases in the AWS Key Management Service Developer Guide.

When specifying an alias, observe the following rules.

  • Each alias is associated with one CMK, but multiple aliases can be associated with the same CMK.

  • The alias and its associated CMK must be in the same AWS account and Region.

  • The alias name must be unique in the AWS account and Region. However, you can create aliases with the same name in different AWS Regions. For example, you can have an alias/projectKey in multiple Regions, each of which is associated with a CMK in its Region.

  • Each alias name must begin with alias/ followed by a name, such as alias/exampleKey. The alias name can contain only alphanumeric characters, forward slashes (/), underscores (_), and dashes (-). Alias names cannot begin with alias/aws/. That alias name prefix is reserved for AWS managed CMKs.

Syntax

To declare this entity in your AWS CloudFormation template, use the following syntax:

JSON

{ "Type" : "AWS::KMS::Alias", "Properties" : { "AliasName" : String, "TargetKeyId" : String } }

YAML

Type: AWS::KMS::Alias Properties: AliasName: String TargetKeyId: String

Properties

AliasName

Specifies the alias name. This value must begin with alias/ followed by a name, such as alias/ExampleAlias.

Note

If you change the value of a Replacement property, such as AliasName, the existing alias is deleted and a new alias is created for the specified CMK. This change can disrupt applications that use the alias. It can also allow or deny access to a CMK affected by attribute-based access control (ABAC).

The alias must be string of 1-256 characters. It can contain only alphanumeric characters, forward slashes (/), underscores (_), and dashes (-). The alias name cannot begin with alias/aws/. The alias/aws/ prefix is reserved for AWS managed CMKs.

Pattern: alias/^[a-zA-Z0-9/_-]+$

Minimum: 1

Maximum: 256

Required: Yes

Type: String

Update requires: Replacement

TargetKeyId

Associates the alias with the specified customer managed CMK. The CMK must be in the same AWS account and Region.

A valid CMK ID is required. If you supply a null or empty string value, this operation returns an error.

For help finding the key ID and ARN, see Finding the key ID and ARN in the AWS Key Management Service Developer Guide.

Specify the key ID or the key ARN of the CMK.

For example:

  • Key ID: 1234abcd-12ab-34cd-56ef-1234567890ab

  • Key ARN: arn:aws:kms:us-east-2:111122223333:key/1234abcd-12ab-34cd-56ef-1234567890ab

To get the key ID and key ARN for a CMK, use ListKeys or DescribeKey.

Required: Yes

Type: String

Minimum: 1

Maximum: 2048

Update requires: No interruption

Return values

Ref

When you pass the logical ID of this resource to the intrinsic Ref function, Ref returns the alias name, such as alias/exampleAlias.

For more information about using the Ref function, see Ref.

Examples

Create an alias

The following examples create the alias/exampleAlias alias for a CMK. The CMK is identified by a reference to its CloudFormation resource name. Before using these examples, replace the example target key ID and example alias with valid values.

JSON

{ "myAlias": { "Type": "AWS::KMS::Alias", "Properties": { "AliasName": "alias/exampleAlias", "TargetKeyId": { "Ref": "myKey" } } } }

YAML

myAlias: Type: 'AWS::KMS::Alias' Properties: AliasName: alias/exampleAlias TargetKeyId: !Ref myKey

See also