Using aliases - AWS Key Management Service

Using aliases

An alias is a friendly name for a customer master key (CMK). For example, an alias lets you refer to a CMK as test-key instead of 1234abcd-12ab-34cd-56ef-1234567890ab.

You can use an alias to identify a CMK in the AWS KMS console, in the DescribeKey operation, and in cryptographic operations, such as Encrypt and GenerateDataKey.

Aliases also make it easy to recognize AWS managed CMKs. Aliases for these CMKs always have the form: aws/<service-name>. For example, the alias for the AWS managed CMK for Amazon DynamoDB is aws/dynamodb. You can establish similar alias standards for your projects, such as prefacing your aliases with the name of a project or category.

Much of the power of aliases comes from your ability to change the CMK associated with an alias at any time. Aliases can make your code easier to write and maintain. For example, suppose you use an alias to refer to a particular CMK and you want to change the CMK. In that case, just associate the alias with a different CMK. You don't need to change your code.

Aliases also make it easier to reuse the same code in different AWS Regions. Create aliases with the same name in multiple Regions and associate each alias with a CMK in its Region. When the code runs in each Region, the alias refers to its associated CMK in that Region. For an example, see Using aliases in your applications.

The AWS KMS API provides full control of aliases in each account and Region. The API includes operations to create an alias (CreateAlias), view alias names and alias ARNs (ListAliases), change the CMK associated with an alias (UpdateAlias), and delete an alias (DeleteAlias). For examples of managing aliases in multiple programming languages, see Working with aliases.

The following resources can help you learn more:

About aliases

Learn how aliases work in AWS KMS.

An alias is an independent AWS resource

An alias is not a property of a CMK. The actions that you take on the alias don't affect its associated CMK. You can create an alias for a CMK and then update the alias so it's associated with a different CMK. You can even delete the alias without any effect on the associated CMK. However, if you delete a CMK, all aliases associated with that CMK are deleted.

If you specify an alias as the resource in an IAM policy, the policy refers to the alias, not to the associated CMK.

Each alias has two formats

When you create an alias, you specify the alias name. AWS KMS creates the alias ARN for you.

  • An alias ARN is an Amazon Resource Name (ARN) that uniquely identifies the alias.

    # Alias ARN
    arn:aws:kms:us-west-2:111122223333:alias/<alias-name>

  • An alias name that is unique in the account and Region. In the AWS KMS APIs, the alias name is always prefixed by alias/. That prefix is omitted in the AWS KMS console.

    # Alias name
    alias/<alias-name>

Each alias is associated with one CMK at a time

The alias and its CMK must be in the same account and Region.

You can associate an alias with any customer managed CMK in the same AWS account and Region. However, you do not have permission to associate an alias with an AWS managed CMK.

For example, this ListAliases output shows that the test-key alias is associated with exactly one target CMK, which is represented by the TargetKeyId property.

{
    "AliasName": "alias/test-key",
    "AliasArn": "arn:aws:kms:us-west-2:111122223333:alias/test-key",
    "TargetKeyId": "1234abcd-12ab-34cd-56ef-1234567890ab"
}

Multiple aliases can be associated with the same CMK

For example, you can associate the test-key and project-key aliases with the same CMK.

{
    "AliasName": "alias/test-key",
    "AliasArn": "arn:aws:kms:us-west-2:111122223333:alias/test-key",
    "TargetKeyId": "1234abcd-12ab-34cd-56ef-1234567890ab"
},
{
    "AliasName": "alias/project-key",
    "AliasArn": "arn:aws:kms:us-west-2:111122223333:alias/project-key",
    "TargetKeyId": "1234abcd-12ab-34cd-56ef-1234567890ab"
}

An alias must be unique in an account and Region

For example, you can have only one test-key alias in each account and Region. Aliases are case-sensitive, but aliases that differ only in their capitalization are very prone to error. You cannot change an alias name. However, you can delete the alias and create a new alias with the desired name.

You can create an alias with the same name in different Regions

For example, you can have a finance-key alias in US East (N. Virginia) and a finance-key alias in Europe (Frankfurt). Each alias would be associated with a CMK in its Region. If your code refers to an alias name like alias/finance-key, you can run it in multiple Regions. In each Region, it uses a different CMK. For details, see Using aliases in your applications.

You can change the CMK associated with an alias

You can use the UpdateAlias operation to associate an alias with a different CMK. For example, if the finance-key alias is associated with the 1234abcd-12ab-34cd-56ef-1234567890ab CMK, you can update it so it is associated with the 0987dcba-09fe-87dc-65ba-ab0987654321 CMK.

However, the current and new CMK must be the same type (both symmetric or both asymmetric), and they must have the same key usage (ENCRYPT_DECRYPT or SIGN_VERIFY). This restriction prevents errors in code that uses aliases. If you must associate an alias with a different type of key, and you have mitigated the risks, you can delete and recreate the alias.

Some CMKs don't have aliases

When you create a CMK in the AWS KMS console, you must give it a new alias. But an alias is not required when you use the CreateKey operation to create a CMK. Also, you can use the UpdateAlias operation to change the CMK that's associated with an alias and the DeleteAlias operation to delete an alias. As a result, some CMKs might have several aliases, and some might have none.

AWS creates aliases in your account

AWS creates aliases in your account for AWS managed CMKs. These aliases have names of the form alias/aws/<service-name>, such as alias/aws/s3.

Some AWS aliases have no CMK. These predefined aliases are usually associated with an AWS managed CMK when you start using the service. Aliases that AWS creates in your account, including predefined aliases, do not count against your AWS KMS aliases quota.

Use aliases to identify CMKs

You can use an alias name or alias ARN to identify a CMK in AWS KMS cryptographic operations and in the DescribeKey operation. However, you cannot use an alias name or alias ARN in API operations that manage CMKs, such as DisableKey or GetKeyPolicy. For information about the valid key identifiers for each AWS KMS API operation, see the descriptions of the KeyId parameters in the AWS Key Management Service API Reference.

You cannot use an alias name or alias ARN to identify a CMK in the Resource element of an IAM policy. This restriction prevents errors that might occur if you intended to control access to a particular CMK, but the alias is deleted or updated to a different CMK.

Creating an alias

You can create aliases in the AWS KMS console or by using AWS KMS API operations.

The alias must be a string of 1–256 characters. It can contain only alphanumeric characters, forward slashes (/), underscores (_), and dashes (-). The alias name for a customer managed CMK cannot begin with alias/aws/. The alias/aws/ prefix is reserved for AWS managed CMKs.

You can create an alias for a new CMK or for an existing CMK. You might add an alias so that a particular CMK is used in a project or application.

Create an alias (console)

When you create a CMK in the AWS KMS console, you must create an alias for the new CMK. To create an alias for an existing CMK, use the Aliases tab on the detail page for the CMK.

  1. Sign in to the AWS Management Console and open the AWS Key Management Service (AWS KMS) console at https://console.aws.amazon.com/kms.

  2. To change the AWS Region, use the Region selector in the upper-right corner of the page.

  3. In the navigation pane, choose Customer managed keys. You cannot manage aliases for AWS managed CMKs or AWS owned CMKs.

  4. In the table, choose the key ID or alias of the CMK. Then, on the CMK detail page, choose the Aliases tab.

    If a CMK has multiple aliases, the Aliases column in the table displays one alias and an alias summary, such as (+n more). Choosing the alias summary takes you directly to the Aliases tab on the CMK detail page.

  5. On the Aliases tab, choose Create alias. Enter an alias name and choose Create alias.

    Note

    In the console, you're not required to specify the alias/ prefix. The console adds it for you. If you enter alias/ExampleAlias, the actual alias name will be alias/alias/ExampleAlias.

Create an alias (AWS KMS API)

To create an alias, use the CreateAlias operation. Unlike the process of creating CMKs in the console, the CreateKey operation doesn't create an alias for a new CMK.

You can use the CreateAlias operation to create an alias for a new CMK with no alias. You can also use the CreateAlias operation to add an alias to any existing CMK or to recreate an alias that was accidentally deleted.

In the AWS KMS API operations, the alias name must begin with alias/ followed by a name, such as alias/ExampleAlias. The alias must be unique in the account and Region. To find the alias names that are already in use, use the ListAliases operation. The alias name is case sensitive.

The TargetKeyId can be any customer managed CMK in the same AWS Region. To identify the CMK, use its key ID or key ARN. You cannot use another alias.

The following example creates the example-key alias and associates it with the specified CMK. These examples use the AWS Command Line Interface (AWS CLI). For examples in multiple programming languages, see Working with aliases.

$ aws kms create-alias \
    --alias-name alias/example-key \
    --target-key-id 1234abcd-12ab-34cd-56ef-1234567890ab

CreateAlias doesn't return any output. To see the new alias, use the ListAliases operation. For details, see Viewing aliases (AWS KMS API).
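The name rules above (alias/ prefix, 1–256 characters, the allowed character set, the reserved alias/aws/ prefix, case-sensitive uniqueness) are easy to get wrong in a deployment script, and CreateAlias only tells you after the call. The following Python is an added example, not code from the AWS documentation: it applies those rules locally and checks a candidate name against a ListAliases response before the call is made. It uses only the standard library and never contacts AWS; the SAMPLE_LIST_ALIASES response is constructed, and the check_create_alias and validate_alias_name names are this example's own. It assumes the 256-character limit applies to the full alias/ form of the name.

```python
"""Pre-flight checks for CreateAlias: name syntax, reserved prefix, uniqueness.

Added example, not code from the AWS documentation. Standard library only;
it never calls AWS. Pass it the dict returned by boto3's kms.list_aliases()
(or the parsed output of `aws kms list-aliases`) for the account and Region
in which you intend to create the alias.
"""
import re

API_PREFIX = "alias/"             # required on every alias name in the API
RESERVED_PREFIX = "alias/aws/"    # reserved for AWS managed CMKs
ALIAS_CHARS = re.compile(r"^[A-Za-z0-9/_-]+$")
# Assumption: the 1-256 character limit is applied to the full API-form name,
# including the "alias/" prefix.
MAX_LEN = 256


def to_api_name(user_input):
    """Return the API form of a name, adding alias/ only when it is missing.

    The console prepends alias/ unconditionally, so typing "alias/ExampleAlias"
    there produces "alias/alias/ExampleAlias"; this helper avoids that pitfall
    for names that come from configuration or user input.
    """
    return user_input if user_input.startswith(API_PREFIX) else API_PREFIX + user_input


def validate_alias_name(name):
    """Return the list of problems with an API-form alias name (empty means valid)."""
    problems = []
    if not name.startswith(API_PREFIX):
        problems.append("must begin with alias/")
    elif len(name) == len(API_PREFIX):
        problems.append("the part after alias/ must not be empty")
    if not 1 <= len(name) <= MAX_LEN:
        problems.append("length must be 1-%d characters" % MAX_LEN)
    if not ALIAS_CHARS.match(name):
        problems.append("only alphanumerics, '/', '_' and '-' are allowed")
    if name.startswith(RESERVED_PREFIX):
        problems.append("alias/aws/ is reserved for AWS managed CMKs")
    return problems


def alias_in_use(name, list_aliases_response):
    """Exact, case-sensitive match against the aliases already in the account and Region."""
    return any(a["AliasName"] == name for a in list_aliases_response.get("Aliases", []))


def case_conflicts(name, list_aliases_response):
    """Existing aliases that differ from `name` only in capitalization.

    KMS accepts such a name (aliases are case-sensitive), but near-duplicates
    are error-prone, so report them before creating.
    """
    return [a["AliasName"] for a in list_aliases_response.get("Aliases", [])
            if a["AliasName"] != name and a["AliasName"].lower() == name.lower()]


def check_create_alias(user_input, list_aliases_response):
    """Everything worth knowing before calling CreateAlias with this name."""
    name = to_api_name(user_input)
    return {
        "alias_name": name,
        "problems": validate_alias_name(name),
        "in_use": alias_in_use(name, list_aliases_response),
        "case_conflicts": case_conflicts(name, list_aliases_response),
    }


# Constructed ListAliases response for the checks below (not real account data).
SAMPLE_LIST_ALIASES = {
    "Aliases": [
        {"AliasName": "alias/test-key",
         "AliasArn": "arn:aws:kms:us-west-2:111122223333:alias/test-key",
         "TargetKeyId": "1234abcd-12ab-34cd-56ef-1234567890ab"},
        {"AliasName": "alias/aws/dynamodb",
         "AliasArn": "arn:aws:kms:us-west-2:111122223333:alias/aws/dynamodb",
         "TargetKeyId": "0987ab65-43cd-21ef-09ab-87654321cdef"},
    ]
}

if __name__ == "__main__":
    for candidate in ("example-key", "test-key", "Test-Key", "aws/s3", "bad key!"):
        print(candidate, "->", check_create_alias(candidate, SAMPLE_LIST_ALIASES))
```

Run the checks against a fresh ListAliases response for the target Region each time, since uniqueness is per account and Region and the response changes as other principals create aliases. A non-empty "problems" list means CreateAlias will be rejected; "in_use" means it will fail with an already-exists error; "case_conflicts" is advisory only.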

Viewing aliases

Aliases make it easy to recognize CMKs in the AWS KMS console. You can view the aliases for a CMK in the AWS KMS console or by using the ListAliases operation. The DescribeKey operation, which returns the properties of a CMK, doesn't include aliases.

Viewing aliases (console)

The Customer managed keys and AWS managed keys pages in the AWS KMS console display the alias associated with each CMK. You can also search, sort, and filter CMKs based on their aliases.

The following image of the AWS KMS console shows the aliases on the Customer managed keys page of an example account. As shown in the image, some CMKs don't have an alias.

When a CMK has multiple aliases, the Aliases column displays one alias and an alias summary (+n more). The alias summary shows how many additional aliases are associated with the CMK and links to the display of all aliases for the CMK on the Aliases tab.


          Aliases in the Customer managed keys page of the AWS KMS
            console

The Aliases tab on the details page for each CMK displays the alias name and alias ARN of all aliases for the CMK in the account and AWS Region. You can also use the Aliases tab to create aliases and delete aliases.

To find the alias name and alias ARN of all aliases for the CMK, use the Aliases tab.

  • To go directly to the Aliases tab, in the Aliases column, choose the alias summary (+n more). An alias summary appears only if the CMK has more than one alias.

  • Or, choose the alias or key ID of the CMK (which opens the detail page for the CMK) and then choose the Aliases tab. The tabs are under the General configuration section.

The following image shows the Aliases tab for an example CMK.

You can use the alias to recognize an AWS managed CMK, as shown in this example AWS managed keys page. The aliases for AWS managed CMKs always have the format: aws/<service-name>. For example, the alias for the AWS managed CMK for Amazon DynamoDB is aws/dynamodb.


          Aliases in the AWS managed keys page of the AWS KMS
            console

Viewing aliases (AWS KMS API)

The ListAliases operation returns the alias name and alias ARN of aliases in the account and Region. The output includes aliases for AWS managed CMKs and for customer managed CMKs. In the output, the aliases for AWS managed CMKs have the format alias/aws/<service-name>, such as alias/aws/dynamodb.

The response might also include aliases that have no TargetKeyId field. These are predefined aliases that AWS has created but has not yet associated with a CMK. Aliases that AWS creates in your account, including predefined aliases, do not count against your AWS KMS aliases quota.

$ aws kms list-aliases
{
    "Aliases": [
        {
            "AliasName": "alias/access-key",
            "AliasArn": "arn:aws:kms:us-west-2:111122223333:alias/access-key",
            "TargetKeyId": "0987dcba-09fe-87dc-65ba-ab0987654321"
        },
        {
            "AliasName": "alias/ECC-P521-Sign",
            "AliasArn": "arn:aws:kms:us-west-2:111122223333:alias/ECC-P521-Sign",
            "TargetKeyId": "1234abcd-12ab-34cd-56ef-1234567890ab"
        },
        {
            "AliasName": "alias/ImportedKey",
            "AliasArn": "arn:aws:kms:us-west-2:111122223333:alias/ImportedKey",
            "TargetKeyId": "1a2b3c4d-5e6f-1a2b-3c4d-5e6f1a2b3c4d"
        },
        {
            "AliasName": "alias/finance-project",
            "AliasArn": "arn:aws:kms:us-west-2:111122223333:alias/finance-project",
            "TargetKeyId": "0987dcba-09fe-87dc-65ba-ab0987654321"
        },
        {
            "AliasName": "alias/aws/dynamodb",
            "AliasArn": "arn:aws:kms:us-west-2:111122223333:alias/aws/dynamodb",
            "TargetKeyId": "0987ab65-43cd-21ef-09ab-87654321cdef"
        },
        {
            "AliasName": "alias/aws/ebs",
            "AliasArn": "arn:aws:kms:us-west-2:111122223333:alias/aws/ebs",
            "TargetKeyId": "abcd1234-09fe-ef90-09fe-ab0987654321"
        }
    ]
}

To get all aliases that are associated with a particular CMK, use the optional KeyId parameter of the ListAliases operation. The KeyId parameter takes the key ID or key ARN of the CMK.

This example gets all aliases associated with the 0987dcba-09fe-87dc-65ba-ab0987654321 CMK.

$ aws kms list-aliases --key-id 0987dcba-09fe-87dc-65ba-ab0987654321
{
    "Aliases": [
        {
            "AliasName": "alias/access-key",
            "AliasArn": "arn:aws:kms:us-west-2:111122223333:alias/access-key",
            "TargetKeyId": "0987dcba-09fe-87dc-65ba-ab0987654321"
        },
        {
            "AliasName": "alias/finance-project",
            "AliasArn": "arn:aws:kms:us-west-2:111122223333:alias/finance-project",
            "TargetKeyId": "0987dcba-09fe-87dc-65ba-ab0987654321"
        }
    ]
}

The KeyId parameter doesn't take wildcard characters, but you can use the features of your programming language to filter the response.

For example, the following AWS CLI command gets only the aliases for AWS managed CMKs.

$ aws kms list-aliases --query 'Aliases[?starts_with(AliasName, `alias/aws/`)]'

The following command gets only the access-key alias. The alias name is case-sensitive.

$ aws kms list-aliases --query 'Aliases[?AliasName==`alias/access-key`]'
[
    {
        "AliasName": "alias/access-key",
        "AliasArn": "arn:aws:kms:us-west-2:111122223333:alias/access-key",
        "TargetKeyId": "0987dcba-09fe-87dc-65ba-ab0987654321"
    }
]
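Because the KeyId parameter takes one exact key and no wildcards, the slicing you usually want (every alias grouped by CMK, AWS managed versus customer aliases, the predefined aliases that have no CMK yet, a strictly case-sensitive lookup) is done on the response in code. The following Python is an added example, not code from the AWS documentation. SAMPLE_RESPONSE is a constructed ListAliases response in the same shape as the output above (the alias/aws/lambda entry without a TargetKeyId stands in for a predefined alias); the function names are this example's own. It uses only the standard library and never calls AWS.

```python
"""Filtering a ListAliases response client-side.

Added example, not code from the AWS documentation. In practice pass the dict
returned by boto3's kms.list_aliases(), and keep calling it with
Marker=NextMarker while Truncated is true so that every alias is seen.
"""
from collections import defaultdict

AWS_PREFIX = "alias/aws/"

# Constructed sample response (same shape as `aws kms list-aliases` output).
SAMPLE_RESPONSE = {
    "Aliases": [
        {"AliasName": "alias/access-key",
         "AliasArn": "arn:aws:kms:us-west-2:111122223333:alias/access-key",
         "TargetKeyId": "0987dcba-09fe-87dc-65ba-ab0987654321"},
        {"AliasName": "alias/ECC-P521-Sign",
         "AliasArn": "arn:aws:kms:us-west-2:111122223333:alias/ECC-P521-Sign",
         "TargetKeyId": "1234abcd-12ab-34cd-56ef-1234567890ab"},
        {"AliasName": "alias/finance-project",
         "AliasArn": "arn:aws:kms:us-west-2:111122223333:alias/finance-project",
         "TargetKeyId": "0987dcba-09fe-87dc-65ba-ab0987654321"},
        {"AliasName": "alias/aws/dynamodb",
         "AliasArn": "arn:aws:kms:us-west-2:111122223333:alias/aws/dynamodb",
         "TargetKeyId": "0987ab65-43cd-21ef-09ab-87654321cdef"},
        # A predefined alias: AWS created it but has not yet bound it to a CMK.
        {"AliasName": "alias/aws/lambda",
         "AliasArn": "arn:aws:kms:us-west-2:111122223333:alias/aws/lambda"},
    ]
}


def _aliases(response):
    return response.get("Aliases", [])


def is_aws_managed(alias):
    """AWS creates aliases of the form alias/aws/<service-name>; customers cannot."""
    return alias["AliasName"].startswith(AWS_PREFIX)


def find_alias(response, name):
    """Exact, case-sensitive lookup by API-form name; None if absent."""
    for alias in _aliases(response):
        if alias["AliasName"] == name:
            return alias
    return None


def aliases_by_key(response):
    """Map TargetKeyId -> sorted alias names, i.e. `--key-id` for every CMK at once."""
    grouped = defaultdict(list)
    for alias in _aliases(response):
        if "TargetKeyId" in alias:
            grouped[alias["TargetKeyId"]].append(alias["AliasName"])
    return {key: sorted(names) for key, names in grouped.items()}


def keys_with_multiple_aliases(response):
    """CMKs the console would show with a (+n more) summary."""
    return {key: names for key, names in aliases_by_key(response).items() if len(names) > 1}


def predefined_aliases(response):
    """AWS aliases with no TargetKeyId: created by AWS, not yet associated with a CMK."""
    return sorted(a["AliasName"] for a in _aliases(response) if "TargetKeyId" not in a)


def customer_aliases(response):
    """Aliases you manage (everything outside alias/aws/), sorted for stable diffs."""
    return sorted(a["AliasName"] for a in _aliases(response) if not is_aws_managed(a))


def aws_managed_aliases(response):
    return sorted(a["AliasName"] for a in _aliases(response) if is_aws_managed(a))


if __name__ == "__main__":
    print("by key:", aliases_by_key(SAMPLE_RESPONSE))
    print("multiple:", keys_with_multiple_aliases(SAMPLE_RESPONSE))
    print("predefined:", predefined_aliases(SAMPLE_RESPONSE))
    print("customer:", customer_aliases(SAMPLE_RESPONSE))
    print("exact match:", find_alias(SAMPLE_RESPONSE, "alias/Access-Key"))
```

The sorted, name-only lists are deliberate: diffing customer_aliases() output between runs is a cheap way to notice an alias that was created or deleted without going through your change process.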

Using aliases in your applications

You can use an alias to represent a CMK in your application code. The KeyId parameter in the DescribeKey and GetPublicKey operations and in all cryptographic operations accepts an alias name or alias ARN.

For example, the following GenerateDataKey command uses an alias name (alias/finance) to identify a CMK. The alias name is the value of the KeyId parameter.

$ aws kms generate-data-key --key-id alias/finance --key-spec AES_256

One of the most powerful uses of aliases is in applications that run in multiple AWS Regions. For example, you might have a global application that uses an RSA asymmetric CMK for signing and verification.

  • In US West (Oregon) (us-west-2), you want to use arn:aws:kms:us-west-2:111122223333:key/1234abcd-12ab-34cd-56ef-1234567890ab.

  • In Europe (Frankfurt) (eu-central-1), you want to use arn:aws:kms:eu-central-1:111122223333:key/0987dcba-09fe-87dc-65ba-ab0987654321.

  • In Asia Pacific (Singapore) (ap-southeast-1), you want to use arn:aws:kms:ap-southeast-1:111122223333:key/1a2b3c4d-5e6f-1a2b-3c4d-5e6f1a2b3c4d.

You could create a different version of your application in each Region or use a dictionary or switch statement to select the right CMK for each Region. But it's much easier to create an alias with the same alias name in each Region. Remember that the alias name is case-sensitive.

aws --region us-west-2 kms create-alias \
    --alias-name alias/new-app \
    --target-key-id arn:aws:kms:us-west-2:111122223333:key/1234abcd-12ab-34cd-56ef-1234567890ab

aws --region eu-central-1 kms create-alias \
    --alias-name alias/new-app \
    --target-key-id arn:aws:kms:eu-central-1:111122223333:key/0987dcba-09fe-87dc-65ba-ab0987654321

aws --region ap-southeast-1 kms create-alias \
    --alias-name alias/new-app \
    --target-key-id arn:aws:kms:ap-southeast-1:111122223333:key/1a2b3c4d-5e6f-1a2b-3c4d-5e6f1a2b3c4d

Then, use the alias in your code. When your code runs in each Region, the alias will refer to its associated CMK in that Region. For example, this code calls the Sign operation with an alias name.

aws kms sign --key-id alias/new-app \
    --message $message \
    --message-type RAW \
    --signing-algorithm RSASSA_PSS_SHA_384

However, there is a risk that the alias might be deleted or updated to be associated with a different CMK. In that case, the application's attempts to verify signatures using the alias name will fail, and you might need to recreate or update the alias.

To mitigate this risk, be cautious about giving principals permission to manage the aliases that you use in your application. For details, see Controlling access to aliases.

There are several other solutions for applications that encrypt data in multiple AWS Regions, including the AWS Encryption SDK.

Updating aliases

Because an alias is an independent resource, you can change the CMK associated with an alias. For example, if the test-key alias is associated with one CMK, you can use the UpdateAlias operation to associate it with a different CMK. This is one of several ways to manually rotate to a new CMK without changing the key material of the old one: ciphertexts produced under the old CMK remain decryptable by it, while new operations that name the alias use the new CMK. You might also update an alias so that an application that was using one CMK for new resources now uses a different CMK.

You cannot update an alias in the AWS KMS console. Also, you cannot use UpdateAlias (or any other operation) to change an alias name. To change an alias name, delete the current alias and then create a new alias for the CMK.

When you update an alias, the current CMK and the new CMK must be the same type (both symmetric or both asymmetric). They must also have the same key usage (ENCRYPT_DECRYPT or SIGN_VERIFY). This restriction prevents cryptographic errors in code that uses aliases.

The following example begins by using the ListAliases operation to show that the test-key alias is currently associated with CMK 1234abcd-12ab-34cd-56ef-1234567890ab.

$ aws kms list-aliases --key-id 1234abcd-12ab-34cd-56ef-1234567890ab
{
    "Aliases": [
        {
            "AliasName": "alias/test-key",
            "AliasArn": "arn:aws:kms:us-west-2:111122223333:alias/test-key",
            "TargetKeyId": "1234abcd-12ab-34cd-56ef-1234567890ab"
        }
    ]
}

Next, it uses the UpdateAlias operation to change the CMK that is associated with the test-key alias to CMK 0987dcba-09fe-87dc-65ba-ab0987654321. You don't need to specify the currently associated CMK, only the new ("target") CMK. The alias name is case sensitive.

$ aws kms update-alias --alias-name 'alias/test-key' --target-key-id 0987dcba-09fe-87dc-65ba-ab0987654321

To verify that the alias is now associated with the target CMK, use the ListAliases operation again. This AWS CLI command uses the --query parameter to get only the test-key alias.

$ aws kms list-aliases --query 'Aliases[?AliasName==`alias/test-key`]'
[
    {
        "AliasName": "alias/test-key",
        "AliasArn": "arn:aws:kms:us-west-2:111122223333:alias/test-key",
        "TargetKeyId": "0987dcba-09fe-87dc-65ba-ab0987654321"
    }
]
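UpdateAlias rejects a move between a symmetric and an asymmetric CMK, or between CMKs with different key usage, and the alias and CMK must share an account and Region. A rotation script should establish that before it touches the alias, using the KeyMetadata that DescribeKey returns for the current and target CMKs. The following Python is an added example, not code from the AWS documentation; the metadata fragments are constructed, update_alias_problems is this example's own name, and it assumes a CMK is symmetric exactly when its key spec is SYMMETRIC_DEFAULT (RSA_* and ECC_* specs being asymmetric). The KeyState check at the end is a practitioner precaution, not a KMS rule.

```python
"""Pre-flight check for UpdateAlias.

Added example, not code from the AWS documentation. Applies the UpdateAlias
rules to two KeyMetadata dicts (as returned by DescribeKey) so that a rotation
script can fail with a readable reason before the alias is changed.
"""

# Assumption: symmetric CMKs carry this spec; every other spec is asymmetric.
SYMMETRIC_SPEC = "SYMMETRIC_DEFAULT"


def key_spec(meta):
    # Newer responses carry KeySpec; older ones carried CustomerMasterKeySpec.
    return meta.get("KeySpec") or meta.get("CustomerMasterKeySpec") or SYMMETRIC_SPEC


def is_symmetric(meta):
    return key_spec(meta) == SYMMETRIC_SPEC


def account_and_region(key_arn):
    """('111122223333', 'us-west-2') from arn:aws:kms:us-west-2:111122223333:key/<id>."""
    parts = key_arn.split(":")
    return parts[4], parts[3]


def update_alias_problems(current, target):
    """Reasons why moving an alias from `current` to `target` would fail or is unsafe."""
    problems = []
    if is_symmetric(current) != is_symmetric(target):
        problems.append("CMKs must both be symmetric or both be asymmetric")
    if current.get("KeyUsage") != target.get("KeyUsage"):
        problems.append("KeyUsage differs: %s vs %s" % (current.get("KeyUsage"), target.get("KeyUsage")))
    if account_and_region(current["Arn"]) != account_and_region(target["Arn"]):
        problems.append("alias and CMK must be in the same account and Region")
    # Not a KMS rule, but a practitioner check: pointing an alias at a disabled or
    # pending-deletion CMK breaks every caller that uses the alias.
    if target.get("KeyState") != "Enabled":
        problems.append("target CMK state is %s, not Enabled" % target.get("KeyState"))
    return problems


def _meta(key_id, region, spec, usage, state="Enabled"):
    """Constructed KeyMetadata fragment carrying only the fields the check reads."""
    return {"KeyId": key_id,
            "Arn": "arn:aws:kms:%s:111122223333:key/%s" % (region, key_id),
            "KeySpec": spec, "KeyUsage": usage, "KeyState": state}


SYM_CURRENT = _meta("1234abcd-12ab-34cd-56ef-1234567890ab", "us-west-2", "SYMMETRIC_DEFAULT", "ENCRYPT_DECRYPT")
SYM_TARGET = _meta("0987dcba-09fe-87dc-65ba-ab0987654321", "us-west-2", "SYMMETRIC_DEFAULT", "ENCRYPT_DECRYPT")
RSA_SIGNING = _meta("1a2b3c4d-5e6f-1a2b-3c4d-5e6f1a2b3c4d", "us-west-2", "RSA_2048", "SIGN_VERIFY")
SYM_FRANKFURT = _meta("0987dcba-09fe-87dc-65ba-ab0987654321", "eu-central-1", "SYMMETRIC_DEFAULT", "ENCRYPT_DECRYPT")
SYM_DISABLED = _meta("0987dcba-09fe-87dc-65ba-ab0987654321", "us-west-2", "SYMMETRIC_DEFAULT", "ENCRYPT_DECRYPT", "Disabled")

if __name__ == "__main__":
    for label, target in (("symmetric", SYM_TARGET), ("rsa", RSA_SIGNING),
                          ("frankfurt", SYM_FRANKFURT), ("disabled", SYM_DISABLED)):
        print(label, update_alias_problems(SYM_CURRENT, target) or "OK to UpdateAlias")
```

When the first problem is reported (different key type or usage), UpdateAlias cannot be used at all; the only route is to delete the alias and recreate it on the new CMK, after you have weighed the effect on callers that use the alias for the old key type.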

Deleting an alias

You can delete an alias in the AWS KMS console or by using the DeleteAlias operation. Before deleting an alias, make sure that it's not in use. Although deleting an alias doesn't affect the associated CMK, it might create problems for any application that uses the alias. If you delete an alias by mistake, you can create a new alias with the same name and associate it with the same or a different CMK.

If you delete a CMK, all aliases associated with that CMK are deleted.

Delete aliases (console)

To delete an alias in the AWS KMS console, use the Aliases tab on the detail page for the CMK. You can delete multiple aliases for a CMK at one time.

  1. Sign in to the AWS Management Console and open the AWS Key Management Service (AWS KMS) console at https://console.aws.amazon.com/kms.

  2. To change the AWS Region, use the Region selector in the upper-right corner of the page.

  3. In the navigation pane, choose Customer managed keys. You cannot manage aliases for AWS managed CMKs or AWS owned CMKs.

  4. In the table, choose the key ID or alias of the CMK. Then, on the CMK detail page, choose the Aliases tab.

    If a CMK has multiple aliases, the Aliases column in the table displays one alias and an alias summary, such as (+n more). Choosing the alias summary takes you directly to the Aliases tab on the CMK detail page.

  5. On the Aliases tab, select the check box next to the aliases that you want to delete. Then choose Delete.

Delete an alias (AWS KMS API)

To delete an alias, use the DeleteAlias operation. This operation deletes one alias at a time. The alias name is case-sensitive and it must be preceded by the alias/ prefix.

For example, the following command deletes the test-key alias. This command does not return any output.

$ aws kms delete-alias --alias-name alias/test-key

To verify that the alias is deleted, use the ListAliases operation. The following command uses the --query parameter in the AWS CLI to get only the test-key alias. The empty brackets in the response indicate that the ListAliases response didn't include a test-key alias. To eliminate the brackets, use the --output text parameter and value.

$ aws kms list-aliases --query 'Aliases[?AliasName==`alias/test-key`]'
[]

Controlling access to aliases

When you create or change an alias, you affect the alias and its associated CMK. Therefore, principals who manage aliases must have permission to call the alias operation on the alias and on all affected CMKs. You can provide these permissions by using key policies, IAM policies and grants.

For information about controlling access to all AWS KMS operations, see AWS KMS API permissions reference.

Permissions to create and manage aliases work as follows.

kms:CreateAlias

To create an alias, the principal needs the following permissions for both the alias and for the associated CMK.

  • kms:CreateAlias for the alias. Provide this permission in an IAM policy that is attached to the principal who is allowed to create the alias.

    The following example policy statement specifies the alias in a Resource element. But you can specify a Resource value of "*" to allow the principal to create any alias in the account and Region. Permission to create an alias can also be included in a kms:Create* permission for all resources in an account and Region.

    {
      "Sid": "IAMPolicyForAnAlias",
      "Effect": "Allow",
      "Action": [
        "kms:CreateAlias",
        "kms:UpdateAlias",
        "kms:DeleteAlias"
      ],
      "Resource": "arn:aws:kms:us-west-2:111122223333:alias/test-key"
    }
  • kms:CreateAlias for the CMK. This permission must be provided in a key policy or in an IAM policy that is delegated from the key policy.

    {
      "Sid": "Key policy for 1234abcd-12ab-34cd-56ef-1234567890ab",
      "Effect": "Allow",
      "Principal": {"AWS": "arn:aws:iam::111122223333:user/KMSAdminUser"},
      "Action": [
        "kms:CreateAlias",
        "kms:DescribeKey"
      ],
      "Resource": "*"
    }
kms:ListAliases

To list aliases in the account and Region, the principal must have kms:ListAliases permission in an IAM policy. This policy isn't related to any particular CMK or alias resource.

For example, the following IAM policy statement gives the principal permission to list all CMKs and aliases in the account and Region.

{
  "Version": "2012-10-17",
  "Statement": {
    "Effect": "Allow",
    "Action": [
      "kms:ListKeys",
      "kms:ListAliases"
    ],
    "Resource": "*"
  }
}
kms:UpdateAlias

To change the CMK that is associated with an alias, the principal needs three permission elements: one for the alias, one for the current CMK, and one for the new CMK.

For example, suppose you want to change the test-key alias from the CMK with key ID 1234abcd-12ab-34cd-56ef-1234567890ab to the CMK with key ID 0987dcba-09fe-87dc-65ba-ab0987654321. In that case, include policy statements similar to the examples in this section.

  • kms:UpdateAlias for the alias. You provide this permission in an IAM policy that is attached to the principal. The following IAM policy specifies a particular alias. But you can list multiple alias ARNs or use a Resource value of "*" to apply the permission to all aliases in the account and Region.

    {
      "Sid": "IAMPolicyForAnAlias",
      "Effect": "Allow",
      "Action": [
        "kms:UpdateAlias",
        "kms:ListAliases",
        "kms:ListKeys"
      ],
      "Resource": "arn:aws:kms:us-west-2:111122223333:alias/test-key"
    }
  • kms:UpdateAlias for the CMK that is currently associated with the alias. This permission must be provided in a key policy or in an IAM policy that is delegated from the key policy.

    {
      "Sid": "Key policy for 1234abcd-12ab-34cd-56ef-1234567890ab",
      "Effect": "Allow",
      "Principal": {"AWS": "arn:aws:iam::111122223333:user/KMSAdminUser"},
      "Action": [
        "kms:UpdateAlias",
        "kms:DescribeKey"
      ],
      "Resource": "*"
    }
  • kms:UpdateAlias for the CMK that the operation associates with the alias. This permission must be provided in a key policy or in an IAM policy that is delegated from the key policy.

    {
      "Sid": "Key policy for 0987dcba-09fe-87dc-65ba-ab0987654321",
      "Effect": "Allow",
      "Principal": {"AWS": "arn:aws:iam::111122223333:user/KMSAdminUser"},
      "Action": [
        "kms:UpdateAlias",
        "kms:DescribeKey"
      ],
      "Resource": "*"
    }
kms:DeleteAlias

To delete an alias, the principal needs permission for the alias and for the associated CMK.

As always, you should exercise caution when giving principals permission to delete a resource. However, deleting an alias has no effect on the associated CMK. Although it might cause a failure in an application that relies on the alias, if you mistakenly delete an alias, you can recreate it.

  • kms:DeleteAlias for the alias. Provide this permission in an IAM policy attached to the principal who is allowed to delete the alias.

    The following example policy statement specifies the alias in a Resource element. But you can specify a Resource value of "*" to allow the principal to delete any alias in the account and Region.

    {
      "Sid": "IAMPolicyForAnAlias",
      "Effect": "Allow",
      "Action": [
        "kms:CreateAlias",
        "kms:UpdateAlias",
        "kms:DeleteAlias"
      ],
      "Resource": "arn:aws:kms:us-west-2:111122223333:alias/test-key"
    }
  • kms:DeleteAlias for the associated CMK. This permission must be provided in a key policy or in an IAM policy that is delegated from the key policy.

    {
      "Sid": "Key policy for 1234abcd-12ab-34cd-56ef-1234567890ab",
      "Effect": "Allow",
      "Principal": {"AWS": "arn:aws:iam::111122223333:user/KMSAdminUser"},
      "Action": [
        "kms:CreateAlias",
        "kms:UpdateAlias",
        "kms:DeleteAlias",
        "kms:DescribeKey"
      ],
      "Resource": "*"
    }

Finding aliases in AWS CloudTrail logs

When you use an alias to represent a customer master key (CMK) in an AWS KMS API operation, the alias and the key ARN of the CMK are recorded in the AWS CloudTrail log entry for the event. The alias appears in the requestParameters field. The key ARN appears in the resources field. This is true even when an AWS service uses an AWS managed CMK in your account.

For example, the following GenerateDataKey request uses the project-key alias to represent a CMK.

$ aws kms generate-data-key --key-id alias/project-key --key-spec AES_256

When this request is recorded in the CloudTrail log, the log entry includes both the alias and the key ARN of the actual CMK that was used.

{
    "eventVersion": "1.05",
    "userIdentity": {
        "type": "IAMUser",
        "principalId": "ABCDE",
        "arn": "arn:aws:iam::111122223333:role/ProjectDev",
        "accountId": "111122223333",
        "accessKeyId": "FFHIJ",
        "userName": "example-dev"
    },
    "eventTime": "2020-06-29T23:36:41Z",
    "eventSource": "kms.amazonaws.com",
    "eventName": "GenerateDataKey",
    "awsRegion": "us-west-2",
    "sourceIPAddress": "205.205.123.000",
    "userAgent": "aws-cli/1.18.89 Python/3.6.10 Linux/4.9.217-0.1.ac.205.84.332.metal1.x86_64 botocore/1.17.12",
    "requestParameters": {
        "keyId": "alias/project-key",
        "keySpec": "AES_256"
    },
    "responseElements": null,
    "requestID": "d93f57f5-d4c5-4bab-8139-5a1f7824a363",
    "eventID": "d63001e2-dbc6-4aae-90cb-e5370aca7125",
    "readOnly": true,
    "resources": [
        {
            "accountId": "111122223333",
            "type": "AWS::KMS::Key",
            "ARN": "arn:aws:kms:us-west-2:111122223333:key/1234abcd-12ab-34cd-56ef-1234567890ab"
        }
    ],
    "eventType": "AwsApiCall",
    "recipientAccountId": "111122223333"
}

For details about logging AWS KMS operations in CloudTrail logs, see Logging AWS KMS API calls with AWS CloudTrail.
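The pairing of requestParameters.keyId (the alias the caller named) with resources[].ARN (the CMK that actually did the work) is what lets you audit alias use after the fact, and the same log stream carries the UpdateAlias and DeleteAlias calls that the "Using aliases in your applications" section warns about. The following Python is an added example, not code from the AWS documentation: it runs both checks over a list of CloudTrail records. The records are constructed; the first mirrors the GenerateDataKey entry above, and the rest (an UpdateAlias that re-points alias/project-key, a later call through the alias, a DeleteAlias) are invented for the demonstration. It assumes that for UpdateAlias and DeleteAlias, CloudTrail records the request fields as requestParameters.aliasName and requestParameters.targetKeyId, the usual camel-casing of API parameters; confirm that against your own logs before relying on it. Function names are this example's own.

```python
"""Alias resolution and alias-change detection over CloudTrail records.

Added example, not code from the AWS documentation. Feed it the `Records`
array of a CloudTrail log file, or the events returned by LookupEvents.
"""

KEY_ARN_A = "arn:aws:kms:us-west-2:111122223333:key/1234abcd-12ab-34cd-56ef-1234567890ab"
KEY_ARN_B = "arn:aws:kms:us-west-2:111122223333:key/0987dcba-09fe-87dc-65ba-ab0987654321"
ALIAS_ARN = "arn:aws:kms:us-west-2:111122223333:alias/project-key"


def _record(time, name, params, arns, actor="arn:aws:iam::111122223333:role/ProjectDev",
            ip="205.205.123.000"):
    """Constructed CloudTrail record carrying only the fields the checks read."""
    return {"eventTime": time, "eventSource": "kms.amazonaws.com", "eventName": name,
            "awsRegion": "us-west-2", "sourceIPAddress": ip,
            "userIdentity": {"arn": actor}, "requestParameters": params,
            "resources": [{"accountId": "111122223333", "type": "AWS::KMS::Key", "ARN": a}
                          for a in arns]}


# Constructed log window: a call through the alias, the alias being re-pointed,
# a call through the alias ARN afterwards, a call by key ID, and an alias deletion.
RECORDS = [
    _record("2020-06-29T23:36:41Z", "GenerateDataKey",
            {"keyId": "alias/project-key", "keySpec": "AES_256"}, [KEY_ARN_A]),
    _record("2020-06-30T01:02:03Z", "UpdateAlias",
            {"aliasName": "alias/project-key", "targetKeyId": "0987dcba-09fe-87dc-65ba-ab0987654321"},
            [KEY_ARN_A, KEY_ARN_B], actor="arn:aws:iam::111122223333:user/KMSAdminUser", ip="198.51.100.7"),
    _record("2020-06-30T01:10:00Z", "GenerateDataKey",
            {"keyId": ALIAS_ARN, "keySpec": "AES_256"}, [KEY_ARN_B]),
    _record("2020-06-30T02:00:00Z", "Encrypt",
            {"keyId": "1234abcd-12ab-34cd-56ef-1234567890ab"}, [KEY_ARN_A]),
    _record("2020-06-30T03:00:00Z", "DeleteAlias",
            {"aliasName": "alias/test-key"}, [KEY_ARN_A],
            actor="arn:aws:iam::111122223333:user/KMSAdminUser"),
]

ALIAS_MUTATIONS = {"CreateAlias", "UpdateAlias", "DeleteAlias"}


def alias_from_key_id(key_id):
    """'alias/project-key' from an alias name or alias ARN; None for key IDs and key ARNs."""
    if key_id.startswith("alias/"):
        return key_id
    if ":alias/" in key_id:
        return "alias/" + key_id.split(":alias/", 1)[1]
    return None


def resolve_alias_uses(records):
    """{alias name: set of key ARNs it resolved to} for calls that named the CMK by alias."""
    uses = {}
    for r in records:
        if r.get("eventSource") != "kms.amazonaws.com":
            continue
        alias = alias_from_key_id((r.get("requestParameters") or {}).get("keyId", ""))
        if alias is None:
            continue
        arns = {res["ARN"] for res in r.get("resources", []) if res.get("type") == "AWS::KMS::Key"}
        uses.setdefault(alias, set()).update(arns)
    return uses


def repointed_aliases(records):
    """Aliases that resolved to more than one CMK in the window: someone moved them."""
    return {alias: sorted(arns) for alias, arns in resolve_alias_uses(records).items() if len(arns) > 1}


def alias_changes(records, watched):
    """Create/Update/Delete events against aliases in `watched`, oldest first."""
    hits = []
    for r in records:
        if r.get("eventSource") != "kms.amazonaws.com" or r.get("eventName") not in ALIAS_MUTATIONS:
            continue
        params = r.get("requestParameters") or {}
        if params.get("aliasName") in watched:
            hits.append({"time": r.get("eventTime"), "event": r["eventName"],
                         "alias": params["aliasName"], "target": params.get("targetKeyId"),
                         "actor": (r.get("userIdentity") or {}).get("arn"),
                         "source_ip": r.get("sourceIPAddress")})
    return sorted(hits, key=lambda h: h["time"])


if __name__ == "__main__":
    print(resolve_alias_uses(RECORDS))
    print(repointed_aliases(RECORDS))
    for hit in alias_changes(RECORDS, {"alias/project-key", "alias/test-key"}):
        print(hit)
```

The two checks complement each other: alias_changes() catches the management call itself (and names the principal and source address to chase), while repointed_aliases() catches the effect even when the UpdateAlias event landed in a different log file or Region's trail, because every cryptographic call that used the alias records the CMK it actually resolved to.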