Managing KMS key tags in the console - AWS Key Management Service
Add tags while creating a KMS keyView and manage tags on existing KMS keys

Managing KMS key tags in the console

You can add tags to a KMS key when you create the KMS key in the AWS KMS console. You can also use the Tags tab in the console to add, edit, and delete tags on customer managed keys To add, edit, view, and delete tags for a KMS key, you must have the required permissions. For details, see Controlling access to tags.

Add tags while creating a KMS key

To add tags when creating a KMS key in the console, you must have kms:TagResource permission in an IAM policy in addition to the permissions required to create KMS keys and view KMS keys in the console. At a minimum, the permission must cover all KMS keys in the account and Region.

  1. Sign in to the AWS Management Console and open the AWS Key Management Service (AWS KMS) console at https://console.aws.amazon.com/kms.

  2. To change the AWS Region, use the Region selector in the upper-right corner of the page.

  3. In the navigation pane, choose Customer managed keys. (You cannot manage the tags of an AWS managed key)

  4. Choose the key type, then choose Next.

  5. Enter an alias and optional description.

  6. Enter a tag key and, optionally, a tag value. To add additional tags, choose Add tag. To delete a tag, choose Remove. When you're done tagging your new KMS key, choose Next.

  7. Finish creating your KMS key.

Show moreShow less

View and manage tags on existing KMS keys

To add, view, edit, and delete tags in the console, you need tagging permission on the KMS key. You can get this permission from the key policy for the KMS key or, if the key policy allows it, from an IAM policy that includes the KMS key. You need these permissions in addition to the permissions to view KMS keys in the console.

  1. Sign in to the AWS Management Console and open the AWS Key Management Service (AWS KMS) console at https://console.aws.amazon.com/kms.

  2. To change the AWS Region, use the Region selector in the upper-right corner of the page.

  3. In the navigation pane, choose Customer managed keys. (You cannot manage the tags of an AWS managed key)

  4. You can use the table filter to display only KMS keys with particular tags. For details, see Sorting and filtering your KMS keys.

  5. Select the check box next to the alias of a KMS key.

  6. Choose Key actions, Add or edit tags.

  7. On the details page for KMS key, choose the Tags tab.

    • To create your first tag, choose Create tag, type a tag key (required) and tag value (optional), and then choose Save.

      If you leave the tag value blank, the actual tag value is a null or empty string.

    • To add a tag, choose Edit, choose Add tag, type a tag key and tag value, and then choose Save.

    • To change the name or value of a tag, choose Edit, make your changes, and then choose Save.

    • To delete a tag, choose Edit. On the tag row, choose Remove, and then choose Save.

  8. To save your changes, choose Save changes.

Show moreShow less