Create KMS Key, review required - AMS Advanced Change Management User Guide

Create KMS Key, review required

Create a KMS key using the AMS console or the AMS API/CLI, this change type requires AMS operations review.

Classification: Deployment | Advanced stack components | KMS key | Create (review required)

Change type ID: 2epp05svrlwod

Version: 2.0

This is a manual change type (an AMS operator must review and act on the CT), which means that the RFC can take longer to run and you might have to communicate with AMS by submitting a service request.

Choose this change type over the automated Create KMS Key change type (ct-1d84keiri1jhg), if you have special KMS key needs that the automated change type does not provide parameters for.


This change type is at v2.0. The required KeyName parameter has been replaced by an optional AliasName parameter; KMS keys use aliases.

To learn more about AWS KMS keys, see AWS Key Management Service (KMS), AWS Key Management Service FAQs, and AWS Key Management Service Concepts.

Required Data:

  • Description: Meaningful information about the KMS key.

  • KeyPermissions: Detailed information about the key permissions update, or a key policy document to be attached to the key (paste the policy document into the value field). For more information, see AWS KMS API Permissions: Actions and Resources Reference.

  • Operation: Must be Create.

Optional Data:

  • AliasName: A meaningful alias for the KMS key.

  • Tags: Tags to categorize the KMS key.

  • KeyRotation: True if the KMS key should be rotated, false if it should not. Default is true. For more information, see Rotating AWS KMS keys.


When using manual (approval required) CTs, AMS recommends that you use the ASAP option (choose ASAP in the console, leave start and end time blank in the API/CLI) as these CTs require an AMS operator to examine the RFC, and possibly communicate with you before it can be approved and run. If you schedule these RFCs, be sure to allow at least 24 hours. If approval does not happen before the scheduled start time, the RFC is rejected automatically.

Screenshot of this change type in the AMS console:

How it works:

  1. Navigate to the Choose change type page: RFCs -> Create RFC.

  2. Choose a change type from the drop-down lists. Optionally, open the Additional configuration area to select a change type version. After your selections are complete, a Change type: details area opens. Choose Next.

  3. Configure the request for change. A Subject is required. Optionally, open the Additional configuration area to add information about the RFC. Choose Next.

  4. Choose the execution parameters. At the top, in the RFC configuration area, enter values for the change type required parameters. These vary by change type. Open the Additional configuration area to add Tags or additional settings. Some change types also provide a Parameters area where only the required settings are visible. In that case, open the Additional configuration area to view optional parameters.

  5. When finished, choose Create. If there are no errors, the RFC successfully created page displays with the submitted RFC details, and the initial Execution output.

  6. Open the Execution parameters area to see the configurations you submitted. Refresh the page to update the RFC execution status. Optionally, cancel the RFC or create a copy of it with the options at the top of the page.

How it works:

  1. Use either the Inline Create (you issue a create-rfc command with all RFC and execution parameters included), or Template Create (you create two JSON files, one for the RFC parameters and one for the execution parameters) and issue the create-rfc command with the two files as input. Both methods are described here.

  2. Submit the RFC: aws amscm submit-rfc --rfc-id ID command with the returned RFC ID.

    Monitor the RFC: aws amscm get-rfc --rfc-id ID command.

To check the change type version, use this command:

aws amscm list-change-type-version-summaries --filter Attribute=ChangeTypeId,Value=CT_ID

You can use any CreateRfc parameters with any RFC whether or not they are part of the schema for the change type. For example, to get notifications when the RFC status changes, add this line, --notification "{\"Email\": {\"EmailRecipients\" : [\"\"]}}" to the RFC parameters part of the request (not the execution parameters). For a list of all CreateRfc parameters, see the AMS Change Management API Reference.


Issue the create RFC command with execution parameters provided inline (escape quotes when providing execution parameters inline), and then submit the returned RFC ID. For example, you can replace the contents with something like this:

aws amscm create-rfc --change-type-id "ct-2epp05svrlwod" --change-type-version "2.0" --title "TITLE" --execution-parameters "{\"Description\": \"Example description\", \"KeyPermissions\": \"key permissions\", \"Operation\": \"Create\"}"


  1. Output the execution parameters JSON schema for this change type to a file; this example names it CreateKmsKeyParams.json:

    aws amscm get-change-type-version --change-type-id "ct-2epp05svrlwod" --query "ChangeTypeVersion.ExecutionInputSchema" --output text > CreateKmsKeyParams.json
  2. Modify and save the CreateKmsKeyParams file. For example, you can replace the contents with something like this:

    { "Description": "KMS key request", "KeyPermissions": "{\"Id\":\"key-consolepolicy-3\",\"Version\":\"2012-10-17\",\"Statement\":[{\"Sid\":\"Allow use of the key\",\"Effect\":\"Allow\",\"Principal\":{\"AWS\":[\"arn:aws:iam::111122223333:role/KMSRole\"]},\"Action\":[\"kms:Encrypt\",\"kms:Decrypt\",\"kms:ReEncrypt*\",\"kms:GenerateDataKey*\",\"kms:DescribeKey\"],\"Resource\":\"*\"}]}", "Operation": "Create" }
  3. Output the RFC template JSON file to a file; this example names it CreateKmsKeyRfc.json:

    aws amscm create-rfc --generate-cli-skeleton > CreateKmsKeyRfc.json
  4. Modify and save the CreateKmsKeyRfc.json file. For example, you can replace the contents with something like this:

    { "ChangeTypeVersion": "2.0", "ChangeTypeId": "ct-2epp05svrlwod", "Title": "KmsKey-Create-RFC" }
  5. Create the RFC, specifying the CreateKmsKey Rfc file and the CreateKmsKeyParams file:

    aws amscm create-rfc --cli-input-json file://CreateKmsKeyRfc.json --execution-parameters file://CreateKmsKeyParams.json

    You receive the ID of the new RFC in the response and can use it to submit and monitor the RFC. Until you submit it, the RFC remains in the editing state and does not start.