AWS::KMS::Alias

The AWS::KMS::Alias resource specifies a display name for a [KMS key](https://docs.aws.amazon.com/kms/latest/developerguide/concepts.html#kms_keys). You can use an alias to identify a KMS key in the KMS console, in the [DescribeKey](https://docs.aws.amazon.com/kms/latest/APIReference/API_DescribeKey.html) operation, and in [cryptographic operations](https://docs.aws.amazon.com/kms/latest/developerguide/concepts.html#cryptographic-operations), such as [Decrypt](https://docs.aws.amazon.com/kms/latest/APIReference/API_Decrypt.html) and [GenerateDataKey](https://docs.aws.amazon.com/kms/latest/APIReference/API_GenerateDataKey.html).

Adding, deleting, or updating an alias can allow or deny permission to the KMS key. For details, see [ABAC for KMS](https://docs.aws.amazon.com/kms/latest/developerguide/abac.html) in the *Developer Guide*.

Using an alias to refer to a KMS key can help you simplify key management. For example, an alias in your code can be associated with different KMS keys in different AWS Regions. For more information, see [Using aliases](https://docs.aws.amazon.com/kms/latest/developerguide/kms-alias.html) in the *Developer Guide*.

When specifying an alias, observe the following rules.

+ Each alias is associated with one KMS key, but multiple aliases can be associated with the same KMS key.
+ The alias and its associated KMS key must be in the same AWS account and Region.
+ The alias name must be unique in the AWS account and Region. However, you can create aliases with the same name in different AWS Regions. For example, you can have an `alias/projectKey` in multiple Regions, each of which is associated with a KMS key in its Region.
+ Each alias name must begin with `alias/` followed by a name, such as `alias/exampleKey`. The alias name can contain only alphanumeric characters, forward slashes (/), underscores (_), and dashes (-). Alias names cannot begin with `alias/aws/`. That alias name prefix is reserved for [AWS managed keys](https://docs.aws.amazon.com/kms/latest/developerguide/concepts.html#aws-managed-cmk).

*Regions*

KMS CloudFormation resources are available in all AWS Regions in which KMS and CloudFormation are supported.
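The naming rules above, applied as a pre-deployment check (an added example, not code from this page or from AWS): it takes a template already parsed into a dict and reports `AWS::KMS::Alias` resources that break them. The function names and the sample template are assumptions made for illustration.

```python
import re

# Rules from this page: "alias/" prefix, then alphanumerics, "/", "_" or "-";
# the "alias/aws/" prefix is reserved.
ALIAS_RE = re.compile(r"alias/[A-Za-z0-9/_-]+")
TYPE = "AWS::KMS::Alias"

def lint_alias_name(name):
    """Return the rule violations for one AliasName value."""
    if not isinstance(name, str):
        # An intrinsic such as {"Fn::Sub": ...} only resolves at deploy time.
        return ["AliasName is not a literal string; check the resolved value"]
    if not name.startswith("alias/"):
        return ["must begin with alias/"]
    if name.startswith("alias/aws/"):
        return ["alias/aws/ prefix is reserved"]
    if not ALIAS_RE.fullmatch(name):
        return ["name after alias/ must be non-empty: alphanumerics, /, _ and - only"]
    return []

def lint_template(template):
    """Map logical ID -> problems for each AWS::KMS::Alias in a parsed template."""
    findings, seen = {}, {}
    for logical_id, res in template.get("Resources", {}).items():
        if res.get("Type") != TYPE:
            continue
        props = res.get("Properties", {})
        problems = [f"missing required property {p}"
                    for p in ("AliasName", "TargetKeyId") if p not in props]
        name = props.get("AliasName")
        if name is not None:
            problems += lint_alias_name(name)
        if isinstance(name, str):
            # A stack deploys into one account and Region, where names are unique.
            if name in seen:
                problems.append(f"same alias name as {seen[name]}")
            seen.setdefault(name, logical_id)
        if problems:
            findings[logical_id] = problems
    return findings

# Constructed sample (template already parsed into a dict), not from the page.
SAMPLE = {"Resources": {
    "Ok": {"Type": TYPE, "Properties": {"AliasName": "alias/projectKey", "TargetKeyId": {"Ref": "Key"}}},
    "Dup": {"Type": TYPE, "Properties": {"AliasName": "alias/projectKey", "TargetKeyId": {"Ref": "Key"}}},
    "NoPrefix": {"Type": TYPE, "Properties": {"AliasName": "my-aliasname", "TargetKeyId": "my-targetkeyid"}},
    "Reserved": {"Type": TYPE, "Properties": {"AliasName": "alias/aws/s3"}},
}}
```

Calling `lint_template(SAMPLE)` returns findings for `Dup`, `NoPrefix` and `Reserved` and nothing for `Ok`.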
2 configurable properties. 2 required.
| Property | Type | Flags |
|---|---|---|
| AliasName | string | Required, Create-only |
| TargetKeyId | string | Required |
A minimal template with required properties and common optional ones.
```yaml
AWSTemplateFormatVersion: "2010-09-09"
Description: Sample template for AWS::KMS::Alias
Resources:
  MyResource:
    Type: AWS::KMS::Alias
    Properties:
      # AliasName must begin with alias/
      AliasName: "alias/my-aliasname"
      TargetKeyId: "my-targetkeyid"
```

Permissions CloudFormation needs in your IAM role to manage this resource.
+ kms:ListAliases
+ kms:CreateAlias
+ kms:UpdateAlias
+ kms:DeleteAlias

These properties cannot be changed after the resource is created. Updating them triggers a replacement.

+ AliasName