AWS::KMS::Alias - Amazon CloudFormation
SyntaxPropertiesReturn valuesExamplesSee also
Services or capabilities described in Amazon Web Services documentation might vary by Region. To see the differences applicable to the China Regions, see Getting Started with Amazon Web Services in China (PDF).

This is the new Amazon CloudFormation Template Reference Guide. Please update your bookmarks and links. For help getting started with CloudFormation, see the Amazon CloudFormation User Guide.

AWS::KMS::Alias

The AWS::KMS::Alias resource specifies a display name for a KMS key. You can use an alias to identify a KMS key in the Amazon KMS console, in the DescribeKey operation, and in cryptographic operations, such as Decrypt and GenerateDataKey.

Note

Adding, deleting, or updating an alias can allow or deny permission to the KMS key. For details, see ABAC for Amazon KMS in the Amazon Key Management Service Developer Guide.

Using an alias to refer to a KMS key can help you simplify key management. For example, an alias in your code can be associated with different KMS keys in different Amazon Web Services Regions. For more information, see Using aliases in the Amazon Key Management Service Developer Guide.

When specifying an alias, observe the following rules.

  • Each alias is associated with one KMS key, but multiple aliases can be associated with the same KMS key.

  • The alias and its associated KMS key must be in the same Amazon Web Services account and Region.

  • The alias name must be unique in the Amazon Web Services account and Region. However, you can create aliases with the same name in different Amazon Web Services Regions. For example, you can have an alias/projectKey in multiple Regions, each of which is associated with a KMS key in its Region.

  • Each alias name must begin with alias/ followed by a name, such as alias/exampleKey. The alias name can contain only alphanumeric characters, forward slashes (/), underscores (_), and dashes (-). Alias names cannot begin with alias/aws/. That alias name prefix is reserved for Amazon managed keys.

Regions

Amazon KMS CloudFormation resources are available in all Amazon Web Services Regions in which Amazon KMS and Amazon CloudFormation are supported.

Syntax

To declare this entity in your Amazon CloudFormation template, use the following syntax:

JSON

{
  "Type" : "AWS::KMS::Alias",
  "Properties" : {
      "AliasName" : String,
      "TargetKeyId" : String
    }
}

YAML

Type: AWS::KMS::Alias
Properties:
  AliasName: String
  TargetKeyId: String

Properties

AliasName

Specifies the alias name. This value must begin with alias/ followed by a name, such as alias/ExampleAlias.

Note

If you change the value of the AliasName property, the existing alias is deleted and a new alias is created for the specified KMS key. This change can disrupt applications that use the alias. It can also allow or deny access to a KMS key affected by attribute-based access control (ABAC).

The alias must be string of 1-256 characters. It can contain only alphanumeric characters, forward slashes (/), underscores (_), and dashes (-). The alias name cannot begin with alias/aws/. The alias/aws/ prefix is reserved for Amazon managed keys.

Required: Yes

Type: String

Pattern: ^(alias/)[a-zA-Z0-9:/_-]+$

Minimum: 1

Maximum: 256

Update requires: Replacement

TargetKeyId

Associates the alias with the specified customer managed key . The KMS key must be in the same Amazon Web Services account and Region.

A valid key ID is required. If you supply a null or empty string value, this operation returns an error.

For help finding the key ID and ARN, see Finding the key ID and ARN in the Amazon Key Management Service Developer Guide.

Specify the key ID or the key ARN of the KMS key.

For example:

  • Key ID: 1234abcd-12ab-34cd-56ef-1234567890ab

  • Key ARN: arn:aws:kms:us-east-2:111122223333:key/1234abcd-12ab-34cd-56ef-1234567890ab

To get the key ID and key ARN for a KMS key, use ListKeys or DescribeKey.

Required: Yes

Type: String

Minimum: 1

Maximum: 256

Update requires: No interruption

Return values

Ref

When you pass the logical ID of this resource to the intrinsic Ref function, Ref returns the alias name, such as alias/exampleAlias.

For more information about using the Ref function, see Ref.

Examples

Create an alias

The following examples create the alias/exampleAlias alias for a KMS key. The KMS key is identified by a reference to its CloudFormation resource name. Before using these examples, replace the example target key ID and example alias with valid values.

JSON

{
    "myAlias": {
        "Type": "AWS::KMS::Alias",
        "Properties": {
            "AliasName": "alias/exampleAlias",
            "TargetKeyId": {
                "Ref": "myKey"
            }
        }
    }
}

YAML

myAlias:
  Type: 'AWS::KMS::Alias'
  Properties:
    AliasName: alias/exampleAlias
    TargetKeyId: !Ref myKey

See also