Add tags to a KMS key - Amazon Key Management Service
Services or capabilities described in Amazon Web Services documentation might vary by Region. To see the differences applicable to the China Regions, see Getting Started with Amazon Web Services in China (PDF).

Add tags to a KMS key

Tags help identify and organize your Amazon resources. You can add tags to a customer managed key when you create the KMS key, or add tags to existing KMS keys. You cannot tag Amazon managed keys.

The following procedures demonstrate how to add tags to customer managed keys using the Amazon KMS console and Amazon KMS API. The Amazon KMS API examples use the Amazon Command Line Interface (Amazon CLI), but you can use any supported programming language.

Add tags while creating a KMS key

You can add tags to a KMS key as you create the key using the Amazon KMS console or the CreateKey operation. To add tags when creating a KMS key, you must have kms:TagResource permission in an IAM policy in addition to the permissions required to create KMS keys. At a minimum, the permission must cover all KMS keys in the account and Region. For details, see Controlling access to tags.

To add tags when creating a KMS key in the console, you must have the permissions required to view KMS keys in the console in addition to the permissions required to tag and create KMS keys. At a minimum, the permission must cover all KMS keys in the account and Region.

  1. Sign in to the Amazon Web Services Management Console and open the Amazon Key Management Service (Amazon KMS) console at https://console.amazonaws.cn/kms.

  2. To change the Amazon Web Services Region, use the Region selector in the upper-right corner of the page.

  3. In the navigation pane, choose Customer managed keys. (You cannot manage the tags of an Amazon managed key.)

  4. Choose the key type, then choose Next.

  5. Enter an alias and optional description.

  6. Enter a tag key and, optionally, a tag value. To add additional tags, choose Add tag. To delete a tag, choose Remove. When you're done tagging your new KMS key, choose Next.

  7. Finish creating your KMS key.

To specify tags when creating keys using the CreateKey operation, use the Tags parameter of the operation.

The value of the Tags parameter of CreateKey is a collection of case-sensitive tag key and tag value pairs. Each tag on a KMS key must have a different tag key. The tag value can be a null or empty string.

For example, the following Amazon CLI command creates a symmetric encryption KMS key with a Project:Alpha tag. When specifying more than one key-value pair, use a space to separate each pair.

$ aws kms create-key --tags TagKey=Project,TagValue=Alpha

When this command is successful, it returns a KeyMetadata object with information about the new KMS key. However, the KeyMetadata does not include tags. To get the tags, use the ListResourceTags operation.

Add tags to existing KMS keys

You can add tags to your existing customer managed KMS keys in the Amazon KMS console or by using the TagResource operation. To add tags, you need tagging permission on the KMS key. You can get this permission from the key policy for the KMS key or, if the key policy allows it, from an IAM policy that includes the KMS key.

  1. Sign in to the Amazon Web Services Management Console and open the Amazon Key Management Service (Amazon KMS) console at https://console.amazonaws.cn/kms.

  2. To change the Amazon Web Services Region, use the Region selector in the upper-right corner of the page.

  3. In the navigation pane, choose Customer managed keys. (You cannot manage the tags of an Amazon managed key.)

  4. You can use the table filter to display only KMS keys with particular tags. For details, see View tags using the Amazon KMS console.

  5. Select the check box next to the alias of a KMS key.

  6. Choose Key actions, Add or edit tags.

  7. On the details page for the KMS key, choose the Tags tab.

    • To create your first tag, choose Create tag, type a tag key (required) and tag value (optional), and then choose Save.

      If you leave the tag value blank, the actual tag value is a null or empty string.

    • To add a tag, choose Edit, choose Add tag, type a tag key and tag value, and then choose Save.

  8. To save your changes, choose Save changes.

The TagResource operation adds one or more tags to a KMS key. You cannot use this operation to add tags in a different Amazon Web Services account. You can also use the TagResource operation to edit existing tags. For more information, see Edit tags associated with a KMS key.

To add a tag, specify a new tag key and a tag value. Each tag on a KMS key must have a different tag key. The tag value can be a null or empty string.

For example, the following command adds Purpose and Department tags to an example KMS key.

$ aws kms tag-resource \
    --key-id 1234abcd-12ab-34cd-56ef-1234567890ab \
    --tags TagKey=Purpose,TagValue=Pretest TagKey=Department,TagValue=Finance

When this command is successful, it does not return any output. To view the tags on a KMS key, use the ListResourceTags operation.
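The two CLI procedures on this page, tagging at CreateKey and tagging an existing key with TagResource, combined into one added example script. This is not code from the Amazon KMS documentation; it assumes the aws CLI is installed with credentials and a Region configured. The KMS_CLI variable, the RUN_KMS_DEMO switch and the function names are conventions of this example, not aws CLI features. Because neither create-key nor tag-resource returns the tags, the script finishes every change with a ListResourceTags read, and it rejects duplicate tag keys before making an API call.

```sh
#!/bin/sh
# Added example, not from the Amazon KMS documentation: tag a KMS key at
# creation, tag an existing key, and confirm the result with ListResourceTags.
# Assumes the aws CLI is installed with credentials and a Region configured.
# KMS_CLI (an assumption of this script, not an aws CLI feature) names the
# command to run, so a test can substitute a stub and run offline.

KMS_CLI="${KMS_CLI:-aws}"

# check_tag_keys_unique TagKey=K,TagValue=V [TagKey=K2,TagValue=V2 ...]
# Each tag on a KMS key must have a distinct (case-sensitive) tag key, so
# reject duplicates before spending an API call. Returns 1 on a duplicate.
check_tag_keys_unique() {
  dups=$(for tag in "$@"; do
           k="${tag#TagKey=}"          # drop the TagKey= prefix
           printf '%s\n' "${k%%,*}"    # keep the key, drop ,TagValue=...
         done | sort | uniq -d)
  if [ -n "$dups" ]; then
    printf 'duplicate tag key(s): %s\n' "$dups" >&2
    return 1
  fi
}

# create_tagged_key TagKey=K,TagValue=V [...]
# CreateKey with --tags; prints the new KeyId. The KeyMetadata it returns
# never includes the tags, hence get_tag_value below.
create_tagged_key() {
  check_tag_keys_unique "$@" || return 1
  "$KMS_CLI" kms create-key --tags "$@" \
    --query 'KeyMetadata.KeyId' --output text
}

# tag_existing_key KEY_ID TagKey=K,TagValue=V [...]
# TagResource adds (or overwrites) tags on a key in this account and prints
# nothing on success, so callers should verify with get_tag_value.
tag_existing_key() {
  key_id="$1"; shift
  check_tag_keys_unique "$@" || return 1
  "$KMS_CLI" kms tag-resource --key-id "$key_id" --tags "$@"
}

# get_tag_value KEY_ID TAG_KEY
# Reads one tag's value via ListResourceTags; prints an empty line if the
# tag is absent.
get_tag_value() {
  "$KMS_CLI" kms list-resource-tags --key-id "$1" \
    --query "Tags[?TagKey=='$2'].TagValue" --output text
}

# End-to-end run against a real account (set RUN_KMS_DEMO=1 to execute).
main() {
  key_id=$(create_tagged_key TagKey=Project,TagValue=Alpha) || exit 1
  tag_existing_key "$key_id" \
    TagKey=Purpose,TagValue=Pretest TagKey=Department,TagValue=Finance || exit 1
  printf 'Department tag on %s: %s\n' "$key_id" "$(get_tag_value "$key_id" Department)"
}

if [ "${RUN_KMS_DEMO:-0}" = "1" ]; then
  main
fi
```

Run it against a real account with RUN_KMS_DEMO=1 (for example, `RUN_KMS_DEMO=1 sh tag-kms-key.sh`, file name hypothetical); without the switch it only defines the functions so it can be sourced from other scripts. The read-back through get_tag_value is the point of the script: it is the only way to confirm that a tag actually landed, since KeyMetadata omits tags and tag-resource returns nothing.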