Using aliases - Amazon Key Management Service
Services or capabilities described in Amazon Web Services documentation might vary by Region. To see the differences applicable to the China Regions, see Getting Started with Amazon Web Services in China (PDF).

Using aliases

An alias is a friendly name for a Amazon KMS key. For example, an alias lets you refer to a KMS key as test-key instead of 1234abcd-12ab-34cd-56ef-1234567890ab.

You can use an alias to identify a KMS key in the Amazon KMS console, in the DescribeKey operation, and in cryptographic operations, such as Encrypt and GenerateDataKey. Aliases also make it easy to recognize an Amazon managed key. Aliases for these KMS keys always have the form aws/<service-name>. For example, the alias for the Amazon managed key for Amazon DynamoDB is aws/dynamodb. You can establish similar alias standards for your projects, such as prefacing your aliases with the name of a project or category.

You can also allow and deny access to KMS keys based on their aliases without editing policies or managing grants. This feature is part of Amazon KMS support for attribute-based access control (ABAC). For details, see Using aliases to control access to KMS keys.

Much of the power of aliases come from your ability to change the KMS key associated with an alias at any time. Aliases can make your code easier to write and maintain. For example, suppose you use an alias to refer to a particular KMS key and you want to change the KMS key. In that case, just associate the alias with a different KMS key. You don't need to change your code.

Aliases also make it easier to reuse the same code in different Amazon Web Services Regions. Create aliases with the same name in multiple Regions and associate each alias with a KMS key in its Region. When the code runs in each Region, the alias refers to the associated KMS key in that Region. For an example, see Using aliases in your applications.

You can create an alias for a KMS key in the Amazon KMS console, by using the CreateAlias API, or by using an Amazon CloudFormation template.

The Amazon KMS API provides full control of aliases in each account and Region. The API includes operations to create an alias (CreateAlias), view alias names and alias ARNs (ListAliases), change the KMS key associated with an alias (UpdateAlias), and delete an alias (DeleteAlias). For examples of managing aliases multiple programming languages, see Working with aliases.

The following resources can help you learn more:

  • For information about KMS key identifiers, including aliases, see Key identifiers (KeyId).

  • For help using a Amazon CloudFormation template to create an alias for a KMS key, see AWS::KMS::Alias in the Amazon CloudFormation User Guide.

  • For help finding the aliases associated with a KMS key, see Finding the alias name and alias ARN

  • For information about resource quotas for aliases and rate quotas for API operations related to aliases, see Quotas.

  • For examples of creating and managing aliases in multiple programming languages, see Working with aliases.

Topics