About tags in Amazon KMS - Amazon Key Management Service

About tags in Amazon KMS

A tag is an optional metadata label that you can assign (or Amazon can assign) to an Amazon resource. Each tag consists of a tag key and a tag value, both of which are case-sensitive strings. The tag value can be an empty (null) string. Each tag on a resource must have a different tag key, but you can add the same tag to multiple Amazon resources. Each resource can have up to 50 user-created tags.

Do not include confidential or sensitive information in the tag key or tag value. Tags are accessible to many Amazon Web Services, including billing.

In Amazon KMS, you can add tags to a customer managed key when you create the KMS key, and tag or untag existing KMS keys unless they are pending deletion. You cannot tag aliases, custom key stores, Amazon managed keys, Amazon owned keys, or KMS keys in other Amazon Web Services accounts. Tags are optional, but they can be very useful.

For example, you can add a "Project"="Alpha" tag to all KMS keys and Amazon S3 buckets that you use for the Alpha project.

    TagKey   = "Project"
    TagValue = "Alpha"

For general information about tags, including the format and syntax, see Tagging Amazon resources in the Amazon Web Services General Reference.

Tags help you do the following:

  • Identify and organize your Amazon resources. Many Amazon services support tagging, so you can assign the same tag to resources from different services to indicate that the resources are related. For example, you can assign the same tag to a KMS key and an Amazon Elastic Block Store (Amazon EBS) volume or Amazon Secrets Manager secret. You can also use tags to identify KMS keys for automation.

  • Track your Amazon costs. When you add tags to your Amazon resources, Amazon generates a cost allocation report with usage and costs aggregated by tags. You can use this feature to track Amazon KMS costs for a project, application, or cost center.

    For more information about using tags for cost allocation, see Using Cost Allocation Tags in the Amazon Billing User Guide. For information about the rules for tag keys and tag values, see User-Defined Tag Restrictions in the Amazon Billing User Guide.

  • Control access to your Amazon resources. Allowing and denying access to KMS keys based on their tags is part of Amazon KMS support for attribute-based access control (ABAC). For information about controlling access to Amazon KMS keys based on their tags, see Using tags to control access to KMS keys. For more general information about using tags to control access to Amazon resources, see Controlling Access to Amazon Resources Using Resource Tags in the IAM User Guide.

Amazon KMS writes an entry to your Amazon CloudTrail log when you use the TagResource, UntagResource, or ListResourceTags operations.
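Because tags can decide who is allowed to use a KMS key, the CloudTrail entries for TagResource and UntagResource are worth reviewing. The following is an added example, not code from the Amazon KMS documentation: it scans CloudTrail-style records for tag writes that touch a watched tag key. The record field layout (eventSource, requestParameters.tags[].tagKey, requestParameters.tagKeys), the watched key set, and all sample records are assumptions constructed for illustration.

```python
import json

WATCHED_TAG_KEYS = {"Project"}  # assumption: tag keys your ABAC policies test
TAG_WRITES = {"TagResource", "UntagResource"}
KEY = "1234abcd-12ab-34cd-56ef-1234567890ab"  # placeholder key ID
USER = "arn:aws-cn:iam::111122223333:user/"   # placeholder account and users

def _rec(name, params, user, error=None):
    """Build one constructed CloudTrail-style record (assumed field layout)."""
    rec = {"eventSource": "kms.amazonaws.com", "eventName": name,
           "userIdentity": {"arn": USER + user},
           "requestParameters": dict(params, keyId=KEY)}
    if error:
        rec["errorCode"] = error
    return rec

# Constructed sample log, not real CloudTrail output.
SAMPLE_LOG = json.dumps({"Records": [
    _rec("TagResource", {"tags": [{"tagKey": "Project", "tagValue": "Beta"}]}, "alice"),
    _rec("TagResource", {"tags": [{"tagKey": "project", "tagValue": "Alpha"}]}, "bob"),
    _rec("UntagResource", {"tagKeys": ["CostCenter"]}, "bob"),
    _rec("UntagResource", {"tagKeys": ["Project"]}, "carol", error="AccessDenied"),
    _rec("ListResourceTags", {}, "alice"),
]})

def touched_tag_keys(record):
    """Tag keys a TagResource call sets or an UntagResource call removes."""
    params = record.get("requestParameters") or {}
    if record["eventName"] == "TagResource":
        return {t["tagKey"] for t in params.get("tags", [])}
    return set(params.get("tagKeys", []))

def watched_tag_changes(log_text, watched=frozenset(WATCHED_TAG_KEYS)):
    """Return KMS tag writes that touch a watched key, including denied attempts."""
    findings = []
    for rec in json.loads(log_text).get("Records", []):
        if rec.get("eventSource") != "kms.amazonaws.com" or rec.get("eventName") not in TAG_WRITES:
            continue
        # Tag keys are case-sensitive, so "project" does not match "Project".
        hits = touched_tag_keys(rec) & watched
        if hits:
            findings.append({"actor": rec["userIdentity"]["arn"], "event": rec["eventName"],
                             "key_id": rec["requestParameters"]["keyId"],
                             "tag_keys": sorted(hits), "denied": "errorCode" in rec})
    return findings

if __name__ == "__main__":
    for finding in watched_tag_changes(SAMPLE_LOG):
        print(finding)
```

Denied attempts are reported with "denied": True rather than dropped, since a blocked attempt to change a tag that gates access is still a signal to review.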