AWS KMS Alias
This page shows how to write Terraform and CloudFormation for AWS KMS Alias and write them securely.
aws_kms_alias (Terraform)
The Alias in AWS KMS can be configured in Terraform with the resource name aws_kms_alias. The following sections describe 2 examples of how to use the resource and its parameters.
Example Usage from GitHub
# Alias with a generated name: Terraform appends a unique suffix to name_prefix,
# so the final alias name is only known after apply (see the id/arn attributes).
resource "aws_kms_alias" "dynamodb_us_east_1" {
  provider      = aws.us_east_1
  name_prefix   = "alias/api/dynamodb"
  target_key_id = aws_kms_key.dynamodb_us_east_1.key_id
}

# Alias with a fixed name, which is the form that policies and application code can refer to.
resource "aws_kms_alias" "terraform" {
  name          = "alias/terraform"
  target_key_id = aws_kms_key.terraform.key_id
}
Parameters
arn - optional, computed - string
id - optional, computed - string
name - optional - string (conflicts with name_prefix; must begin with alias/)
name_prefix - optional - string (conflicts with name; Terraform appends a unique suffix)
target_key_arn - optional, computed - string
target_key_id - required - string
Explanation in Terraform Registry
Provides an alias for a KMS customer master key. AWS Console enforces 1-to-1 mapping between aliases & keys, but API (hence Terraform too) allows you to create as many aliases as the account limits allow you.
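Because aliases can carry permissions (the ABAC condition keys kms:ResourceAliases and kms:RequestAlias let IAM and key policies grant or restrict access by alias), an alias definition is worth treating like a policy. The following Terraform is an added example, not code from the page or from the repositories it quotes: it binds one explicitly named alias to one key, grants an application role use of the key by alias rather than by hard-coded ARN, and scopes alias management to a namespace. The IAM role name "app", the alias name "alias/api/dynamodb" and the policy names are assumptions.

```hcl
# Added example (not from the page or the quoted repositories).
# Assumptions: an existing IAM role named "app" consumes the key; the alias
# "alias/api/dynamodb" and the policy names below are placeholders.

data "aws_caller_identity" "current" {}

locals {
  # Must begin with "alias/"; "alias/aws/" is reserved for AWS managed keys.
  alias_name = "alias/api/dynamodb" # assumed name
}

# Key policy: root keeps control so IAM policies in this account can grant
# use of the key. Nothing else is granted here; use and alias management are
# delegated through the IAM policies below.
data "aws_iam_policy_document" "key" {
  statement {
    sid = "EnableIAMUserPermissions"
    principals {
      type        = "AWS"
      identifiers = ["arn:aws:iam::${data.aws_caller_identity.current.account_id}:root"]
    }
    actions   = ["kms:*"]
    resources = ["*"]
  }
}

resource "aws_kms_key" "dynamodb" {
  description             = "DynamoDB table encryption"
  enable_key_rotation     = true
  deletion_window_in_days = 30
  policy                  = data.aws_iam_policy_document.key.json
}

# One alias per key, with a fixed name (not name_prefix) so policies and code
# can refer to it. Retargeting the alias to another key is an in-place
# UpdateAlias in Terraform: review plans that change target_key_id as you
# would review a policy change, since the consumers below follow the alias.
resource "aws_kms_alias" "dynamodb" {
  name          = local.alias_name
  target_key_id = aws_kms_key.dynamodb.key_id
}

# Consumer policy: grant use of whatever key currently carries the alias, in
# any Region, instead of hard-coding key ARNs. kms:ResourceAliases is a
# multi-valued condition key, so the ForAnyValue set operator is required.
data "aws_iam_policy_document" "app_use" {
  statement {
    sid       = "UseKeyByAlias"
    actions   = ["kms:Encrypt", "kms:Decrypt", "kms:GenerateDataKey*", "kms:DescribeKey"]
    resources = ["*"]
    condition {
      test     = "ForAnyValue:StringEquals"
      variable = "kms:ResourceAliases"
      values   = [local.alias_name]
    }
  }
}

resource "aws_iam_policy" "app_use" {
  name   = "app-kms-use-by-alias" # assumed name
  policy = data.aws_iam_policy_document.app_use.json
}

resource "aws_iam_role_policy_attachment" "app_use" {
  role       = "app" # assumed existing role
  policy_arn = aws_iam_policy.app_use.arn
}

# Alias management: because app_use keys off the alias, whoever can
# CreateAlias/UpdateAlias/DeleteAlias can grant or revoke the app's access.
# Limit that power to the alias namespace this team owns. kms:RequestAlias
# is the alias named in the request, so the condition also stops this
# principal from moving "alias/api/dynamodb" to an arbitrary key under a
# different namespace.
data "aws_iam_policy_document" "alias_admin" {
  statement {
    sid       = "ManageOwnAliasNamespaceOnly"
    actions   = ["kms:CreateAlias", "kms:UpdateAlias", "kms:DeleteAlias"]
    resources = ["*"]
    condition {
      test     = "StringLike"
      variable = "kms:RequestAlias"
      values   = ["alias/api/*"]
    }
  }
}

resource "aws_iam_policy" "alias_admin" {
  name   = "kms-alias-admin-api-namespace" # assumed name
  policy = data.aws_iam_policy_document.alias_admin.json
}
```

The alias_admin policy is not attached to any principal in the example; attach it only to the role that is meant to own the alias/api/ namespace. Note that the AWS console's one-alias-per-key rule is not enforced by the API or by Terraform, so a second aws_kms_alias pointing at the same key would silently widen what app_use grants if its name also matched a policy condition.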
AWS::KMS::Alias (CloudFormation)
The Alias in KMS can be configured in CloudFormation with the resource name AWS::KMS::Alias. The following sections describe several examples of how to use the resource and its parameters.
Example Usage from GitHub
Type: AWS::KMS::Alias
Properties:
  AliasName: alias/demo/symmetric_key
  TargetKeyId: !Ref SymmetricKey

AsymmetricAlias:
  Type: AWS::KMS::Alias
  Properties:
    AliasName: alias/secrets-key
    TargetKeyId: !Ref KmsKey

Type: AWS::KMS::Alias
DependsOn:
  - KMSKey
Properties:
  AliasName: !Sub "alias/${Alias}"
  TargetKeyId: !Ref KMSKey

Type: AWS::KMS::Alias
Properties:
  AliasName: alias/DalaWalletKey
  TargetKeyId:

"Type": "AWS::KMS::Alias",
"Properties": {
  "AliasName": "alias/msa-dev-key-rds",
  "TargetKeyId": {
    "Fn::GetAtt": [
      "dbkey7DD042FD",

{
  "Type": "AWS::KMS::Alias",
  "Properties": {
    "AliasName": { "Fn::Join": [ "", [ "alias/", { "Ref": "environment" }, "-", "gasbuddy-consumer-dlq-key" ] ] },
    "TargetKeyId": { "Ref": "GasBuddyConsumerDlqKmsKey" }
  },
  "Condition": "EnableGasbuddy"
}
Parameters
AliasName - required - String
TargetKeyId - required - String
Explanation in CloudFormation Registry
The AWS::KMS::Alias resource specifies a display name for a KMS key. You can use an alias to identify a KMS key in the AWS KMS console, in the DescribeKey operation, and in cryptographic operations, such as Decrypt and GenerateDataKey.
Note: Adding, deleting, or updating an alias can allow or deny permission to the KMS key, because IAM and key policies can grant or restrict access by alias (the kms:ResourceAliases and kms:RequestAlias condition keys). Treat CreateAlias, UpdateAlias and DeleteAlias as permission-changing operations and restrict which principals may call them. For details, see Using ABAC in AWS KMS in the AWS Key Management Service Developer Guide.
Using an alias to refer to a KMS key can help you simplify key management. For example, an alias in your code can be associated with different KMS keys in different AWS Regions. For more information, see Using aliases in the AWS Key Management Service Developer Guide.
When specifying an alias, observe the following rules.
Each alias is associated with one KMS key, but multiple aliases can be associated with the same KMS key.
The alias and its associated KMS key must be in the same AWS account and Region.
The alias name must be unique in the AWS account and Region. However, you can create aliases with the same name in different AWS Regions. For example, you can have an alias/projectKey in multiple Regions, each of which is associated with a KMS key in its Region.
Each alias name must begin with alias/ followed by a name, such as alias/exampleKey. The alias name can contain only alphanumeric characters, forward slashes (/), underscores (_), and dashes (-). Alias names cannot begin with alias/aws/. That alias name prefix is reserved for AWS managed keys.
Frequently asked questions
What is AWS KMS Alias?
AWS KMS Alias is a resource of the KMS service on Amazon Web Services. Its settings can be written in Terraform and CloudFormation.
Where can I find the example code for the AWS KMS Alias?
For Terraform, the UnnamedOrg1/toglion and reireias/rails-on-ecs-terraform source code examples are useful. See the Terraform Example section for further details.
For CloudFormation, the MarkBiesheuvel/demo-templates and xlyang26/todobackend-aws source code examples are useful. See the CloudFormation Example section for further details.