AWS KMS Alias

This page shows how to write Terraform and CloudFormation for AWS KMS Alias and write them securely.

aws_kms_alias (Terraform)

The Alias in AWS KMS can be configured in Terraform with the resource name aws_kms_alias. The following sections describe 2 examples of how to use the resource and its parameters.

Example Usage from GitHub

kms.tf#L8
resource "aws_kms_alias" "dynamodb_us_east_1" {
  provider      = aws.us_east_1
  name_prefix   = "alias/api/dynamodb"
  target_key_id = aws_kms_key.dynamodb_us_east_1.key_id
}

kms.tf#L5
resource "aws_kms_alias" "terraform" {
  name          = "alias/terraform"
  target_key_id = aws_kms_key.terraform.key_id
}

data "aws_kms_secrets" "secrets" {

Parameters

Explanation in Terraform Registry

Provides an alias for a KMS customer master key. AWS Console enforces 1-to-1 mapping between aliases & keys, but API (hence Terraform too) allows you to create as many aliases as the account limits allow you.

AWS::KMS::Alias (CloudFormation)

The Alias in KMS can be configured in CloudFormation with the resource name AWS::KMS::Alias. The following sections describe 10 examples of how to use the resource and its parameters.

Example Usage from GitHub

template.yml#L46
    Type: AWS::KMS::Alias
    Properties:
      AliasName: alias/demo/symmetric_key
      TargetKeyId: !Ref SymmetricKey

  AsymmetricAlias:
kms.yml#L23
    Type: AWS::KMS::Alias
    Properties:
      AliasName: alias/secrets-key
      TargetKeyId: !Ref KmsKey

Outputs:
kms.yml#L23
    Type: AWS::KMS::Alias
    Properties:
      AliasName: alias/secrets-key
      TargetKeyId: !Ref KmsKey

Outputs:
kms_key_setup.yml#L21
    Type: AWS::KMS::Alias
    DependsOn:
      - KMSKey
    Properties:
      AliasName: !Sub "alias/${Alias}"
      TargetKeyId: !Ref KMSKey
DalaWalletKeyAlias.yml#L2
  Type: AWS::KMS::Alias
  Properties:
    AliasName: alias/DalaWalletKey
    TargetKeyId:
kms.template.json#L60
      "Type": "AWS::KMS::Alias",
      "Properties": {
        "AliasName": "alias/msa-dev-key-rds",
        "TargetKeyId": {
          "Fn::GetAtt": [
            "dbkey7DD042FD",
gasBuddy-kms.cf.json#L48
      "Type": "AWS::KMS::Alias",
      "Properties": {
        "AliasName": { "Fn::Join": [ "", [ "alias/", { "Ref": "environment" }, "-", "gasbuddy-consumer-dlq-key" ] ] },
        "TargetKeyId": { "Ref": "GasBuddyConsumerDlqKmsKey" }
      },
      "Condition": "EnableGasbuddy"
kms.json#L46
            "Type": "AWS::KMS::Alias"
        },
        "KMSEMRKey": {
            "Properties": {
                "Description": "Master Key that will be used for EMR Encryption",
                "Enabled": "true",
kms.json#L46
            "Type": "AWS::KMS::Alias"
        },
        "KMSEMRFSKey": {
            "Properties": {
                "Description": "Master Key that will be used for EMR Encryption",
                "Enabled": "true",
kms.json#L46
            "Type": "AWS::KMS::Alias"
        },
        "KMSEMRKey": {
            "Properties": {
                "Description": "Master Key that will be used for EMR Encryption",
                "Enabled": "true",

Parameters

Explanation in CloudFormation Registry

The AWS::KMS::Alias resource specifies a display name for a KMS key. You can use an alias to identify a KMS key in the AWS KMS console, in the DescribeKey operation, and in cryptographic operations, such as Decrypt and GenerateDataKey.

Note Adding, deleting, or updating an alias can allow or deny permission to the KMS key. For details, see Using ABAC in AWS KMS in the AWS Key Management Service Developer Guide.

Using an alias to refer to a KMS key can help you simplify key management. For example, an alias in your code can be associated with different KMS keys in different AWS Regions. For more information, see Using aliases in the AWS Key Management Service Developer Guide.

When specifying an alias, observe the following rules.

  • Each alias is associated with one KMS key, but multiple aliases can be associated with the same KMS key.

  • The alias and its associated KMS key must be in the same AWS account and Region.

  • The alias name must be unique in the AWS account and Region. However, you can create aliases with the same name in different AWS Regions. For example, you can have an alias/projectKey in multiple Regions, each of which is associated with a KMS key in its Region.

  • Each alias name must begin with alias/ followed by a name, such as alias/exampleKey. The alias name can contain only alphanumeric characters, forward slashes (/), underscores (_), and dashes (-). Alias names cannot begin with alias/aws/. That alias name prefix is reserved for AWS managed keys.

Frequently asked questions

What is AWS KMS Alias?

AWS KMS Alias is a resource for KMS of Amazon Web Service. Settings can be wrote in Terraform and CloudFormation.

Where can I find the example code for the AWS KMS Alias?

For Terraform, the UnnamedOrg1/toglion and reireias/rails-on-ecs-terraform source code examples are useful. See the Terraform Example section for further details.

For CloudFormation, the MarkBiesheuvel/demo-templates, xlyang26/todobackend-aws and xlyang26/todobackend-aws source code examples are useful. See the CloudFormation Example section for further details.