When referring to a KMS key alias in your CloudFormation code for encryption or decryption operations, you should use the full alias name, including the "alias/" prefix.
In your specific case, the correct way to refer to the alias in the condition would be:
    Condition:
      StringLike:
        kms:RequestAlias: alias/name_of_the_alias
The "alias/" prefix is a required part of the alias name in AWS KMS. This prefix distinguishes aliases from other types of identifiers and is consistent with how aliases are defined and used across AWS KMS services.
It's important to note that when using the kms:RequestAlias condition key, you should always include the "alias/" prefix as part of the alias name. This condition key allows or denies access to a KMS key based on the alias that identifies the key in a request.
Remember that while aliases provide a friendly way to refer to your KMS keys, they cannot be used directly in resource elements of IAM policies. For policy purposes, you must use the key ARN or key ID. The kms:RequestAlias condition key, as you've used it, is the correct way to control access based on the alias in the request.
Also, keep in mind that aliases are unique within an AWS account and region, so make sure you're using the correct alias for the intended key and region.
Sources
Learn how to use aliases in your applications - AWS Key Management Service
AWS::KMS::Alias - AWS CloudFormation
Use aliases to control access to KMS keys - AWS Key Management Service
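As an added illustration (not part of the answer above), here is a complete CloudFormation template that ties the pieces together: a key policy that keeps the account root as administrator, a statement that grants a role use of the key only when the request addresses it through alias/name_of_the_alias (prefix included), and the AWS::KMS::Alias resource that creates that alias. The AppRoleArn parameter is a placeholder for whichever principal should be allowed.

```yaml
# Added example; assumes a placeholder parameter AppRoleArn for the principal.
AWSTemplateFormatVersion: "2010-09-09"
Parameters:
  AppRoleArn:
    Type: String
    Description: ARN of the IAM role allowed to use the key via its alias (placeholder)
Resources:
  AppKey:
    Type: AWS::KMS::Key
    Properties:
      Description: Key usable by the application role only when addressed through its alias
      KeyPolicy:
        Version: "2012-10-17"
        Statement:
          # Keep the account root as key administrator so the key never becomes unmanageable.
          - Sid: AllowAccountAdministration
            Effect: Allow
            Principal:
              AWS: !Sub arn:${AWS::Partition}:iam::${AWS::AccountId}:root
            Action: kms:*
            Resource: "*"
          # Grant cryptographic use only when the request names the alias, "alias/" prefix included.
          # Resource must be "*" here: aliases cannot appear in the Resource element.
          - Sid: AllowUseViaAlias
            Effect: Allow
            Principal:
              AWS: !Ref AppRoleArn
            Action:
              - kms:Encrypt
              - kms:Decrypt
              - kms:GenerateDataKey*
            Resource: "*"
            Condition:
              StringLike:
                kms:RequestAlias: alias/name_of_the_alias
  AppKeyAlias:
    Type: AWS::KMS::Alias
    Properties:
      AliasName: alias/name_of_the_alias
      TargetKeyId: !Ref AppKey
```

Because kms:RequestAlias is only present when the caller used an alias, a request from AppRoleArn that passes the key ID or key ARN directly does not match the AllowUseViaAlias statement and is denied unless another statement allows it.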