Create a symmetric encryption KMS key - AWS Key Management Service

Create a symmetric encryption KMS key

This topic explains how to create the basic KMS key, a symmetric encryption KMS key for a single Region with key material from AWS KMS. You can use this KMS key to protect your resources in an AWS service.

You can create symmetric encryption KMS keys in the AWS KMS console, by using the CreateKey API, or by using the AWS::KMS::Key AWS CloudFormation template.

The default key spec, SYMMETRIC_DEFAULT, is the key spec for symmetric encryption KMS keys. When you select the Symmetric key type and the Encrypt and decrypt key usage in the AWS KMS console, it selects the SYMMETRIC_DEFAULT key spec. In the CreateKey operation, if you don't specify a KeySpec value, SYMMETRIC_DEFAULT is selected. If you don't have a reason to use a different key spec, SYMMETRIC_DEFAULT is a good choice.

For information about quotas that apply to KMS keys, see Quotas.

You can use the AWS Management Console to create AWS KMS keys (KMS keys).

Important

Do not include confidential or sensitive information in the alias, description, or tags. These fields may appear in plain text in CloudTrail logs and other output.

  1. Sign in to the AWS Management Console and open the AWS Key Management Service (AWS KMS) console at https://console.aws.amazon.com/kms.

  2. To change the AWS Region, use the Region selector in the upper-right corner of the page.

  3. In the navigation pane, choose Customer managed keys.

  4. Choose Create key.

  5. To create a symmetric encryption KMS key, for Key type choose Symmetric.

  6. In Key usage, the Encrypt and decrypt option is selected for you.

  7. Choose Next.

  8. Type an alias for the KMS key. The alias name cannot begin with aws/. The aws/ prefix is reserved by Amazon Web Services to represent AWS managed keys in your account.

    Note

    Adding, deleting, or updating an alias can allow or deny permission to the KMS key. For details, see ABAC for AWS KMS and Use aliases to control access to KMS keys.

    An alias is a display name that you can use to identify the KMS key. We recommend that you choose an alias that indicates the type of data you plan to protect or the application you plan to use with the KMS key.

    Aliases are required when you create a KMS key in the AWS Management Console. They are optional when you use the CreateKey operation.

  9. (Optional) Type a description for the KMS key.

    You can add a description now or update it any time unless the key state is Pending Deletion or Pending Replica Deletion. To add, change, or delete the description of an existing customer managed key, edit the description on the details page for the KMS key in the AWS Management Console or use the UpdateKeyDescription operation.

  10. (Optional) Type a tag key and an optional tag value. To add more than one tag to the KMS key, choose Add tag.

    Note

    Tagging or untagging a KMS key can allow or deny permission to the KMS key. For details, see ABAC for AWS KMS and Use tags to control access to KMS keys.

    When you add tags to your AWS resources, AWS generates a cost allocation report with usage and costs aggregated by tags. Tags can also be used to control access to a KMS key. For information about tagging KMS keys, see Tags in AWS KMS and ABAC for AWS KMS.

  11. Choose Next.

  12. Select the IAM users and roles that can administer the KMS key.

    Note

    This key policy gives the AWS account full control of this KMS key. It allows account administrators to use IAM policies to give other principals permission to manage the KMS key. For details, see Default key policy.


    IAM best practices discourage the use of IAM users with long-term credentials. Whenever possible, use IAM roles, which provide temporary credentials. For details, see Security best practices in IAM in the IAM User Guide.

  13. (Optional) To prevent the selected IAM users and roles from deleting this KMS key, in the Key deletion section at the bottom of the page, clear the Allow key administrators to delete this key check box.

  14. Choose Next.

  15. Select the IAM users and roles that can use the key in cryptographic operations.

    Note

    This key policy gives the AWS account full control of this KMS key. It allows account administrators to use IAM policies to give other principals permission to use the KMS key in cryptographic operations. For details, see Default key policy.


    IAM best practices discourage the use of IAM users with long-term credentials. Whenever possible, use IAM roles, which provide temporary credentials. For details, see Security best practices in IAM in the IAM User Guide.

  16. (Optional) You can allow other AWS accounts to use this KMS key for cryptographic operations. To do so, in the Other AWS accounts section at the bottom of the page, choose Add another AWS account and enter the AWS account identification number of an external account. To add multiple external accounts, repeat this step.

    Note

    To allow principals in the external accounts to use the KMS key, administrators of the external account must create IAM policies that provide these permissions. For more information, see Allowing users in other accounts to use a KMS key.

  17. Choose Next.

  18. Review the key settings that you chose. You can still go back and change all settings.

  19. Choose Finish to create the KMS key.

You can use the CreateKey operation to create AWS KMS keys of all types. These examples use the AWS Command Line Interface (AWS CLI). For examples in multiple programming languages, see Use CreateKey with an AWS SDK or CLI.

Important

Do not include confidential or sensitive information in the Description or Tags fields. These fields may appear in plain text in CloudTrail logs and other output.

The following operation creates a symmetric encryption key in a single Region backed by key material generated by AWS KMS. This operation has no required parameters. However, you might also want to use the Policy parameter to specify a key policy. You can change the key policy (PutKeyPolicy) and add optional elements, such as a description and tags, at any time. You can also create asymmetric keys, multi-Region keys, keys with imported key material, and keys in custom key stores. To create data keys for client-side encryption, use the GenerateDataKey operation.

The CreateKey operation doesn't let you specify an alias, but you can use the CreateAlias operation to create an alias for your new KMS key.

The following is an example of a call to the CreateKey operation with no parameters. This command uses all of the default values. It creates a symmetric encryption KMS key with key material generated by AWS KMS.

$ aws kms create-key
{
    "KeyMetadata": {
        "Origin": "AWS_KMS",
        "KeyId": "1234abcd-12ab-34cd-56ef-1234567890ab",
        "Description": "",
        "KeyManager": "CUSTOMER",
        "Enabled": true,
        "KeySpec": "SYMMETRIC_DEFAULT",
        "CustomerMasterKeySpec": "SYMMETRIC_DEFAULT",
        "KeyUsage": "ENCRYPT_DECRYPT",
        "KeyState": "Enabled",
        "CreationDate": 1502910355.475,
        "Arn": "arn:aws:kms:us-west-2:111122223333:key/1234abcd-12ab-34cd-56ef-1234567890ab",
        "AWSAccountId": "111122223333",
        "MultiRegion": false,
        "EncryptionAlgorithms": [
            "SYMMETRIC_DEFAULT"
        ]
    }
}

If you do not specify a key policy for your new KMS key, the default key policy that CreateKey applies differs from the default key policy that the console applies when you use it to create a new KMS key.

For example, this call to the GetKeyPolicy operation returns the key policy that CreateKey applies. It gives the AWS account access to the KMS key and allows it to create AWS Identity and Access Management (IAM) policies for the KMS key. For detailed information about IAM policies and key policies for KMS keys, see KMS key access and permissions.

$ aws kms get-key-policy --key-id 1234abcd-12ab-34cd-56ef-1234567890ab --policy-name default --output text
{
  "Version" : "2012-10-17",
  "Id" : "key-default-1",
  "Statement" : [ {
    "Sid" : "Enable IAM User Permissions",
    "Effect" : "Allow",
    "Principal" : {
      "AWS" : "arn:aws:iam::111122223333:root"
    },
    "Action" : "kms:*",
    "Resource" : "*"
  } ]
}