

# Tags in AWS KMS
<a name="tagging-keys"></a>

A *tag* is an optional metadata label that you can assign (or AWS can assign) to an AWS resource. Each tag consists of a *tag key* and a *tag value*, both of which are case-sensitive strings. The tag value can be an empty (null) string. Each tag on a resource must have a different tag key, but you can add the same tag to multiple AWS resources. Each resource can have up to 50 user-created tags.

Do not include confidential or sensitive information in the tag key or tag value. Tags are accessible to many AWS services, including billing.

In AWS KMS, you can add tags to a customer managed key when you create the KMS key, and tag or untag existing KMS keys unless they are [pending deletion](key-state.md). You cannot tag aliases, custom key stores, AWS managed keys, AWS owned keys, or KMS keys in other AWS accounts. Tags are optional, but they can be very useful.

For example, you can add a `"Project"="Alpha"` tag to all KMS keys and Amazon S3 buckets that you use for the Alpha project.

```
TagKey   = "Project"
TagValue = "Alpha"
```

For general information about tags, including the format and syntax, see [Tagging AWS resources](https://docs.aws.amazon.com/general/latest/gr/aws_tagging.html) in the *Amazon Web Services General Reference*.

Tags help you do the following:
+ Identify and organize your AWS resources. Many AWS services support tagging, so you can assign the same tag to resources from different services to indicate that the resources are related. For example, you can assign the same tag to a KMS key and an Amazon Elastic Block Store (Amazon EBS) volume or AWS Secrets Manager secret. You can also use tags to identify KMS keys for automation.
+ Track your AWS costs. When you add tags to your AWS resources, AWS generates a cost allocation report with usage and costs aggregated by tags. You can use this feature to track AWS KMS costs for a project, application, or cost center.

  For more information about using tags for cost allocation, see [Using Cost Allocation Tags](https://docs.aws.amazon.com/awsaccountbilling/latest/aboutv2/cost-alloc-tags.html) in the *AWS Billing User Guide*. For information about the rules for tag keys and tag values, see [User-Defined Tag Restrictions](https://docs.aws.amazon.com/awsaccountbilling/latest/aboutv2/allocation-tag-restrictions.html) in the *AWS Billing User Guide*.
+ Control access to your AWS resources. Allowing and denying access to KMS keys based on their tags is part of AWS KMS support for [attribute-based access control](abac.md) (ABAC). For information about controlling access to AWS KMS keys based on their tags, see [Use tags to control access to KMS keys](tag-authorization.md). For more general information about using tags to control access to AWS resources, see [Controlling Access to AWS Resources Using Resource Tags](https://docs.aws.amazon.com/IAM/latest/UserGuide/access_tags.html) in the *IAM User Guide*.

AWS KMS writes an entry to your AWS CloudTrail log when you use the [TagResource](ct-tagresource.md), [UntagResource](ct-untagresource.md), or [ListResourceTags](https://docs.aws.amazon.com/kms/latest/APIReference/API_ListResourceTags.html) operations.

**Topics**
+ [Controlling access to tags](tag-permissions.md)
+ [Add tags to a KMS key](add-tags.md)
+ [Edit tags associated with a KMS key](edit-tags.md)
+ [Remove tags associated with a KMS key](remove-tags.md)
+ [View tags associated with a KMS key](view-tags.md)
+ [Use tags to control access to KMS keys](tag-authorization.md)

# Controlling access to tags
<a name="tag-permissions"></a>

To add, view, and delete tags, either in the AWS KMS console or by using the API, principals need tagging permissions. You can provide these permissions in [key policies](key-policies.md). You can also provide them in IAM policies (including [VPC endpoint policies](https://docs.aws.amazon.com/vpc/latest/privatelink/interface-endpoints.html#edit-vpc-endpoint-policy)), but only if [the key policy allows it](key-policy-default.md#allow-iam-policies). The [AWSKeyManagementServicePowerUser](security-iam-awsmanpol.md#security-iam-awsmanpol-AWSKeyManagementServicePowerUser) managed policy allows principals to tag, untag, and list tags on all KMS keys the account can access. 

You can also limit these permissions by using AWS global condition keys for tags. In AWS KMS, these conditions can control access to tagging operations, such as [TagResource](https://docs.aws.amazon.com/kms/latest/APIReference/API_TagResource.html) and [UntagResource](https://docs.aws.amazon.com/kms/latest/APIReference/API_UntagResource.html).

**Note**  
Be cautious when giving principals permission to manage tags and aliases. Changing a tag or alias can allow or deny permission to the customer managed key. For details, see [ABAC for AWS KMS](abac.md) and [Use tags to control access to KMS keys](tag-authorization.md).

For example policies and more information, see [Controlling Access Based on Tag Keys](https://docs.aws.amazon.com/IAM/latest/UserGuide/access_tags.html#access_tags_control-tag-keys) in the *IAM User Guide*.

Permissions to create and manage tags work as follows.

**kms:TagResource**  
Allows principals to add or edit tags. To add tags while creating a KMS key, the principal must have permission in an IAM policy that isn't restricted to particular KMS keys.

**kms:ListResourceTags**  
Allows principals to view tags on KMS keys.

**kms:UntagResource**  
Allows principals to delete tags from KMS keys.

## Tag permissions in policies
<a name="tag-permission-examples"></a>

You can provide tagging permissions in a key policy or IAM policy. For example, the following example key policy gives select users tagging permission on the KMS key. It gives all users who can assume the example Administrator or Developer roles permission to view tags.

------
#### [ JSON ]

```
{
  "Version": "2012-10-17",
  "Id": "example-key-policy",
  "Statement": [
    { 
      "Sid": "EnableIAMUserPermissions",
      "Effect": "Allow",
      "Principal": {"AWS": "arn:aws:iam::111122223333:root"},
      "Action": "kms:*",
      "Resource": "*"
    },
    {
      "Sid": "AllowAllTaggingPermissions",
      "Effect": "Allow",
      "Principal": {"AWS": [
        "arn:aws:iam::111122223333:user/LeadAdmin",
        "arn:aws:iam::111122223333:user/SupportLead"
      ]},
      "Action": [
          "kms:TagResource",
          "kms:ListResourceTags",
          "kms:UntagResource"
      ],
      "Resource": "*"
    },
    {
      "Sid": "AllowRolesViewTags",
      "Effect": "Allow",
      "Principal": {"AWS": [
        "arn:aws:iam::111122223333:role/Administrator",
        "arn:aws:iam::111122223333:role/Developer"
      ]},
      "Action": "kms:ListResourceTags",
      "Resource": "*"
    }
  ]
}
```

------

To give principals tagging permission on multiple KMS keys, you can use an IAM policy. For this policy to be effective, the key policy for each KMS key must allow the account to use IAM policies to control access to the KMS key.

For example, the following IAM policy allows the principals to create KMS keys. It also allows them to create and manage tags on all KMS keys in the specified account. This combination allows the principals to use the [Tags](https://docs.aws.amazon.com/kms/latest/APIReference/API_CreateKey.html#KMS-CreateKey-request-Tags) parameter of the [CreateKey](https://docs.aws.amazon.com/kms/latest/APIReference/API_CreateKey.html) operation to add tags to a KMS key while they are creating it. 

------
#### [ JSON ]

```
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "IAMPolicyCreateKeys",
      "Effect": "Allow",
      "Action": "kms:CreateKey",
      "Resource": "*"
    },
    {
      "Sid": "IAMPolicyTags",
      "Effect": "Allow",
      "Action": [
        "kms:TagResource",
        "kms:UntagResource",
        "kms:ListResourceTags"
      ],
      "Resource": "arn:aws:kms:*:111122223333:key/*"
    }    
  ]
}
```

------

## Limiting tag permissions
<a name="tag-permissions-conditions"></a>

You can limit tagging permissions by using [policy conditions](policy-conditions.md). The following policy conditions can be applied to the `kms:TagResource` and `kms:UntagResource` permissions. For example, you can use the `aws:RequestTag/tag-key` condition to allow a principal to add only particular tags, or prevent a principal from adding tags with particular tag keys. Or, you can use the `kms:KeyOrigin` condition to prevent principals from tagging or untagging KMS keys with [imported key material](importing-keys.md). 
+ [aws:RequestTag](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_condition-keys.html#condition-keys-requesttag)
+ [aws:ResourceTag/*tag-key*](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_condition-keys.html#condition-keys-resourcetag) (IAM policies only)
+ [aws:TagKeys](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_condition-keys.html#condition-keys-tag-keys)
+ [kms:CallerAccount](conditions-kms.md#conditions-kms-caller-account)
+ [kms:KeySpec](conditions-kms.md#conditions-kms-key-spec)
+ [kms:KeyUsage](conditions-kms.md#conditions-kms-key-usage)
+ [kms:KeyOrigin](conditions-kms.md#conditions-kms-key-origin)
+ [kms:ViaService](conditions-kms.md#conditions-kms-via-service)

As a best practice when you use tags to control access to KMS keys, use the `aws:RequestTag/tag-key` or `aws:TagKeys` condition key to determine which tags (or tag keys) are allowed.

For example, the following IAM policy is similar to the previous one. However, this policy allows the principals to create tags (`TagResource`) and delete tags (`UntagResource`) only for tags with a `Project` tag key.

Because `TagResource` and `UntagResource` requests can include multiple tags, you must specify a `ForAllValues` or `ForAnyValue` set operator with the [aws:TagKeys](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_condition-keys.html#condition-keys-tagkeys) condition. The `ForAnyValue` operator requires that at least one of the tag keys in the request matches one of the tag keys in the policy. The `ForAllValues` operator requires that all of the tag keys in the request match one of the tag keys in the policy. The `ForAllValues` operator also returns `true` if there are no tags in the request, but TagResource and UntagResource fail when no tags are specified. For details about the set operators, see [Use multiple keys and values](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_multi-value-conditions.html#reference_policies_multi-key-or-value-conditions) in the *IAM User Guide*.

------
#### [ JSON ]

```
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "IAMPolicyCreateKey",
      "Effect": "Allow",
      "Action": "kms:CreateKey",
      "Resource": "*"
    },
    {
      "Sid": "IAMPolicyViewAllTags",
      "Effect": "Allow",
      "Action": "kms:ListResourceTags",
      "Resource": "arn:aws:kms:*:111122223333:key/*"
    },
    {
      "Sid": "IAMPolicyManageTags",
      "Effect": "Allow",
      "Action": [
        "kms:TagResource",
        "kms:UntagResource"
      ],
      "Resource": "arn:aws:kms:*:111122223333:key/*",
      "Condition": {
          "ForAllValues:StringEquals": {"aws:TagKeys": "Project"}
      }
    }
  ]
}
```

------

# Add tags to a KMS key
<a name="add-tags"></a>

Tags help identify and organize your AWS resources. You can add tags to a customer managed key when you [create the KMS key](create-keys.md), or add tags to existing KMS keys. You cannot tag AWS managed keys.

The following procedures demonstrate how to add tags to customer managed keys using the AWS KMS console and AWS KMS API. The AWS KMS API examples use the [AWS Command Line Interface (AWS CLI)](https://aws.amazon.com/cli/), but you can use any supported programming language.

**Topics**
+ [Add tags while creating a KMS key](#tag-on-create)
+ [Add tags to existing KMS keys](#tag-exisiting)

## Add tags while creating a KMS key
<a name="tag-on-create"></a>

You can add tags to a KMS key as you create the key using the AWS KMS console or the [CreateKey](https://docs.aws.amazon.com/kms/latest/APIReference/API_CreateKey.html) operation. To add tags when creating a KMS key, you must have `kms:TagResource` permission in an IAM policy in addition to the permissions required to create KMS keys. At a minimum, the permission must cover all KMS keys in the account and Region. For details, see [Controlling access to tags](tag-permissions.md).

### Using the AWS KMS console
<a name="tag-on-create-console"></a>

To add tags when creating a KMS key in the console, you must have the permissions required to view KMS keys in the console in addition to the permissions required to tag and create KMS keys. At a minimum, the permission must cover all KMS keys in the account and Region.

1. Sign in to the AWS Management Console and open the AWS Key Management Service (AWS KMS) console at [https://console.aws.amazon.com/kms](https://console.aws.amazon.com/kms).

1. To change the AWS Region, use the Region selector in the upper-right corner of the page.

1. In the navigation pane, choose **Customer managed keys**. (You cannot manage the tags of an AWS managed key.)

1. Choose the key type, then choose **Next**.

1. Enter an alias and optional description.

1. Enter a tag key and, optionally, a tag value. To add additional tags, choose **Add tag**. To delete a tag, choose **Remove**. When you're done tagging your new KMS key, choose **Next**.

1. Finish creating your KMS key.

### Using the AWS KMS API
<a name="tagging-keys-create-key"></a>

To specify tags when creating keys using the [CreateKey](https://docs.aws.amazon.com/kms/latest/APIReference/API_CreateKey.html) operation, use the `Tags` parameter of the operation. 

The value of the `Tags` parameter of `CreateKey` is a collection of case-sensitive tag key and tag value pairs. Each tag on a KMS key must have a different tag key. The tag value can be a null or empty string.

For example, the following AWS CLI command creates a symmetric encryption KMS key with a `Project:Alpha` tag. When specifying more than one key-value pair, use a space to separate each pair.

```
$ aws kms create-key --tags TagKey=Project,TagValue=Alpha
```

When this command is successful, it returns a `KeyMetadata` object with information about the new KMS key. However, the `KeyMetadata` does not include tags. To get the tags, use the [ListResourceTags](view-tags.md#tagging-keys-list-resource-tags) operation.

## Add tags to existing KMS keys
<a name="tag-exisiting"></a>

You can add tags to your existing customer managed KMS keys in the AWS KMS console or by using the [TagResource](https://docs.aws.amazon.com/kms/latest/APIReference/API_TagResource.html) operation. To add tags, you need tagging permission on the KMS key. You can get this permission from the key policy for the KMS key or, if the key policy allows it, from an IAM policy that includes the KMS key.

### Using the AWS KMS console
<a name="tag-existing-console"></a>

1. Sign in to the AWS Management Console and open the AWS Key Management Service (AWS KMS) console at [https://console.aws.amazon.com/kms](https://console.aws.amazon.com/kms).

1. To change the AWS Region, use the Region selector in the upper-right corner of the page.

1. In the navigation pane, choose **Customer managed keys**. (You cannot manage the tags of an AWS managed key.)

1. You can use the table filter to display only KMS keys with particular tags. For details, see [View tags using the AWS KMS console](view-tags.md#view-tag-console).

1. Select the check box next to the alias of a KMS key.

1. Choose **Key actions**, **Add or edit tags**.

1. On the details page for the KMS key, choose the **Tags** tab.
   + To create your first tag, choose **Create tag**, type a tag key (required) and tag value (optional), and then choose **Save**.

     If you leave the tag value blank, the actual tag value is a null or empty string.
   + To add a tag, choose **Edit**, choose **Add tag**, type a tag key and tag value, and then choose **Save**.

1. To save your changes, choose **Save changes**.

### Using the AWS KMS API
<a name="tagging-keys-tag-resource"></a>

The [TagResource](https://docs.aws.amazon.com/kms/latest/APIReference/API_TagResource.html) operation adds one or more tags to a KMS key. You cannot use this operation to add tags in a different AWS account. You can also use the TagResource operation to edit existing tags. For more information, see [Edit tags associated with a KMS key](edit-tags.md).

To add a tag, specify a new tag key and a tag value. Each tag on a KMS key must have a different tag key. The tag value can be a null or empty string.

For example, the following command adds **Purpose** and **Department** tags to an example KMS key.

```
$ aws kms tag-resource \
         --key-id 1234abcd-12ab-34cd-56ef-1234567890ab \
         --tags TagKey=Purpose,TagValue=Pretest TagKey=Department,TagValue=Finance
```

When this command is successful, it does not return any output. To view the tags on a KMS key, use the [ListResourceTags](https://docs.aws.amazon.com/kms/latest/APIReference/API_ListResourceTags.html) operation.

# Edit tags associated with a KMS key
<a name="edit-tags"></a>

Tags help identify and organize your AWS resources. You can edit the tags associated with your customer managed KMS keys in the AWS KMS console or by using the [TagResource](https://docs.aws.amazon.com/kms/latest/APIReference/API_TagResource.html) operation. You cannot edit the tags of an AWS managed key.

The following procedures demonstrate how to edit the tags associated with a KMS key. The AWS KMS API examples use the [AWS Command Line Interface (AWS CLI)](https://aws.amazon.com/cli/), but you can use any supported programming language.

## Using the AWS KMS console
<a name="edit-tag-console"></a>

1. Sign in to the AWS Management Console and open the AWS Key Management Service (AWS KMS) console at [https://console.aws.amazon.com/kms](https://console.aws.amazon.com/kms).

1. To change the AWS Region, use the Region selector in the upper-right corner of the page.

1. In the navigation pane, choose **Customer managed keys**. (You cannot edit the tags of an AWS managed key.)

1. You can use the table filter to display only KMS keys with particular tags. For details, see [View tags using the AWS KMS console](view-tags.md#view-tag-console).

1. Select the check box next to the alias of a KMS key.

1. Choose **Key actions**, **Add or edit tags**.

1. On the details page for the KMS key, choose the **Tags** tab.
   + To change the name or value of a tag, choose **Edit**, make your changes, and then choose **Save**.

1. To save your changes, choose **Save changes**.

## Using the AWS KMS API
<a name="tag-existing-api"></a>

The [TagResource](https://docs.aws.amazon.com/kms/latest/APIReference/API_TagResource.html) operation adds one or more tags to a customer managed key. However, you can also use **TagResource** to change the tag value of an existing tag. You cannot use this operation to add or edit tags in a different AWS account.

To edit a tag, specify an existing tag key and a new tag value. Each tag on a KMS key must have a different tag key. The tag value can be a null or empty string.

For example, this command changes the value of the `Purpose` tag from `Pretest` to `Test`.

```
$ aws kms tag-resource \
         --key-id 1234abcd-12ab-34cd-56ef-1234567890ab \
         --tags TagKey=Purpose,TagValue=Test
```

# Remove tags associated with a KMS key
<a name="remove-tags"></a>

Tags help identify and organize your AWS resources. You can remove the tags associated with your customer managed KMS keys in the AWS KMS console or by using the [UntagResource](https://docs.aws.amazon.com/kms/latest/APIReference/API_UntagResource.html) operation. You cannot edit or remove the tags of an AWS managed key.

The following procedures demonstrate how to remove tags from a KMS key. The AWS KMS API examples use the [AWS Command Line Interface (AWS CLI)](https://aws.amazon.com/cli/), but you can use any supported programming language.

## Using the AWS KMS console
<a name="delete-tag-console"></a>

1. Sign in to the AWS Management Console and open the AWS Key Management Service (AWS KMS) console at [https://console.aws.amazon.com/kms](https://console.aws.amazon.com/kms).

1. To change the AWS Region, use the Region selector in the upper-right corner of the page.

1. In the navigation pane, choose **Customer managed keys**. (You cannot manage the tags of an AWS managed key.)

1. You can use the table filter to display only KMS keys with particular tags. For details, see [View tags using the AWS KMS console](view-tags.md#view-tag-console).

1. Select the check box next to the alias of a KMS key.

1. Choose **Key actions**, **Add or edit tags**.

1. On the details page for the KMS key, choose the **Tags** tab.
   + To delete a tag, choose **Edit**. On the tag row, choose **Remove**, and then choose **Save**.

1. To save your changes, choose **Save changes**.

## Using the AWS KMS API
<a name="tagging-keys-untag-resource"></a>

The [UntagResource](https://docs.aws.amazon.com/kms/latest/APIReference/API_UntagResource.html) operation deletes tags from a KMS key. To identify the tags to delete, specify the tag keys. You cannot use this operation to delete tags from KMS keys in a different AWS account.

When it succeeds, the `UntagResource` operation doesn't return any output. Also, if the specified tag key isn't found on the KMS key, it doesn't throw an exception or return a response. To confirm that the operation worked, use the [ListResourceTags](https://docs.aws.amazon.com/kms/latest/APIReference/API_ListResourceTags.html) operation.

For example, this command deletes the **Purpose** tag and its value from the specified KMS key.

```
$ aws kms untag-resource --key-id 1234abcd-12ab-34cd-56ef-1234567890ab --tag-keys Purpose
```

# View tags associated with a KMS key
<a name="view-tags"></a>

Tags help identify and organize your AWS resources. You can view the tags associated with your customer managed KMS keys in the AWS KMS console or by using the [ListResourceTags](https://docs.aws.amazon.com/kms/latest/APIReference/API_ListResourceTags.html) operation.

The following procedures demonstrate how to find the tags associated with a specific KMS key. The AWS KMS API examples use the [AWS Command Line Interface (AWS CLI)](https://aws.amazon.com/cli/), but you can use any supported programming language.

## Using the AWS KMS console
<a name="view-tag-console"></a>

1. Sign in to the AWS Management Console and open the AWS Key Management Service (AWS KMS) console at [https://console.aws.amazon.com/kms](https://console.aws.amazon.com/kms).

1. To change the AWS Region, use the Region selector in the upper-right corner of the page.

1. In the navigation pane, choose **Customer managed keys**. (You cannot manage the tags of an AWS managed key.)

1. You can use the table filter to display only KMS keys with particular tags.

   To display only KMS keys with a particular tag, choose the filter box, choose the tag key, and then choose from among the actual tag values. You can also type all or part of the tag value.

   The resulting table displays all KMS keys with the chosen tag. However, it doesn't display the tag. To see the tag, choose the key ID or alias of the KMS key and on its detail page, choose the **Tags** tab. The tabs appear below the **General configuration** section.

   This filter requires both the tag key and tag value. It won't find KMS keys by typing only the tag key or only its value. To filter tags by all or part of the tag key or value, use the [ListResourceTags](https://docs.aws.amazon.com/kms/latest/APIReference/API_ListResourceTags.html) operation to get tagged KMS keys, then use the filtering features of your programming language.

1. Select the check box next to the alias of a KMS key.

1. Choose **Key actions**, **Add or edit tags**.

1. On the details page for the KMS key, choose the **Tags** tab.

## Using the AWS KMS API
<a name="tagging-keys-list-resource-tags"></a>

The [ListResourceTags](https://docs.aws.amazon.com/kms/latest/APIReference/API_ListResourceTags.html) operation gets the tags for a KMS key. The `KeyId` parameter is required. You cannot use this operation to view the tags on KMS keys in a different AWS account.

For example, the following command gets the tags for an example KMS key.

```
$ aws kms list-resource-tags --key-id 1234abcd-12ab-34cd-56ef-1234567890ab

{
  "Truncated": false,
  "Tags": [
    {
      "TagKey": "Project",
      "TagValue": "Alpha"
    },
    {
      "TagKey": "Purpose",
      "TagValue": "Test"
    },
    {
      "TagKey": "Department",
      "TagValue": "Finance"
    }
  ]
}
```

# Use tags to control access to KMS keys
<a name="tag-authorization"></a>

You can control access to AWS KMS keys based on the tags on the KMS key. For example, you can write an IAM policy that allows principals to enable and disable only the KMS keys that have a particular tag. Or you can use an IAM policy to prevent principals from using KMS keys in cryptographic operations unless the KMS key has a particular tag. 

This feature is part of AWS KMS support for [attribute-based access control](abac.md) (ABAC). For information about using tags to control access to AWS resources, see [What is ABAC for AWS?](https://docs.aws.amazon.com/IAM/latest/UserGuide/introduction_attribute-based-access-control.html) and [Controlling Access to AWS Resources Using Resource Tags](https://docs.aws.amazon.com/IAM/latest/UserGuide/access_tags.html) in the *IAM User Guide*. For help resolving access issues related to ABAC, see [Troubleshooting ABAC for AWS KMS](troubleshooting-tags-aliases.md).

**Note**  
It might take up to five minutes for tag and alias changes to affect KMS key authorization. Recent changes might be visible in API operations before they affect authorization.

AWS KMS supports the [aws:ResourceTag/*tag-key*](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_condition-keys.html#condition-keys-resourcetag) [global condition context key](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_condition-keys.html), which lets you control access to KMS keys based on the tags on the KMS key. Because multiple KMS keys can have the same tag, this feature lets you apply the permission to a select set of KMS keys. You can also easily change the KMS keys in the set by changing their tags. 

In AWS KMS, the `aws:ResourceTag/tag-key` condition key is supported only in IAM policies. It isn't supported in key policies, which apply only to one KMS key, or on operations that don't use a particular KMS key, such as the [ListKeys](https://docs.aws.amazon.com/kms/latest/APIReference/API_ListKeys.html) or [ListAliases](https://docs.aws.amazon.com/kms/latest/APIReference/API_ListAliases.html) operations.

Controlling access with tags provides a simple, scalable, and flexible way to manage permissions. However, if not properly designed and managed, it can allow or deny access to your KMS keys inadvertently. If you are using tags to control access, consider the following practices.
+ Use tags to reinforce the best practice of [least privileged access](https://docs.aws.amazon.com/IAM/latest/UserGuide/best-practices.html#grant-least-privilege). Give IAM principals only the permissions they need on only the KMS keys they must use or manage. For example, use tags to label the KMS keys used for a project. Then give the project team permission to use only KMS keys with the project tag.
+ Be cautious about giving principals the `kms:TagResource` and `kms:UntagResource` permissions that let them add, edit, and delete tags. When you use tags to control access to KMS keys, changing a tag can give principals permission to use KMS keys that they didn't otherwise have permission to use. It can also deny access to KMS keys that other principals require to do their jobs. Key administrators who don't have permission to change key policies or create grants can control access to KMS keys if they have permission to manage tags.

  Whenever possible, use a policy condition, such as `aws:RequestTag/tag-key` or `aws:TagKeys` to [limit a principal's tagging permissions](tag-permissions.md#tag-permissions-conditions) to particular tags or tag patterns on particular KMS keys.
+ Review the principals in your AWS account that currently have tagging and untagging permissions and adjust them, if necessary. For example, the console [default key policy for key administrators](key-policy-default.md#key-policy-default-allow-administrators) includes `kms:TagResource` and `kms:UntagResource` permission on that KMS key. IAM policies might allow tag and untag permissions on all KMS keys. For example, the [AWSKeyManagementServicePowerUser](security-iam-awsmanpol.md#security-iam-awsmanpol-AWSKeyManagementServicePowerUser) managed policy allows principals to tag, untag, and list tags on all KMS keys.
+ Before setting a policy that depends on a tag, review the tags on the KMS keys in your AWS account. Make sure that your policy applies only to the tags you intend to include. Use [CloudTrail logs](logging-using-cloudtrail.md) and [CloudWatch alarms](monitoring-overview.md) to alert you to tag changes that might affect access to your KMS keys.
+ The tag-based policy conditions use pattern matching; they aren't tied to a particular instance of a tag. A policy that uses tag-based condition keys affects all new and existing tags that match the pattern. If you delete and recreate a tag that matches a policy condition, the condition applies to the new tag, just as it did to the old one.

For example, consider the following IAM policy. It allows the principals to call the [GenerateDataKeyWithoutPlaintext](https://docs.aws.amazon.com/kms/latest/APIReference/API_GenerateDataKeyWithoutPlaintext.html) and [Decrypt](https://docs.aws.amazon.com/kms/latest/APIReference/API_Decrypt.html) operations only on KMS keys in your account that are in the Asia Pacific (Singapore) Region and have a `"Project"="Alpha"` tag. You might attach this policy to roles in the example Alpha project.

------
#### [ JSON ]

```
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "IAMPolicyWithResourceTag",
      "Effect": "Allow",
      "Action": [
        "kms:GenerateDataKeyWithoutPlaintext",
        "kms:Decrypt"
      ],
      "Resource": "arn:aws:kms:ap-southeast-1:111122223333:key/*",
      "Condition": {
        "StringEquals": {
          "aws:ResourceTag/Project": "Alpha"
        }
      }
    }
  ]
}
```

------

The following example IAM policy allows the principals to use any KMS key in the account for certain cryptographic operations. But it prohibits the principals from using these cryptographic operations on KMS keys with a `"Type"="Reserved"` tag or no `"Type"` tag.

------
#### [ JSON ]

```
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "IAMAllowCryptographicOperations",
      "Effect": "Allow",
      "Action": [
        "kms:Encrypt",
        "kms:GenerateDataKey*",
        "kms:Decrypt",
        "kms:ReEncrypt*"
      ],
      "Resource": "arn:aws:kms:*:111122223333:key/*"
    },
    {
      "Sid": "IAMDenyOnTag",
      "Effect": "Deny",
      "Action": [
        "kms:Encrypt",
        "kms:GenerateDataKey*",
        "kms:Decrypt",
        "kms:ReEncrypt*"
      ],
      "Resource": "arn:aws:kms:*:111122223333:key/*",
      "Condition": {
        "StringEquals": {
          "aws:ResourceTag/Type": "Reserved"
        }
      }
    },
    {
      "Sid": "IAMDenyNoTag",
      "Effect": "Deny",
      "Action": [
        "kms:Encrypt",
        "kms:GenerateDataKey*",
        "kms:Decrypt",
        "kms:ReEncrypt*"
      ],
      "Resource": "arn:aws:kms:*:111122223333:key/*",
      "Condition": {
        "Null": {
          "aws:ResourceTag/Type": "true"
        }
      }
    }
  ]
}
```

------
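The following Python is an added example, not part of the AWS documentation. It models just enough of IAM's evaluation rules (explicit deny over allow, `*` wildcards in `Action` and `Resource`, and the `StringEquals`, `Null`, `ForAllValues:StringEquals` and `ForAnyValue:StringEquals` operators) to walk two policies from this page: the `aws:TagKeys` statement from "Limiting tag permissions" and the `Type`-tag policy directly above. The account and key IDs are the page's example values; the Region in the key ARN is an assumption, and the evaluator is an illustration, not IAM itself.

```python
import fnmatch

ACCOUNT = "111122223333"  # example account id used throughout the page
# Example key id from the page; the Region is an assumption for this example
KEY_ARN = f"arn:aws:kms:us-east-1:{ACCOUNT}:key/1234abcd-12ab-34cd-56ef-1234567890ab"
ALL_KEYS = f"arn:aws:kms:*:{ACCOUNT}:key/*"
CRYPTO_ACTIONS = ["kms:Encrypt", "kms:GenerateDataKey*", "kms:Decrypt", "kms:ReEncrypt*"]

# The page's policy: allow the operations on every key in the account, then
# deny them on keys tagged Type=Reserved and on keys with no Type tag at all.
TYPE_TAG_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Sid": "IAMAllowCryptographicOperations", "Effect": "Allow",
         "Action": CRYPTO_ACTIONS, "Resource": ALL_KEYS},
        {"Sid": "IAMDenyOnTag", "Effect": "Deny",
         "Action": CRYPTO_ACTIONS, "Resource": ALL_KEYS,
         "Condition": {"StringEquals": {"aws:ResourceTag/Type": "Reserved"}}},
        {"Sid": "IAMDenyNoTag", "Effect": "Deny",
         "Action": CRYPTO_ACTIONS, "Resource": ALL_KEYS,
         "Condition": {"Null": {"aws:ResourceTag/Type": "true"}}},
    ],
}

def tag_keys_policy(set_operator):
    """The page's IAMPolicyManageTags statement. The page uses ForAllValues;
    the set operator is a parameter here so the two operators can be compared."""
    return {"Version": "2012-10-17", "Statement": [
        {"Sid": "IAMPolicyManageTags", "Effect": "Allow",
         "Action": ["kms:TagResource", "kms:UntagResource"], "Resource": ALL_KEYS,
         "Condition": {f"{set_operator}:StringEquals": {"aws:TagKeys": "Project"}}}]}

def _as_list(v):
    return v if isinstance(v, list) else [v]

def _condition_matches(condition, ctx):
    """ctx maps a condition key to the list of values the request carries;
    a key missing from ctx is an absent (null) condition key."""
    for operator, pairs in condition.items():
        set_op, _, base = operator.rpartition(":")  # set_op is "" when absent
        for key, policy_vals in pairs.items():
            policy_vals = _as_list(policy_vals)
            request_vals = ctx.get(key)
            if base == "Null":
                # "true" matches only when the key is absent, "false" only when present
                if (request_vals is None) != (policy_vals[0] == "true"):
                    return False
            elif base == "StringEquals" and set_op == "ForAllValues":
                # every request value must appear in the policy; vacuously true when empty
                if not all(v in policy_vals for v in (request_vals or [])):
                    return False
            elif base == "StringEquals" and set_op == "ForAnyValue":
                # at least one request value must appear in the policy; false when empty
                if not any(v in policy_vals for v in (request_vals or [])):
                    return False
            elif base == "StringEquals":
                # single-valued key such as aws:ResourceTag/Type: an absent key never matches
                if not request_vals or request_vals[0] not in policy_vals:
                    return False
            else:
                raise ValueError(f"operator not modelled here: {operator}")
    return True

def evaluate(policy, action, resource, ctx):
    """Return 'allow' or 'deny': an explicit Deny wins over any Allow, and a
    request that matches no Allow statement is implicitly denied."""
    decision = "deny"
    for stmt in policy["Statement"]:
        if not any(fnmatch.fnmatchcase(action, a) for a in _as_list(stmt["Action"])):
            continue
        if not any(fnmatch.fnmatchcase(resource, r) for r in _as_list(stmt["Resource"])):
            continue
        if not _condition_matches(stmt.get("Condition", {}), ctx):
            continue
        if stmt["Effect"] == "Deny":
            return "deny"
        decision = "allow"
    return decision

def crypto_decision(action, key_tags):
    """Decision for a cryptographic call against a key carrying the given tags."""
    ctx = {f"aws:ResourceTag/{k}": [v] for k, v in key_tags.items()}
    return evaluate(TYPE_TAG_POLICY, action, KEY_ARN, ctx)

def tagging_decision(set_operator, requested_tag_keys):
    """Decision for a TagResource call whose request carries the given tag keys."""
    ctx = {"aws:TagKeys": list(requested_tag_keys)} if requested_tag_keys else {}
    return evaluate(tag_keys_policy(set_operator), "kms:TagResource", KEY_ARN, ctx)

if __name__ == "__main__":
    for tags in ({"Type": "Standard"}, {"Type": "Reserved"}, {"Project": "Alpha"}):
        print("Decrypt on key tagged", tags, "->", crypto_decision("kms:Decrypt", tags))
    for op in ("ForAllValues", "ForAnyValue"):
        print(op, "with TagKeys Project+Owner ->", tagging_decision(op, ["Project", "Owner"]))
```

Running it shows the untagged key denied by the `Null` statement, and a `TagResource` request that adds an `Owner` tag alongside `Project` denied under `ForAllValues` but allowed under `ForAnyValue`, which is why the page recommends `ForAllValues` for limiting tag keys.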