KMS Key ARN — Encryption Key References
Parse an AWS KMS key ARN to understand key ID formats, the difference between key ARN and key alias ARN, and how KMS ARNs appear in encryption contexts.
Detailed Explanation
KMS Key ARN Structure
AWS KMS key ARNs identify customer master keys (CMKs) used for encryption. The key ID is a UUID, and aliases provide human-readable names.
Example ARN
arn:aws:kms:us-east-1:123456789012:key/12345678-1234-1234-1234-123456789012
Parsed Components
| Component | Value |
|---|---|
| Partition | aws |
| Service | kms |
| Region | us-east-1 |
| Account ID | 123456789012 |
| Resource Type | key |
| Resource ID | 12345678-1234-1234-1234-123456789012 |
Key ARN vs. Alias ARN
KMS keys can be referenced by their key ARN or by an alias ARN:
- Key ARN: arn:aws:kms:us-east-1:123456789012:key/12345678-...
- Alias ARN: arn:aws:kms:us-east-1:123456789012:alias/my-app-key
The key ARN uses the UUID and never changes. Aliases are mutable pointers that can be reassigned to different keys. In IAM policies, referencing the key ARN is more stable, while aliases are more readable.
AWS-Managed Keys
AWS-managed keys have aliases prefixed with aws/:
arn:aws:kms:us-east-1:123456789012:alias/aws/s3
arn:aws:kms:us-east-1:123456789012:alias/aws/ebs
Key Policies and Grants
Every KMS key has a key policy, a resource policy that uses ARNs to name the principals allowed to use the key. Key policies are unique in AWS: they are the only way to grant access to a KMS key, and IAM policies alone cannot grant KMS access unless the key policy explicitly delegates to IAM.
Multi-Region Keys
Multi-region KMS keys have related keys in different regions, each with its own ARN. The keys share the same key material but are independent resources.
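The parsing described above (components table, key ARN vs. alias ARN, aws/ managed aliases and multi-region keys), as an added Python example that is not part of the original page: it splits a KMS ARN into its fields, validates the account ID and key ID format, and flags whether the reference is a mutable alias, an AWS-managed alias, or a multi-region key. The `mrk-` prefix on multi-region key IDs is the documented AWS format; the `KmsArn` class and `parse_kms_arn` function are names chosen here.

```python
import re
from dataclasses import dataclass

# Single-region key IDs are UUIDs; multi-Region key IDs use an "mrk-" prefix followed by hex.
_UUID_RE = re.compile(r"^[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}$")
_MRK_RE = re.compile(r"^mrk-[0-9a-f]+$")


@dataclass(frozen=True)
class KmsArn:
    partition: str
    region: str
    account_id: str
    resource_type: str  # "key" or "alias"
    resource_id: str    # key ID (UUID or mrk-...) or alias name

    @property
    def is_alias(self) -> bool:
        return self.resource_type == "alias"

    @property
    def is_aws_managed(self) -> bool:
        # AWS-managed keys are referenced through aliases under the aws/ prefix.
        return self.is_alias and self.resource_id.startswith("aws/")

    @property
    def is_multi_region(self) -> bool:
        return self.resource_type == "key" and self.resource_id.startswith("mrk-")

    @property
    def is_stable_reference(self) -> bool:
        # A key ARN is bound to one key for its lifetime; an alias can be repointed.
        return not self.is_alias


def parse_kms_arn(arn: str) -> KmsArn:
    """Parse arn:<partition>:kms:<region>:<account>:<type>/<id>, or raise ValueError."""
    parts = arn.split(":", 5)
    if len(parts) != 6 or parts[0] != "arn" or parts[2] != "kms":
        raise ValueError(f"not a KMS ARN: {arn!r}")
    _, partition, _, region, account, resource = parts
    if not re.fullmatch(r"\d{12}", account):
        raise ValueError(f"account ID must be 12 digits: {account!r}")
    rtype, sep, rid = resource.partition("/")
    if not sep or rtype not in ("key", "alias") or not rid:
        raise ValueError(f"resource must be key/<id> or alias/<name>: {resource!r}")
    if rtype == "key" and not (_UUID_RE.match(rid) or _MRK_RE.match(rid)):
        raise ValueError(f"key ID is neither a UUID nor an mrk- ID: {rid!r}")
    return KmsArn(partition, region, account, rtype, rid)
```

Running every ARN found in a bucket or volume encryption configuration through `parse_kms_arn` and checking `is_stable_reference` shows which settings point at a mutable alias rather than a fixed key.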
Use Case
Referencing KMS keys in S3 bucket encryption configurations, EBS volume encryption settings, and RDS instance encryption. The key ARN is also used in CloudFormation templates and Terraform configurations for specifying encryption at rest.