
How to get an AWS SSM Key Arn from an Alias using CloudFormation?


Is it possible to get a KMS Key ARN using CloudFormation using an alias? I want to give specific permissions to a Key in my AWS Account.

Something like the following?

  - Effect: Allow
    Action: kms:Decrypt
    Resource:
      - 'Fn::GetAtt': 
        - 'alias/someAliasOfAKMSKey'
        - 'arn'

Solution

  • You can do something like this:

    - Effect: Allow
      Action:
      - kms:Decrypt
      Resource:
      - !Sub 'arn:aws:kms:${AWS::Region}:${AWS::AccountId}:key/someKeyNameOfAKMSKey'
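An added example, not part of the original answer: a key ARN has the form `key/<key-id>`, so when only the alias is known an IAM statement can match the key with the `kms:ResourceAliases` condition key, and when the key is created in the same template `!GetAtt` on the `AWS::KMS::Key` resource returns its ARN. The logical IDs, the parameter name and `alias/exampleAppKey` are hypothetical.

```yaml
# Constructed CloudFormation sketch; logical IDs and the parameter name are hypothetical.
AWSTemplateFormatVersion: '2010-09-09'
Parameters:
  KeyAliasName:
    Type: String
    Default: alias/someAliasOfAKMSKey   # alias name taken from the question
Resources:
  # Case 1: the key exists outside this stack and only its alias is known.
  DecryptByAliasPolicy:
    Type: AWS::IAM::ManagedPolicy
    Properties:
      PolicyDocument:
        Version: '2012-10-17'
        Statement:
          - Effect: Allow
            Action: kms:Decrypt
            # Resource must be a key ARN pattern; the condition narrows it to
            # keys in this account and region that carry the alias.
            Resource: !Sub 'arn:${AWS::Partition}:kms:${AWS::Region}:${AWS::AccountId}:key/*'
            Condition:
              'ForAnyValue:StringEquals':
                'kms:ResourceAliases': !Ref KeyAliasName
  # Case 2: the key is created in this stack, so its ARN is an attribute.
  AppKey:
    Type: AWS::KMS::Key
    Properties:
      KeyPolicy:
        Version: '2012-10-17'
        Statement:
          - Sid: AllowAccountIamPolicies
            Effect: Allow
            Principal:
              AWS: !Sub 'arn:${AWS::Partition}:iam::${AWS::AccountId}:root'
            Action: 'kms:*'
            Resource: '*'
  AppKeyAlias:
    Type: AWS::KMS::Alias
    Properties:
      AliasName: alias/exampleAppKey   # constructed alias name
      TargetKeyId: !Ref AppKey
  DecryptAppKeyPolicy:
    Type: AWS::IAM::ManagedPolicy
    Properties:
      PolicyDocument:
        Version: '2012-10-17'
        Statement:
          - Effect: Allow
            Action: kms:Decrypt
            Resource: !GetAtt AppKey.Arn
```

With the alias condition, any principal allowed to create, update or delete aliases can change which key the statement covers, so keep `kms:CreateAlias`, `kms:UpdateAlias` and `kms:DeleteAlias` tightly restricted.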