diff --git a/packages/@aws-cdk/aws-kms/lib/key.ts b/packages/@aws-cdk/aws-kms/lib/key.ts
index e55deee0ccb85..42f40d6803641 100644
--- a/packages/@aws-cdk/aws-kms/lib/key.ts
+++ b/packages/@aws-cdk/aws-kms/lib/key.ts
@@ -1,5 +1,5 @@
 import { PolicyDocument, PolicyStatement } from '@aws-cdk/aws-iam';
-import { Construct, DeletionPolicy, IConstruct, Output, resolve } from '@aws-cdk/cdk';
+import { Construct, DeletionPolicy, IConstruct, Output, resolve, TagManager, Tags } from '@aws-cdk/cdk';
 import { EncryptionKeyAlias } from './alias';
 import { CfnKey } from './kms.generated';
 
@@ -106,6 +106,11 @@ export interface EncryptionKeyProps {
    * administer the key will be created.
    */
   policy?: PolicyDocument;
+
+  /**
+   * The AWS resource tags to associate with the KMS key.
+   */
+  tags?: Tags;
 }
 
 /**
@@ -134,6 +139,11 @@ export class EncryptionKey extends EncryptionKeyBase {
     return new ImportedEncryptionKey(scope, id, props);
   }
 
+  /**
+   * Manage tags for this construct and children
+   */
+  public readonly tags: TagManager;
+
   public readonly keyArn: string;
   protected readonly policy?: PolicyDocument;
 
@@ -147,11 +157,14 @@ export class EncryptionKey extends EncryptionKeyBase {
       this.allowAccountToAdmin();
     }
 
+    this.tags = new TagManager(this, { initialTags: props.tags });
+
     const resource = new CfnKey(this, 'Resource', {
       description: props.description,
       enableKeyRotation: props.enableKeyRotation,
       enabled: props.enabled,
-      keyPolicy: this.policy
+      keyPolicy: this.policy,
+      tags: this.tags
     });
 
     this.keyArn = resource.keyArn;
diff --git a/packages/@aws-cdk/aws-kms/test/test.key.ts b/packages/@aws-cdk/aws-kms/test/test.key.ts
index 6ffa56c2806a6..155347aa7a225 100644
--- a/packages/@aws-cdk/aws-kms/test/test.key.ts
+++ b/packages/@aws-cdk/aws-kms/test/test.key.ts
@@ -143,7 +143,12 @@ export = {
 
     const key = new EncryptionKey(stack, 'MyKey', {
       enableKeyRotation: true,
-      enabled: false
+      enabled: false,
+      tags: {
+        tag1: 'value1',
+        tag2: 'value2',
+        tag3: ''
+      }
     });
     const p = new PolicyStatement().addAllResources().addAction('kms:encrypt');
     p.addAwsPrincipal('arn');
@@ -204,7 +209,21 @@ export = {
             }
           ],
           Version: "2012-10-17"
-          }
+          },
+          Tags: [
+            {
+              Key: "tag1",
+              Value: "value1"
+            },
+            {
+              Key: "tag2",
+              Value: "value2"
+            },
+            {
+              Key: "tag3",
+              Value: ""
+            }
+          ]
         },
         DeletionPolicy: "Retain"
         }