diff --git a/config/config.go b/config/config.go
index c2475a2b9..6f34e0066 100644
--- a/config/config.go
+++ b/config/config.go
@@ -164,7 +164,7 @@ func getKeyGroupsFromCreationRule(cRule *creationRule, kmsEncryptionContext map[
 keyGroup = append(keyGroup, pgp.NewMasterKeyFromFingerprint(k))
 }
 for _, k := range group.KMS {
- keyGroup = append(keyGroup, kms.NewMasterKey(k.Arn, k.Role, k.Context))
+ keyGroup = append(keyGroup, kms.NewMasterKeyWithProfile(k.Arn, k.Role, k.Context, k.AwsProfile))
 }
 for _, k := range group.GCPKMS {
 keyGroup = append(keyGroup, gcpkms.NewMasterKeyFromResourceID(k.ResourceID))
diff --git a/config/config_test.go b/config/config_test.go
index 4c43686c0..1c9814a41 100644
--- a/config/config_test.go
+++ b/config/config_test.go
@@ -93,6 +93,7 @@ creation_rules:
 key_groups:
 - kms:
 - arn: foo
+ aws_profile: bar
 pgp:
 - bar
 gcp_kms:
@@ -105,6 +106,7 @@ creation_rules:
 - 'https://foo.vault:8200/v1/foo/keys/foo-key'
 - kms:
 - arn: baz
+ aws_profile: foo
 pgp:
 - qux
 gcp_kms:
@@ -287,14 +289,14 @@ func TestLoadConfigFileWithGroups(t *testing.T) {
 PathRegex: "",
 KeyGroups: []keyGroup{
 {
- KMS: []kmsKey{{Arn: "foo"}},
+ KMS: []kmsKey{{Arn: "foo", AwsProfile: "bar"}},
 PGP: []string{"bar"},
 GCPKMS: []gcpKmsKey{{ResourceID: "foo"}},
 AzureKV: []azureKVKey{{VaultURL: "https://foo.vault.azure.net", Key: "foo-key", Version: "fooversion"}},
 Vault: []string{"https://foo.vault:8200/v1/foo/keys/foo-key"},
 },
 {
- KMS: []kmsKey{{Arn: "baz"}},
+ KMS: []kmsKey{{Arn: "baz", AwsProfile: "foo"}},
 PGP: []string{"qux"},
 GCPKMS: []gcpKmsKey{
 {ResourceID: "bar"},
diff --git a/kms/keysource.go b/kms/keysource.go
index a28398090..1749b3455 100644
--- a/kms/keysource.go
+++ b/kms/keysource.go
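Review bot: The new call to kms.NewMasterKeyWithProfile in getKeyGroupsFromCreationRule is not exercised by the test hunks in this diff: the config_test.go additions only assert that `aws_profile` parses into kmsKey.AwsProfile, so nothing checks that the profile actually reaches the kms.MasterKey built here. A test that runs the two-group config through getKeyGroupsFromCreationRule and checks the resulting key's `AwsProfile` would close that gap; since the profile presumably selects which local AWS credentials are used, a dropped value would only surface later as a failure against the default credential chain. getKeyGroupsFromCreationRule starts and ends outside the hunk.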
@@ -88,6 +88,14 @@ func NewMasterKey(arn string, role string, context map[string]*string) *MasterKe
 }
 }
 
+// NewMasterKeyWithProfile creates a new MasterKey from an ARN, role, context
+// and awsProfile, setting the creation date to the current date.
+func NewMasterKeyWithProfile(arn string, role string, context map[string]*string, awsProfile string) *MasterKey {
+ k := NewMasterKey(arn, role, context)
+ k.AwsProfile = awsProfile
+ return k
+}
+
 // NewMasterKeyFromArn takes an ARN string and returns a new MasterKey for that
 // ARN.
 func NewMasterKeyFromArn(arn string, context map[string]*string, awsProfile string) *MasterKey {
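Review bot: The doc comment on NewMasterKeyWithProfile should say what an empty awsProfile means, because config.go now passes k.AwsProfile unconditionally and most creation rules will not set it; something like `// An empty awsProfile leaves AwsProfile unset, so the result is equivalent to NewMasterKey(arn, role, context).` That equivalence holds only if NewMasterKey leaves AwsProfile at its zero value — its body is outside the hunk, so confirm before stating it. The "setting the creation date to the current date" sentence is likewise inherited from NewMasterKey rather than visible here; keeping it is fine as long as that is what NewMasterKey does.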