Select your cookie preferences

We use essential cookies and similar tools that are necessary to provide our site and services. We use performance cookies to collect anonymous statistics, so we can understand how customers use our site and make improvements. Essential cookies cannot be deactivated, but you can choose “Customize” or “Decline” to decline performance cookies.

If you agree, AWS and approved third parties will also use cookies to provide useful site features, remember your preferences, and display relevant content, including relevant advertising. To accept or decline all non-essential cookies, choose “Accept” or “Decline.” To make more detailed choices, choose “Customize.”

Preferences
Contact Us
Feedback
AWS Documentation
Create an AWS Account

Find the KMS keys in an AWS CloudHSM key store

PDF
RSS
Focus mode
Find the KMS keys in an AWS CloudHSM key store - AWS Key Management Service
To find the KMS keys in an AWS CloudHSM key store (console)To find the KMS keys in an AWS CloudHSM key store (API)

If you manage an AWS CloudHSM key store, you might need to identify the KMS keys in each AWS CloudHSM key store. You can use this information to track the KMS key operations in AWS CloudTrail logs, predict the effect of disconnecting a custom key store on KMS keys, or schedule deletion of KMS keys before you delete an AWS CloudHSM key store.

To find the KMS keys in an AWS CloudHSM key store (console)

To find the KMS keys in a particular AWS CloudHSM key store, on the Customer managed keys page, view the values in the Custom Key Store Name or Custom Key Store ID fields. To identify KMS keys in any AWS CloudHSM key store, look for KMS keys with an Origin value of AWS CloudHSM. To add optional columns to the display, choose the gear icon in the upper right corner of the page.

To find the KMS keys in an AWS CloudHSM key store (API)

To find the KMS keys in an AWS CloudHSM key store, use the ListKeys and DescribeKey operations and then filter by CustomKeyStoreId value. Before running the following examples, replace the fictitious custom key store ID values with a valid value.

Bash

To find KMS keys in a particular AWS CloudHSM key store, get all of your KMS keys in the account and Region. Then filter by the custom key store ID. 

for key in $(aws kms list-keys --query 'Keys[*].KeyId' --output text) ; 
do aws kms describe-key --key-id $key | 
grep '"CustomKeyStoreId": "cks-1234567890abcdef0"' --context 100; done

To get KMS keys in any AWS CloudHSM key store in the account and Region, search for CustomKeyStoreType with a value of AWS_CloudHSM.

for key in $(aws kms list-keys --query 'Keys[*].KeyId' --output text) ; 
do aws kms describe-key --key-id $key | 
grep '"CustomKeyStoreType": "AWS_CloudHSM"' --context 100; done
PowerShell

To find KMS keys in a particular AWS CloudHSM key store, use the Get-KmsKeyList and Get-KmsKey cmdlets to get all of your KMS keys in the account and Region. Then filter by the custom key store ID. 

PS C:\> Get-KMSKeyList | Get-KMSKey | where CustomKeyStoreId -eq 'cks-1234567890abcdef0'

To get KMS keys in any AWS CloudHSM key store in the account and Region, filter for the CustomKeyStoreType value of AWS_CLOUDHSM.

PS C:\> Get-KMSKeyList | Get-KMSKey | where CustomKeyStoreType -eq 'AWS_CLOUDHSM'
anchoranchor

To find KMS keys in a particular AWS CloudHSM key store, get all of your KMS keys in the account and Region. Then filter by the custom key store ID. 

for key in $(aws kms list-keys --query 'Keys[*].KeyId' --output text) ; 
do aws kms describe-key --key-id $key | 
grep '"CustomKeyStoreId": "cks-1234567890abcdef0"' --context 100; done

To get KMS keys in any AWS CloudHSM key store in the account and Region, search for CustomKeyStoreType with a value of AWS_CloudHSM.

for key in $(aws kms list-keys --query 'Keys[*].KeyId' --output text) ; 
do aws kms describe-key --key-id $key | 
grep '"CustomKeyStoreType": "AWS_CloudHSM"' --context 100; done

On this page

PrivacySite termsCookie preferences
© 2025, Amazon Web Services, Inc. or its affiliates. All rights reserved.