Access and list KMS key details
You can use the AWS KMS console or the DescribeKey API operation to view the details of a KMS key. The following procedures demonstrate how to access KMS key details, such as the key ID, key spec, key usage, and more.
The details page for each KMS key displays the properties of the KMS key. It differs slightly for the different types of KMS keys.
To display detailed information about a KMS key, on the AWS managed keys or Customer managed keys page, choose the alias or key ID of the KMS key.
The details page for a KMS key includes a General Configuration section that displays the basic properties of the KMS key. It also includes tabs on which you can view and edit properties of the KMS key, such as Key policy, Cryptographic configuration, Tags, Key material (for KMS keys with imported key material), Key rotation (for symmetric encryption KMS keys), Regionality (for multi-Region keys), and Public key (for asymmetric KMS keys).
Note
The AWS KMS console displays the KMS keys that you have permission to view in your account and Region. KMS keys in other AWS accounts do not appear in the console, even if you have permission to view, manage, and use them. To view KMS keys in other accounts, use the DescribeKey operation.
To navigate to the key details page for a KMS key:
1. Sign in to the AWS Management Console and open the AWS Key Management Service (AWS KMS) console at https://console.aws.amazon.com/kms.
2. To change the AWS Region, use the Region selector in the upper-right corner of the page.
3. To view the keys in your account that you create and manage, in the navigation pane, choose Customer managed keys. To view the keys in your account that AWS creates and manages for you, in the navigation pane, choose AWS managed keys.
4. To open the key details page, in the key table, choose the key ID or alias of the KMS key.
   If the KMS key has multiple aliases, an alias summary (+n more) appears beside the name of one of the aliases. Choosing the alias summary takes you directly to the Aliases tab on the key details page.
The following list describes the fields in the detailed display, including the fields on the tabs. Some of these fields are also available as columns in the table display.
- Aliases
  Where: Aliases tab
  A friendly name for the KMS key. You can use an alias to identify the KMS key in the console and in some AWS KMS APIs. For details, see Aliases in AWS KMS.
  The Aliases tab displays all aliases associated with the KMS key in the AWS account and Region.
- ARN
  Where: General configuration section
  The Amazon Resource Name (ARN) of the KMS key. This value uniquely identifies the KMS key. You can use it to identify the KMS key in AWS KMS API operations.
- Connection state
  Indicates whether a custom key store is connected to its backing key store. This field appears only when the KMS key is created in a custom key store.
  For information about the values in this field, see ConnectionState in the AWS KMS API Reference.
- Creation date
  Where: General configuration section
  The date and time that the KMS key was created. This value is displayed in the local time of the device. The time zone does not depend on the Region.
  Unlike Expiration date, the creation date refers only to the KMS key, not to its key material.
- CloudHSM cluster ID
  Where: Cryptographic configuration tab
  The cluster ID of the AWS CloudHSM cluster that contains the key material for the KMS key. This field appears only when the KMS key is created in a custom key store.
  If you choose the CloudHSM cluster ID, it opens the Clusters page in the AWS CloudHSM console.
- Custom key store ID
  Where: Cryptographic configuration tab
  The ID of the custom key store that contains the KMS key. This field appears only when the KMS key is created in a custom key store.
  If you choose the custom key store ID, it opens the Custom key stores page in the AWS KMS console.
- Custom key store name
  Where: Cryptographic configuration tab
  The name of the custom key store that contains the KMS key. This field appears only when the KMS key is created in a custom key store.
- Custom key store type
  Where: Cryptographic configuration tab
  Indicates whether the custom key store is an AWS CloudHSM key store or an external key store. This field appears only when the KMS key is created in a custom key store.
- Description
  Where: General configuration section
  A brief, optional description of the KMS key that you can write and edit. To add or update the description of a customer managed key, above General Configuration, choose Edit.
- Encryption algorithms
  Where: Cryptographic configuration tab
  Lists the encryption algorithms that can be used with the KMS key in AWS KMS. This field appears only when the Key type is Asymmetric and the Key usage is Encrypt and decrypt. For information about the encryption algorithms that AWS KMS supports, see SYMMETRIC_DEFAULT key spec and RSA key specs for encryption and decryption.
- Expiration date
  Where: Key material tab
  The date and time when the key material for the KMS key expires. This field appears only for KMS keys with imported key material, that is, when the Origin is External and the KMS key has key material that expires.
- External key ID
  Where: Cryptographic configuration tab
  The ID of the external key that is associated with a KMS key in an external key store. This field appears only for KMS keys in an external key store.
- External key status
  Where: Cryptographic configuration tab
  The most recent status that the external key store proxy reported for the external key associated with the KMS key. This field appears only for KMS keys in an external key store.
- External key usage
  Where: Cryptographic configuration tab
  The cryptographic operations that are enabled on the external key associated with the KMS key. This field appears only for KMS keys in an external key store.
- Key policy
  Where: Key policy tab
  Controls access to the KMS key, together with IAM policies and grants. Every KMS key has exactly one key policy, and it is the only mandatory authorization element. To change the key policy of a customer managed key, on the Key policy tab, choose Edit. For details, see Key policies in AWS KMS.
- Key rotation
  Where: Key rotation tab
  Enables and disables automatic rotation of the key material in a customer managed KMS key. To change the key rotation status of a customer managed key, use the check box on the Key rotation tab.
  You can't enable or disable rotation of the key material in an AWS managed key. AWS managed keys are automatically rotated every year.
- Key spec
  Where: Cryptographic configuration tab
  The type of key material in the KMS key. AWS KMS supports symmetric encryption KMS keys (SYMMETRIC_DEFAULT), HMAC KMS keys of different lengths, RSA KMS keys of different lengths, and elliptic curve KMS keys with different curves. For details, see Key spec.
- Key type
  Where: Cryptographic configuration tab
  Indicates whether the KMS key is Symmetric or Asymmetric.
- Key usage
  Where: Cryptographic configuration tab
  Indicates whether a KMS key can be used for Encrypt and decrypt, Sign and verify, or Generate and verify MAC. For details, see Key usage.
- Origin
  Where: Cryptographic configuration tab
  The source of the key material for the KMS key. Valid values are:
  - AWS KMS for key material that AWS KMS generates
  - AWS CloudHSM for KMS keys in an AWS CloudHSM key store
  - External for imported key material (BYOK)
  - External key store for KMS keys in an external key store
- MAC algorithms
  Where: Cryptographic configuration tab
  Lists the MAC algorithms that can be used with an HMAC KMS key in AWS KMS. This field appears only when the Key spec is an HMAC key spec (HMAC_*). For information about the MAC algorithms that AWS KMS supports, see Key specs for HMAC KMS keys.
- Primary key
  Where: Regionality tab
  Indicates that this KMS key is a multi-Region primary key. Authorized users can use this section to change the primary key to a different related multi-Region key. This field appears only when the KMS key is a multi-Region primary key.
- Public key
  Where: Public key tab
  Displays the public key of an asymmetric KMS key. Authorized users can use this tab to copy and download the public key.
- Regionality
  Where: General configuration section and Regionality tab
  Indicates whether a KMS key is a single-Region key, a multi-Region primary key, or a multi-Region replica key. This field appears only when the KMS key is a multi-Region key.
- Related multi-Region keys
  Where: Regionality tab
  Displays all related multi-Region primary and replica keys, except for the current KMS key. This field appears only when the KMS key is a multi-Region key.
  In the Related multi-Region keys section of a primary key, authorized users can create new replica keys.
- Replica key
  Where: Regionality tab
  Indicates that this KMS key is a multi-Region replica key. This field appears only when the KMS key is a multi-Region replica key.
- Signing algorithms
  Where: Cryptographic configuration tab
  Lists the signing algorithms that can be used with the KMS key in AWS KMS. This field appears only when the Key type is Asymmetric and the Key usage is Sign and verify. For information about the signing algorithms that AWS KMS supports, see RSA key specs for signing and verification and Elliptic curve key specs.
- Status
  Where: General configuration section
  The key state of the KMS key. You can use the KMS key in cryptographic operations only when the status is Enabled. For a detailed description of each KMS key status and its effect on the operations that you can run on the KMS key, see Key states of AWS KMS keys.
- Tags
  Where: Tags tab
  Optional key-value pairs that describe the KMS key. To add or change the tags for a KMS key, on the Tags tab, choose Edit.
  When you add tags to your AWS resources, AWS generates a cost allocation report with usage and costs aggregated by tags. Tags can also be used to control access to a KMS key. For information about tagging KMS keys, see Tags in AWS KMS and ABAC for AWS KMS.
The DescribeKey operation returns details about the specified KMS key. To identify the KMS key, use the key ID, key ARN, alias name, or alias ARN.
Unlike the ListKeys operation, which displays only KMS keys in the caller's account and Region, authorized users can use the DescribeKey operation to get details about KMS keys in other accounts.
Note
The DescribeKey response includes both KeySpec and CustomerMasterKeySpec members with the same values. The CustomerMasterKeySpec member is deprecated.
For example, this call to DescribeKey returns information about a symmetric encryption KMS key. The fields in the response vary with the AWS KMS key spec, key state, and the key material origin. For examples in multiple programming languages, see Use DescribeKey with an AWS SDK or CLI.
$ aws kms describe-key --key-id 1234abcd-12ab-34cd-56ef-1234567890ab
{
    "KeyMetadata": {
        "Origin": "AWS_KMS",
        "KeyId": "1234abcd-12ab-34cd-56ef-1234567890ab",
        "Description": "",
        "KeyManager": "CUSTOMER",
        "Enabled": true,
        "KeySpec": "SYMMETRIC_DEFAULT",
        "CustomerMasterKeySpec": "SYMMETRIC_DEFAULT",
        "KeyUsage": "ENCRYPT_DECRYPT",
        "KeyState": "Enabled",
        "CreationDate": 1499988169.234,
        "MultiRegion": false,
        "Arn": "arn:aws:kms:us-west-2:111122223333:key/1234abcd-12ab-34cd-56ef-1234567890ab",
        "AWSAccountId": "111122223333",
        "EncryptionAlgorithms": [
            "SYMMETRIC_DEFAULT"
        ]
    }
}
This example calls the DescribeKey operation on an asymmetric KMS key used for signing and verification. The response includes the signing algorithms that AWS KMS supports for this KMS key.
$ aws kms describe-key --key-id 0987dcba-09fe-87dc-65ba-ab0987654321
{
    "KeyMetadata": {
        "KeyId": "0987dcba-09fe-87dc-65ba-ab0987654321",
        "Origin": "AWS_KMS",
        "Arn": "arn:aws:kms:us-west-2:111122223333:key/0987dcba-09fe-87dc-65ba-ab0987654321",
        "KeyState": "Enabled",
        "KeyUsage": "SIGN_VERIFY",
        "CreationDate": 1569973196.214,
        "Description": "",
        "KeySpec": "ECC_NIST_P521",
        "CustomerMasterKeySpec": "ECC_NIST_P521",
        "AWSAccountId": "111122223333",
        "Enabled": true,
        "MultiRegion": false,
        "KeyManager": "CUSTOMER",
        "SigningAlgorithms": [
            "ECDSA_SHA_512"
        ]
    }
}
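As an added example (not part of the AWS documentation or the AWS SDK), the following script maps a DescribeKey response onto the console fields described above (Key type, Key usage, Origin, algorithm list) and flags the review items a key owner usually checks: key state, agreement between KeySpec and the deprecated CustomerMasterKeySpec, AWS managed rotation, and imported key material expiry. It works offline on the two responses shown on this page; the summarize_key function and the label tables are this example's own, not an AWS API.

```python
# Constructed sample input: the two DescribeKey responses shown on this page,
# trimmed to the KeyMetadata fields this script reads.
SAMPLE_RESPONSES = [
    {"KeyMetadata": {
        "KeyId": "1234abcd-12ab-34cd-56ef-1234567890ab", "Origin": "AWS_KMS",
        "KeyManager": "CUSTOMER", "KeyState": "Enabled", "MultiRegion": False,
        "KeySpec": "SYMMETRIC_DEFAULT", "CustomerMasterKeySpec": "SYMMETRIC_DEFAULT",
        "KeyUsage": "ENCRYPT_DECRYPT", "EncryptionAlgorithms": ["SYMMETRIC_DEFAULT"]}},
    {"KeyMetadata": {
        "KeyId": "0987dcba-09fe-87dc-65ba-ab0987654321", "Origin": "AWS_KMS",
        "KeyManager": "CUSTOMER", "KeyState": "Enabled", "MultiRegion": False,
        "KeySpec": "ECC_NIST_P521", "CustomerMasterKeySpec": "ECC_NIST_P521",
        "KeyUsage": "SIGN_VERIFY", "SigningAlgorithms": ["ECDSA_SHA_512"]}},
]

# API enum values mapped to the labels the console shows for Origin and Key usage.
ORIGIN_LABELS = {"AWS_KMS": "AWS KMS", "AWS_CLOUDHSM": "AWS CloudHSM",
                 "EXTERNAL": "External", "EXTERNAL_KEY_STORE": "External key store"}
USAGE_LABELS = {"ENCRYPT_DECRYPT": "Encrypt and decrypt", "SIGN_VERIFY": "Sign and verify",
                "GENERATE_VERIFY_MAC": "Generate and verify MAC"}

def summarize_key(response):
    """Map one DescribeKey response onto the console fields and flag review items."""
    md = response["KeyMetadata"]
    spec = md["KeySpec"]
    # Key type: SYMMETRIC_DEFAULT and HMAC_* specs are Symmetric; RSA and ECC specs are Asymmetric.
    key_type = "Symmetric" if spec == "SYMMETRIC_DEFAULT" or spec.startswith("HMAC_") else "Asymmetric"
    # Only one of these lists is present in a response, depending on KeyUsage.
    algorithms = (md.get("EncryptionAlgorithms", []) + md.get("SigningAlgorithms", [])
                  + md.get("MacAlgorithms", []))
    findings = []
    if md["KeyState"] != "Enabled":
        findings.append(f"key state is {md['KeyState']}; cryptographic operations will fail")
    if md.get("CustomerMasterKeySpec") not in (None, spec):
        findings.append("deprecated CustomerMasterKeySpec disagrees with KeySpec")
    if md["KeyManager"] == "AWS":
        findings.append("AWS managed key: rotation is yearly and cannot be changed")
    if md["Origin"] == "EXTERNAL" and "ValidTo" in md:
        findings.append(f"imported key material expires at {md['ValidTo']}")
    return {"key_id": md["KeyId"], "key_type": key_type,
            "key_usage": USAGE_LABELS.get(md["KeyUsage"], md["KeyUsage"]),
            "origin": ORIGIN_LABELS.get(md["Origin"], md["Origin"]),
            "multi_region": md.get("MultiRegion", False),
            "algorithms": algorithms, "findings": findings}

if __name__ == "__main__":
    for resp in SAMPLE_RESPONSES:
        print(summarize_key(resp))
```

To run it against live keys, feed it the output of aws kms describe-key (or boto3's describe_key) in place of SAMPLE_RESPONSES; the caller needs kms:DescribeKey on each key.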