

# Identify and view keys
<a name="viewing-keys"></a>

You can use [AWS Management Console](https://console.aws.amazon.com/kms) or the [AWS Key Management Service (AWS KMS) API](https://docs.aws.amazon.com/kms/latest/APIReference/) to view AWS KMS keys in each account and Region, including KMS keys that you manage and KMS keys that are managed by AWS.

**Topics**
+ [Find the key ID and key ARN](find-cmk-id-arn.md)
+ [Access and list KMS key details](finding-keys.md)
+ [Identify different key types](identify-key-types.md)
+ [Customize your console view](viewing-console-customize.md)
+ [Find KMS keys and key material in an AWS CloudHSM key store](find-key-material.md)

# Find the key ID and key ARN
<a name="find-cmk-id-arn"></a>

To identify an AWS KMS key, you can use the [key ID](concepts.md#key-id-key-id) or the Amazon Resource Name ([key ARN](concepts.md#key-id-key-ARN)). In [cryptographic operations](kms-cryptography.md#cryptographic-operations), you can also use the [alias name](concepts.md#key-id-alias-name) or [alias ARN](concepts.md#key-id-alias-ARN).

You can use the [AWS KMS console](https://console.aws.amazon.com/kms) or the [ListKeys](https://docs.aws.amazon.com/kms/latest/APIReference/API_ListKeys.html) operation to identify the key ID and key ARN of each KMS key in your account and Region.

For detailed information about the KMS key identifiers supported by AWS KMS, see [Key identifiers (KeyId)](concepts.md#key-id). For help finding an alias name and alias ARN, see [Find the alias name and alias ARN for a KMS key](alias-view.md).

## Using the AWS KMS console
<a name="find-cmk-arn"></a>

1. Open the AWS KMS console at [https://console.aws.amazon.com/kms](https://console.aws.amazon.com/kms).

1. To change the AWS Region, use the Region selector in the upper-right corner of the page.

1. To view the keys in your account that you create and manage, in the navigation pane choose **Customer managed keys**. To view the keys in your account that AWS creates and manages for you, in the navigation pane, choose **AWS managed keys**.

1. To find the [key ID](concepts.md#key-id-key-id) for a KMS key, see the row that begins with the KMS key alias. 

   The **Key ID** column appears in the tables by default. If the Key ID column doesn't appear in your table, use the procedure described in [Customize your console view](viewing-console-customize.md) to restore it. You can also view the key ID of a KMS key on its details page.  
![\[Customer managed keys table showing Key ID for a single key-test alias.\]](http://docs.aws.amazon.com/kms/latest/developerguide/images/find-key-id-new.png)

1. To find the Amazon Resource Name (ARN) of the KMS key, choose the key ID or alias. The [key ARN](concepts.md#key-id-key-ARN) appears in the **General Configuration** section.   
![\[General configuration section showing key alias, status, and ARN details.\]](http://docs.aws.amazon.com/kms/latest/developerguide/images/find-key-arn.png)

## Using the AWS KMS API
<a name="find-cmk-arn-api"></a>

To find the [key ID](concepts.md#key-id-key-id) and [key ARN](concepts.md#key-id-key-ARN) of an AWS KMS key, use the [ListKeys](https://docs.aws.amazon.com/kms/latest/APIReference/API_ListKeys.html) operation.

The `ListKeys` operation returns the key ID and Amazon Resource Name (ARN) of all KMS keys in the caller's account and Region.

For example, this call to the `ListKeys` operation returns the ID and ARN of each KMS key in this fictitious account. For examples in multiple programming languages, see [Use `ListKeys` with an AWS SDK or CLI](example_kms_ListKeys_section.md).

```
$ aws kms list-keys
{
    "Keys": [
        {
            "KeyId": "1234abcd-12ab-34cd-56ef-1234567890ab",
            "KeyArn": "arn:aws:kms:us-west-2:111122223333:key/1234abcd-12ab-34cd-56ef-1234567890ab"
        },
        {
            "KeyId": "0987dcba-09fe-87dc-65ba-ab0987654321",
            "KeyArn": "arn:aws:kms:us-west-2:111122223333:key/0987dcba-09fe-87dc-65ba-ab0987654321"
        }
    ]
}
```

# Access and list KMS key details
<a name="finding-keys"></a>

You can use the [AWS KMS console](https://console.aws.amazon.com/kms) or the [DescribeKey](https://docs.aws.amazon.com/kms/latest/APIReference/API_DescribeKey.html) operation to access and list detailed information about the KMS keys in the account and Region.

The following procedures demonstrate how to access KMS key details, such as the key ID, key spec, key usage, and more.

## Using the AWS KMS console
<a name="viewing-console-details"></a>

The details page for each KMS key displays the properties of the KMS key. It differs slightly for the different types of KMS keys. 

To display detailed information about a KMS key, on the **AWS managed keys** or **Customer managed keys** page, choose the alias or key ID of the KMS key.

The details page for a KMS key includes a **General Configuration** section that displays the basic properties of the KMS key. It also includes tabs on which you can view and edit properties of the KMS key, such as **Key policy**, **Cryptographic configuration**, **Tags**, **Key material and rotations** (for KMS keys that support automatic or on-demand rotation), **Regionality** (for multi-Region keys), and **Public key** (for asymmetric KMS keys).

**Note**  
The AWS KMS console displays the KMS keys that you have [permission to view](customer-managed-policies.md#iam-policy-example-read-only-console) in your account and Region. KMS keys in other AWS accounts do not appear in the console, even if you have permission to view, manage, and use them. To view KMS keys in other accounts, use the [DescribeKey](https://docs.aws.amazon.com/kms/latest/APIReference/API_DescribeKey.html) operation.

To navigate to the key details page for a KMS key, use the following steps.

1. Sign in to the AWS Management Console and open the AWS Key Management Service (AWS KMS) console at [https://console.aws.amazon.com/kms](https://console.aws.amazon.com/kms).

1. To change the AWS Region, use the Region selector in the upper-right corner of the page.

1. To view the keys in your account that you create and manage, in the navigation pane choose **Customer managed keys**. To view the keys in your account that AWS creates and manages for you, in the navigation pane, choose **AWS managed keys**. 

1. To open the key details page, in the key table, choose the key ID or alias of the KMS key.

   If the KMS key has multiple aliases, an alias summary (**+*n* more**) appears beside the name of one of the aliases. Choosing the alias summary takes you directly to the **Aliases** tab on the key details page.

![\[AWS KMS customer managed key details showing general and cryptographic configurations.\]](http://docs.aws.amazon.com/kms/latest/developerguide/images/console-key-detail-view-symmetric-sm.png)


The following list describes the fields in the detailed display, including the fields on the tabs. Some of these fields are also available as columns in the table display.

**Aliases**  
Where: Aliases tab  
A friendly name for the KMS key. You can use an alias to identify the KMS key in the console and in some AWS KMS APIs. For details, see [Aliases in AWS KMS](kms-alias.md).  
The **Aliases** tab displays all aliases associated with the KMS key in the AWS account and Region. 

**ARN**  
Where: General configuration section  
The Amazon Resource Name (ARN) of the KMS key. This value uniquely identifies the KMS key. You can use it to identify the KMS key in AWS KMS API operations.

**Connection state**  
Indicates whether a [custom key store](key-store-overview.md#custom-key-store-overview) is connected to its backing key store. This field appears only when the KMS key is created in a custom key store.  
For information about the values in this field, see [ConnectionState](https://docs.aws.amazon.com/kms/latest/APIReference/API_CustomKeyStoresListEntry.html#KMS-Type-CustomKeyStoresListEntry-ConnectionState) in the *AWS KMS API Reference*.

**Creation date**  
Where: General configuration section  
The date and time that the KMS key was created. This value is displayed in local time for the device. The time zone does not depend on the Region.  
Unlike **Expiration**, the creation refers only to the KMS key, not its key material. 

**CloudHSM cluster ID**  
Where: Cryptographic configuration tab  
The cluster ID of the AWS CloudHSM cluster that contains the key material for the KMS key. This field appears only when the KMS key is created in a [custom key store](key-store-overview.md#custom-key-store-overview).  
If you choose the CloudHSM cluster ID, it opens the **Clusters** page in the AWS CloudHSM console.

**Current key material**  
Where: General configuration section  
Symmetric encryption keys with `AWS_KMS` origin support both automatic and on-demand rotation. Symmetric encryption keys with `EXTERNAL` origin support on-demand rotation. These keys can have multiple key materials associated with the key. The most recently rotated key material can be used for both encryption and decryption. This key material is identified as the current key material. Other key materials can only be used for decryption. Automatic or on-demand key rotation of a KMS key changes its current key material.

**Custom key store ID**  
Where: Cryptographic configuration tab  
The ID of the [custom key store](key-store-overview.md#custom-key-store-overview) that contains the KMS key. This field appears only when the KMS key is created in a custom key store.  
If you choose the custom key store ID, it opens the **Custom key stores** page in the AWS KMS console.

**Custom key store name**  
Where: Cryptographic configuration tab  
The name of the [custom key store](key-store-overview.md#custom-key-store-overview) that contains the KMS key. This field appears only when the KMS key is created in a custom key store.

**Custom key store type**  
Where: Cryptographic configuration tab  
Indicates whether the custom key store is an [AWS CloudHSM key store](keystore-cloudhsm.md) or an [external key store](keystore-external.md). This field appears only when the KMS key is created in a [custom key store](key-store-overview.md#custom-key-store-overview).

**Description**  
Where: General configuration section  
A brief, optional description of the KMS key that you can write and edit. To add or update the description of a customer managed key, above **General Configuration**, choose **Edit**.

**Encryption algorithms**  
Where: Cryptographic configuration tab  
Lists the encryption algorithms that can be used with the KMS key in AWS KMS. This field appears only when the **Key type** is **Asymmetric** and the **Key usage** is **Encrypt and decrypt**. For information about the encryption algorithms that AWS KMS supports, see [SYMMETRIC_DEFAULT key spec](symm-asymm-choose-key-spec.md#symmetric-cmks) and [RSA key specs for encryption and decryption](symm-asymm-choose-key-spec.md#key-spec-rsa-encryption).

**Expiration date**  
Where: Key material tab  
The date and time when the key material for the KMS key expires. This field appears only for KMS keys with [imported key material](importing-keys.md), that is, when the **Origin** is **External** and the KMS key has key material that expires. Symmetric encryption keys can have multiple key materials associated with them. For such keys, this field indicates the earliest date and time when one of the associated key materials expires. 

**External key ID**  
Where: Cryptographic configuration tab  
The ID of the [external key](keystore-external.md#concept-external-key) that is associated with a KMS key in an [external key store](keystore-external.md). This field appears only for KMS keys in an external key store.

**External key status**  
Where: Cryptographic configuration tab  
The most recent status that the [external key store proxy](keystore-external.md#concept-xks-proxy) reported for the [external key](keystore-external.md#concept-external-key) associated with the KMS key. This field appears only for KMS keys in an external key store.

**External key usage**  
Where: Cryptographic configuration tab  
The cryptographic operations that are enabled on the [external key](keystore-external.md#concept-external-key) associated with the KMS key. This field appears only for KMS keys in an external key store.

**Key policy**  
Where: Key policy tab  
Controls access to the KMS key along with [IAM policies](iam-policies.md) and [grants](grants.md). Every KMS key has one key policy. It is the only mandatory authorization element. To change the key policy of a customer managed key, on the **Key policy** tab, choose **Edit**. For details, see [Key policies in AWS KMS](key-policies.md).

**Key material and rotations**  
Where: Key material and rotations tab  
This tab only appears for symmetric encryption keys with `AWS_KMS` origin (which support both automatic and on-demand rotation) as well as single-Region, symmetric encryption keys with `EXTERNAL` origin (which support on-demand rotation).  
The tab has three panels:  
Automatic rotation: Enables and disables [automatic rotation](rotate-keys.md) of the key material in a [customer managed KMS key](concepts.md#customer-mgn-key). To change the key rotation status of a [customer managed key](concepts.md#customer-mgn-key), use the check box. You can't enable or disable rotation of the key material in an [AWS managed key](concepts.md#aws-managed-key). AWS managed keys are automatically rotated every year.  
On-demand rotation: Initiate an [on-demand rotation](rotate-keys.md) of the key material in a [customer managed key](concepts.md#customer-mgn-key). For imported keys, there must already be an imported key material in `PENDING_ROTATION` state for the **Rotate now** option to be available.  
Key materials: Lists all of the key materials associated with the KMS key. Each key material has a unique identifier and its row displays additional information about the key material such as the rotation date when the key material became available to use in KMS. For imported keys, each row also has an **Actions** menu that can be used to delete a specific key material or reimport it into the KMS key.

**Key spec**  
Where: Cryptographic configuration tab  
The type of key material in the KMS key. AWS KMS supports symmetric encryption KMS keys (`SYMMETRIC_DEFAULT`), HMAC KMS keys of different lengths, KMS keys for RSA keys of different lengths, and elliptic curve keys with different curves. For details, see [Key spec](create-keys.md#key-spec).

**Key type**  
Where: Cryptographic configuration tab  
Indicates whether the KMS key is **Symmetric** or **Asymmetric**.

**Key usage**  
Where: Cryptographic configuration tab  
Indicates whether a KMS key can be used for **Encrypt and decrypt**, **Sign and verify** or **Generate and verify MAC**. For details, see [Key usage](create-keys.md#key-usage).

**Origin**  
Where: Cryptographic configuration tab  
The source of the key material for the KMS key. Valid values are:  
+ **AWS KMS** for key material that AWS KMS generates
+ **AWS CloudHSM** for KMS keys in [AWS CloudHSM key store](keystore-cloudhsm.md)
+ **External** for [imported key material](importing-keys.md) (BYOK)
+ **External key store** for KMS keys in an [external key store](keystore-external.md)

**MAC algorithms**  
Where: Cryptographic configuration tab  
Lists the MAC algorithms that can be used with an HMAC KMS key in AWS KMS. This field appears only when the **Key spec** is an HMAC key spec (`HMAC_*`). For information about the MAC algorithms that AWS KMS supports, see [Key specs for HMAC KMS keys](symm-asymm-choose-key-spec.md#hmac-key-specs).

**Primary key**  
Where: Regionality tab  
Indicates that this KMS key is a [multi-Region primary key](multi-region-keys-overview.md#mrk-primary-key). Authorized users can use this section to [change the primary key](multi-region-update.md) to a different related multi-Region key. This field appears only when the KMS key is a multi-Region primary key.

**Public key**  
Where: Public key tab  
Displays the public key of an asymmetric KMS key. Authorized users can use this tab to [copy and download the public key](download-public-key.md).

**Regionality**  
Where: General configuration section and Regionality tabs  
Indicates whether a KMS key is a single-Region key, a [multi-Region primary key](multi-region-keys-overview.md#mrk-primary-key), or a [multi-Region replica key](multi-region-keys-overview.md#mrk-replica-key). This field appears only when the KMS key is a multi-Region key.

**Related multi-Region keys**  
Where: Regionality tab  
Displays all related [multi-Region primary and replica keys](multi-region-keys-overview.md), except for the current KMS key. This field appears only when the KMS key is a multi-Region key.  
In the **Related multi-Region keys** section of a primary key, authorized users can [create new replica keys](multi-region-keys-replicate.md).

**Replica key**  
Where: Regionality tab  
Indicates that this KMS key is a [multi-Region replica key](multi-region-keys-overview.md#mrk-replica-key). This field appears only when the KMS key is a multi-Region replica key.

**Signing algorithms**  
Where: Cryptographic configuration tab  
Lists the signing algorithms that can be used with the KMS key in AWS KMS. This field appears only when the **Key type** is **Asymmetric** and the **Key usage** is **Sign and verify**. For information about the signing algorithms that AWS KMS supports, see [RSA key specs for signing and verification](symm-asymm-choose-key-spec.md#key-spec-rsa-sign) and [Elliptic curve key specs](symm-asymm-choose-key-spec.md#key-spec-ecc).

**Status**  
Where: General configuration section  
The key state of the KMS key. You can use the KMS key in [cryptographic operations](kms-cryptography.md#cryptographic-operations) only when the status is **Enabled**. For a detailed description of each KMS key status and its effect on the operations that you can run on the KMS key, see [Key states of AWS KMS keys](key-state.md).

**Tags**  
Where: Tags tab  
Optional key-value pairs that describe the KMS key. To add or change the tags for a KMS key, on the **Tags** tab, choose **Edit**.  
When you add tags to your AWS resources, AWS generates a cost allocation report with usage and costs aggregated by tags. Tags can also be used to control access to a KMS key. For information about tagging KMS keys, see [Tags in AWS KMS](tagging-keys.md) and [ABAC for AWS KMS](abac.md). 

## Using the AWS KMS API
<a name="viewing-keys-describe-key"></a>

The [DescribeKey](https://docs.aws.amazon.com/kms/latest/APIReference/API_DescribeKey.html) operation returns details about the specified KMS key. To identify the KMS key, use the [key ID](concepts.md#key-id-key-id), [key ARN](concepts.md#key-id-key-ARN), [alias name](concepts.md#key-id-alias-name), or [alias ARN](concepts.md#key-id-alias-ARN). 

Unlike the [ListKeys](https://docs.aws.amazon.com/kms/latest/APIReference/API_ListKeys.html) operation, which displays only KMS keys in the caller's account and Region, authorized users can use the `DescribeKey` operation to get details about KMS keys in other accounts.

**Note**  
The `DescribeKey` response includes both `KeySpec` and `CustomerMasterKeySpec` members with the same values. The `CustomerMasterKeySpec` member is deprecated.

For example, this call to `DescribeKey` returns information about a symmetric encryption KMS key. The fields in the response vary with the [AWS KMS key spec](create-keys.md#key-spec), [key state](key-state.md), and the [key material origin](create-keys.md#key-origin). For examples in multiple programming languages, see [Use `DescribeKey` with an AWS SDK or CLI](example_kms_DescribeKey_section.md).

```
$ aws kms describe-key --key-id 1234abcd-12ab-34cd-56ef-1234567890ab

{
    "KeyMetadata": {
        "Origin": "AWS_KMS",
        "KeyId": "1234abcd-12ab-34cd-56ef-1234567890ab",
        "Description": "",
        "KeyManager": "CUSTOMER",
        "Enabled": true,
        "KeySpec": "SYMMETRIC_DEFAULT",
        "CustomerMasterKeySpec": "SYMMETRIC_DEFAULT",
        "KeyUsage": "ENCRYPT_DECRYPT",
        "KeyState": "Enabled",
        "CreationDate": 1499988169.234,
        "MultiRegion": false,
        "Arn": "arn:aws:kms:us-west-2:111122223333:key/1234abcd-12ab-34cd-56ef-1234567890ab",
        "AWSAccountId": "111122223333",
        "EncryptionAlgorithms": [
            "SYMMETRIC_DEFAULT"
        ],
        "CurrentKeyMaterialId": "123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef0"
    }
}
```

This example calls the `DescribeKey` operation on an asymmetric KMS key used for signing and verification. The response includes the signing algorithms that AWS KMS supports for this KMS key.

```
$ aws kms describe-key --key-id 0987dcba-09fe-87dc-65ba-ab0987654321

{
    "KeyMetadata": {        
        "KeyId": "0987dcba-09fe-87dc-65ba-ab0987654321",
        "Origin": "AWS_KMS",
        "Arn": "arn:aws:kms:us-west-2:111122223333:key/0987dcba-09fe-87dc-65ba-ab0987654321",
        "KeyState": "Enabled",
        "KeyUsage": "SIGN_VERIFY",
        "CreationDate": 1569973196.214,
        "Description": "",
        "KeySpec": "ECC_NIST_P521",
        "CustomerMasterKeySpec": "ECC_NIST_P521",
        "AWSAccountId": "111122223333",
        "Enabled": true,
        "MultiRegion": false,
        "KeyManager": "CUSTOMER",
        "SigningAlgorithms": [
            "ECDSA_SHA_512"
        ]
    }
}
```

# Identify different key types
<a name="identify-key-types"></a>

The following topics explain how to identify different key types in the AWS KMS console and [DescribeKey](https://docs.aws.amazon.com/kms/latest/APIReference/API_DescribeKey.html) responses.

For help navigating to the **Cryptographic configuration** tab on the details page for a KMS key, see [Access and list KMS key details](finding-keys.md).

**Topics**
+ [Identify asymmetric KMS keys](#identify-asymm-keys)
+ [Identify HMAC KMS keys](#hmac-view)
+ [Identify multi-Region KMS keys](#multi-region-keys-view)
+ [Identify KMS keys with imported key material](#identify-imported-keys)
+ [Identify KMS keys in AWS CloudHSM key stores](#identify-key-hsm-keystore)
+ [Identify KMS keys in external key stores](#view-xks-key)

## Identify asymmetric KMS keys
<a name="identify-asymm-keys"></a>

**In the AWS KMS console**  
The **Key type** column of the **Customer managed keys** table shows whether each KMS key is symmetric or asymmetric. You can filter the table by the **Key type** value to display only asymmetric KMS keys. For more information see [Sort and filter your KMS keys](viewing-console-customize.md#viewing-console-filter).  
The **Cryptographic configuration** tab on the details page for a KMS key displays the **Key Type**, which indicates whether the key is symmetric or asymmetric. It also displays the **Key Usage**, which indicates whether your asymmetric KMS key is used for encryption and decryption, signing and verification, or deriving shared secrets.

**In DescribeKey responses**  
When you call the `DescribeKey` operation on an asymmetric KMS key, the response includes the `KeySpec` and `KeyUsage` values, which can be used to determine whether a KMS key is symmetric or asymmetric.  
If the `KeySpec` value is `SYMMETRIC_DEFAULT`, the key is a symmetric encryption KMS key. For details on asymmetric key specs, see [Key spec reference](symm-asymm-choose-key-spec.md).  
If the `KeyUsage` value is `SIGN_VERIFY` or `KEY_AGREEMENT`, the key is an asymmetric KMS key.   
The `DescribeKey` operation also returns the following details for asymmetric KMS keys.  
+ For asymmetric KMS keys with a `KeyUsage` value of `ENCRYPT_DECRYPT`, the operation returns the `EncryptionAlgorithms`, which lists the valid encryption algorithms for the key.
+ For asymmetric KMS keys with a `KeyUsage` value of `SIGN_VERIFY`, the operation returns the `SigningAlgorithms`, which lists the valid signing algorithms for the key.
+ For asymmetric KMS keys with a `KeyUsage` value of `KEY_AGREEMENT`, the operation returns the `KeyAgreementAlgorithms`, which lists the valid key agreement algorithms for the key.

For more information on asymmetric KMS keys, see [Asymmetric keys in AWS KMS](symmetric-asymmetric.md).

## Identify HMAC KMS keys
<a name="hmac-view"></a>

**In the AWS KMS console**  
HMAC KMS keys are included in the **Customer managed keys** table, but you cannot sort or filter this table by the key spec or key usage values that identify HMAC keys. To make it easier to find your HMAC keys, assign them a distinctive alias or tag. Then you can sort or filter by the alias or tag.  
The **Cryptographic configuration** tab on the details page for a KMS key displays the **Key Type**, which indicates whether the key is symmetric or asymmetric. HMAC KMS keys are symmetric. The **Cryptographic configuration** tab also displays the **Key Usage**. For HMAC KMS keys the key usage value is always **Generate and verify MAC**.

**In DescribeKey responses**  
When you call the `DescribeKey` operation on an HMAC KMS key the response includes the `KeySpec` and `KeyUsage` values. For HMAC KMS keys the key usage value is always `GENERATE_VERIFY_MAC` and the key spec value always starts with `HMAC_`.

For more information on HMAC KMS keys, see [HMAC keys in AWS KMS](hmac.md).

## Identify multi-Region KMS keys
<a name="multi-region-keys-view"></a>

**In the AWS KMS console**  
The **Customer managed keys** table only displays KMS keys in the selected Region. You can view multi-Region primary and replica keys in the selected Region. To change the AWS Region, use the Region selector in the upper-right corner of the console.  
To make it easier to identify multi-Region keys in the **Customer managed keys** table, add the **Regionality** column to your table. For help, see [Customize your KMS key tables](viewing-console-customize.md#console-customize-tables).  
The detail page for multi-Region KMS keys includes a **Regionality** tab. The **Regionality** tab for a primary key includes Change primary Region and Create new replica keys buttons. (The Regionality tab for a replica key has neither button.) The **Related multi-Region keys** section lists all multi-Region keys related to the current one. If the current key is a replica key, this list includes the primary key.  
If you choose a related multi-Region key from the **Related multi-Region keys** table, the AWS KMS console changes to the Region of the selected key and it opens the detail page for the key. For example, if you choose the replica key in the `sa-east-1` Region from the example **Related multi-Region keys** section below, the AWS KMS console changes to the `sa-east-1` Region to display the detail page for that replica key. You might do this to view the alias or key policy for the replica key. To change the Region again, use the Region selector at the top right corner of the page.

**In DescribeKey responses**  
By default, AWS KMS API operations are Regional and only return the resources in the current or specified Region. But, when you call the `DescribeKey` operation on a multi-Region KMS key, the response includes all related multi-Region keys in other AWS Regions in the `MultiRegionConfiguration` element.

For more information on multi-Region KMS keys, see [Multi-Region keys in AWS KMS](multi-region-keys-overview.md).

## Identify KMS keys with imported key material
<a name="identify-imported-keys"></a>

**In the AWS KMS console**  
To make it easier to identify KMS keys with imported key material in the **Customer managed keys** table, add the **Origin** column to your table. The **Origin** column makes it easy to identify KMS keys with an **External (Import Key material)** origin property value. For help, see [Customize your KMS key tables](viewing-console-customize.md#console-customize-tables).  
The **Cryptographic configuration** tab on the details page for a KMS key displays the **Origin**, which identifies the source of the key material for the KMS key. For KMS keys with imported key material, the origin value is always **External (Import Key material)**. The details page also includes a **Key material** tab that provides detailed information about the imported key material. Symmetric encryption keys with `EXTERNAL` origin support on-demand rotations and can have multiple key materials associated with them. For such keys, the tab is labeled **Key material and rotations**.

**In DescribeKey responses**  
When you call the `DescribeKey` operation on a KMS key with imported key material the response includes the `Origin`, `ExpirationModel`, and `ValidTo` values. For KMS keys with imported key material the origin value is always `EXTERNAL`. The `ExpirationModel` value indicates whether or not the key material is set to expire, and the `ValidTo` value indicates when the key material will expire. When multiple key materials are associated with a key, the `ValidTo` value indicates the earliest expiry time across all key materials (except for the one pending rotation) and `ExpirationModel` is set to `DOES_NOT_EXPIRE` only if none of these key materials are set to expire. For more information, see [Setting an expiration time (optional)](importing-keys-import-key-material.md#importing-keys-expiration).

For more information on KMS keys with imported key material, see [Importing key material for AWS KMS keys](importing-keys.md).

## Identify KMS keys in AWS CloudHSM key stores
<a name="identify-key-hsm-keystore"></a>

**In the AWS KMS console**  
To make it easier to identify KMS keys in AWS CloudHSM key stores in the **Customer managed keys** table, add the **Origin** column to your table. The **Origin** column makes it easy to identify KMS keys with an **AWS CloudHSM** origin property value. For help, see [Customize your KMS key tables](viewing-console-customize.md#console-customize-tables).  
The **Cryptographic configuration** tab on the details page for a KMS key displays the **Origin**, which identifies the source of the key material for the KMS key. For KMS keys in AWS CloudHSM key stores, the origin value is always **AWS CloudHSM**.  
For a KMS key in an AWS CloudHSM key store, the **Cryptographic configuration** tab includes an additional section, **Custom key store**, that provides information about the AWS CloudHSM key store and AWS CloudHSM cluster associated with the KMS key.

**In DescribeKey responses**  
When you call the `DescribeKey` operation on a KMS key in an AWS CloudHSM key store the response includes the `Origin`, which identifies the source of the key material. For KMS keys in an AWS CloudHSM key store the origin value is always `AWS_CLOUDHSM`. The operation also returns the following special fields for KMS keys in AWS CloudHSM key stores:  
+ `CloudHsmClusterId`
+ `CustomKeyStoreId`

For more information on AWS CloudHSM key stores, see [AWS CloudHSM key stores](keystore-cloudhsm.md).

## Identify KMS keys in external key stores
<a name="view-xks-key"></a>

**In the AWS KMS console**  
To make it easier to identify KMS keys in external key stores in the **Customer managed keys** table, add the **Origin** column to your table. The **Origin** column makes it easy to identify KMS keys with an **External key store** origin property value. For help, see [Customize your KMS key tables](viewing-console-customize.md#console-customize-tables).  
The **Cryptographic configuration** tab on the details page for a KMS key displays the **Origin**, which identifies the source of the key material for the KMS key. For KMS keys in external key stores, the origin value is always **External key store**.  
For a KMS key in an external key store, the **Cryptographic configuration** tab includes two additional sections, **Custom key store** and **External key**. The **Custom key store** table provides information about the external key store associated with the KMS key. The **External key** table appears in the AWS KMS console only for KMS keys in external key stores. It provides information about the external key associated with the KMS key. The [*external key*](keystore-external.md#concept-external-key) is a cryptographic key outside of AWS that serves as the key material for the KMS key in the external key store. When you encrypt or decrypt with the KMS key, the operation is performed by your [external key manager](keystore-external.md#concept-ekm) using the specified external key.  
The following values appear in the **External key** section.    
**External key ID**  
The identifier for the external key in its external key manager. This is the value that the external key store proxy uses to identify the external key. You specify the ID of the external key when you create the KMS key and you cannot change it. If the external key ID value that you used to create the KMS key changes or becomes invalid, you must [schedule the KMS key for deletion](deleting-keys.md) and [create a new KMS key](create-xks-keys.md) with the correct external key ID value.

**In DescribeKey responses**  
When you call the `DescribeKey` operation on a KMS key in an external key store, the response includes the `Origin`, which identifies the source of the key material. For KMS keys in an external key store, the origin value is always `EXTERNAL_KEY_STORE`. The operation also returns the `CustomKeyStoreId` element, which identifies the external key store associated with the KMS key, and the `XksKeyConfiguration` element, whose `Id` is the external key ID.

For more information on external key stores, see [External key stores](keystore-external.md).

# Customize your console view
<a name="viewing-console-customize"></a>

You can customize the view of the AWS KMS console to make it easier to find your KMS keys. Customize the tables that appear on the **AWS managed keys** and **Customer managed keys** pages to display the information that you need the most, or sort and filter the KMS keys returned in the tables.

**Topics**
+ [Sort and filter your KMS keys](#viewing-console-filter)
+ [Customize your KMS key tables](#console-customize-tables)

## Sort and filter your KMS keys
<a name="viewing-console-filter"></a>

To make it easier to find your KMS keys in the console, you can sort and filter the key tables. 

**Sort**  
You can sort KMS keys in ascending or descending order by their column values. This feature sorts all KMS keys in the table, even if they don't appear on the current table page.  
Sortable columns are indicated by an arrow beside the column name. On the **AWS managed keys** page, you can sort by **Aliases** or **Key ID**. On the **Customer managed keys** page, you can sort by **Aliases**, **Key ID**, or **Key type**.  
To sort in ascending order, choose the column heading until the arrow points upward. To sort in descending order, choose the column heading until the arrow points downward. You can sort by only one column at a time.  
For example, you can sort KMS keys in ascending order by key ID, instead of aliases, which is the default.  

![\[AWS managed keys interface showing sortable columns for Aliases and Key ID.\]](http://docs.aws.amazon.com/kms/latest/developerguide/images/console-sort.png)

When you sort KMS keys on the **Customer managed keys** page in ascending order by **Key type**, all asymmetric keys are displayed before all symmetric keys.

**Filter**  
You can filter KMS keys by their property values or tags. The filter applies to all KMS keys in the table, even if they don't appear on the current table page. The filter is not case-sensitive.  
Filterable properties are listed in the filter box.  
+ On the **AWS managed keys** page, you can filter by alias and key ID.
+ On the **Customer managed keys** page, you can filter by tags, or by the alias, key ID, key type, or regionality properties.
To filter by a property value, choose the filter, choose the property name, and then choose from the list of actual property values. To filter by a tag, choose the tag key, and then choose from the list of actual tag values. After choosing a property or tag key, you can also type all or part of the property value or tag value. You'll see a preview of the results before you make your choice.   
For example, to display KMS keys with an alias name that contains `aws/e`, choose the filter box, choose **Alias**, type `aws/e`, and then press `Enter` or `Return` to add the filter.  

![\[Search box for AWS managed keys with Aliases filter and example entries.\]](http://docs.aws.amazon.com/kms/latest/developerguide/images/filter-alias.png)


### Suggested KMS key table filters
<a name="console-filter-recommendations"></a>

**Filter for asymmetric KMS keys**  
To display only asymmetric KMS keys on the **Customer managed keys** page, click the filter box, choose **Key type** and then choose **Key type: Asymmetric**. The **Asymmetric** option appears only when you have asymmetric KMS keys in the table.

**Filter for multi-Region keys**  
To display only multi-Region keys, on the **Customer managed keys** page, choose the filter box, choose **Regionality** and then choose **Regionality: Multi-Region**. The **Multi-Region** option appears only when you have multi-Region keys in the table.

**Filter for tags**  
To display only KMS keys with a particular tag, choose the filter box, choose the tag key, and then choose from among the actual tag values. You can also type all or part of the tag value.  
The resulting table displays all KMS keys with the chosen tag. However, it doesn't display the tag. To see the tag, choose the key ID or alias of the KMS key and on its detail page, choose the **Tags** tab. The tabs appear below the **General configuration** section.  
This filter requires both the tag key and tag value. It won't find KMS keys by typing only the tag key or only its value. To filter tags by all or part of the tag key or value, use the [ListResourceTags](https://docs.aws.amazon.com/kms/latest/APIReference/API_ListResourceTags.html) operation to get tagged KMS keys, then use the filtering features of your programming language.

**Filter by text**  
To search for text, in the filter box, type all or part of an alias, key ID, key type, or tag key. (After you select the tag key, you can search for a tag value.) You'll see a preview of the results before you make your choice.  
For example, to display KMS keys with `test` in their tag keys or filterable properties, type `test` in the filter box. The preview shows the KMS keys that the filter will select. In this case, `test` appears only in the **Alias** property.

## Customize your KMS key tables
<a name="console-customize-tables"></a>

You can customize the tables that appear on the **AWS managed keys** and **Customer managed keys** pages in the AWS Management Console to suit your needs. You can choose the table columns, the number of AWS KMS keys on each page (**Page size**), and the text wrap. The configuration you choose is saved when you confirm it and reapplied whenever you open the pages. 

**To customize your KMS key tables**

1. On the **AWS managed keys** or **Customer managed keys** page, choose the settings icon (![\[Gear or cog icon representing settings or configuration options.\]](http://docs.aws.amazon.com/kms/latest/developerguide/images/console-icon-settings-new.png)) in the upper-right corner of the page.

1. On the **Preferences** page, choose your preferred settings, and then choose **Confirm**.

Consider using the **Page size** setting to increase the number of KMS keys displayed on each page, especially if you typically use a device that's easy to scroll.

The data columns that you display might vary depending on the table, your job role, and the types of KMS keys in the account and Region. The following section offers some suggested configurations. For descriptions of the columns, see [Using the AWS KMS console](finding-keys.md#viewing-console-details).

### Suggested KMS key table configurations
<a name="configure-console"></a>

You can customize the columns that appear in your KMS key table to display the information you need about your KMS keys.

**AWS managed keys**  
By default, the **AWS managed keys** table displays the **Aliases**, **Key ID**, and **Status** columns. These columns are ideal for most use cases.

**Symmetric encryption KMS keys**  
If you use only symmetric encryption KMS keys with key material generated by AWS KMS, the **Aliases**, **Key ID**, **Status**, and **Creation date** columns are likely to be the most useful.

**Asymmetric KMS keys**  
If you use asymmetric KMS keys, in addition to the **Aliases**, **Key ID**, and **Status** columns, consider adding the **Key type**, **Key spec**, and **Key usage** columns. These columns will show you whether a KMS key is symmetric or asymmetric, the type of key material, and whether the KMS key can be used for encryption or signing.

**HMAC KMS keys**  
If you use HMAC KMS keys, in addition to the **Aliases**, **Key ID**, and **Status** columns, consider adding the **Key spec** and **Key usage** columns. These columns will show you whether a KMS key is an HMAC key. Because you can't sort KMS keys by key spec or key usage, use aliases and tags to identify your HMAC keys and then use the [filter features](#viewing-console-filter) of the AWS KMS console to filter by aliases or tags.

**Imported key material**  
If you have KMS keys with [imported key material](importing-keys.md), consider adding the **Origin** and **Expiration date** columns. These columns will show you whether the key material in a KMS key is imported or generated by AWS KMS and when the key material expires, if at all. The **Creation date** field displays the date that the KMS key was created (without key material). It doesn't reflect any characteristic of the key material.

**Keys in custom key stores**  
If you have KMS keys in [custom key stores](key-store-overview.md#custom-key-store-overview), consider adding the **Origin** and **Custom key store ID** columns. These columns show that the KMS key is in a custom key store, display the custom key store type, and identify the custom key store.

**Multi-Region keys**  
If you have [multi-Region keys](multi-region-keys-overview.md), consider adding the **Regionality** column. This shows whether a KMS key is a single-Region key, a [multi-Region primary key](multi-region-keys-overview.md#mrk-primary-key) or a [multi-Region replica key](multi-region-keys-overview.md#mrk-replica-key).

# Find KMS keys and key material in an AWS CloudHSM key store
<a name="find-key-material"></a>

If you manage an AWS CloudHSM key store, you might need to identify the KMS keys in each AWS CloudHSM key store. For example, you might need to do some of the following tasks.
+ Track the KMS keys in an AWS CloudHSM key store in AWS CloudTrail logs. 
+ Predict the effect on KMS keys of disconnecting an AWS CloudHSM key store. 
+ Schedule deletion of KMS keys before you delete an AWS CloudHSM key store. 

In addition, you might want to identify the keys in your AWS CloudHSM cluster that serve as key material for your KMS keys. Although AWS KMS manages the KMS keys and the key material, you still retain control of and responsibility for the management of your AWS CloudHSM cluster, as well as the HSMs and backups and the keys in the HSMs. You might need to identify the keys in order to audit the key material, protect it from accidental deletion, or delete it from HSMs and cluster backups after deleting the KMS key.

All key material for the KMS keys in your AWS CloudHSM key store is owned by the [`kmsuser` crypto user](keystore-cloudhsm.md#concept-kmsuser) (CU). AWS KMS sets the key label attribute, which is viewable only in AWS CloudHSM, to the Amazon Resource Name (ARN) of the KMS key.

To find KMS keys and key material, use any of the following techniques.
+ [Find the KMS keys in an AWS CloudHSM key store](find-cmk-in-keystore.md) — How to identify the KMS keys in one or all of your AWS CloudHSM key stores.
+ [Find all keys for an AWS CloudHSM key store](find-all-kmsuser-keys.md) — How to find all keys in your cluster that serve as key material for the KMS keys in your AWS CloudHSM key store.
+ [Find the AWS CloudHSM key for a KMS key](find-handle-for-cmk-id.md) — How to find the key in your cluster that serves as key material for a particular KMS key in your AWS CloudHSM key store.
+ [Find the KMS key for an AWS CloudHSM key](find-label-for-key-handle.md) — How to find the KMS key for a particular key in your cluster. 

# Find the KMS keys in an AWS CloudHSM key store
<a name="find-cmk-in-keystore"></a>

If you manage an AWS CloudHSM key store, you might need to identify the KMS keys in each AWS CloudHSM key store. You can use this information to track the KMS key operations in AWS CloudTrail logs, predict the effect of disconnecting a custom key store on KMS keys, or schedule deletion of KMS keys before you delete an AWS CloudHSM key store. 

## To find the KMS keys in an AWS CloudHSM key store (console)
<a name="find-cmk-in-keystore-console"></a>

To find the KMS keys in a particular AWS CloudHSM key store, on the **Customer managed keys** page, view the values in the **Custom Key Store Name** or **Custom Key Store ID** fields. To identify KMS keys in any AWS CloudHSM key store, look for KMS keys with an **Origin** value of **AWS CloudHSM**. To add optional columns to the display, choose the gear icon in the upper right corner of the page.

## To find the KMS keys in an AWS CloudHSM key store (API)
<a name="find-cmk-in-keystore-api"></a>

To find the KMS keys in an AWS CloudHSM key store, use the [ListKeys](https://docs.aws.amazon.com/kms/latest/APIReference/API_ListKeys.html) and [DescribeKey](https://docs.aws.amazon.com/kms/latest/APIReference/API_DescribeKey.html) operations and then filter by `CustomKeyStoreId` value. Before running the following examples, replace the fictitious custom key store ID values with a valid value.

------
#### [ Bash ]

To find KMS keys in a particular AWS CloudHSM key store, get all of your KMS keys in the account and Region. Then describe each key and keep only those whose `CustomKeyStoreId` matches. The `--query` option trims each `DescribeKey` response to the key ID, the custom key store ID, and the cluster ID, so only matching keys are printed. (`list-keys` is paginated; the AWS CLI follows the pagination for you.)

```
for key in $(aws kms list-keys --query 'Keys[*].KeyId' --output text); do
  aws kms describe-key --key-id "$key" \
    --query 'KeyMetadata.[KeyId, CustomKeyStoreId, CloudHsmClusterId]' --output text |
    grep 'cks-1234567890abcdef0'
done
```

To get KMS keys in any AWS CloudHSM key store in the account and Region, filter on `Origin` with a value of `AWS_CLOUDHSM`. (`CustomKeyStoreType` is not part of the `DescribeKey` response; it is returned by `DescribeCustomKeyStores`.)

```
for key in $(aws kms list-keys --query 'Keys[*].KeyId' --output text); do
  aws kms describe-key --key-id "$key" \
    --query 'KeyMetadata.[KeyId, Origin, CustomKeyStoreId]' --output text |
    grep 'AWS_CLOUDHSM'
done
```

------
#### [ PowerShell ]

To find KMS keys in a particular AWS CloudHSM key store, use the [Get-KmsKeyList](https://docs.aws.amazon.com/powershell/latest/reference/items/Get-KMSKeyList.html) and [Get-KmsKey](https://docs.aws.amazon.com/powershell/latest/reference/items/Get-KMSKey.html) cmdlets to get all of your KMS keys in the account and Region. Then filter by the custom key store ID. 

```
PS C:\> Get-KMSKeyList | Get-KMSKey | where CustomKeyStoreId -eq 'cks-1234567890abcdef0'
```

To get KMS keys in any AWS CloudHSM key store in the account and Region, filter on the `Origin` value of `AWS_CLOUDHSM`. (The KeyMetadata object that `Get-KMSKey` returns has no `CustomKeyStoreType` property; that value comes from the `DescribeCustomKeyStores` operation.)

```
PS C:\> Get-KMSKeyList | Get-KMSKey | where Origin -eq 'AWS_CLOUDHSM'
```

------
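The `DescribeKey` descriptions earlier on this page (the `Origin`, `CustomKeyStoreId`, `CloudHsmClusterId` and external key fields) and the CLI loops above all filter the same `KeyMetadata` structure. The following Python is an added example, not code from the AWS documentation: it does that filtering offline on constructed sample records (all key, store and cluster IDs are fictitious) and includes a boto3 fetch that uses the `ListKeys` paginator for live use. The function names and the sample records are mine.

```python
"""Inventory KMS keys by where their key material lives, from DescribeKey output.

Added example (not code from the AWS documentation). It works on the
KeyMetadata structure that DescribeKey returns: Origin says where the key
material lives (AWS_KMS, EXTERNAL, AWS_CLOUDHSM or EXTERNAL_KEY_STORE),
CustomKeyStoreId and CloudHsmClusterId are present for keys in an AWS CloudHSM
key store, and XksKeyConfiguration.Id carries the external key ID for keys in
an external key store. All IDs below are fictitious, constructed samples.
"""
from collections import defaultdict

# Origin values that mean the key material is held in a custom key store.
CUSTOM_STORE_ORIGINS = {"AWS_CLOUDHSM", "EXTERNAL_KEY_STORE"}

# Constructed sample of DescribeKey()["KeyMetadata"] records (trimmed to the
# fields this example uses; a real response carries many more).
SAMPLE_KEY_METADATA = [
    {"KeyId": "1234abcd-12ab-34cd-56ef-1234567890ab", "Origin": "AWS_CLOUDHSM",
     "CustomKeyStoreId": "cks-1234567890abcdef0",
     "CloudHsmClusterId": "cluster-1a23b4cdefg"},
    {"KeyId": "0987dcba-09fe-87dc-65ba-ab0987654321", "Origin": "AWS_CLOUDHSM",
     "CustomKeyStoreId": "cks-1234567890abcdef0",
     "CloudHsmClusterId": "cluster-1a23b4cdefg"},
    {"KeyId": "abcd1234-a123-456a-a12b-a123b4cd56ef", "Origin": "EXTERNAL_KEY_STORE",
     "CustomKeyStoreId": "cks-9876543210fedcba0",
     "XksKeyConfiguration": {"Id": "bb8562717f809024"}},
    {"KeyId": "1a2b3c4d-5e6f-1a2b-3c4d-5e6f1a2b3c4d", "Origin": "AWS_KMS"},
    {"KeyId": "9f8e7d6c-5b4a-9f8e-7d6c-5b4a9f8e7d6c", "Origin": "EXTERNAL"},
]


def keys_in_store(metadata, custom_key_store_id):
    """KeyIds whose key material is in one particular custom key store."""
    return [m["KeyId"] for m in metadata
            if m.get("CustomKeyStoreId") == custom_key_store_id]


def keys_by_origin(metadata, origin):
    """KeyIds with a given Origin, e.g. AWS_CLOUDHSM for keys in any CloudHSM key store."""
    return [m["KeyId"] for m in metadata if m.get("Origin") == origin]


def custom_store_inventory(metadata):
    """Group custom-key-store keys by CustomKeyStoreId, keeping the identifier
    that matters for that store type: the CloudHSM cluster ID, or the external key ID."""
    inventory = defaultdict(list)
    for m in metadata:
        if m.get("Origin") not in CUSTOM_STORE_ORIGINS:
            continue
        entry = {"KeyId": m["KeyId"], "Origin": m["Origin"]}
        if m["Origin"] == "AWS_CLOUDHSM":
            entry["CloudHsmClusterId"] = m.get("CloudHsmClusterId")
        else:
            entry["ExternalKeyId"] = m.get("XksKeyConfiguration", {}).get("Id")
        inventory[m["CustomKeyStoreId"]].append(entry)
    return dict(inventory)


def describe_all_keys(region_name=None):
    """Fetch live KeyMetadata for every key in the account and Region.
    Needs boto3, credentials, and kms:ListKeys plus kms:DescribeKey on each key.
    ListKeys is paginated, so use the paginator rather than a single call."""
    import boto3  # imported here so the offline functions above need no SDK
    kms = boto3.client("kms", region_name=region_name)
    metadata = []
    for page in kms.get_paginator("list_keys").paginate():
        for key in page["Keys"]:
            metadata.append(kms.describe_key(KeyId=key["KeyId"])["KeyMetadata"])
    return metadata


if __name__ == "__main__":
    for store_id, keys in custom_store_inventory(SAMPLE_KEY_METADATA).items():
        print(store_id)
        for entry in keys:
            print("   ", entry)
```

Because `KeyMetadata` carries no `CustomKeyStoreType`, the store type is inferred from `Origin`. Grouping by `CustomKeyStoreId` is the list you need before disconnecting or deleting a store: every key in that group will fail cryptographic operations while the store is disconnected.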

# Find all keys for an AWS CloudHSM key store
<a name="find-all-kmsuser-keys"></a>

You can identify the keys in your AWS CloudHSM cluster that serve as key material for your AWS CloudHSM key store. To do that, use the [key list](https://docs.aws.amazon.com/cloudhsm/latest/userguide/cloudhsm_cli-key-list.html) command in CloudHSM CLI.

You can also use the **key list** command to find the AWS KMS key for an AWS CloudHSM key. When AWS KMS creates the key material for a KMS key in your AWS CloudHSM cluster, it writes the Amazon Resource Name (ARN) of the KMS key in the key label. The **key list** command returns the `key-reference` and the `label`.

**Notes**  
The following procedures use the AWS CloudHSM Client SDK 5 command line tool, [CloudHSM CLI](https://docs.aws.amazon.com/cloudhsm/latest/userguide/cloudhsm_cli.html). The CloudHSM CLI replaces `key-handle` with `key-reference`.  
On January 1, 2025, AWS CloudHSM will end support for the Client SDK 3 command line tools, the CloudHSM Management Utility (CMU) and the Key Management Utility (KMU). For more information on the differences between the Client SDK 3 command line tools and the Client SDK 5 command line tool, see [Migrate from Client SDK 3 CMU and KMU to Client SDK 5 CloudHSM CLI](https://docs.aws.amazon.com/cloudhsm/latest/userguide/cloudhsm_cli-migrate-from-kmu-cmu.html) in the *AWS CloudHSM User Guide*.

To run this procedure you need to disconnect the AWS CloudHSM key store temporarily so you can log in as the `kmsuser` CU.

1. Disconnect the AWS CloudHSM key store, if it is not already disconnected, then log in as `kmsuser`, as explained in [How to disconnect and log in](fix-keystore.md#login-kmsuser-1).
**Note**  
While a custom key store is disconnected, all attempts to create KMS keys in the custom key store or to use existing KMS keys in cryptographic operations will fail. This action can prevent users from storing and accessing sensitive data.

1. Use the [https://docs.aws.amazon.com/cloudhsm/latest/userguide/cloudhsm_cli-key-list.html](https://docs.aws.amazon.com/cloudhsm/latest/userguide/cloudhsm_cli-key-list.html) command in CloudHSM CLI to find all keys for the current user present in your AWS CloudHSM cluster.

   By default, only 10 keys of the currently logged in user are displayed, and only the `key-reference` and `label` are displayed as output. For more options, see [key list](https://docs.aws.amazon.com/cloudhsm/latest/userguide/cloudhsm_cli-key-list.html#chsm-cli-key-list-syntax) in the *AWS CloudHSM User Guide*.

   ```
   aws-cloudhsm > key list
   {
     "error_code": 0,
     "data": {
       "matched_keys": [
         {
           "key-reference": "0x0000000000000123",
           "attributes": {
             "label": "arn:aws:kms:us-west-2:111122223333:key/1234abcd-12ab-34cd-56ef-1234567890ab"
           }
         },
         {
           "key-reference": "0x0000000000000456",
           "attributes": {
             "label": "arn:aws:kms:us-west-2:111122223333:key/0987dcba-09fe-87dc-65ba-ab0987654321"
           }
         },
         ...8 keys later...
       ],
       "total_key_count": 56,
       "returned_key_count": 10,
       "next_token": "10"
     }
   }
   ```

1. Log out and reconnect the AWS CloudHSM key store as described in [How to log out and reconnect](fix-keystore.md#login-kmsuser-2).

# Find the KMS key for an AWS CloudHSM key
<a name="find-label-for-key-handle"></a>

If you know the key reference or ID of a key that the `kmsuser` owns in the cluster, you can use that value to identify the associated KMS key in your AWS CloudHSM key store.

When AWS KMS creates the key material for a KMS key in your AWS CloudHSM cluster, it writes the Amazon Resource Name (ARN) of the KMS key in the key label. Unless you have changed the label value, you can use the [key list](https://docs.aws.amazon.com/cloudhsm/latest/userguide/cloudhsm_cli-key-list.html) command in CloudHSM CLI to identify the KMS key associated with the AWS CloudHSM key.

**Notes**  
The following procedures use the AWS CloudHSM Client SDK 5 command line tool, [CloudHSM CLI](https://docs.aws.amazon.com/cloudhsm/latest/userguide/cloudhsm_cli.html). The CloudHSM CLI replaces `key-handle` with `key-reference`.  
On January 1, 2025, AWS CloudHSM will end support for the Client SDK 3 command line tools, the CloudHSM Management Utility (CMU) and the Key Management Utility (KMU). For more information on the differences between the Client SDK 3 command line tools and the Client SDK 5 command line tool, see [Migrate from Client SDK 3 CMU and KMU to Client SDK 5 CloudHSM CLI](https://docs.aws.amazon.com/cloudhsm/latest/userguide/cloudhsm_cli-migrate-from-kmu-cmu.html) in the *AWS CloudHSM User Guide*.

To run these procedures you need to disconnect the AWS CloudHSM key store temporarily so you can log in as the `kmsuser` CU.

**Note**  
While a custom key store is disconnected, all attempts to create KMS keys in the custom key store or to use existing KMS keys in cryptographic operations will fail. This action can prevent users from storing and accessing sensitive data.

**Topics**
+ [Identify the KMS key associated with a key reference](#key-reference-filter)
+ [Identify the KMS key associated with a backing key ID](#backing-key-id-filter)

## Identify the KMS key associated with a key reference
<a name="key-reference-filter"></a>

The following procedure demonstrates how to use the [https://docs.aws.amazon.com/cloudhsm/latest/userguide/cloudhsm_cli-key-list.html](https://docs.aws.amazon.com/cloudhsm/latest/userguide/cloudhsm_cli-key-list.html) command in CloudHSM CLI with the `key-reference` attribute filter to find the KMS key whose key material is a particular key in your cluster. The `label` attribute of the matched key holds the ARN of that KMS key.

1. Disconnect the AWS CloudHSM key store, if it is not already disconnected, then log in as `kmsuser`, as explained in [How to disconnect and log in](fix-keystore.md#login-kmsuser-1).

1. Use the [https://docs.aws.amazon.com/cloudhsm/latest/userguide/cloudhsm_cli-key-list.html](https://docs.aws.amazon.com/cloudhsm/latest/userguide/cloudhsm_cli-key-list.html) command in CloudHSM CLI to filter by the `key-reference` attribute. Specify the `verbose` argument to include all attributes and key information for the matched key. If you don't specify the `verbose` argument, the **key list** operation only returns the matched key's key-reference and label attribute.

   Before running this command, replace the example `key-reference` with a valid one from your account.

   ```
   aws-cloudhsm > key list --filter attr.key-reference="0x0000000000120034" --verbose
   {
     "error_code": 0,
     "data": {
       "matched_keys": [
         {
           "key-reference": "0x0000000000120034",
           "key-info": {
             "key-owners": [
               {
                 "username": "kmsuser",
                 "key-coverage": "full"
               }
             ],
             "shared-users": [],
             "cluster-coverage": "full"
           },
           "attributes": {
             "key-type": "aes",
             "label": "arn:aws:kms:us-west-2:111122223333:key/1234abcd-12ab-34cd-56ef-1234567890ab",
             "id": "0xbacking-key-id",
             "check-value": "0x29bbd1",
             "class": "my_test_key",
             "encrypt": true,
             "decrypt": true,
             "token": true,
             "always-sensitive": true,
             "derive": false,
             "destroyable": true,
             "extractable": false,
             "local": true,
             "modifiable": true,
             "never-extractable": false,
             "private": true,
             "sensitive": true,
             "sign": false,
             "trusted": false,
             "unwrap": true,
             "verify": false,
             "wrap": true,
             "wrap-with-trusted": false,
             "key-length-bytes": 32
           }
         }
       ],
       "total_key_count": 1,
       "returned_key_count": 1
     }
   }
   ```

1. Log out and reconnect the AWS CloudHSM key store as described in [How to log out and reconnect](fix-keystore.md#login-kmsuser-2).

## Identify the KMS key associated with a backing key ID
<a name="backing-key-id-filter"></a>

All CloudTrail log entries for cryptographic operations with a KMS key in an AWS CloudHSM key store include an `additionalEventData` field with the `customKeyStoreId` and `backingKeyId`. The value returned in the `backingKeyId` field correlates to the CloudHSM key `id` attribute. You can filter the [https://docs.aws.amazon.com/cloudhsm/latest/userguide/cloudhsm_cli-key-list.html](https://docs.aws.amazon.com/cloudhsm/latest/userguide/cloudhsm_cli-key-list.html) operation by the `id` attribute to identify the KMS key associated with a specific `backingKeyId`.

1. Disconnect the AWS CloudHSM key store, if it is not already disconnected, then log in as `kmsuser`, as explained in [How to disconnect and log in](fix-keystore.md#login-kmsuser-1).

1. Use the [https://docs.aws.amazon.com/cloudhsm/latest/userguide/cloudhsm_cli-key-list.html](https://docs.aws.amazon.com/cloudhsm/latest/userguide/cloudhsm_cli-key-list.html) command in CloudHSM CLI with the `id` attribute filter to find the key in your cluster that the `backingKeyId` refers to. The `label` attribute of the matched key is the ARN of the associated KMS key.

   The following example demonstrates how to filter by the `id` attribute. AWS CloudHSM recognizes the `id` value as a hexadecimal value. To filter the **key list** operation by the `id` attribute, you must first convert the `backingKeyId` value that you identified in your CloudTrail log entry into a format that AWS CloudHSM recognizes.

   1. Use the following Linux command to convert the `backingKeyId` into a hexadecimal representation. The `-c 256` option keeps the result on one line; by default, `xxd -p` wraps its output after 60 hexadecimal characters, so a 64-character `backingKeyId` would be split across three lines.

      ```
      printf '%s' backingKeyId | xxd -p -c 256
      ```

      The following example demonstrates how to convert the `backingKeyId` string into a hexadecimal representation.

      ```
      printf '%s' 5890723622dc15f699aa9ab2387a9f744b2b884c18b2186ee8ada4f556a2eb9d | xxd -p -c 256
      35383930373233363232646331356636393961613961623233383761396637343462326238383463313862323138366565386164613466353536613265623964
      ```

   1. Prepend the hexadecimal representation of the `backingKeyId` with `0x`.

      ```
      0x35383930373233363232646331356636393961613961623233383761396637343462326238383463313862323138366565386164613466353536613265623964
      ```

   1. Use the converted `backingKeyId` value to filter by the `id` attribute. Specify the `verbose` argument to include all attributes and key information for the matched key. If you don't specify the `verbose` argument, the **key list** operation only returns the matched key's key-reference and label attribute.

      ```
      aws-cloudhsm > key list --filter attr.id="0x35383930373233363232646331356636393961613961623233383761396637343462326238383463313862323138366565386164613466353536613265623964" --verbose
      {
        "error_code": 0,
        "data": {
          "matched_keys": [
            {
              "key-reference": "0x0000000000120034",
              "key-info": {
                "key-owners": [
                  {
                    "username": "kmsuser",
                    "key-coverage": "full"
                  }
                ],
                "shared-users": [],
                "cluster-coverage": "full"
              },
              "attributes": {
                "key-type": "aes",
                "label": "arn:aws:kms:us-west-2:111122223333:key/1234abcd-12ab-34cd-56ef-1234567890ab",
                "id": "0x35383930373233363232646331356636393961613961623233383761396637343462326238383463313862323138366565386164613466353536613265623964",
                "check-value": "0x29bbd1",
                "class": "my_test_key",
                "encrypt": true,
                "decrypt": true,
                "token": true,
                "always-sensitive": true,
                "derive": false,
                "destroyable": true,
                "extractable": false,
                "local": true,
                "modifiable": true,
                "never-extractable": false,
                "private": true,
                "sensitive": true,
                "sign": false,
                "trusted": false,
                "unwrap": true,
                "verify": false,
                "wrap": true,
                "wrap-with-trusted": false,
                "key-length-bytes": 32
              }
            }
          ],
          "total_key_count": 1,
          "returned_key_count": 1
        }
      }
      ```

1. Log out and reconnect the AWS CloudHSM key store as described in [How to log out and reconnect](fix-keystore.md#login-kmsuser-2).

# Find the AWS CloudHSM key for a KMS key
<a name="find-handle-for-cmk-id"></a>

You can use the KMS key ID of a KMS key in an AWS CloudHSM key store to identify the key in your AWS CloudHSM cluster that serves as its key material.

When AWS KMS creates the key material for a KMS key in your AWS CloudHSM cluster, it writes the Amazon Resource Name (ARN) of the KMS key in the key label. Unless you have changed the label value, you can use the [https://docs.aws.amazon.com/cloudhsm/latest/userguide/cloudhsm_cli-key-list.html](https://docs.aws.amazon.com/cloudhsm/latest/userguide/cloudhsm_cli-key-list.html) command in CloudHSM CLI to find the `key-reference` and `id` of the key material for the KMS key.

All CloudTrail log entries for cryptographic operations with a KMS key in an AWS CloudHSM key store include an `additionalEventData` field with the `customKeyStoreId` and `backingKeyId`. The value returned in the `backingKeyId` field is the `id` AWS CloudHSM key attribute. You can filter the **key list** AWS CloudHSM CLI operation by KMS key ARN to identify the CloudHSM key `id` attribute associated with a specific KMS key.

To run this procedure, you need to disconnect the AWS CloudHSM key store temporarily so you can log in as the `kmsuser` CU. 

**Notes**  
The following procedures use the AWS CloudHSM Client SDK 5 command line tool, [CloudHSM CLI](https://docs.aws.amazon.com/cloudhsm/latest/userguide/cloudhsm_cli.html). The CloudHSM CLI replaces `key-handle` with `key-reference`.  
On January 1, 2025, AWS CloudHSM will end support for the Client SDK 3 command line tools, the CloudHSM Management Utility (CMU) and the Key Management Utility (KMU). For more information on the differences between the Client SDK 3 command line tools and the Client SDK 5 command line tool, see [Migrate from Client SDK 3 CMU and KMU to Client SDK 5 CloudHSM CLI](https://docs.aws.amazon.com/cloudhsm/latest/userguide/cloudhsm_cli-migrate-from-kmu-cmu.html) in the *AWS CloudHSM User Guide*.

1. Disconnect the AWS CloudHSM key store, if it is not already disconnected, then log in as `kmsuser`, as explained in [How to disconnect and log in](fix-keystore.md#login-kmsuser-1).
**Note**  
While a custom key store is disconnected, all attempts to create KMS keys in the custom key store or to use existing KMS keys in cryptographic operations will fail. This action can prevent users from storing and accessing sensitive data.

1. Use the [https://docs.aws.amazon.com/cloudhsm/latest/userguide/cloudhsm_cli-key-list.html](https://docs.aws.amazon.com/cloudhsm/latest/userguide/cloudhsm_cli-key-list.html) command in CloudHSM CLI and filter by `label` to find the KMS key for a particular key in your AWS CloudHSM cluster. Specify the `verbose` argument to include all attributes and key information for the matched key. If you don't specify the `verbose` argument, the **key list** operation only returns the matched key's key-reference and label attributes.

   The following example demonstrates how to filter by the `label` attribute that stores the KMS key ARN. Before running this command, replace the example KMS key ARN with a valid one from your account.

   ```
   aws-cloudhsm > key list --filter attr.label="arn:aws:kms:us-west-2:111122223333:key/1234abcd-12ab-34cd-56ef-1234567890ab" --verbose
   {
     "error_code": 0,
     "data": {
       "matched_keys": [
         {
           "key-reference": "0x0000000000120034",
           "key-info": {
             "key-owners": [
               {
                 "username": "kmsuser",
                 "key-coverage": "full"
               }
             ],
             "shared-users": [],
             "cluster-coverage": "full"
           },
           "attributes": {
             "key-type": "aes",
             "label": "arn:aws:kms:us-west-2:111122223333:key/1234abcd-12ab-34cd-56ef-1234567890ab",
             "id": "0xbacking-key-id",
             "check-value": "0x29bbd1",
             "class": "my_test_key",
             "encrypt": true,
             "decrypt": true,
             "token": true,
             "always-sensitive": true,
             "derive": false,
             "destroyable": true,
             "extractable": false,
             "local": true,
             "modifiable": true,
             "never-extractable": false,
             "private": true,
             "sensitive": true,
             "sign": false,
             "trusted": false,
             "unwrap": true,
             "verify": false,
             "wrap": true,
             "wrap-with-trusted": false,
             "key-length-bytes": 32
           }
         }
       ],
       "total_key_count": 1,
       "returned_key_count": 1
     }
   }
   ```

1. Log out and reconnect the AWS CloudHSM key store as described in [How to log out and reconnect](fix-keystore.md#login-kmsuser-2).
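The two lookups described on this page, from a CloudTrail `backingKeyId` to the KMS key ARN in the key label, and from a KMS key ARN to the `key-reference` and `id` of its key material, are the same hex conversion and attribute match. The Python below is an added example, not AWS code: it works offline on constructed `key list` JSON and constructed CloudTrail events (the function names are mine), and reproduces the `0x3538…` value shown in the backing key ID procedure from the sample `backingKeyId` used there.

```python
"""Correlate CloudTrail backingKeyId values and KMS key ARNs with the keys in
an AWS CloudHSM cluster.

Added example (not code from the AWS documentation). CloudHSM CLI treats the
`id` attribute as hex, so a backingKeyId string must be hex-encoded character
by character and prefixed with 0x before it can be used in
`key list --filter attr.id=...`; the label attribute holds the KMS key ARN.
The CloudTrail events and `key list` output below are constructed samples
that mirror the shapes shown in this guide.
"""
import json

# Constructed sample: a backingKeyId from a CloudTrail entry and its
# hex-encoded form as CloudHSM stores it in the key's `id` attribute.
SAMPLE_BACKING_KEY_ID = "5890723622dc15f699aa9ab2387a9f744b2b884c18b2186ee8ada4f556a2eb9d"
SAMPLE_HSM_ID = ("0x35383930373233363232646331356636"
                 "39396161396162323338376139663734"
                 "34623262383834633138623231383665"
                 "65386164613466353536613265623964")
SAMPLE_KMS_ARN = "arn:aws:kms:us-west-2:111122223333:key/1234abcd-12ab-34cd-56ef-1234567890ab"

# Constructed `key list --verbose` output, trimmed to the attributes used here.
SAMPLE_KEY_LIST_JSON = json.dumps({
    "error_code": 0,
    "data": {
        "matched_keys": [
            {"key-reference": "0x0000000000120034",
             "attributes": {"key-type": "aes", "label": SAMPLE_KMS_ARN,
                            "id": SAMPLE_HSM_ID}},
            {"key-reference": "0x0000000000120035",
             "attributes": {"key-type": "aes",
                            "label": "arn:aws:kms:us-west-2:111122223333:key/0987dcba-09fe-87dc-65ba-ab0987654321",
                            "id": "0x" + ("ab" * 32).encode("ascii").hex()}},
        ],
        "total_key_count": 2, "returned_key_count": 2,
    },
})

# Constructed CloudTrail events: one cryptographic operation on a key in a
# CloudHSM key store (carries additionalEventData), one that does not.
SAMPLE_CLOUDTRAIL_EVENTS = [
    {"eventSource": "kms.amazonaws.com", "eventName": "Encrypt",
     "additionalEventData": {"customKeyStoreId": "cks-1234567890abcdef0",
                             "backingKeyId": SAMPLE_BACKING_KEY_ID}},
    {"eventSource": "kms.amazonaws.com", "eventName": "ListKeys"},
]


def backing_key_id_to_hsm_id(backing_key_id):
    """Hex-encode the backingKeyId string as CloudHSM's `id` attribute value
    (same result as `printf '%s' <backingKeyId> | xxd -p`, with 0x prepended)."""
    return "0x" + backing_key_id.encode("ascii").hex()


def hsm_id_to_backing_key_id(hsm_id):
    """Reverse of backing_key_id_to_hsm_id: decode a CloudHSM `id` back to the string."""
    hex_part = hsm_id[2:] if hsm_id[:2].lower() == "0x" else hsm_id
    return bytes.fromhex(hex_part).decode("ascii")


def find_by_attr(key_list_json, attr, value):
    """Entries in `key list` JSON output whose attribute `attr` equals `value`."""
    keys = json.loads(key_list_json)["data"]["matched_keys"]
    return [k for k in keys if k.get("attributes", {}).get(attr) == value]


def kms_arn_for_backing_key_id(key_list_json, backing_key_id):
    """KMS key ARN (the label) of the cluster key behind a CloudTrail backingKeyId, or None."""
    matches = find_by_attr(key_list_json, "id", backing_key_id_to_hsm_id(backing_key_id))
    return matches[0]["attributes"]["label"] if matches else None


def hsm_key_for_kms_arn(key_list_json, kms_key_arn):
    """(key-reference, backingKeyId) of the cluster key labelled with a KMS key ARN, or None."""
    matches = find_by_attr(key_list_json, "label", kms_key_arn)
    if not matches:
        return None
    match = matches[0]
    return match["key-reference"], hsm_id_to_backing_key_id(match["attributes"]["id"])


def correlate_cloudtrail(events, key_list_json):
    """(eventName, customKeyStoreId, backingKeyId, KMS key ARN or None) for each
    CloudTrail event that names a backing key."""
    rows = []
    for event in events:
        extra = event.get("additionalEventData") or {}
        if "backingKeyId" not in extra:
            continue
        rows.append((event["eventName"], extra.get("customKeyStoreId"),
                     extra["backingKeyId"],
                     kms_arn_for_backing_key_id(key_list_json, extra["backingKeyId"])))
    return rows


if __name__ == "__main__":
    for row in correlate_cloudtrail(SAMPLE_CLOUDTRAIL_EVENTS, SAMPLE_KEY_LIST_JSON):
        print(row)
    print(hsm_key_for_kms_arn(SAMPLE_KEY_LIST_JSON, SAMPLE_KMS_ARN))
```

To use it against a real cluster, pass the JSON printed by `key list --verbose` as `key_list_json`. Because `key list` returns 10 keys per call by default, page through with `next_token` (or filter by `attr.label` or `attr.id` on the HSM side, as in the procedures above) so that the key you are looking for is actually in the output you parse.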