Viewing the cryptographic configuration of KMS keys
After you create your KMS key, you can view its cryptographic configuration. You cannot change the configuration of a KMS key after it is created. If you prefer a different configuration, delete the KMS key and create it again.
You can find the cryptographic configuration of your KMS keys, include the key spec, key usage, and supported encryption or signing algorithms, in the AWS KMS console or by using the AWS KMS API. For details, see Identifying asymmetric KMS keys.
In the AWS KMS console, the details page for each KMS key includes a Cryptographic configuration tab that displays cryptographic details about your KMS keys. For example, the following image shows the Cryptographic configuration tab for an RSA KMS key used for signing and verification.
The Cryptographic configuration tab for some special purpose KMS keys has additional specialized sections. For example, the Cryptographic configuration tab for a KMS key in a custom key store has a Custom key stores section. The Cryptographic configuration tab for a KMS key in an external key store has an External key section.
In the AWS KMS API, use the DescribeKey operation. The KeyMetadata structure in the response
includes the cryptographic configuration of the KMS key. For example,
DescribeKey returns the following response for an RSA KMS key used for
signing and verification.
{ "KeyMetadata": { "Arn": "arn:aws:kms:us-west-2:111122223333:key/1234abcd-12ab-34cd-56ef-1234567890ab", "AWSAccountId": "111122223333", "CreationDate": 1571767572.317, "CustomerMasterKeySpec": "RSA_2048", "Description": "", "Enabled": true, "KeyId": "1234abcd-12ab-34cd-56ef-1234567890ab", "KeyManager": "CUSTOMER", "KeyState": "Enabled", "MultiRegion": false, "Origin": "AWS_KMS", "KeySpec": "RSA_2048", "KeyUsage": "SIGN_VERIFY", "SigningAlgorithms": [ "RSASSA_PKCS1_V1_5_SHA_256", "RSASSA_PKCS1_V1_5_SHA_384", "RSASSA_PKCS1_V1_5_SHA_512", "RSASSA_PSS_SHA_256", "RSASSA_PSS_SHA_384", "RSASSA_PSS_SHA_512" ] } }
