AWS Key Management Service
Developer Guide

Viewing CMKs in a Custom Key Store

To view the customer master keys (CMKs) in a custom key store, use the same techniques that you would use to view any AWS KMS customer managed CMKs. To learn the basics, see Viewing Keys. To identify the keys in your AWS CloudHSM cluster that serve as key material for your CMK, see Finding CMKs and Key Material.

In the AWS Management Console, the CMKs in your custom key store are displayed along with all other customer managed CMKs in your AWS account and Region.

However, the following values are specific to CMKs in a custom key store.

  • The name and ID of the custom key store that stores the CMK.

  • The cluster ID of the associated AWS CloudHSM cluster that contains the CMK's key material.

  • An Origin value of CloudHSM in the AWS Management Console or AWS_CLOUDHSM in API responses.

  • The key state value can be Unavailable. For help resolving the status, see How to Fix Unavailable CMKs.

To view the CMKs in a custom key store (Console)

  1. Open the AWS KMS console at https://console.aws.amazon.com/kms.

  2. To change the AWS Region, use the Region selector in the upper-right corner of the page.

  3. In the navigation pane, choose Customer managed keys.

  4. In the upper-right corner, choose the gear icon, choose Custom key store ID and Origin, then choose Confirm.

  5. To identify CMKs in any custom key store, look for CMKs with an Origin value of CloudHSM. To identify CMKs in a particular custom key store, view the values in the Custom key store ID column.

  6. Choose the alias or key ID of a CMK in a custom key store. The details page for the CMK displays detailed information about the CMK, including information about its custom key store and cluster.

To view the CMKs in a custom key store (API)

You use the same AWS KMS API operations to view the CMKs in a custom key store that you would use for any CMK, including ListKeys, DescribeKey, and GetKeyPolicy. For example, the following DescribeKey API operation in the AWS CLI shows the special fields for a CMK in a custom key store. Before running a command like this one, replace the example CMK ID with a valid value.

$ aws kms describe-key --key-id 1234abcd-12ab-34cd-56ef-1234567890ab
{
    "KeyMetadata": {
        "AWSAccountId": "111122223333",
        "KeyId": "1234abcd-12ab-34cd-56ef-1234567890ab",
        "Arn": "arn:aws:kms:us-west-2:111122223333:key/1234abcd-12ab-34cd-56ef-1234567890ab",
        "CreationDate": 1537582718.431,
        "Enabled": true,
        "KeyManager": "CUSTOMER",
        "KeyState": "Enabled",
        "KeyUsage": "ENCRYPT_DECRYPT",
        "Origin": "AWS_CLOUDHSM",
        "CloudHsmClusterId": "cluster-1a23b4cdefg",
        "CustomKeyStoreId": "cks-1234567890abcdef0",
        "Description": "CMK in custom key store"
    }
}

For help finding the CMKs in a custom key store or identifying the keys in your AWS CloudHSM cluster that serve as key material for your CMK, see Finding CMKs and Key Material.
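The API procedure above, extended into an account-wide inventory as an added example (not code from the AWS documentation): it pages through ListKeys, calls DescribeKey on each key, groups keys whose Origin is AWS_CLOUDHSM by CustomKeyStoreId, and reports those in the Unavailable key state. The names custom_key_store_inventory, unavailable_keys and StubKMS are hypothetical, the key IDs are constructed sample data, and the client is assumed to follow the AWS KMS request and response shapes (for example, boto3.client("kms")).

```python
from collections import defaultdict

def custom_key_store_inventory(kms):
    """Group CMKs whose Origin is AWS_CLOUDHSM by their CustomKeyStoreId."""
    inventory = defaultdict(list)
    marker = None
    while True:
        # ListKeys is paginated: follow NextMarker while Truncated is true.
        page = kms.list_keys(**({"Marker": marker} if marker else {}))
        for entry in page["Keys"]:
            meta = kms.describe_key(KeyId=entry["KeyId"])["KeyMetadata"]
            if meta.get("Origin") != "AWS_CLOUDHSM":
                continue  # key material is not in a custom key store
            inventory[meta["CustomKeyStoreId"]].append(
                (meta["KeyId"], meta.get("CloudHsmClusterId"), meta["KeyState"]))
        if not page.get("Truncated"):
            return dict(inventory)
        marker = page["NextMarker"]

def unavailable_keys(inventory):
    """Return the sorted key IDs whose KeyState is Unavailable."""
    return sorted(key_id for keys in inventory.values()
                  for key_id, _cluster, state in keys if state == "Unavailable")

class StubKMS:
    """Constructed sample data standing in for a real client (runs offline)."""
    KEYS = [  # (KeyId, Origin, KeyState, CustomKeyStoreId, CloudHsmClusterId)
        ("key-aaaa", "AWS_CLOUDHSM", "Enabled", "cks-1234567890abcdef0", "cluster-1a23b4cdefg"),
        ("key-bbbb", "AWS_KMS", "Enabled", None, None),
        ("key-cccc", "AWS_CLOUDHSM", "Unavailable", "cks-1234567890abcdef0", "cluster-1a23b4cdefg"),
    ]

    def list_keys(self, Marker=None):
        start = int(Marker or 0)  # two keys per page to exercise pagination
        page = {"Keys": [{"KeyId": k[0]} for k in self.KEYS[start:start + 2]],
                "Truncated": start + 2 < len(self.KEYS)}
        if page["Truncated"]:
            page["NextMarker"] = str(start + 2)
        return page

    def describe_key(self, KeyId):
        k = next(k for k in self.KEYS if k[0] == KeyId)
        meta = {"KeyId": k[0], "Origin": k[1], "KeyState": k[2]}
        if k[3]:  # custom key store fields appear only for AWS_CLOUDHSM keys
            meta.update(CustomKeyStoreId=k[3], CloudHsmClusterId=k[4])
        return {"KeyMetadata": meta}

if __name__ == "__main__":
    inv = custom_key_store_inventory(StubKMS())
    print(inv, unavailable_keys(inv))
```

To run it against a real account, pass a KMS client for the target Region in place of StubKMS(); the caller needs permission for ListKeys and DescribeKey.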