Viewing KMS keys in the console - AWS Key Management Service

Viewing KMS keys in the console

In the AWS Management Console, you can view lists of your KMS keys in the account and Region and details about each KMS key.

Note

The AWS KMS console displays the KMS keys that you have permission to view in your account and Region. KMS keys in other AWS accounts do not appear in the console, even if you have permission to view, manage, and use them. To view KMS keys in other accounts, use the DescribeKey operation.

Navigating to the key tables

The AWS KMS keys in each account and Region are displayed in tables. There are separate tables for the KMS keys that you create and the KMS keys that AWS services create for you.

  1. Sign in to the AWS Management Console and open the AWS Key Management Service (AWS KMS) console at https://console.aws.amazon.com/kms.

  2. To change the AWS Region, use the Region selector in the upper-right corner of the page.

  3. To view the keys in your account that you create and manage, in the navigation pane choose Customer managed keys. To view the keys in your account that AWS creates and manages for you, in the navigation pane, choose AWS managed keys. For information about the different types of KMS keys, see AWS KMS keys.

    Tip

    To view AWS managed keys that are missing an alias, use the Customer managed keys page.

    The AWS KMS console also displays the custom key stores in the account and Region. KMS keys that you create in custom key stores appear on the Customer managed keys page. For information about custom key stores, see Custom key stores.

Navigating to key details

There is a details page for every AWS KMS key in the account and Region. The details page displays the General configuration section for the KMS key and includes tabs that let authorized users view and manage the Cryptographic configuration and Key policy for the key. Depending on the type of key, the detail page might also include Aliases, Key material, Key rotation, Public key, Regionality and Tags tabs.

To navigate to the key details page for a KMS key

  1. Sign in to the AWS Management Console and open the AWS Key Management Service (AWS KMS) console at https://console.aws.amazon.com/kms.

  2. To change the AWS Region, use the Region selector in the upper-right corner of the page.

  3. To view the keys in your account that you create and manage, in the navigation pane choose Customer managed keys. To view the keys in your account that AWS creates and manages for you, in the navigation pane, choose AWS managed keys. For information about the different types of KMS keys, see AWS KMS keys.

  4. To open the key details page, in the key table, choose the key ID or alias of the KMS key.

    If the KMS key has multiple aliases, an alias summary (+n more) appears beside one of the aliases. Choosing the alias summary takes you directly to the Aliases tab on the key details page.

Sorting and filtering your KMS keys

To make it easier to find your KMS keys in the console, you can sort and filter the key tables.

Sort

You can sort KMS keys in ascending or descending order by their column values. This feature sorts all KMS keys in the table, even if they don't appear on the current table page.

Sortable columns are indicated by an arrow beside the column name. On the AWS managed keys page, you can sort by Aliases or Key ID. On the Customer managed keys page, you can sort by Aliases, Key ID, or Key type.

To sort in ascending order, choose the column heading until the arrow points upward. To sort in descending order, choose the column heading until the arrow points downward. You can sort by only one column at a time.

For example, you can sort KMS keys in ascending order by key ID, instead of aliases, which is the default.

When you sort KMS keys on the Customer managed keys page in ascending order by Key type, all asymmetric keys are displayed before all symmetric keys.

Filter

You can filter KMS keys by their property values or tags. The filter applies to all KMS keys in the table, even if they don't appear on the current table page. The filter is not case-sensitive.

Filterable properties are listed in the filter box.

  • On the AWS managed keys page, you can filter by alias and key ID.

  • On the Customer managed keys page, you can filter by tags, or by the alias, key ID, key type, or regionality properties.

To filter by a property value, choose the filter, choose the property name, and then choose from the list of actual property values. To filter by a tag, choose the tag key, and then choose from the list of actual tag values. After choosing a property or tag key, you can also type all or part of the property value or tag value. You'll see a preview of the results before you make your choice.

For example, to display KMS keys with an alias name that contains aws/e, choose the filter box, choose Alias, type aws/e, and then press Enter or Return to add the filter.

To display only asymmetric KMS keys on the Customer managed keys page, choose the filter box, choose Key type and then choose Key type: Asymmetric. The Asymmetric option appears only when you have asymmetric KMS keys in the table. For more information about identifying asymmetric KMS keys, see Identifying asymmetric KMS keys.

To display only multi-Region keys, on the Customer managed keys page, choose the filter box, choose Regionality and then choose Regionality: Multi-Region. The Multi-Region option appears only when you have multi-Region keys in the table. For more information about identifying multi-Region keys, see Viewing multi-Region keys.

Tag filtering is a bit different. To display only KMS keys with a particular tag, choose the filter box, choose the tag key, and then choose from among the actual tag values. You can also type all or part of the tag value.

The resulting table displays all KMS keys with the chosen tag. However, it doesn't display the tag. To see the tag, choose the key ID or alias of the KMS key and on its detail page, choose the Tags tab. The tabs appear below the General configuration section.

This filter requires both the tag key and tag value. It won't find KMS keys by typing only the tag key or only its value. To filter tags by all or part of the tag key or value, use the ListResourceTags operation to get tagged KMS keys, then use the filtering features of your programming language. For an example, see ListResourceTags: Get the tags on KMS keys.

To search for text, in the filter box, type all or part of an alias, key ID, key type, or tag key. (After you select the tag key, you can search for a tag value.) You'll see a preview of the results before you make your choice.

For example, to display KMS keys with test in their tag keys or filterable properties, type test in the filter box. The preview shows the KMS keys that the filter will select. In this case, test appears only in the Alias property.

You can use multiple filters at the same time. When you add additional filters, you can also select a logical operator.
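The ListResourceTags approach suggested above for partial tag matches, as an added example that is not part of the AWS documentation: it pages through ListKeys and ListResourceTags with a boto3-style client and matches a substring against both tag keys and tag values, case-insensitively like the console filter but without requiring the exact tag key. The _ConstructedKms class, its key IDs and its tags are invented stand-ins so the example runs offline; pass boto3.client("kms") in its place to run it against an account (the caller needs kms:ListKeys and kms:ListResourceTags).

```python
# Added example (not from the AWS docs): the console's tag filter needs an exact
# tag key plus a value, so to match on part of a tag key or value do what the page
# suggests: call ListResourceTags per key and filter client-side.
# `kms` is a boto3 KMS client (boto3.client("kms")); _ConstructedKms is an offline
# stand-in whose key IDs and tags are invented for this example.
from typing import Iterator


def iter_key_ids(kms) -> Iterator[str]:
    """Walk every ListKeys page (Truncated / NextMarker) and yield key IDs."""
    kwargs = {}
    while True:
        page = kms.list_keys(**kwargs)
        for entry in page["Keys"]:
            yield entry["KeyId"]
        if not page.get("Truncated"):
            return
        kwargs = {"Marker": page["NextMarker"]}


def get_tags(kms, key_id: str) -> dict:
    """Collect all ListResourceTags pages for one key as {TagKey: TagValue}."""
    tags = {}
    kwargs = {"KeyId": key_id}
    while True:
        page = kms.list_resource_tags(**kwargs)
        for tag in page.get("Tags", []):
            tags[tag["TagKey"]] = tag["TagValue"]
        if not page.get("Truncated"):
            return tags
        kwargs = {"KeyId": key_id, "Marker": page["NextMarker"]}


def find_keys_by_tag_fragment(kms, fragment: str) -> dict:
    """{key_id: tags} for keys where `fragment` occurs in any tag key OR tag value.
    Case-insensitive like the console filter, but no exact tag key is required."""
    needle = fragment.lower()
    hits = {}
    for key_id in iter_key_ids(kms):
        tags = get_tags(kms, key_id)
        if any(needle in k.lower() or needle in v.lower() for k, v in tags.items()):
            hits[key_id] = tags
    return hits


class _ConstructedKms:
    """Offline stand-in for boto3.client("kms") that pages like the real API.
    Key IDs and tags below are constructed, not real resources."""

    _TAGS = {
        "11111111-1111-1111-1111-111111111111": {"Environment": "production", "Owner": "payments"},
        "22222222-2222-2222-2222-222222222222": {"Environment": "staging", "Product": "checkout"},
        "33333333-3333-3333-3333-333333333333": {},
    }

    def list_keys(self, Marker=None, Limit=2):
        ids = list(self._TAGS)
        start = int(Marker or 0)
        chunk = ids[start:start + Limit]
        page = {"Keys": [{"KeyId": i} for i in chunk], "Truncated": start + Limit < len(ids)}
        if page["Truncated"]:
            page["NextMarker"] = str(start + Limit)
        return page

    def list_resource_tags(self, KeyId, Marker=None, Limit=1):
        items = sorted(self._TAGS[KeyId].items())
        start = int(Marker or 0)
        chunk = items[start:start + Limit]
        page = {"Tags": [{"TagKey": k, "TagValue": v} for k, v in chunk],
                "Truncated": start + Limit < len(items)}
        if page["Truncated"]:
            page["NextMarker"] = str(start + Limit)
        return page
```

Calling find_keys_by_tag_fragment(_ConstructedKms(), "prod") returns the first two constructed keys: one because a tag value contains "production", the other because the tag key "Product" contains the fragment, which is exactly what the console filter cannot express. The stand-in deliberately returns one tag and two keys per page so the pagination loops are exercised rather than bypassed.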

Displaying KMS key details

The details page for each KMS key displays the properties of the KMS key. It differs slightly for the different types of KMS keys.

To display detailed information about a KMS key, on the AWS managed keys or Customer managed keys page, choose the alias or key ID of the KMS key.

The details page for a KMS key includes a General configuration section that displays the basic properties of the KMS key. It also includes tabs on which you can view and edit properties of the KMS key, such as Key policy, Cryptographic configuration, Tags, Key material (for KMS keys with imported key material), Key rotation (for symmetric encryption KMS keys), Regionality (for multi-Region keys), and Public key (for asymmetric KMS keys).

The following list describes the fields in the detailed display, including fields on the tabs. Some of these fields are also available as columns in the table display.

Aliases

Where: Aliases tab

A friendly name for the KMS key. You can use an alias to identify the KMS key in the console and in some AWS KMS APIs. For details, see Using aliases.

The Aliases tab displays all aliases associated with the KMS key in the AWS account and Region.

ARN

Where: General configuration section

The Amazon Resource Name (ARN) of the KMS key. This value uniquely identifies the KMS key. You can use it to identify the KMS key in AWS KMS API operations.

Connection state

Where: Cryptographic configuration tab

Indicates whether the custom key store that contains the KMS key is connected to its backing key store (the AWS CloudHSM cluster or the external key store proxy). This field appears only when the KMS key is created in a custom key store.

For information about the values in this field, see ConnectionState in the AWS KMS API Reference.

Creation date

Where: General configuration section

The date and time that the KMS key was created. This value is displayed in local time for the device. The time zone does not depend on the Region.

Unlike Expiration date, Creation date refers only to the KMS key, not to its key material.

CloudHSM cluster ID

Where: Cryptographic configuration tab

The cluster ID of the AWS CloudHSM cluster that contains the key material for the KMS key. This field appears only when the KMS key is created in a custom key store.

If you choose the CloudHSM cluster ID, it opens the Clusters page in the AWS CloudHSM console.

Custom key store ID

Where: Cryptographic configuration tab

The ID of the custom key store that contains the KMS key. This field appears only when the KMS key is created in a custom key store.

If you choose the custom key store ID, it opens the Custom key stores page in the AWS KMS console.

Custom key store name

Where: Cryptographic configuration tab

The name of the custom key store that contains the KMS key. This field appears only when the KMS key is created in a custom key store.

Custom key store type

Where: Cryptographic configuration tab

Indicates whether the custom key store is an AWS CloudHSM key store or an external key store. This field appears only when the KMS key is created in a custom key store.

Description

Where: General configuration section

A brief, optional description of the KMS key that you can write and edit. To add or update the description of a customer managed key, above General configuration, choose Edit.

Encryption algorithms

Where: Cryptographic configuration tab

Lists the encryption algorithms that can be used with the KMS key in AWS KMS. This field appears only when the Key type is Asymmetric and the Key usage is Encrypt and decrypt. For information about the encryption algorithms that AWS KMS supports, see SYMMETRIC_DEFAULT key spec and RSA key specs for encryption and decryption.

Expiration date

Where: Key material tab

The date and time when the key material for the KMS key expires. This field appears only for KMS keys with imported key material, that is, when the Origin is External and the KMS key has key material that expires.

External key ID

Where: Cryptographic configuration tab

The ID of the external key that is associated with a KMS key in an external key store. This field appears only for KMS keys in an external key store.

External key status

Where: Cryptographic configuration tab

The most recent status that the external key store proxy reported for the external key associated with the KMS key. This field appears only for KMS keys in an external key store.

External key usage

Where: Cryptographic configuration tab

The cryptographic operations that are enabled on the external key associated with the KMS key. This field appears only for KMS keys in an external key store.

Key policy

Where: Key policy tab

Controls access to the KMS key along with IAM policies and grants. Every KMS key has one key policy. It is the only mandatory authorization element. To change the key policy of a customer managed key, on the Key policy tab, choose Edit. For details, see Key policies in AWS KMS.

Key rotation

Where: Key rotation tab

Enables and disables automatic rotation of the key material in a customer managed KMS key. To change the key rotation status of a customer managed key, use the check box on the Key rotation tab.

You can't enable or disable rotation of the key material in an AWS managed key. AWS managed keys are automatically rotated every year.

Key spec

Where: Cryptographic configuration tab

The type of key material in the KMS key. AWS KMS supports symmetric encryption KMS keys (SYMMETRIC_DEFAULT), HMAC keys of different lengths, RSA keys of different lengths, and elliptic curve keys on different curves. For details, see Key spec.

Key type

Where: Cryptographic configuration tab

Indicates whether the KMS key is Symmetric or Asymmetric.

Key usage

Where: Cryptographic configuration tab

Indicates whether a KMS key can be used for Encrypt and decrypt, Sign and verify or Generate and verify MAC. For details, see Key usage.

MAC algorithms

Where: Cryptographic configuration tab

Lists the MAC algorithms that can be used with an HMAC KMS key in AWS KMS. This field appears only when the Key spec is an HMAC key spec (HMAC_*). For information about the MAC algorithms that AWS KMS supports, see Key specs for HMAC KMS keys.

Origin

Where: Cryptographic configuration tab

The source of the key material for the KMS key. Valid values are AWS KMS (key material generated by AWS KMS), External (imported key material), AWS CloudHSM (key material in an AWS CloudHSM key store), and External key store (key material held outside AWS by an external key store). In the DescribeKey response, these values appear as AWS_KMS, EXTERNAL, AWS_CLOUDHSM, and EXTERNAL_KEY_STORE.

Primary key

Where: Regionality tab

Indicates that this KMS key is a multi-Region primary key. Authorized users can use this section to change the primary key to a different related multi-Region key. This field appears only when the KMS key is a multi-Region primary key.

Public key

Where: Public key tab

Displays the public key of an asymmetric KMS key. Authorized users can use this tab to copy and download the public key.

Regionality

Where: General configuration section and Regionality tab

Indicates whether a KMS key is a single-Region key, a multi-Region primary key, or a multi-Region replica key. This field appears only when the KMS key is a multi-Region key.

Related multi-Region keys

Where: Regionality tab

Displays all related multi-Region primary and replica keys, except for the current KMS key. This field appears only when the KMS key is a multi-Region key.

In the Related multi-Region keys section of a primary key, authorized users can create new replica keys.

Replica key

Where: Regionality tab

Indicates that this KMS key is a multi-Region replica key. This field appears only when the KMS key is a multi-Region replica key.

Signing algorithms

Where: Cryptographic configuration tab

Lists the signing algorithms that can be used with the KMS key in AWS KMS. This field appears only when the Key type is Asymmetric and the Key usage is Sign and verify. For information about the signing algorithms that AWS KMS supports, see RSA key specs for signing and verification and Elliptic curve key specs.

Status

Where: General configuration section

The key state of the KMS key. You can use the KMS key in cryptographic operations only when the status is Enabled. For a detailed description of each KMS key status and its effect on the operations that you can run on the KMS key, see Key states of AWS KMS keys.

Tags

Where: Tags tab

Optional key-value pairs that describe the KMS key. To add or change the tags for a KMS key, on the Tags tab, choose Edit.

When you add tags to your AWS resources, AWS generates a cost allocation report with usage and costs aggregated by tags. Tags can also be used to control access to a KMS key. For information about tagging KMS keys, see Tagging keys and ABAC for AWS KMS.
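The following added example (not code from the AWS documentation) reads from the DescribeKey response the same fields the console shows on the details page, and applies the checks a reviewer makes there: Status must be Enabled for cryptographic operations, imported key material carries an Expiration date, and a customer managed symmetric encryption key may have automatic rotation turned off. It also illustrates the Note at the top of the page: a key in another account never appears in the key tables, but DescribeKey returns its metadata when it is named by its full key ARN (a bare key ID is resolved only in the caller's own account). The _ConstructedKms client and its account numbers, key IDs, ARNs and dates are invented; pass boto3.client("kms") in its place for real data (the caller needs kms:DescribeKey and kms:GetKeyRotationStatus).

```python
# Added example (not from the AWS docs): read the DescribeKey fields the console
# shows on the key details page and flag what a reviewer checks there. `kms` is a
# boto3 KMS client (boto3.client("kms")); _ConstructedKms is an offline stand-in
# and every account number, key ID, ARN and date in it is invented.
from datetime import datetime, timedelta, timezone

NOW = datetime(2024, 6, 1, tzinfo=timezone.utc)          # constructed clock
ACCOUNT = "111111111111"                                # constructed: the caller's account
LOCAL_SYM = "11111111-1111-1111-1111-111111111111"
LOCAL_IMPORTED = "22222222-2222-2222-2222-222222222222"
FOREIGN_ARN = "arn:aws:kms:us-east-1:222222222222:key/33333333-3333-3333-3333-333333333333"

# DescribeKey enum values -> wording used on the details page
_ORIGIN = {"AWS_KMS": "AWS KMS", "EXTERNAL": "External",
           "AWS_CLOUDHSM": "AWS CloudHSM", "EXTERNAL_KEY_STORE": "External key store"}
_USAGE = {"ENCRYPT_DECRYPT": "Encrypt and decrypt", "SIGN_VERIFY": "Sign and verify",
          "GENERATE_VERIFY_MAC": "Generate and verify MAC"}


def key_type(key_spec: str) -> str:
    """Console 'Key type': SYMMETRIC_DEFAULT and HMAC_* are Symmetric, all others Asymmetric."""
    return "Symmetric" if key_spec == "SYMMETRIC_DEFAULT" or key_spec.startswith("HMAC_") else "Asymmetric"


def regionality(meta: dict) -> str:
    if not meta.get("MultiRegion"):
        return "Single-Region"
    kind = meta["MultiRegionConfiguration"]["MultiRegionKeyType"]  # PRIMARY or REPLICA
    return "Multi-Region primary" if kind == "PRIMARY" else "Multi-Region replica"


def is_visible(kms, key_id: str) -> bool:
    """Keys in other accounts are not listed, but DescribeKey works when given their
    full key ARN; a bare key ID is resolved only in the caller's own account."""
    try:
        kms.describe_key(KeyId=key_id)
        return True
    except kms.exceptions.NotFoundException:
        return False


def console_view(kms, key_id: str) -> dict:
    """General configuration, Cryptographic configuration, Key material and Key rotation fields."""
    meta = kms.describe_key(KeyId=key_id)["KeyMetadata"]
    view = {"ARN": meta["Arn"], "Status": meta["KeyState"], "Creation date": meta["CreationDate"],
            "Key type": key_type(meta["KeySpec"]), "Key spec": meta["KeySpec"],
            "Key usage": _USAGE[meta["KeyUsage"]], "Origin": _ORIGIN[meta["Origin"]],
            "Regionality": regionality(meta), "Key manager": meta["KeyManager"],   # AWS or CUSTOMER
            "Expiration date": meta.get("ValidTo"),          # only imported material that expires
            "Custom key store ID": meta.get("CustomKeyStoreId")}
    # GetKeyRotationStatus applies to symmetric encryption keys with KMS-generated
    # material; for other specs or origins the API raises UnsupportedOperationException.
    if meta["KeySpec"] == "SYMMETRIC_DEFAULT" and meta["Origin"] == "AWS_KMS":
        view["Key rotation"] = kms.get_key_rotation_status(KeyId=key_id)["KeyRotationEnabled"]
    return view


def findings(view: dict, now: datetime, warn_days: int = 30) -> list:
    """What to act on after reading the details page."""
    out = []
    if view["Status"] != "Enabled":
        out.append(f"status is {view['Status']}: cryptographic operations will fail")
    exp = view["Expiration date"]
    if exp is not None and exp - now < timedelta(days=warn_days):
        out.append(f"imported key material expires {exp.date()}; reimport before then")
    if view["Key manager"] == "CUSTOMER" and view.get("Key rotation") is False:
        out.append("automatic rotation disabled on a customer managed symmetric key")
    return out


class _ConstructedKms:
    """Offline stand-in for boto3.client("kms"); all data below is constructed."""

    class exceptions:
        class NotFoundException(Exception):
            pass

    def __init__(self):
        base = {"CreationDate": NOW - timedelta(days=150), "Enabled": True, "KeyState": "Enabled",
                "KeyManager": "CUSTOMER", "MultiRegion": False, "KeyUsage": "ENCRYPT_DECRYPT"}
        arn = f"arn:aws:kms:us-east-1:{ACCOUNT}:key/"
        self._keys = [
            dict(base, KeyId=LOCAL_SYM, Arn=arn + LOCAL_SYM, KeySpec="SYMMETRIC_DEFAULT", Origin="AWS_KMS"),
            dict(base, KeyId=LOCAL_IMPORTED, Arn=arn + LOCAL_IMPORTED, KeySpec="SYMMETRIC_DEFAULT",
                 Origin="EXTERNAL", ExpirationModel="KEY_MATERIAL_EXPIRES", ValidTo=NOW + timedelta(days=10)),
            dict(base, KeyId=FOREIGN_ARN.rsplit("/", 1)[1], Arn=FOREIGN_ARN, KeySpec="RSA_2048",
                 KeyUsage="SIGN_VERIFY", Origin="AWS_KMS", MultiRegion=True,
                 MultiRegionConfiguration={"MultiRegionKeyType": "PRIMARY", "ReplicaKeys": []}),
        ]

    def describe_key(self, KeyId):
        for k in self._keys:
            # a key outside the caller's account is addressable only by its full ARN
            if KeyId == k["Arn"] or (KeyId == k["KeyId"] and f":{ACCOUNT}:" in k["Arn"]):
                return {"KeyMetadata": dict(k)}
        raise self.exceptions.NotFoundException(KeyId)

    def get_key_rotation_status(self, KeyId):
        return {"KeyRotationEnabled": False}   # constructed: rotation was never turned on
```

With the constructed client, console_view(kms, LOCAL_SYM) reports a customer managed symmetric key with rotation off, console_view(kms, LOCAL_IMPORTED) shows Origin External with an Expiration date ten days out and no Key rotation entry, and console_view(kms, FOREIGN_ARN) returns the other account's multi-Region RSA signing key even though is_visible(kms, "33333333-...") with the bare key ID is False. The rotation guard matters with a real client: calling GetKeyRotationStatus on an asymmetric, HMAC or custom-key-store key raises rather than returning false.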

Customizing your KMS key tables

You can customize the tables that appear on the AWS managed keys and Customer managed keys pages in the AWS Management Console to suit your needs. You can choose the table columns, the number of AWS KMS keys on each page (Page size), and the text wrap. The configuration you choose is saved when you confirm it and reapplied whenever you open the pages.

To customize your KMS key tables
  1. On the AWS managed keys or Customer managed keys page, choose the settings icon in the upper-right corner of the page.

  2. On the Preferences page, choose your preferred settings, and then choose Confirm.

Consider using the Page size setting to increase the number of KMS keys displayed on each page, especially if you typically use a device that's easy to scroll.

The data columns that you display might vary depending on the table, your job role, and the types of KMS keys in the account and Region. The following list offers some suggested configurations. For descriptions of the columns, see Displaying KMS key details.

Suggested KMS key table configurations

You can customize the columns that appear in your KMS key table to display the information you need about your KMS keys.

AWS managed keys

By default, the AWS managed key table displays the Aliases, Key ID, and Status columns. These columns are ideal for most use cases.

Symmetric encryption KMS keys

If you use only symmetric encryption KMS keys with key material generated by AWS KMS, the Aliases, Key ID, Status, and Creation date columns are likely to be the most useful.

Asymmetric KMS keys

If you use asymmetric KMS keys, in addition to the Aliases, Key ID, and Status columns, consider adding the Key type, Key spec, and Key usage columns. These columns will show you whether a KMS key is symmetric or asymmetric, the type of key material, and whether the KMS key can be used for encryption or signing.

HMAC KMS keys

If you use HMAC KMS keys, in addition to the Aliases, Key ID, and Status columns, consider adding the Key spec and Key usage columns. These columns will show you whether a KMS key is an HMAC key. Because you can't sort KMS keys by key spec or key usage, use aliases and tags to identify your HMAC keys and then use the filter features of the AWS KMS console to filter by aliases or tags.

Imported key material

If you have KMS keys with imported key material, consider adding the Origin and Expiration date columns. These columns will show you whether the key material in a KMS key is imported or generated by AWS KMS and when the key material expires, if at all. The Creation date field displays the date that the KMS key was created (without key material). It doesn't reflect any characteristic of the key material.

Keys in custom key stores

If you have KMS keys in custom key stores, consider adding the Origin and Custom key store ID columns. These columns show that the KMS key is in a custom key store, display the custom key store type, and identify the custom key store.

Multi-Region keys

If you have multi-Region keys, consider adding the Regionality column. This shows whether a KMS key is a single-Region key, a multi-Region primary key or a multi-Region replica key.