Viewing KMS keys in the console - AWS Key Management Service

Viewing KMS keys in the console

In the AWS Management Console, you can view lists of your KMS keys and details about each KMS key.

Navigating to the key tables

The AWS KMS keys in each account and Region are displayed in tables. There are separate tables for the KMS keys that you create and the KMS keys that AWS services create for you.

  1. Sign in to the AWS Management Console and open the AWS Key Management Service (AWS KMS) console at https://console.aws.amazon.com/kms.

  2. To change the AWS Region, use the Region selector in the upper-right corner of the page.

  3. To view the keys in your account that you create and manage, in the navigation pane choose Customer managed keys. To view the keys in your account that AWS creates and manages for you, in the navigation pane, choose AWS managed keys. For information about the different types of KMS keys, see AWS KMS keys.

    Tip

    To view AWS managed keys that are missing an alias, use the Customer managed keys page.

    The AWS KMS console also displays the custom key stores in the account and Region. KMS keys that you create in custom key stores appear on the Customer managed keys page. For information about custom key stores, see Using a custom key store.

Navigating to key details

There is a details page for every AWS KMS key in the account and Region. The details page displays the General configuration section for the KMS key and includes tabs that let authorized users view and manage the Cryptographic configuration and Key policy for the key. Depending on the type of key, the detail page might also include Aliases, Key material, Key rotation and Tags tabs.

To navigate to the key details page for a KMS key

  1. Sign in to the AWS Management Console and open the AWS Key Management Service (AWS KMS) console at https://console.aws.amazon.com/kms.

  2. To change the AWS Region, use the Region selector in the upper-right corner of the page.

  3. To view the keys in your account that you create and manage, in the navigation pane choose Customer managed keys. To view the keys in your account that AWS creates and manages for you, in the navigation pane, choose AWS managed keys. For information about the different types of KMS keys, see AWS KMS keys.

  4. To open the key details page, in the key table, choose the key ID or alias of the KMS key.

    If the KMS key has multiple aliases, an alias summary (+n more) appears beside the name of one of the aliases. Choosing the alias summary takes you directly to the Aliases tab on the key details page.

Sorting and filtering your KMS keys

To make it easier to find your KMS keys in the console, you can sort and filter the key tables.

Sort

You can sort KMS keys in ascending or descending order by their column values. This feature sorts all KMS keys in the table, even if they don't appear on the current table page.

Sortable columns are indicated by an arrow beside the column name. On the AWS managed keys page, you can sort by Aliases or Key ID. On the Customer managed keys page, you can sort by Aliases, Key ID, or Key type.

To sort in ascending order, choose the column heading until the arrow points upward. To sort in descending order, choose the column heading until the arrow points downward. You can sort by only one column at a time.

For example, you can sort KMS keys in ascending order by key ID, instead of aliases, which is the default.

When you sort KMS keys on the Customer managed keys page in ascending order by Key type, all asymmetric keys are displayed before all symmetric keys.

Filter

You can filter KMS keys by their property values or tags. The filter applies to all KMS keys in the table, even if they don't appear on the current table page. The filter is not case-sensitive.

Filterable properties are listed in the filter box.

  • On the AWS managed keys page, you can filter by alias and key ID.

  • On the Customer managed keys page, you can filter by tags, or by the alias, key ID, key type, or regionality properties.

To filter by a property value, choose the filter, choose the property name, and then choose from the list of actual property values. To filter by a tag, choose the tag key, and then choose from the list of actual tag values. After choosing a property or tag key, you can also type all or part of the property value or tag value. You'll see a preview of the results before you make your choice.

For example, to display KMS keys with an alias name that contains aws/e, choose the filter box, choose Alias, type aws/e, and then press Enter or Return to add the filter.

To display only asymmetric KMS keys on the Customer managed keys page, choose the filter box, choose Key type and then choose Key type: Asymmetric. The Asymmetric option appears only when you have asymmetric KMS keys in the table. For more information about identifying asymmetric KMS keys, see Identifying symmetric and asymmetric KMS keys.

To display only multi-Region keys, on the Customer managed keys page, choose the filter box, choose Regionality and then choose Regionality: Multi-Region. The Multi-Region option appears only when you have multi-Region keys in the table. For more information about identifying multi-Region keys, see Viewing multi-Region keys.

Tag filtering is a bit different. To display only KMS keys with a particular tag, choose the filter box, choose the tag key, and then choose from among the actual tag values. You can also type all or part of the tag value.

The resulting table displays all KMS keys with the chosen tag. However, it doesn't display the tag. To see the tag, choose the key ID or alias of the KMS key and on its detail page, choose the Tags tab. The tabs appear below the General configuration section.

This filter requires both the tag key and tag value. It won't find KMS keys by typing only the tag key or only its value. To filter tags by all or part of the tag key or value, use the ListResourceTags operation to get tagged KMS keys, then use the filtering features of your programming language. For an example, see ListResourceTags: Get the tags on KMS keys.

To search for text, in the filter box, type all or part of an alias, key ID, key type, or tag key. (After you select the tag key, you can search for a tag value.) You'll see a preview of the results before you make your choice.

For example, to display KMS keys with test in their tag keys or filterable properties, type test in the filter box. The preview shows the KMS keys that the filter will select. In this case, test appears only in the Alias property.

You can use multiple filters at the same time. When you add additional filters, you can also select a logical operator.
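The page notes that the console tag filter needs both the whole tag key and the whole tag value, and that partial matching means calling ListResourceTags and filtering in your own code. The following Python is an added example of that workaround, not code from the AWS documentation: it walks the paginated ListResourceTags responses for each key, matches tag keys and values case-insensitively on substrings, and also reproduces the console's "Alias contains" filter over a ListAliases page. The key IDs, tags and aliases are constructed sample data in the shape of the real API responses; only live_keys_with_tag() calls a real account, and it requires boto3.

```python
"""Client-side tag filtering for KMS keys with ListResourceTags.

Added example, not AWS documentation code. Sample data below is constructed
to mimic ListResourceTags and ListAliases response shapes.
"""
from typing import Callable, Dict, Iterable, List, Optional

# Constructed sample: key ID -> ListResourceTags pages (the first key is paginated).
SAMPLE_TAG_PAGES: Dict[str, List[dict]] = {
    "1234abcd-12ab-34cd-56ef-1234567890ab": [
        {"Tags": [{"TagKey": "Project", "TagValue": "Alpha"}],
         "Truncated": True, "NextMarker": "1"},
        {"Tags": [{"TagKey": "Environment", "TagValue": "Test"}],
         "Truncated": False},
    ],
    "0987dcba-09fe-87dc-65ba-ab0987654321": [
        {"Tags": [{"TagKey": "project", "TagValue": "beta"}], "Truncated": False},
    ],
    "abcd1234-a123-456a-a12b-a123b4cd56ef": [
        {"Tags": [], "Truncated": False},
    ],
}

# Constructed sample of one ListAliases page.
SAMPLE_ALIASES = {
    "Aliases": [
        {"AliasName": "alias/aws/ebs",
         "TargetKeyId": "abcd1234-a123-456a-a12b-a123b4cd56ef"},
        {"AliasName": "alias/payments-signing",
         "TargetKeyId": "1234abcd-12ab-34cd-56ef-1234567890ab"},
    ]
}


def sample_list_resource_tags(KeyId: str, Marker: Optional[str] = None) -> dict:
    """Stand-in for kms.list_resource_tags(KeyId=..., Marker=...) over the sample pages."""
    pages = SAMPLE_TAG_PAGES[KeyId]
    return pages[int(Marker) if Marker else 0]


def all_tags(list_resource_tags: Callable[..., dict], key_id: str) -> List[dict]:
    """Read every tag page for one key, following Truncated/NextMarker."""
    tags: List[dict] = []
    marker: Optional[str] = None
    while True:
        kwargs = {"KeyId": key_id}
        if marker:
            kwargs["Marker"] = marker
        page = list_resource_tags(**kwargs)
        tags.extend(page.get("Tags", []))
        if not page.get("Truncated"):
            return tags
        marker = page["NextMarker"]


def tag_matches(tag: dict, key_fragment: str = "", value_fragment: str = "") -> bool:
    """Case-insensitive substring match on tag key and value.

    An empty fragment matches anything, so a caller can search by only the key
    or only the value, which the console tag filter cannot do.
    """
    return (key_fragment.lower() in tag["TagKey"].lower()
            and value_fragment.lower() in tag["TagValue"].lower())


def keys_with_tag(list_resource_tags: Callable[..., dict], key_ids: Iterable[str],
                  key_fragment: str = "", value_fragment: str = "") -> List[str]:
    """Key IDs with at least one tag matching both fragments, sorted for stable output."""
    return sorted(
        key_id for key_id in key_ids
        if any(tag_matches(t, key_fragment, value_fragment)
               for t in all_tags(list_resource_tags, key_id))
    )


def keys_with_alias_containing(aliases_page: dict, fragment: str) -> List[str]:
    """Same idea as the console Alias filter (e.g. 'aws/e') over a ListAliases page."""
    frag = fragment.lower()
    return sorted({a["TargetKeyId"] for a in aliases_page["Aliases"]
                   if "TargetKeyId" in a and frag in a["AliasName"].lower()})


def live_keys_with_tag(key_fragment: str = "", value_fragment: str = "",
                       region_name: Optional[str] = None) -> List[str]:
    """Run the same search against a real account.

    Needs boto3 plus kms:ListKeys and kms:ListResourceTags; boto3 is imported
    here so the constructed sample above runs without it installed.
    """
    import boto3
    kms = boto3.client("kms", region_name=region_name)
    key_ids = [k["KeyId"]
               for page in kms.get_paginator("list_keys").paginate()
               for k in page["Keys"]]
    return keys_with_tag(kms.list_resource_tags, key_ids, key_fragment, value_fragment)


if __name__ == "__main__":
    print(keys_with_tag(sample_list_resource_tags, SAMPLE_TAG_PAGES, key_fragment="proj"))
    print(keys_with_alias_containing(SAMPLE_ALIASES, "aws/e"))
```

Because every tag page for every key is fetched, the search costs one ListKeys pass plus at least one ListResourceTags call per key; for large accounts, filter the key list first (for example by alias) before looking up tags.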

Displaying KMS key details

The details page for each KMS key displays the properties of the KMS key. It differs slightly for the different types of KMS keys.

To display detailed information about a KMS key, on the AWS managed keys or Customer managed keys page, choose the alias or key ID of the KMS key.

The details page for a KMS key includes a General configuration section that displays the basic properties of the KMS key. It also includes tabs on which you can view and edit properties of the KMS key, such as its key policy, cryptographic configuration, tags, key material (for KMS keys with imported key material), key rotation (for symmetric KMS keys), and its public key (for asymmetric KMS keys).

The following list describes the fields in the detailed display, including fields in the tabs. Some of these fields are also available as columns in the table display.

Aliases

Where: Aliases tab

A friendly name for the KMS key. You can use an alias to identify the KMS key in the console and in some AWS KMS APIs. For details, see Using aliases.

The Aliases tab displays all aliases associated with the KMS key in the AWS account and Region.

ARN

Where: General configuration section

The Amazon Resource Name (ARN) of the KMS key. This value uniquely identifies the KMS key. You can use it to identify the KMS key in AWS KMS API operations.

Creation date

Where: General configuration section

The date and time that the KMS key was created. This value is displayed in local time for the device. The time zone does not depend on the Region.

Unlike the Expiration date, the Creation date refers only to the KMS key, not to its key material.

CloudHSM cluster ID

Where: Cryptographic configuration tab

The cluster ID of the AWS CloudHSM cluster that contains the key material for the KMS key. This field appears only when the KMS key is created in an AWS KMS custom key store.

If you choose the CloudHSM cluster ID, it opens the Clusters page in the AWS CloudHSM console.

Custom key store ID

Where: Cryptographic configuration tab

The ID of the custom key store that contains the KMS key. This field appears only when the KMS key is created in an AWS KMS custom key store.

If you choose the custom key store ID, it opens the Custom key stores page in the AWS KMS console.

Custom key store name

Where: Cryptographic configuration tab

The name of the custom key store that contains the KMS key. This field appears only when the KMS key is created in an AWS KMS custom key store.

Description

Where: General configuration section

A brief, optional description of the KMS key that you can write and edit. To add or update the description of a customer managed key, above the General configuration section, choose Edit.

Encryption algorithms

Where: Cryptographic configuration tab

Lists the encryption algorithms that can be used with the KMS key in AWS KMS. This field appears only when the Key type is Asymmetric and the Key usage is Encrypt and decrypt. For information about the encryption algorithms that AWS KMS supports, see SYMMETRIC_DEFAULT key spec and RSA key specs for encryption and decryption.

Expiration date

Where: Key material tab

The date and time when the key material for the KMS key expires. This field appears only for KMS keys with imported key material, that is, when the Origin is External and the KMS key has key material that expires.

Key policy

Where: Key policy tab

Controls access to the KMS key along with IAM policies and grants. Every KMS key has one key policy. It is the only mandatory authorization element. To change the key policy of a customer managed key, on the Key policy tab, choose Edit. For details, see Using key policies in AWS KMS.

Key rotation

Where: Key rotation tab

Enables or disables automatic key rotation every year.

To change the key rotation status of a customer managed key, use the checkbox on the Key rotation tab. All AWS managed keys are automatically rotated every three years.

Key spec

Where: Cryptographic configuration tab

The type of key material in the KMS key. AWS KMS supports symmetric KMS keys (SYMMETRIC_DEFAULT), KMS keys for RSA keys of different lengths, and elliptic curve keys with different curves. For details, see Key spec.

Key type

Where: Cryptographic configuration tab

Indicates whether the KMS key is Symmetric or Asymmetric.

Key usage

Where: Cryptographic configuration tab

Indicates whether a KMS key can be used for Encrypt and decrypt or Sign and verify. Only asymmetric KMS keys can be used to sign and verify. For details, see Key usage.

Origin

Where: Cryptographic configuration tab

The source of the key material for the KMS key. Valid values are AWS_KMS for key material that AWS KMS generates, EXTERNAL for imported key material, and AWS_CLOUDHSM for KMS keys in custom key stores.

Primary key

Where: Regionality tab

Indicates that this KMS key is a multi-Region primary key. Authorized users can use this section to change the primary key to a different related multi-Region key.

Public key

Where: Public key tab

Displays the public key of an asymmetric KMS key. Authorized users can use this tab to copy and download the public key.

Regionality

Where: General configuration section and Regionality tab

Indicates whether a KMS key is a single-Region key, a multi-Region primary key, or a multi-Region replica key.

Related multi-Region keys

Where: Regionality tab

Displays all related multi-Region primary and replica keys, except for the current KMS key.

In the Related multi-Region keys section of a primary key, authorized users can create new replica keys.

Replica key

Where: Regionality tab

Indicates that this KMS key is a multi-Region replica key.

Signing algorithms

Where: Cryptographic configuration tab

Lists the signing algorithms that can be used with the KMS key in AWS KMS. This field appears only when the Key type is Asymmetric and the Key usage is Sign and verify. For information about the signing algorithms that AWS KMS supports, see RSA key specs for signing and verification and Elliptic curve key specs.

Status

Where: General configuration section

The key state of the KMS key. You can use the KMS key in cryptographic operations only when the status is Enabled. For a detailed description of each KMS key status and its effect on the operations that you can run on the KMS key, see Key state: Effect on your KMS key.

Tags

Where: Tags tab

Optional key-value pairs that describe the KMS key. To add or change the tags for a KMS key, on the Tags tab, choose Edit.

When you add tags to your AWS resources, AWS generates a cost allocation report with usage and costs aggregated by tags. Tags can also be used to control access to a KMS key. For information about tagging KMS keys, see Tagging keys and Using ABAC for AWS KMS.

Customizing your KMS key tables

You can customize the tables that appear on the AWS managed keys and Customer managed keys pages in the AWS Management Console to suit your needs. You can choose the table columns, the number of AWS KMS keys on each page (Page size), and the text wrap. The configuration you choose is saved when you confirm it and reapplied whenever you open the pages.

To customize your KMS key tables

  1. On the AWS managed keys or Customer managed keys page, choose the settings icon in the upper-right corner of the page.

  2. On the Preferences page, choose your preferred settings, and then choose Confirm.

Consider using the Page size setting to increase the number of KMS keys displayed on each page, especially if you typically use a device that makes scrolling easy.

The data columns that you display might vary depending on the table, your job role, and the types of KMS keys in the account and Region. The following table offers some suggested configurations. For descriptions of the columns, see Displaying KMS key details.

Suggested KMS key table configurations

You can customize the columns that appear in your KMS key table to display the information you need about your KMS keys.

AWS managed keys

By default, the AWS managed key table displays the Aliases, Key ID, and Status columns. These columns are ideal for most use cases.

Symmetric KMS keys

If you use only symmetric KMS keys with key material generated by AWS KMS, the Aliases, Key ID, Status, and Creation date columns are likely to be the most useful.

Asymmetric KMS keys

If you use asymmetric KMS keys, in addition to the Aliases, Key ID, and Status columns, consider adding the Key type, Key spec, and Key usage columns. These columns will show you whether a KMS key is symmetric or asymmetric, the type of key material, and whether the KMS key can be used for encryption or signing.

Imported key material

If you have KMS keys with imported key material, consider adding the Origin and Expiration date columns. These columns will show you whether the key material in a KMS key is imported or generated by AWS KMS and when the key material expires, if at all. The Creation date field displays the date that the KMS key was created (without key material). It doesn't reflect any characteristic of the key material.

Keys in custom key stores

If you have KMS keys in custom key stores, consider adding the Custom key store ID column. A value in this column indicates that the KMS key is in a custom key store, as well as showing which custom key store it's in.

Multi-Region keys

If you have multi-Region keys, consider adding the Regionality column. This shows whether a KMS key is a single-Region key, a multi-Region primary key or a multi-Region replica key.
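The fields described under Displaying KMS key details and the suggested column sets above are all derived from the key's metadata, which is what the DescribeKey operation returns. The following Python is an added example, not code from the AWS documentation: it maps the console fields (Status, Key type, Key spec, Key usage, Origin, Expiration date, Custom key store ID, Regionality) onto KeyMetadata fields, assembles each suggested column set as a table, and surfaces the two things a reviewer most wants from those columns: keys whose status is not Enabled and imported key material about to expire. The key records are constructed sample data; the column-to-field mapping is my assumption about how the console derives its columns, and Aliases are left out of the column sets because they come from ListAliases rather than DescribeKey. Only live_key_metadata() calls a real account, and it requires boto3.

```python
"""Suggested KMS key table views from DescribeKey metadata (added example, not AWS code)."""
from datetime import datetime, timedelta, timezone
from typing import Dict, List, Optional

# Console column -> KeyMetadata field (assumed mapping). "Key type" and "Regionality" are derived.
COLUMN_FIELDS = {
    "Key ID": "KeyId", "Status": "KeyState", "Creation date": "CreationDate",
    "Key spec": "KeySpec", "Key usage": "KeyUsage", "Origin": "Origin",
    "Expiration date": "ValidTo", "Custom key store ID": "CustomKeyStoreId",
}

# The page's suggested configurations (Aliases omitted: not part of DescribeKey output).
SUGGESTED: Dict[str, List[str]] = {
    "symmetric": ["Key ID", "Status", "Creation date"],
    "asymmetric": ["Key ID", "Status", "Key type", "Key spec", "Key usage"],
    "imported": ["Key ID", "Status", "Origin", "Expiration date"],
    "custom_key_store": ["Key ID", "Status", "Custom key store ID"],
    "multi_region": ["Key ID", "Status", "Regionality"],
}

NOW = datetime(2024, 1, 15, tzinfo=timezone.utc)  # fixed clock so the sample is reproducible
T0 = datetime(2023, 6, 1, tzinfo=timezone.utc)

# Constructed KeyMetadata records, one per use case on the page.
SAMPLE_KEYS: List[dict] = [
    {"KeyId": "11111111-1111-1111-1111-111111111111", "KeyState": "Enabled", "CreationDate": T0,
     "KeySpec": "SYMMETRIC_DEFAULT", "KeyUsage": "ENCRYPT_DECRYPT", "Origin": "AWS_KMS",
     "MultiRegion": False},
    {"KeyId": "22222222-2222-2222-2222-222222222222", "KeyState": "Enabled", "CreationDate": T0,
     "KeySpec": "RSA_2048", "KeyUsage": "SIGN_VERIFY", "Origin": "AWS_KMS", "MultiRegion": True,
     "MultiRegionConfiguration": {"MultiRegionKeyType": "PRIMARY"}},
    {"KeyId": "33333333-3333-3333-3333-333333333333", "KeyState": "Enabled", "CreationDate": T0,
     "KeySpec": "SYMMETRIC_DEFAULT", "KeyUsage": "ENCRYPT_DECRYPT", "Origin": "EXTERNAL",
     "ExpirationModel": "KEY_MATERIAL_EXPIRES", "ValidTo": NOW + timedelta(days=10),
     "MultiRegion": False},
    {"KeyId": "44444444-4444-4444-4444-444444444444", "KeyState": "PendingDeletion",
     "CreationDate": T0, "KeySpec": "SYMMETRIC_DEFAULT", "KeyUsage": "ENCRYPT_DECRYPT",
     "Origin": "AWS_CLOUDHSM", "CustomKeyStoreId": "cks-1234567890abcdef0", "MultiRegion": False},
]


def key_type(meta: dict) -> str:
    """Console 'Key type': SYMMETRIC_DEFAULT (and HMAC specs) are symmetric, all else asymmetric."""
    spec = meta["KeySpec"]
    return "Symmetric" if spec == "SYMMETRIC_DEFAULT" or spec.startswith("HMAC_") else "Asymmetric"


def regionality(meta: dict) -> str:
    """Console 'Regionality' from MultiRegion and MultiRegionConfiguration."""
    if not meta.get("MultiRegion"):
        return "Single-Region"
    kind = meta.get("MultiRegionConfiguration", {}).get("MultiRegionKeyType")
    return "Multi-Region primary" if kind == "PRIMARY" else "Multi-Region replica"


def column_value(meta: dict, column: str):
    if column == "Key type":
        return key_type(meta)
    if column == "Regionality":
        return regionality(meta)
    # Absent fields (e.g. ValidTo on AWS_KMS-origin keys) show as empty, as in the console.
    return meta.get(COLUMN_FIELDS[column], "")


def key_table(keys: List[dict], use_case: str) -> List[Dict[str, object]]:
    """Rows with the page's suggested columns for the given use case."""
    return [{col: column_value(m, col) for col in SUGGESTED[use_case]} for m in keys]


def review_flags(keys: List[dict], now: datetime, expiry_window_days: int = 30) -> Dict[str, List[str]]:
    """Unusable key states and imported key material close to expiry.

    CreationDate is deliberately not used to judge key material age: as the page
    says, it describes the KMS key, not the key material.
    """
    flags: Dict[str, List[str]] = {}
    for m in keys:
        issues = []
        if m["KeyState"] != "Enabled":
            issues.append(f"status {m['KeyState']}: not usable in cryptographic operations")
        valid_to: Optional[datetime] = m.get("ValidTo")
        if (m.get("Origin") == "EXTERNAL" and valid_to is not None
                and valid_to <= now + timedelta(days=expiry_window_days)):
            issues.append(f"imported key material expires in {(valid_to - now).days} days")
        if issues:
            flags[m["KeyId"]] = issues
    return flags


def live_key_metadata(region_name: Optional[str] = None) -> List[dict]:
    """KeyMetadata for every key in the account and Region (needs boto3, kms:ListKeys,
    kms:DescribeKey); boto3 is imported here so the constructed sample runs without it."""
    import boto3
    kms = boto3.client("kms", region_name=region_name)
    return [kms.describe_key(KeyId=k["KeyId"])["KeyMetadata"]
            for page in kms.get_paginator("list_keys").paginate()
            for k in page["Keys"]]
```

Run `key_table(live_key_metadata(), "imported")` to get the same view the page suggests for imported key material, and `review_flags(live_key_metadata(), datetime.now(timezone.utc))` to list keys that need attention before their state or expiring material causes failures.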