Access and list KMS key details - AWS Key Management Service

Access and list KMS key details

You can use the AWS KMS console or the DescribeKey operation to access and list detailed information about the KMS keys in the account and Region.

The following procedures demonstrate how to access KMS key details, such as the key ID, key spec, key usage, and more.

The details page for each KMS key displays the properties of the KMS key. It differs slightly for the different types of KMS keys.

To display detailed information about a KMS key, on the AWS managed keys or Customer managed keys page, choose the alias or key ID of the KMS key.

The details page for a KMS key includes a General Configuration section that displays the basic properties of the KMS key. It also includes tabs on which you can view and edit properties of the KMS key, such as Key policy, Cryptographic configuration, Tags, Key material (for KMS keys with imported key material), Key rotation (for symmetric encryption KMS keys), Regionality (for multi-Region keys), and Public key (for asymmetric KMS keys).

Note

The AWS KMS console displays the KMS keys that you have permission to view in your account and Region. KMS keys in other AWS accounts do not appear in the console, even if you have permission to view, manage, and use them. To view KMS keys in other accounts, use the DescribeKey operation.

To navigate to the key details page for a KMS key

  1. Sign in to the AWS Management Console and open the AWS Key Management Service (AWS KMS) console at https://console.aws.amazon.com/kms.

  2. To change the AWS Region, use the Region selector in the upper-right corner of the page.

  3. To view the keys in your account that you create and manage, in the navigation pane choose Customer managed keys. To view the keys in your account that AWS creates and manages for you, in the navigation pane, choose AWS managed keys.

  4. To open the key details page, in the key table, choose the key ID or alias of the KMS key.

    If the KMS key has multiple aliases, an alias summary (+n more) appears beside the name of one of the aliases. Choosing the alias summary takes you directly to the Aliases tab on the key details page.

The following list describes the fields in the detailed display, including the fields in the tabs. Some of these fields are also available as columns in the table display.

Aliases

Where: Aliases tab

A friendly name for the KMS key. You can use an alias to identify the KMS key in the console and in some AWS KMS APIs. For details, see Aliases in AWS KMS.

The Aliases tab displays all aliases associated with the KMS key in the AWS account and Region.

ARN

Where: General configuration section

The Amazon Resource Name (ARN) of the KMS key. This value uniquely identifies the KMS key. You can use it to identify the KMS key in AWS KMS API operations.

Connection state

Indicates whether a custom key store is connected to its backing key store. This field appears only when the KMS key is created in a custom key store.

For information about the values in this field, see ConnectionState in the AWS KMS API Reference.

Creation date

Where: General configuration section

The date and time that the KMS key was created. This value is displayed in local time for the device. The time zone does not depend on the Region.

Unlike Expiration, the creation refers only to the KMS key, not its key material.

CloudHSM cluster ID

Where: Cryptographic configuration tab

The cluster ID of the AWS CloudHSM cluster that contains the key material for the KMS key. This field appears only when the KMS key is created in a custom key store.

If you choose the CloudHSM cluster ID, it opens the Clusters page in the AWS CloudHSM console.

Custom key store ID

Where: Cryptographic configuration tab

The ID of the custom key store that contains the KMS key. This field appears only when the KMS key is created in a custom key store.

If you choose the custom key store ID, it opens the Custom key stores page in the AWS KMS console.

Custom key store name

Where: Cryptographic configuration tab

The name of the custom key store that contains the KMS key. This field appears only when the KMS key is created in a custom key store.

Custom key store type

Where: Cryptographic configuration tab

Indicates whether the custom key store is an AWS CloudHSM key store or an external key store. This field appears only when the KMS key is created in a custom key store.

Description

Where: General configuration section

A brief, optional description of the KMS key that you can write and edit. To add or update the description of a customer managed key, above General Configuration, choose Edit.

Encryption algorithms

Where: Cryptographic configuration tab

Lists the encryption algorithms that can be used with the KMS key in AWS KMS. This field appears only when the Key type is Asymmetric and the Key usage is Encrypt and decrypt. For information about the encryption algorithms that AWS KMS supports, see SYMMETRIC_DEFAULT key spec and RSA key specs for encryption and decryption.

Expiration date

Where: Key material tab

The date and time when the key material for the KMS key expires. This field appears only for KMS keys with imported key material, that is, when the Origin is External and the KMS key has key material that expires.

External key ID

Where: Cryptographic configuration tab

The ID of the external key that is associated with a KMS key in an external key store. This field appears only for KMS keys in an external key store.

External key status

Where: Cryptographic configuration tab

The most recent status that the external key store proxy reported for the external key associated with the KMS key. This field appears only for KMS keys in an external key store.

External key usage

Where: Cryptographic configuration tab

The cryptographic operations that are enabled on the external key associated with the KMS key. This field appears only for KMS keys in an external key store.

Key policy

Where: Key policy tab

Controls access to the KMS key along with IAM policies and grants. Every KMS key has one key policy. It is the only mandatory authorization element. To change the key policy of a customer managed key, on the Key policy tab, choose Edit. For details, see Key policies in AWS KMS.

Key rotation

Where: Key rotation tab

Enables and disables automatic rotation of the key material in a customer managed KMS key. To change the key rotation status of a customer managed key, use the check box on the Key rotation tab.

You can't enable or disable rotation of the key material in an AWS managed key. AWS managed keys are automatically rotated every year.

Key spec

Where: Cryptographic configuration tab

The type of key material in the KMS key. AWS KMS supports symmetric encryption KMS keys (SYMMETRIC_DEFAULT), HMAC KMS keys of different lengths, KMS keys for RSA keys of different lengths, and elliptic curve keys with different curves. For details, see Key spec.

Key type

Where: Cryptographic configuration tab

Indicates whether the KMS key is Symmetric or Asymmetric.

Key usage

Where: Cryptographic configuration tab

Indicates whether a KMS key can be used for Encrypt and decrypt, Sign and verify or Generate and verify MAC. For details, see Key usage.

Origin

Where: Cryptographic configuration tab

The source of the key material for the KMS key. Valid values are:

MAC algorithms

Where: Cryptographic configuration tab

Lists the MAC algorithms that can be used with an HMAC KMS key in AWS KMS. This field appears only when the Key spec is an HMAC key spec (HMAC_*). For information about the MAC algorithms that AWS KMS supports, see Key specs for HMAC KMS keys.

Primary key

Where: Regionality tab

Indicates that this KMS key is a multi-Region primary key. Authorized users can use this section to change the primary key to a different related multi-Region key. This field appears only when the KMS key is a multi-Region primary key.

Public key

Where: Public key tab

Displays the public key of an asymmetric KMS key. Authorized users can use this tab to copy and download the public key.

Regionality

Where: General configuration section and Regionality tab

Indicates whether a KMS key is a single-Region key, a multi-Region primary key, or a multi-Region replica key. This field appears only when the KMS key is a multi-Region key.

Related multi-Region keys

Where: Regionality tab

Displays all related multi-Region primary and replica keys, except for the current KMS key. This field appears only when the KMS key is a multi-Region key.

In the Related multi-Region keys section of a primary key, authorized users can create new replica keys.

Replica key

Where: Regionality tab

Indicates that this KMS key is a multi-Region replica key. This field appears only when the KMS key is a multi-Region replica key.

Signing algorithms

Where: Cryptographic configuration tab

Lists the signing algorithms that can be used with the KMS key in AWS KMS. This field appears only when the Key type is Asymmetric and the Key usage is Sign and verify. For information about the signing algorithms that AWS KMS supports, see RSA key specs for signing and verification and Elliptic curve key specs.

Status

Where: General configuration section

The key state of the KMS key. You can use the KMS key in cryptographic operations only when the status is Enabled. For a detailed description of each KMS key status and its effect on the operations that you can run on the KMS key, see Key states of AWS KMS keys.

Tags

Where: Tags tab

Optional key-value pairs that describe the KMS key. To add or change the tags for a KMS key, on the Tags tab, choose Edit.

When you add tags to your AWS resources, AWS generates a cost allocation report with usage and costs aggregated by tags. Tags can also be used to control access to a KMS key. For information about tagging KMS keys, see Tags in AWS KMS and ABAC for AWS KMS.

The DescribeKey operation returns details about the specified KMS key. To identify the KMS key, use the key ID, key ARN, alias name, or alias ARN.

Unlike the ListKeys operation, which displays only KMS keys in the caller's account and Region, authorized users can use the DescribeKey operation to get details about KMS keys in other accounts.

Note

The DescribeKey response includes both KeySpec and CustomerMasterKeySpec members with the same values. The CustomerMasterKeySpec member is deprecated.

For example, this call to DescribeKey returns information about a symmetric encryption KMS key. The fields in the response vary with the AWS KMS key spec, key state, and the key material origin. For examples in multiple programming languages, see Use DescribeKey with an AWS SDK or CLI.

$ aws kms describe-key --key-id 1234abcd-12ab-34cd-56ef-1234567890ab

{
    "KeyMetadata": {
        "Origin": "AWS_KMS",
        "KeyId": "1234abcd-12ab-34cd-56ef-1234567890ab",
        "Description": "",
        "KeyManager": "CUSTOMER",
        "Enabled": true,
        "KeySpec": "SYMMETRIC_DEFAULT",
        "CustomerMasterKeySpec": "SYMMETRIC_DEFAULT",
        "KeyUsage": "ENCRYPT_DECRYPT",
        "KeyState": "Enabled",
        "CreationDate": 1499988169.234,
        "MultiRegion": false,
        "Arn": "arn:aws:kms:us-west-2:111122223333:key/1234abcd-12ab-34cd-56ef-1234567890ab",
        "AWSAccountId": "111122223333",
        "EncryptionAlgorithms": [
            "SYMMETRIC_DEFAULT"
        ]
    }
}

This example calls the DescribeKey operation on an asymmetric KMS key used for signing and verification. The response includes the signing algorithms that AWS KMS supports for this KMS key.

$ aws kms describe-key --key-id 0987dcba-09fe-87dc-65ba-ab0987654321

{
    "KeyMetadata": {
        "KeyId": "0987dcba-09fe-87dc-65ba-ab0987654321",
        "Origin": "AWS_KMS",
        "Arn": "arn:aws:kms:us-west-2:111122223333:key/0987dcba-09fe-87dc-65ba-ab0987654321",
        "KeyState": "Enabled",
        "KeyUsage": "SIGN_VERIFY",
        "CreationDate": 1569973196.214,
        "Description": "",
        "KeySpec": "ECC_NIST_P521",
        "CustomerMasterKeySpec": "ECC_NIST_P521",
        "AWSAccountId": "111122223333",
        "Enabled": true,
        "MultiRegion": false,
        "KeyManager": "CUSTOMER",
        "SigningAlgorithms": [
            "ECDSA_SHA_512"
        ]
    }
}
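The following is an added example, not code from the AWS documentation: it takes the KeyMetadata object that DescribeKey returns (the symmetric key response above is embedded as a constructed sample) and derives the console's display fields described in this page, such as Key type, Key usage and Status, while also flagging a key whose state is not Enabled, a mismatch between KeySpec and the deprecated CustomerMasterKeySpec, and imported key material with an expiration. The ValidTo and MacAlgorithms members are assumed to be the KeyMetadata fields that carry the console's Expiration date and MAC algorithms values.

```python
# Added example, not from the AWS documentation: map a DescribeKey
# KeyMetadata response to the console's display fields and flag findings.
from datetime import datetime, timezone

# Constructed sample: the KeyMetadata of the symmetric key shown above.
SAMPLE_SYMMETRIC = {
    "KeyId": "1234abcd-12ab-34cd-56ef-1234567890ab",
    "Origin": "AWS_KMS", "KeyManager": "CUSTOMER", "Enabled": True,
    "KeySpec": "SYMMETRIC_DEFAULT", "CustomerMasterKeySpec": "SYMMETRIC_DEFAULT",
    "KeyUsage": "ENCRYPT_DECRYPT", "KeyState": "Enabled",
    "CreationDate": 1499988169.234, "MultiRegion": False,
    "EncryptionAlgorithms": ["SYMMETRIC_DEFAULT"],
}

# API KeyUsage value -> label shown in the console's "Key usage" field
USAGE_LABELS = {
    "ENCRYPT_DECRYPT": "Encrypt and decrypt",
    "SIGN_VERIFY": "Sign and verify",
    "GENERATE_VERIFY_MAC": "Generate and verify MAC",
}

def summarize(meta):
    """Derive the console's General/Cryptographic configuration fields."""
    spec = meta["KeySpec"]  # prefer KeySpec; CustomerMasterKeySpec is deprecated
    # Console "Key type": SYMMETRIC_DEFAULT and HMAC_* specs are Symmetric
    symmetric = spec == "SYMMETRIC_DEFAULT" or spec.startswith("HMAC_")
    # CreationDate is epoch seconds; the console shows it in local time,
    # so normalise to UTC for logs and cross-Region comparison
    created = datetime.fromtimestamp(meta["CreationDate"], tz=timezone.utc)
    algorithms = (meta.get("EncryptionAlgorithms") or meta.get("SigningAlgorithms")
                  or meta.get("MacAlgorithms") or [])  # MacAlgorithms: assumed field
    return {
        "Key type": "Symmetric" if symmetric else "Asymmetric",
        "Key usage": USAGE_LABELS.get(meta["KeyUsage"], meta["KeyUsage"]),
        "Status": meta["KeyState"],
        "Origin": meta["Origin"],
        "Creation date (UTC)": created.isoformat(timespec="seconds"),
        "Algorithms": algorithms,
    }

def audit(meta):
    """Findings a reviewer wants before relying on the key."""
    findings = []
    if meta["KeyState"] != "Enabled":  # only Enabled keys serve crypto operations
        findings.append(f"key state is {meta['KeyState']}, not Enabled")
    if meta.get("CustomerMasterKeySpec", meta["KeySpec"]) != meta["KeySpec"]:
        findings.append("KeySpec and deprecated CustomerMasterKeySpec disagree")
    if meta["Origin"] == "EXTERNAL" and "ValidTo" in meta:  # assumed expiry field
        findings.append("imported key material expires at ValidTo=%s" % meta["ValidTo"])
    return findings
```

Feed it the KeyMetadata from `aws kms describe-key` for each key returned by ListKeys to get a console-style inventory without clicking through every key details page.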