I want to list customer master key (CMK) grants and principals for my AWS Key Management Service (AWS KMS) accounts by Region.

You can retrieve the number of grants a CMK has and the principals for each one by using the AWS Command Line Interface (AWS CLI) or AWS SDKs. Be sure that you install and configure the AWS CLI with policy permissions to perform list-keys and list-grants.

Run the following commands to list your CMK and grants:

aws kms list-keys --region <enter your region>
aws kms list-grants --region <enter your region> --key-id 1234abcd-12ab-34cd-56ef-1234567890ab

To query against all your CMKs for a specific Region, run this command:

for key in $(aws kms list-keys --region <enter your region> --query 'Keys[].KeyId' --output text); do aws kms list-grants --region <enter your region> --key-id "$key"; done

Note: This example uses the built-in AWS CLI --query option to filter elements from the output.
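The loop above prints the raw grant records for each key. To get the grant count and grantee principals per key for access review, the following added example (not part of the original article) reduces the same two calls to a summary. The function name summarize_grants and the output layout are assumptions of this example.

```bash
#!/usr/bin/env bash
# Added example: per-key grant count and grantee principals for one Region.
# Usage: summarize_grants us-east-1
# Returns 1 if any key could not be listed, so an incomplete audit is not
# mistaken for a complete one.

summarize_grants() {
    local region="$1" keys key grants rc=0

    # With --output text, the key IDs come back whitespace-separated.
    keys=$(aws kms list-keys --region "$region" \
              --query 'Keys[].KeyId' --output text) || return 1

    for key in $keys; do
        # One line per grant: GrantId <TAB> GranteePrincipal <TAB> Operations
        if ! grants=$(aws kms list-grants --region "$region" --key-id "$key" \
                --query "Grants[].[GrantId,GranteePrincipal,join(',',Operations)]" \
                --output text); then
            # For example, the caller lacks permission on this key.
            echo "$key: list-grants failed" >&2
            rc=1
            continue
        fi

        # Print a header line with the count, then one indented line per grant.
        # Keys with no grants still get a header with grants=0.
        printf '%s\n' "$grants" | awk -F'\t' -v key="$key" '
            NF  { n++; rows = rows sprintf("  %s\t%s\t%s\n", $1, $2, $3) }
            END { printf "%s\tgrants=%d\n%s", key, n, rows }'
    done
    return "$rc"
}
```

Grantee principals outside your own account, or grants that allow Decrypt or CreateGrant, are the rows to check first in the output.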


Published: 2018-11-15