How do I list CMK grants and principals for my account by Region?

Last updated: 2019-03-25

I want to list the customer master key (CMK) grants in my AWS Key Management Service (AWS KMS) account, and the principals in each grant, by AWS Region.

Resolution

You can retrieve the number of grants on a CMK, and the principals in each grant, by using the AWS Command Line Interface (AWS CLI) or the AWS SDKs. Be sure that you install and configure the AWS CLI with credentials for an identity whose IAM or key policies allow the kms:ListKeys and kms:ListGrants actions. Note that grants are only one of the ways a principal can get access to a CMK; key policies and IAM policies are not covered by list-grants, so review those separately.

Run the following commands to list your CMK and grants:

Note: Replace your-region with your AWS Region, for example us-east-1.

aws kms list-keys --region your-region
aws kms list-grants --region your-region --key-id 1234abcd-12ab-34cd-56ef-1234567890ab

To query against all your CMKs for a specific AWS Region, run this command:

for key in $(aws kms list-keys --region your-region --query 'Keys[].KeyId' --output text); do aws kms list-grants --region your-region --key-id "$key"; done

Note: This example uses the built-in AWS CLI --query option to filter elements from the output. If the caller is not allowed to list grants on one of the keys, the AWS CLI prints an error for that key and the loop continues with the next one.

Run this command to list the number of grants each principal has for a KMS key:

aws kms list-grants --region your-region --key-id 1234abcd-12ab-34cd-56ef-1234567890ab | jq -r '.Grants[].GranteePrincipal' | sort | uniq -c

Note: You must have jq installed to run this command. For instructions on installing jq, see JSON Output Format in the AWS CLI User Guide.
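The same sweep written against the AWS SDK for Python, as an added example that is not part of the original article. It pages through ListKeys and ListGrants with boto3 paginators, counts grants per grantee principal for every key, and records keys whose grants the caller is not allowed to list instead of stopping. The summarisation is pure Python and runs on the constructed sample below; the collection step assumes boto3 is installed and that the caller holds kms:ListKeys and kms:ListGrants, and is only used when you pass Region names on the command line. The key IDs, principal ARNs and grant IDs in the sample are made up.

```python
"""Grants per grantee principal for every KMS key in a Region.

Added example, not code from the AWS article. The summarisation is plain
Python so it runs on the constructed sample below; collect_region() assumes
boto3 is installed and the caller holds kms:ListKeys and kms:ListGrants.
"""
from collections import Counter


def count_grants_by_principal(grants):
    """Map GranteePrincipal -> number of grants, for one key.

    `grants` is the "Grants" array from ListGrants, all pages concatenated.
    Same result as `jq -r '.Grants[].GranteePrincipal' | sort | uniq -c`.
    """
    return Counter(g["GranteePrincipal"] for g in grants)


def summarize_region(key_ids, grants_for_key):
    """Return ({key_id: Counter}, [(key_id, error)]) for one Region.

    `grants_for_key(key_id)` returns that key's full grant list or raises.
    A key the caller cannot list grants on (AWS KMS answers with
    AccessDeniedException) goes into the second list instead of aborting
    the sweep.
    """
    summary, skipped = {}, []
    for key_id in key_ids:
        try:
            summary[key_id] = count_grants_by_principal(grants_for_key(key_id))
        except Exception as exc:  # botocore ClientError in the real call
            skipped.append((key_id, str(exc)))
    return summary, skipped


# Constructed sample shaped like ListGrants output; not real grants or ARNs.
SAMPLE_GRANTS = {
    "1234abcd-12ab-34cd-56ef-1234567890ab": [
        {"GrantId": "g1", "GranteePrincipal": "arn:aws:iam::111122223333:role/app",
         "Operations": ["Encrypt", "Decrypt"]},
        {"GrantId": "g2", "GranteePrincipal": "arn:aws:iam::111122223333:role/app",
         "Operations": ["GenerateDataKey"]},
        {"GrantId": "g3", "GranteePrincipal": "arn:aws:iam::111122223333:role/backup",
         "Operations": ["Decrypt"]},
    ],
    "0987fedc-09fe-87dc-65ba-0987654321fe": [],
}


def sample_grants_for_key(key_id):
    """Stand-in for ListGrants; unknown keys mimic an access-denied failure."""
    if key_id not in SAMPLE_GRANTS:
        raise PermissionError("AccessDeniedException: kms:ListGrants on " + key_id)
    return SAMPLE_GRANTS[key_id]


def collect_region(region):
    """Real collection with boto3 (assumed installed and configured)."""
    import boto3  # assumption: boto3 available, credentials configured

    kms = boto3.client("kms", region_name=region)
    key_ids = [k["KeyId"]
               for page in kms.get_paginator("list_keys").paginate()
               for k in page["Keys"]]

    def grants_for_key(key_id):
        return [g
                for page in kms.get_paginator("list_grants").paginate(KeyId=key_id)
                for g in page["Grants"]]

    return summarize_region(key_ids, grants_for_key)


def format_summary(region, summary, skipped):
    """Render one Region's result as text lines: count, principal, key."""
    lines = ["Region " + region]
    for key_id, counts in summary.items():
        if not counts:
            lines.append("  %s: no grants" % key_id)
        for principal, n in sorted(counts.items()):
            lines.append("  %4d %s  (key %s)" % (n, principal, key_id))
    for key_id, err in skipped:
        lines.append("  SKIPPED %s: %s" % (key_id, err))
    return lines


if __name__ == "__main__":
    import sys

    if len(sys.argv) > 1:  # e.g. python grants.py us-east-1 eu-west-1
        for region in sys.argv[1:]:
            print("\n".join(format_summary(region, *collect_region(region))))
    else:  # no Region given: run on the constructed sample
        key_ids = list(SAMPLE_GRANTS) + ["not-listable-key"]
        print("\n".join(format_summary(
            "sample", *summarize_region(key_ids, sample_grants_for_key))))
```

Passing several Region names walks them one after another, which is the "by Region" view the question asks for; the skipped list is worth reading as well, because a key you cannot list grants on is exactly the kind of key whose access you want to understand.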
