I want to list customer master key (CMK) grants and principals for my AWS Key Management Service (AWS KMS) accounts by AWS Region.

You can retrieve the number of grants a CMK has and the principles for each one by using the AWS Command Line Interface (AWS CLI) or AWS SDKs. Be sure that you install and configure the AWS CLI with policy permissions to perform list-keys and list-grants.

Run the following commands to list your CMK and grants:

Note: Replace enter your region with your AWS Region.

aws kms list-keys --region enter your region
aws kms list-grants --region enter your region --key-id 1234abcd-12ab-34cd-56ef-1234567890ab

To query against all your CMKs for a specific AWS Region, run this command:

for key in $(aws kms list-keys --region enter your region --query 'Keys[].KeyId' --output text);do aws kms list-grants --region <enter your region> --key-id $key; done

Note: This example uses the built-in AWS CLI --query option to filter elements from the output.

Run this command to list the number of grants each principal has for a KMS key:

aws kms list-grants --region enter your region --key-id 1234abcd-12ab-34cd-56ef-1234567890ab | jq '.Grants[].GranteePrincipal' -r | sort | uniq -c;

Note: You must have jq installed to run this command. For instructions for installing jq, see JSON Output Format.


Did this page help you? Yes | No

Back to the AWS Support Knowledge Center

Need help? Visit the AWS Support Center

Published: 2018-11-15

Updated: 2019-03-25