How can I view encryption information about my AMI or snapshot?

Last updated: 2020-10-08

How can I determine if my Amazon Machine Image (AMI) or snapshot is encrypted, and if it is, whether it uses an AWS managed Customer Master Key (CMK) or a customer managed CMK?

Short description

You can view encryption information for your snapshots or AMI using the console or using the AWS Command Line Interface (AWS CLI).



View encryption information using AWS CLI commands

1.     Run the describe-images command with the BlockDeviceMappings query filter to view the snapshots associated with the AMI. In the following example, replace image-ids and region with the ID and Region of your AMI.

# aws ec2 describe-images --image-ids ami-xxxxxxxxx --region eu-west-1 --query "Images[*].BlockDeviceMappings"
            "DeviceName": "/dev/xvda",
            "Ebs": {
                "DeleteOnTermination": true,
                "SnapshotId": "snap-xxxxxxxxx",
                "VolumeSize": 8,
                "VolumeType": "gp2",
                "Encrypted": true

The preceding command output example shows the snapshot associated with the AMI has the Encrypted parameter set to true.

2.    Run the describe-snapshots command using the snapshot-id of the snapshot listed in the output of the describe-images command:

# aws ec2 describe-snapshots --snapshot-ids snap-xxxxxxxxx  --region eu-west-1
    "Snapshots": [
            "Description": "Copied for DestinationAmi ami-xxxxxxxxx from SourceAmi ami-xxxxxxxxx for SourceSnapshot snap-xxxxxxxxx. Task created on 1,579,611,950,318.",
            "Encrypted": true,
            "KmsKeyId": "arn:aws:kms:eu-west-1:9208xxxxxxxxx:key/dcd4d062-xxxxxxxxx-xxxxxxxxxx",
            "OwnerId": "920893848407",
            "Progress": "100%",
            "SnapshotId": "snap-xxxxxxxxx",
            "StartTime": "2020-01-21T13:05:53.887Z",
            "State": "completed",
            "VolumeId": "vol-ffffffff",
            "VolumeSize": 8

In the command output, note the KMSKeyId.

3.    Run the describe-key command to determine whether the key is an AWS managed CMK or a customer managed CMK. In the following command, replace key-id with the KMSKeyId listed in the describe-snapshot command. Replace region with the snapshot's Region.

# aws kms describe-key --key-id dcd4d062-xxxxxxxxx-xxxxxxxxx  --region eu-west-1
    "KeyMetadata": {
        "AWSAccountId": "92xxxxxxxxx",
        "KeyId": "dcd4d062-xxxxxxxxx-xxxxxxxx",
        "Arn": "arn:aws:kms:eu-west-1:92xxxxxxxxx:key/dcd4d062-xxxxxxxxx-xxxxxxx",
        "CreationDate": 1579611763.538,
        "Enabled": true,
        "Description": "02-ratheed-CMK",
        "KeyUsage": "ENCRYPT_DECRYPT",
        "KeyState": "Enabled",
        "Origin": "AWS_KMS",
        "KeyManager": "CUSTOMER",
        "CustomerMasterKeySpec": "SYMMETRIC_DEFAULT",
        "EncryptionAlgorithms": [

In the preceding output example, the "KeyManager" parameter is "Customer", indicating the key is a customer managed CMK. For an AWS managed key, the "KeyManager" parameter is "AWS".

View encryption information using the console

1.    Open the Amazon EC2 console, and then choose AMIs.

2.    Copy the ID of the AMI you want details for.

3.    Under Elastic Block Store, choose Snapshots.

4.    Paste the AMI ID into the search box, and then press ENTER.

5.    Select the snapshot, and then on the Description tab, verify if Encryption is set to Encrypted or Not Encrypted. If the snapshot is encrypted, note the KMS Key ID and KMS Key ARN.

6.    Open the AWS Key Management Service (AWS KMS) console.

7.    Select AWS managed keys and then paste the KMS Key ID into the filter box. If no results appear, choose Customer managed keys and then paste the KMS Key ID into the filter box.

Note: You can't share AMIs that are encrypted with an AWS managed key. For more information, see Sharing a snapshot - Considerations.

Did this article help?

Do you need billing or technical support?