How do I list KMS key grants and principals by Region in AWS KMS?

2 minute read

I want to list AWS KMS key grants and principals for my AWS Key Management Service (AWS KMS) accounts by AWS Region.


You can retrieve the number of grants a KMS key has and the principles for each one by using the AWS Command Line Interface (AWS CLI) or AWS SDKs. Be sure that you install and configure the AWS CLI with policy permissions to perform list-keys and list-grants.

Note: If you receive errors when running AWS CLI commands, make sure that you’re using the most recent version of the AWS CLI.

Run the following commands to list your KMS key and grants:

Note: Replace your-region with your AWS Region and your-AWS KMS-key-ID with your AWS KMS key ID.

aws kms list-keys --region <your-region>
aws kms list-grants --region <your-region> --key-id <your-AWS KMS-key-ID>

To query against all your KMS keys for a specific AWS Region, run this command:

for key in $(aws kms list-keys --region <your-region> --query 'Keys[].KeyId' --output text);do aws kms list-grants --region <your-region> --key-id $key; done

Note: This example uses the built-in AWS CLI --query option to filter elements from the output.

Run this command to list the number of grants each principal has for a KMS key:

aws kms list-grants --region <your-region> --key-id <your-AWS KMS-key-ID> | jq '.Grants[].GranteePrincipal' -r | sort | uniq -c;

Note: You must have jq installed to run this command. For instructions for installing jq, see JSON output format.

AWS OFFICIALUpdated 2 years ago