How do I list KMS key grants and principals by Region in AWS KMS?


I want to list the grants on my AWS Key Management Service (AWS KMS) keys, and the principals those grants give permissions to, for each AWS Region.

Resolution

Use the AWS Command Line Interface (AWS CLI) or an AWS SDK to retrieve the grants on each AWS KMS key and the grantee principals that they authorize. Make sure that the identity you run the commands as is allowed to call kms:ListKeys and kms:ListGrants (the actions behind the list-keys and list-grants AWS CLI commands). Note that list-grants is authorized by the key policy of each key, so a key whose policy doesn't allow kms:ListGrants for your principal returns an AccessDeniedException even though list-keys shows the key.


Run the following commands on Windows, Linux, macOS, or Unix to list your AWS KMS keys in a Region and then the grants on one key. The --key-id value can be the key ID or the key ARN:

aws kms list-keys --region your-region
aws kms list-grants --region your-region --key-id your-KMS-key-ID

Run the following command on Linux, macOS, or Unix to list the grants on every AWS KMS key in a specific Region:

for key in $(aws kms list-keys --region your-region --query 'Keys[].KeyId' --output text); do aws kms list-grants --region your-region --key-id "$key"; done

Note: The preceding example uses the built-in AWS CLI --query option to filter elements from the output.

Run the following command on Linux, macOS, or Unix to count how many grants each grantee principal has on an AWS KMS key:

aws kms list-grants --region your-region --key-id your-KMS-key-ID | jq -r '.Grants[].GranteePrincipal' | sort | uniq -c

Note: You must have jq installed to run the preceding command. For instructions to install jq, see JSON output format.
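The commands above cover one Region and one key at a time. The following script is an added example, not part of the original article, that does the same job with the AWS SDK for Python (boto3): it walks every KMS Region, paginates list_keys and list_grants, records keys whose key policy denies kms:ListGrants instead of aborting, and then summarizes grant counts per key and per grantee principal. The SAMPLE_GRANTS data is constructed to illustrate the shape of ListGrants output; the key IDs and account number are documentation placeholders, not real resources. It assumes boto3 is installed and that credentials with kms:ListKeys and kms:ListGrants are configured.

```python
"""Enumerate AWS KMS grants per Region and summarize them by key and principal.

Added example: this is not code from the AWS article. Assumes boto3 and
credentials allowing kms:ListKeys and kms:ListGrants. SAMPLE_GRANTS is
constructed data shaped like the Grants[] elements that ListGrants returns.
"""
import sys
from collections import Counter


# Constructed sample in the shape of {key_id: [grant, ...]} as collect_grants()
# returns it. None marks a key whose policy denied kms:ListGrants.
SAMPLE_GRANTS = {
    "1234abcd-12ab-34cd-56ef-1234567890ab": [
        {"GranteePrincipal": "arn:aws:iam::111122223333:role/app-role",
         "Operations": ["Decrypt"]},
        {"GranteePrincipal": "arn:aws:iam::111122223333:role/app-role",
         "Operations": ["Encrypt"]},
        {"GranteePrincipal": "arn:aws:iam::111122223333:user/alice",
         "Operations": ["GenerateDataKey"]},
    ],
    "0987dcba-09fe-87dc-65ba-ab0987654321": [
        {"GranteePrincipal": "arn:aws:iam::111122223333:role/app-role",
         "Operations": ["Decrypt"]},
    ],
    "no-list-grants-permission-key": None,
}


def summarize_grants(grants_by_key):
    """Return (grants_per_key, principal_counts, inaccessible_keys).

    grants_per_key maps key ID -> number of grants; principal_counts is a
    Counter of GranteePrincipal across all readable keys (the same figure the
    jq | sort | uniq -c pipeline produces, but for every key at once);
    inaccessible_keys lists keys where ListGrants was denied.
    """
    per_key = {}
    principals = Counter()
    inaccessible = []
    for key_id, grants in grants_by_key.items():
        if grants is None:
            inaccessible.append(key_id)
            continue
        per_key[key_id] = len(grants)
        for grant in grants:
            principals[grant["GranteePrincipal"]] += 1
    return per_key, principals, inaccessible


def collect_grants(region, session=None):
    """Return {key_id: [grants] or None} for every KMS key in one Region.

    Paginators are used so accounts with more than one page of keys or grants
    are fully covered. ListGrants is authorized by each key's policy, so an
    AccessDeniedException on one key is recorded as None rather than raised.
    """
    import boto3  # imported lazily so summarize_grants() works offline
    from botocore.exceptions import ClientError

    session = session or boto3.Session()
    kms = session.client("kms", region_name=region)
    result = {}
    for page in kms.get_paginator("list_keys").paginate():
        for key in page["Keys"]:
            key_id = key["KeyId"]
            try:
                grants = []
                for gpage in kms.get_paginator("list_grants").paginate(KeyId=key_id):
                    grants.extend(gpage["Grants"])
                result[key_id] = grants
            except ClientError as err:
                if err.response["Error"]["Code"] == "AccessDeniedException":
                    result[key_id] = None
                else:
                    raise
    return result


def main(regions):
    """Print a per-Region summary; Regions default to every KMS endpoint."""
    import boto3
    from botocore.exceptions import ClientError

    session = boto3.Session()
    regions = regions or session.get_available_regions("kms")
    for region in regions:
        try:
            grants_by_key = collect_grants(region, session)
        except ClientError as err:  # e.g. an opt-in Region that is not enabled
            print(f"{region}: skipped ({err.response['Error']['Code']})")
            continue
        per_key, principals, denied = summarize_grants(grants_by_key)
        print(f"== {region}: {len(per_key)} keys readable, {len(denied)} denied")
        for key_id, count in sorted(per_key.items()):
            print(f"  {key_id}: {count} grant(s)")
        for principal, count in principals.most_common():
            print(f"  {count:4d} {principal}")


if __name__ == "__main__":
    main(sys.argv[1:])  # usage: python kms_grants.py [region ...]
```

Run it with no arguments to cover every Region the SDK knows a KMS endpoint for, or pass Region names to restrict the scan. Keys that show up under "denied" are the ones to investigate next: list-keys proved they exist in your account, but their key policy does not let your principal read their grants.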

AWS OFFICIAL
Updated 4 months ago