KMS key last rotated timestamp


How do I get the KMS key last rotated timestamp using the CLI?

1 Answer
Accepted Answer

I didn't think you could check the rotated timestamps in the AWS CLI.

I thought I could get it with "get-key-rotation-status", but the documentation does not provide timestamp information.

How about checking CloudTrail events instead?
The "RotateKey" event is recorded in CloudTrail, so you can check the time of execution from here.

With AWS CLI, it would look like this.

    aws cloudtrail lookup-events --lookup-attributes AttributeKey=EventName,AttributeValue=RotateKey
answered 8 days ago
  • The cloudtrail command was the right direction, but the command you provided as an example gets all RotateKey events. What should I do if I want to get it for a particular key?

  • If the ARN of the KMS key is known, it can be narrowed down by adding "--lookup-attributes" as follows. In the following command, replace "arn:aws:kms:region:AWS Account ID:key/Key ID" with the ARN of your KMS key.

    aws cloudtrail lookup-events --lookup-attributes AttributeKey=ResourceName,AttributeValue="arn:aws:kms:region:AWS Account ID:key/Key ID" --query "Events[?EventName=='RotateKey']"
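
Added example (not part of the original answer or comments, and not AWS's own code): a Python helper that builds a lookup for one key and pulls the newest RotateKey time out of the CLI's JSON output. It assumes the LookupEvents limit of one lookup attribute per request, so it looks up by ResourceName and filters the event name locally; the key ARNs and events are constructed sample data. lookup-events only searches the last 90 days of management events, so an older rotation returns None.

```python
import json
from datetime import datetime, timezone

def build_lookup_cmd(key_arn):
    """argv for the CLI call: one lookup attribute (the key ARN), JSON output."""
    return ["aws", "cloudtrail", "lookup-events", "--lookup-attributes",
            f"AttributeKey=ResourceName,AttributeValue={key_arn}",
            "--output", "json"]

def _event_time(value):
    # AWS CLI v1 prints EventTime as epoch seconds, v2 as an ISO 8601 string.
    if isinstance(value, (int, float)):
        return datetime.fromtimestamp(value, tz=timezone.utc)
    parsed = datetime.fromisoformat(value.replace("Z", "+00:00"))
    return parsed if parsed.tzinfo else parsed.replace(tzinfo=timezone.utc)

def last_rotation(lookup_json, key_arn):
    """Newest RotateKey time for key_arn in lookup-events output, else None."""
    times = []
    for event in json.loads(lookup_json).get("Events", []):
        if event.get("EventName") != "RotateKey":
            continue  # the ARN lookup also returns DescribeKey, Decrypt, etc.
        resources = event.get("Resources", [])
        if any(r.get("ResourceName") == key_arn for r in resources):
            times.append(_event_time(event["EventTime"]))
    return max(times, default=None)

# Constructed sample data: placeholder ARNs and events, both time formats.
KEY = "arn:aws:kms:us-east-1:111122223333:key/EXAMPLE-KEY-ID"
OTHER = "arn:aws:kms:us-east-1:111122223333:key/OTHER-KEY-ID"
SAMPLE = json.dumps({"Events": [
    {"EventName": "RotateKey", "EventTime": "2024-03-10T08:15:00+00:00",
     "Resources": [{"ResourceType": "AWS::KMS::Key", "ResourceName": KEY}]},
    {"EventName": "RotateKey", "EventTime": 1700000000.0,
     "Resources": [{"ResourceType": "AWS::KMS::Key", "ResourceName": KEY}]},
    {"EventName": "RotateKey", "EventTime": "2024-06-01T00:00:00+00:00",
     "Resources": [{"ResourceType": "AWS::KMS::Key", "ResourceName": OTHER}]},
    {"EventName": "DescribeKey", "EventTime": "2024-07-01T00:00:00+00:00",
     "Resources": [{"ResourceType": "AWS::KMS::Key", "ResourceName": KEY}]},
]})

if __name__ == "__main__":
    print(" ".join(build_lookup_cmd(KEY)))
    print(last_rotation(SAMPLE, KEY))
```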
