Determining past usage of a KMS key - Amazon Key Management Service

Determining past usage of a KMS key

Before deleting a KMS key, you might want to know how many ciphertexts were encrypted under that key. Amazon KMS does not store this information, and does not store any of the ciphertexts. Knowing how a KMS key was used in the past might help you decide whether or not you will need it in the future. This topic suggests several strategies that can help you determine the past usage of a KMS key.


These strategies for determining past and actual usage are effective only for Amazon users and Amazon KMS operations. They cannot detect use of the public key of an asymmetric KMS key outside of Amazon KMS. For details about the special risks of deleting asymmetric KMS keys used for public key cryptography, including creating ciphertexts that cannot be decrypted, see Deleting asymmetric KMS keys.

Examining KMS key permissions to determine the scope of potential usage

Determining who or what currently has access to a KMS key might help you determine how widely the KMS key was used and whether it is still needed. To learn how to determine who or what currently has access to a KMS key, go to Determining access to Amazon KMS keys.

Examining Amazon CloudTrail logs to determine actual usage

You might be able to use a KMS key usage history to help you determine whether you have ciphertexts encrypted under a particular KMS key.

All Amazon KMS API activity is recorded in Amazon CloudTrail log files. If you have created a CloudTrail trail in the Region where your KMS key is located, you can examine your CloudTrail log files to view a history of all Amazon KMS API activity for a particular KMS key. If you don't have a trail, you can still view recent events in your CloudTrail event history. For details about how Amazon KMS uses CloudTrail, see Logging Amazon KMS API calls with Amazon CloudTrail.

The following examples show CloudTrail log entries that are generated when a KMS key is used to protect an object stored in Amazon Simple Storage Service (Amazon S3). In this example, the object is uploaded to Amazon S3 using server-side encryption with KMS keys (SSE-KMS). When you upload an object to Amazon S3 with SSE-KMS, you specify the KMS key to use for protecting the object. Amazon S3 uses the Amazon KMS GenerateDataKey operation to request a unique data key for the object, and this request event is logged in CloudTrail with an entry similar to the following:

{
  "eventVersion": "1.02",
  "userIdentity": {
    "type": "AssumedRole",
    "principalId": "AROACKCEVSQ6C2EXAMPLE:example-user",
    "arn": "arn:aws:sts::111122223333:assumed-role/Admins/example-user",
    "accountId": "111122223333",
    "accessKeyId": "AKIAIOSFODNN7EXAMPLE",
    "sessionContext": {
      "attributes": {
        "mfaAuthenticated": "false",
        "creationDate": "2015-09-10T23:12:48Z"
      },
      "sessionIssuer": {
        "type": "Role",
        "principalId": "AROACKCEVSQ6C2EXAMPLE",
        "arn": "arn:aws:iam::111122223333:role/Admins",
        "accountId": "111122223333",
        "userName": "Admins"
      }
    },
    "invokedBy": ""
  },
  "eventTime": "2015-09-10T23:58:18Z",
  "eventSource": "",
  "eventName": "GenerateDataKey",
  "awsRegion": "us-west-2",
  "sourceIPAddress": "",
  "userAgent": "",
  "requestParameters": {
    "encryptionContext": {"aws:s3:arn": "arn:aws:s3:::example_bucket/example_object"},
    "keySpec": "AES_256",
    "keyId": "arn:aws:kms:us-west-2:111122223333:key/1234abcd-12ab-34cd-56ef-1234567890ab"
  },
  "responseElements": null,
  "requestID": "cea04450-5817-11e5-85aa-97ce46071236",
  "eventID": "80721262-21a5-49b9-8b63-28740e7ce9c9",
  "readOnly": true,
  "resources": [{
    "ARN": "arn:aws:kms:us-west-2:111122223333:key/1234abcd-12ab-34cd-56ef-1234567890ab",
    "accountId": "111122223333"
  }],
  "eventType": "AwsApiCall",
  "recipientAccountId": "111122223333"
}

When you later download this object from Amazon S3, Amazon S3 sends a Decrypt request to Amazon KMS to decrypt the object's data key using the specified KMS key. When you do this, your CloudTrail log files include an entry similar to the following:

{
  "eventVersion": "1.02",
  "userIdentity": {
    "type": "AssumedRole",
    "principalId": "AROACKCEVSQ6C2EXAMPLE:example-user",
    "arn": "arn:aws:sts::111122223333:assumed-role/Admins/example-user",
    "accountId": "111122223333",
    "accessKeyId": "AKIAIOSFODNN7EXAMPLE",
    "sessionContext": {
      "attributes": {
        "mfaAuthenticated": "false",
        "creationDate": "2015-09-10T23:12:48Z"
      },
      "sessionIssuer": {
        "type": "Role",
        "principalId": "AROACKCEVSQ6C2EXAMPLE",
        "arn": "arn:aws:iam::111122223333:role/Admins",
        "accountId": "111122223333",
        "userName": "Admins"
      }
    },
    "invokedBy": ""
  },
  "eventTime": "2015-09-10T23:58:39Z",
  "eventSource": "",
  "eventName": "Decrypt",
  "awsRegion": "us-west-2",
  "sourceIPAddress": "",
  "userAgent": "",
  "requestParameters": {
    "encryptionContext": {"aws:s3:arn": "arn:aws:s3:::example_bucket/example_object"}
  },
  "responseElements": null,
  "requestID": "db750745-5817-11e5-93a6-5b87e27d91a0",
  "eventID": "ae551b19-8a09-4cfc-a249-205ddba330e3",
  "readOnly": true,
  "resources": [{
    "ARN": "arn:aws:kms:us-west-2:111122223333:key/1234abcd-12ab-34cd-56ef-1234567890ab",
    "accountId": "111122223333"
  }],
  "eventType": "AwsApiCall",
  "recipientAccountId": "111122223333"
}

All Amazon KMS API activity is logged by CloudTrail. By evaluating these log entries, you might be able to determine the past usage of a particular KMS key, and this might help you determine whether or not you want to delete it.
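One way to evaluate such entries in bulk, as an added example that is not part of the original documentation: the hypothetical function summarize_key_usage reads one CloudTrail log file and reports which operations, principals and encryption contexts referenced a given KMS key, and when. The sample records are constructed from the two entries above plus two constructed ones (a second key ARN and a DescribeKey call); the key is matched on resources[].ARN because the Decrypt entry carries no keyId in requestParameters.

```python
import json
from collections import Counter

KEY_ARN = "arn:aws:kms:us-west-2:111122223333:key/1234abcd-12ab-34cd-56ef-1234567890ab"
OTHER_ARN = "arn:aws:kms:us-west-2:111122223333:key/0987dcba-09fe-87dc-65ba-ab0987654321"  # constructed
USER = "arn:aws:sts::111122223333:assumed-role/Admins/example-user"
S3_CTX = {"aws:s3:arn": "arn:aws:s3:::example_bucket/example_object"}

def _rec(name, time, key_arn, params):
    """Build a constructed CloudTrail record holding only the fields used below."""
    return {"eventName": name, "eventTime": time, "userIdentity": {"arn": USER},
            "requestParameters": params, "resources": [{"ARN": key_arn}]}

# Constructed sample in CloudTrail's {"Records": [...]} log file layout.
SAMPLE_LOG = json.dumps({"Records": [
    _rec("GenerateDataKey", "2015-09-10T23:58:18Z", KEY_ARN,
         {"encryptionContext": S3_CTX, "keySpec": "AES_256", "keyId": KEY_ARN}),
    _rec("Decrypt", "2015-09-10T23:58:39Z", KEY_ARN, {"encryptionContext": S3_CTX}),
    _rec("Decrypt", "2015-09-11T08:00:00Z", OTHER_ARN, {"encryptionContext": S3_CTX}),
    _rec("DescribeKey", "2015-09-12T10:00:00Z", KEY_ARN, {"keyId": KEY_ARN}),
]})

def summarize_key_usage(log_text, key_arn):
    """Summarize the events in one CloudTrail log file that reference key_arn."""
    events, principals, contexts, times = Counter(), Counter(), set(), []
    for rec in json.loads(log_text).get("Records", []):
        # Match on resources[].ARN: the Decrypt entry has no keyId in requestParameters.
        if key_arn not in {r.get("ARN") for r in rec.get("resources") or []}:
            continue
        events[rec["eventName"]] += 1
        principals[rec.get("userIdentity", {}).get("arn", "unknown")] += 1
        params = rec.get("requestParameters") or {}  # defensive: tolerate null
        for name, value in (params.get("encryptionContext") or {}).items():
            contexts.add(f"{name}={value}")  # identifies the protected resource
        times.append(rec["eventTime"])  # same-format UTC timestamps sort as strings
    return {"events": dict(events), "principals": dict(principals),
            "contexts": sorted(contexts),
            "first_seen": min(times, default=None),
            "last_seen": max(times, default=None)}

if __name__ == "__main__":
    print(json.dumps(summarize_key_usage(SAMPLE_LOG, KEY_ARN), indent=2))
```

GenerateDataKey counts indicate data keys that were issued under the KMS key, and the encryption context values point at the objects those data keys protect.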

To see more examples of how Amazon KMS API activity appears in your CloudTrail log files, go to Logging Amazon KMS API calls with Amazon CloudTrail. For more information about CloudTrail, go to the Amazon CloudTrail User Guide.