Determining access to Amazon KMS keys - Amazon Key Management Service
Services or capabilities described in Amazon Web Services documentation might vary by Region. To see the differences applicable to the China Regions, see Getting Started with Amazon Web Services in China (PDF).

Determining access to Amazon KMS keys

To determine the full extent of who or what currently has access to an Amazon KMS key, you must examine the key policy of the KMS key, all grants that apply to the KMS key, and potentially all Amazon Identity and Access Management (IAM) policies. You might do this to determine the scope of potential usage of a KMS key, or to help you meet compliance or auditing requirements. The following topics can help you generate a complete list of the Amazon principals (identities) that currently have access to a KMS key.