Find KMS keys and key material in an Amazon CloudHSM key store - Amazon Key Management Service

Find KMS keys and key material in an Amazon CloudHSM key store

If you manage Amazon CloudHSM key stores, you might need to identify which KMS keys belong to each key store. For example, you might need to do some of the following tasks.

  • Track the KMS keys in an Amazon CloudHSM key store in Amazon CloudTrail logs.

  • Predict the effect on KMS keys of disconnecting an Amazon CloudHSM key store.

  • Schedule deletion of KMS keys before you delete an Amazon CloudHSM key store.

In addition, you might want to identify the keys in your Amazon CloudHSM cluster that serve as key material for your KMS keys. Although Amazon KMS manages the KMS keys and their key material, you retain control of, and responsibility for, your Amazon CloudHSM cluster, its HSMs and backups, and the keys in the HSMs. You might need to identify those keys in order to audit the key material, protect it from accidental deletion, or delete it from the HSMs and cluster backups after you delete the KMS key.

All key material for the KMS keys in your Amazon CloudHSM key store is owned by the kmsuser crypto user (CU). Amazon KMS sets the key label attribute, which is viewable only in Amazon CloudHSM, to the Amazon Resource Name (ARN) of the KMS key.
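The following is an added example written for this page, not AWS sample code. It works from the KeyMetadata that kms:DescribeKey returns (the CustomKeyStoreId, CloudHsmClusterId and Origin fields) to list the KMS keys backed by one Amazon CloudHSM key store, uses those key ARNs as the labels to search for in the cluster (Amazon KMS sets the key label to the KMS key ARN, as stated above), and filters CloudTrail records down to the KMS calls that touched those keys. The key metadata, CloudTrail records, account ID, Region, key store IDs and cluster IDs are all constructed so the code runs offline; the boto3 calls shown in the comment are the assumed way to gather real metadata.

```python
"""Added example for this page (not AWS sample code). It works on the
KeyMetadata that kms:DescribeKey returns and on CloudTrail records, both
constructed inline here so the code runs offline.
"""
from __future__ import annotations

# Constructed account and Region used for the sample ARNs below.
ACCOUNT = "111122223333"
REGION = "us-west-2"


def _arn(key_id: str) -> str:
    """Build a KMS key ARN for the constructed account and Region."""
    return f"arn:aws:kms:{REGION}:{ACCOUNT}:key/{key_id}"


# Constructed KeyMetadata dicts in the shape kms:DescribeKey returns.
# In a live account you would collect them with boto3 (assumed usage):
#   kms = boto3.client("kms")
#   for page in kms.get_paginator("list_keys").paginate():
#       for key in page["Keys"]:
#           metadata.append(kms.describe_key(KeyId=key["KeyId"])["KeyMetadata"])
SAMPLE_KEY_METADATA = [
    {   # KMS key backed by the CloudHSM key store we care about
        "KeyId": "1234abcd-12ab-34cd-56ef-1234567890ab",
        "Arn": _arn("1234abcd-12ab-34cd-56ef-1234567890ab"),
        "KeyState": "Enabled",
        "Origin": "AWS_CLOUDHSM",
        "CustomKeyStoreId": "cks-1234567890abcdef0",
        "CloudHsmClusterId": "cluster-1a23b4cdefg",
    },
    {   # standard KMS key: no CustomKeyStoreId at all
        "KeyId": "0987dcba-09fe-87dc-65ba-ab0987654321",
        "Arn": _arn("0987dcba-09fe-87dc-65ba-ab0987654321"),
        "KeyState": "Enabled",
        "Origin": "AWS_KMS",
    },
    {   # key in a different CloudHSM key store, already scheduled for deletion
        "KeyId": "abcd1234-a123-456a-a12b-a123b4cd56ef",
        "Arn": _arn("abcd1234-a123-456a-a12b-a123b4cd56ef"),
        "KeyState": "PendingDeletion",
        "Origin": "AWS_CLOUDHSM",
        "CustomKeyStoreId": "cks-0fedcba9876543210",
        "CloudHsmClusterId": "cluster-9z8y7xwvuts",
    },
]

# Constructed CloudTrail records, trimmed to the fields used here.
SAMPLE_CLOUDTRAIL_RECORDS = [
    {"eventTime": "2024-05-01T10:00:00Z", "eventSource": "kms.amazonaws.com",
     "eventName": "GenerateDataKey",
     "requestParameters": {"keyId": "1234abcd-12ab-34cd-56ef-1234567890ab"},
     "resources": [{"ARN": _arn("1234abcd-12ab-34cd-56ef-1234567890ab"),
                    "type": "AWS::KMS::Key"}]},
    {"eventTime": "2024-05-01T10:05:00Z", "eventSource": "kms.amazonaws.com",
     "eventName": "Decrypt",
     "requestParameters": {"keyId": _arn("0987dcba-09fe-87dc-65ba-ab0987654321")},
     "resources": [{"ARN": _arn("0987dcba-09fe-87dc-65ba-ab0987654321"),
                    "type": "AWS::KMS::Key"}]},
    {"eventTime": "2024-05-01T10:10:00Z", "eventSource": "kms.amazonaws.com",
     "eventName": "ScheduleKeyDeletion",
     "requestParameters": {"keyId": _arn("1234abcd-12ab-34cd-56ef-1234567890ab"),
                           "pendingWindowInDays": 7},
     "resources": [{"ARN": _arn("1234abcd-12ab-34cd-56ef-1234567890ab"),
                    "type": "AWS::KMS::Key"}]},
    {"eventTime": "2024-05-01T10:15:00Z", "eventSource": "cloudhsm.amazonaws.com",
     "eventName": "DescribeClusters", "requestParameters": {}, "resources": []},
]


def keys_in_custom_key_store(metadata, custom_key_store_id):
    """ARNs of the KMS keys whose key material lives in custom_key_store_id.
    KeyMetadata omits CustomKeyStoreId for keys outside any custom key store,
    hence .get(). Origin is checked too: a custom key store can also be an
    external key store, whose keys report EXTERNAL_KEY_STORE, not AWS_CLOUDHSM."""
    return [m["Arn"] for m in metadata
            if m.get("CustomKeyStoreId") == custom_key_store_id
            and m.get("Origin") == "AWS_CLOUDHSM"]


def cloudtrail_records_for_keys(records, key_arns):
    """CloudTrail records from kms.amazonaws.com that reference one of key_arns,
    either in the resources list or as requestParameters.keyId (callers may
    pass that as a bare key ID or as the full ARN, so both forms are matched)."""
    arns = set(key_arns)
    key_ids = {arn.rsplit("/", 1)[1] for arn in arns}
    hits = []
    for rec in records:
        if rec.get("eventSource") != "kms.amazonaws.com":
            continue
        resource_arns = {r.get("ARN") for r in rec.get("resources", [])}
        requested = (rec.get("requestParameters") or {}).get("keyId")
        if resource_arns & arns or requested in arns or requested in key_ids:
            hits.append(rec)
    return hits


def key_store_report(metadata, records, custom_key_store_id):
    """What an operator wants before disconnecting or deleting a key store:
    the keys it backs (with state), the labels to look for in the cluster,
    which keys still need deletion scheduled, and the KMS CloudTrail activity
    against those keys."""
    arns = keys_in_custom_key_store(metadata, custom_key_store_id)
    states = {m["Arn"]: m["KeyState"] for m in metadata if m["Arn"] in arns}
    return {
        "key_store": custom_key_store_id,
        "keys": states,
        # Amazon KMS stores each key's material under the kmsuser CU with the
        # KMS key ARN as its label, so the ARNs are the labels to search for.
        "hsm_labels": arns,
        "not_yet_pending_deletion": [a for a, s in states.items() if s != "PendingDeletion"],
        "cloudtrail_events": [(r["eventTime"], r["eventName"])
                              for r in cloudtrail_records_for_keys(records, arns)],
    }


if __name__ == "__main__":
    import json
    print(json.dumps(key_store_report(SAMPLE_KEY_METADATA, SAMPLE_CLOUDTRAIL_RECORDS,
                                      "cks-1234567890abcdef0"), indent=2))
```

The `hsm_labels` list is what you carry over to the cluster side: because the key material is owned by the kmsuser CU and labelled with the KMS key ARN, you log in to the cluster as kmsuser and search the key label attribute for each ARN. Keep in mind that `KeyState` is read at one point in time; re-run the report immediately before you disconnect or delete the key store rather than relying on an earlier inventory.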

To find KMS keys and key material, use any of the following techniques.