Viewing the cryptographic configuration of KMS keys - Amazon Key Management Service

Viewing the cryptographic configuration of KMS keys

After you create your KMS key, you can view its cryptographic configuration. You cannot change the configuration of a KMS key after it is created. If you prefer a different configuration, delete the KMS key and create it again.

You can find the cryptographic configuration of your KMS keys, including the key spec, key usage, and supported encryption or signing algorithms, in the Amazon KMS console or by using the Amazon KMS API. For details, see Identifying asymmetric KMS keys.

In the Amazon KMS console, the details page for each KMS key includes a Cryptographic configuration tab that displays cryptographic details about your KMS keys. For example, the following image shows the Cryptographic configuration tab for an RSA KMS key used for signing and verification.

The Cryptographic configuration tab for some special purpose KMS keys has additional specialized sections. For example, the Cryptographic configuration tab for a KMS key in a custom key store has a Custom key stores section. The Cryptographic configuration tab for a KMS key in an external key store has an External key section.


In the Amazon KMS API, use the DescribeKey operation. The KeyMetadata structure in the response includes the cryptographic configuration of the KMS key. For example, DescribeKey returns the following response for an RSA KMS key used for signing and verification.

{
  "KeyMetadata": {
    "Arn": "arn:aws:kms:us-west-2:111122223333:key/1234abcd-12ab-34cd-56ef-1234567890ab",
    "AWSAccountId": "111122223333",
    "CreationDate": 1571767572.317,
    "CustomerMasterKeySpec": "RSA_2048",
    "Description": "",
    "Enabled": true,
    "KeyId": "1234abcd-12ab-34cd-56ef-1234567890ab",
    "KeyManager": "CUSTOMER",
    "KeyState": "Enabled",
    "MultiRegion": false,
    "Origin": "AWS_KMS",
    "KeySpec": "RSA_2048",
    "KeyUsage": "SIGN_VERIFY",
    "SigningAlgorithms": [
      "RSASSA_PKCS1_V1_5_SHA_256",
      "RSASSA_PKCS1_V1_5_SHA_384",
      "RSASSA_PKCS1_V1_5_SHA_512",
      "RSASSA_PSS_SHA_256",
      "RSASSA_PSS_SHA_384",
      "RSASSA_PSS_SHA_512"
    ]
  }
}
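Because the configuration cannot be changed after creation, a caller can check a key against its expected key spec, key usage, and algorithm before using it. The following Python is an added example, not code from the Amazon KMS documentation: it inspects a DescribeKey response such as the one above, and the function names crypto_config and check_key are hypothetical. The sample input is the response shown on this page, trimmed to the fields the check reads.

```python
# Added example: validate the cryptographic configuration in a DescribeKey response.
# SAMPLE_RESPONSE reproduces the response on this page, trimmed to the fields used.
SAMPLE_RESPONSE = {
    "KeyMetadata": {
        "KeyId": "1234abcd-12ab-34cd-56ef-1234567890ab",
        "CustomerMasterKeySpec": "RSA_2048",
        "KeySpec": "RSA_2048",
        "KeyUsage": "SIGN_VERIFY",
        "SigningAlgorithms": [
            "RSASSA_PKCS1_V1_5_SHA_256", "RSASSA_PKCS1_V1_5_SHA_384",
            "RSASSA_PKCS1_V1_5_SHA_512", "RSASSA_PSS_SHA_256",
            "RSASSA_PSS_SHA_384", "RSASSA_PSS_SHA_512",
        ],
    }
}


def crypto_config(response):
    """Extract key spec, key usage, and supported algorithms from a response."""
    meta = response["KeyMetadata"]
    return {
        # Prefer KeySpec; CustomerMasterKeySpec is the deprecated duplicate field.
        "key_spec": meta.get("KeySpec") or meta.get("CustomerMasterKeySpec"),
        "key_usage": meta.get("KeyUsage"),
        # Signing keys list SigningAlgorithms; encryption keys list EncryptionAlgorithms.
        "algorithms": sorted(
            meta.get("SigningAlgorithms") or meta.get("EncryptionAlgorithms") or []
        ),
    }


def check_key(response, expected_spec, expected_usage, algorithm):
    """Return a list of findings; an empty list means the key matches expectations."""
    cfg = crypto_config(response)
    findings = []
    if cfg["key_spec"] != expected_spec:
        findings.append(f"key spec is {cfg['key_spec']}, expected {expected_spec}")
    if cfg["key_usage"] != expected_usage:
        findings.append(f"key usage is {cfg['key_usage']}, expected {expected_usage}")
    if algorithm not in cfg["algorithms"]:
        findings.append(f"algorithm {algorithm} is not supported by this key")
    return findings


if __name__ == "__main__":
    print(crypto_config(SAMPLE_RESPONSE))
    print(check_key(SAMPLE_RESPONSE, "RSA_2048", "SIGN_VERIFY", "RSASSA_PSS_SHA_256"))
```

A non-empty result means the key has to be replaced, not reconfigured, since the configuration is fixed at creation.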