Viewing KMS keys in an Amazon CloudHSM key store - Amazon Key Management Service
Services or capabilities described in Amazon Web Services documentation might vary by Region. To see the differences applicable to the China Regions, see Getting Started with Amazon Web Services in China (PDF).

Viewing KMS keys in an Amazon CloudHSM key store

To view the Amazon KMS keys in an Amazon CloudHSM key store, use the same techniques that you would use to view any Amazon KMS customer managed keys. To learn the basics, see Viewing keys. To identify the keys in your Amazon CloudHSM cluster that serve as key material for your KMS key, see Finding KMS keys and key material. For information about viewing the Amazon CloudTrail logs that record all API operations on a custom key store, see Logging Amazon KMS API calls with Amazon CloudTrail.

In the Amazon KMS console, the KMS keys in your custom key store are displayed on the Customer managed keys page, along with all other customer managed keys in your Amazon Web Services account and Region.

However, the following values are specific to KMS keys in an Amazon CloudHSM key store.

  • The name and ID of the Amazon CloudHSM key store that stores the KMS key.

  • The cluster ID of the associated Amazon CloudHSM cluster that contains the key material for the KMS key.

  • An Origin value of Amazon CloudHSM in the Amazon KMS console or AWS_CLOUDHSM in API responses.

  • The key state value can be Unavailable. For help resolving the status, see How to fix unavailable KMS keys.

To view the KMS keys in an Amazon CloudHSM key store (Console)

  1. Open the Amazon KMS console at https://console.amazonaws.cn/kms.

  2. To change the Amazon Web Services Region, use the Region selector in the upper-right corner of the page.

  3. In the navigation pane, choose Customer managed keys.

  4. In the upper-right corner, choose the gear icon, choose Custom key store ID and Origin, then choose Confirm.

  5. To identify KMS keys in any Amazon CloudHSM key store, look for KMS keys with an Origin value of Amazon CloudHSM. To identify KMS keys in a particular Amazon CloudHSM key store, view the values in the Custom key store ID column.

  6. Choose the alias or key ID of a KMS key in an Amazon CloudHSM key store.

    This page displays detailed information about the KMS key, including its Amazon Resource Name (ARN), key policy, and tags.

  7. Choose the Cryptographic configuration tab. The tabs are below the General configuration section.

    This section includes information about the Amazon CloudHSM key store and Amazon CloudHSM cluster associated with the KMS key.

To view the KMS keys in a custom key store (API)

You use the same Amazon KMS API operations to view the KMS keys in an Amazon CloudHSM key store that you would use for any KMS key, including ListKeys, DescribeKey, and GetKeyPolicy. For example, the following describe-key operation in the Amazon CLI shows the special fields for a KMS key in an Amazon CloudHSM key store. Before running a command like this one, replace the example KMS key ID with a valid value.

$ aws kms describe-key --key-id 1234abcd-12ab-34cd-56ef-1234567890ab
{
  "KeyMetadata": {
    "Arn": "arn:aws:kms:us-west-2:111122223333:key/1234abcd-12ab-34cd-56ef-1234567890ab",
    "AWSAccountId": "111122223333",
    "CloudHsmClusterId": "cluster-1a23b4cdefg",
    "CreationDate": 1537582718.431,
    "CustomerMasterKeySpec": "SYMMETRIC_DEFAULT",
    "CustomKeyStoreId": "cks-1234567890abcdef0",
    "Description": "Key in custom key store",
    "Enabled": true,
    "EncryptionAlgorithms": [
      "SYMMETRIC_DEFAULT"
    ],
    "KeyId": "1234abcd-12ab-34cd-56ef-1234567890ab",
    "KeyManager": "CUSTOMER",
    "KeySpec": "SYMMETRIC_DEFAULT",
    "KeyState": "Enabled",
    "KeyUsage": "ENCRYPT_DECRYPT",
    "MultiRegion": false,
    "Origin": "AWS_CLOUDHSM"
  }
}

For help finding the KMS keys in an Amazon CloudHSM key store or identifying the keys in your Amazon CloudHSM cluster that serve as key material for your KMS key, see Finding KMS keys and key material.
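The following script is an added example, not code from the Amazon KMS documentation or the AWS SDK, that automates the API procedure above: it pages through ListKeys, calls DescribeKey on each key, keeps only keys whose Origin is AWS_CLOUDHSM (optionally restricted to one custom key store ID), and reports any of them whose KeyState is Unavailable. The caller needs kms:ListKeys and kms:DescribeKey permission in the account and Region being scanned. The FakeKms class, its key IDs, the second custom key store ID (cks-abcdef0123456789) and the cluster ID cluster-2b34c5defgh are constructed sample data so the script runs offline; with a real boto3 client the same functions work unchanged.

```python
"""Find KMS keys backed by an Amazon CloudHSM key store and flag unavailable ones.

Added example; not part of the Amazon KMS documentation. Works with any object that
exposes get_paginator("list_keys") and describe_key(KeyId=...), such as boto3.client("kms").
"""
import sys
from typing import Dict, List, Optional

CLOUDHSM_ORIGIN = "AWS_CLOUDHSM"


def is_cloudhsm_key(meta: Dict, custom_key_store_id: Optional[str] = None) -> bool:
    """True when a KeyMetadata object describes a key in an Amazon CloudHSM key store.

    If custom_key_store_id is given, only keys in that particular key store match.
    """
    if meta.get("Origin") != CLOUDHSM_ORIGIN:
        return False
    if custom_key_store_id is not None and meta.get("CustomKeyStoreId") != custom_key_store_id:
        return False
    return True


def find_cloudhsm_keys(kms, custom_key_store_id: Optional[str] = None) -> List[Dict]:
    """ListKeys (paginated) + DescribeKey for each key; keep the CloudHSM-backed ones.

    Returns the fields that are specific to keys in a CloudHSM key store plus KeyState.
    """
    found = []
    for page in kms.get_paginator("list_keys").paginate():
        for entry in page["Keys"]:
            meta = kms.describe_key(KeyId=entry["KeyId"])["KeyMetadata"]
            if is_cloudhsm_key(meta, custom_key_store_id):
                found.append({
                    "KeyId": meta["KeyId"],
                    "CustomKeyStoreId": meta.get("CustomKeyStoreId"),
                    "CloudHsmClusterId": meta.get("CloudHsmClusterId"),
                    "KeyState": meta["KeyState"],
                })
    return found


def unavailable_keys(keys: List[Dict]) -> List[Dict]:
    """Keys whose state is Unavailable; see 'How to fix unavailable KMS keys' in the docs."""
    return [k for k in keys if k["KeyState"] == "Unavailable"]


# ---- Constructed sample data (not real resources) so the example runs offline ----
_SAMPLE_KEYS = {
    # Ordinary KMS key with KMS-generated key material: must be ignored.
    "11111111-1111-1111-1111-111111111111": {
        "KeyId": "11111111-1111-1111-1111-111111111111",
        "Origin": "AWS_KMS", "KeyState": "Enabled",
    },
    # Key in the custom key store shown on the page, healthy.
    "1234abcd-12ab-34cd-56ef-1234567890ab": {
        "KeyId": "1234abcd-12ab-34cd-56ef-1234567890ab",
        "Origin": "AWS_CLOUDHSM", "KeyState": "Enabled",
        "CustomKeyStoreId": "cks-1234567890abcdef0",
        "CloudHsmClusterId": "cluster-1a23b4cdefg",
    },
    # Key in a second (constructed) custom key store whose cluster is disconnected.
    "22222222-2222-2222-2222-222222222222": {
        "KeyId": "22222222-2222-2222-2222-222222222222",
        "Origin": "AWS_CLOUDHSM", "KeyState": "Unavailable",
        "CustomKeyStoreId": "cks-abcdef0123456789",
        "CloudHsmClusterId": "cluster-2b34c5defgh",
    },
}


class FakeKms:
    """Minimal stand-in for boto3's KMS client, split into two pages to exercise pagination."""

    class _Paginator:
        def paginate(self):
            ids = list(_SAMPLE_KEYS)
            yield {"Keys": [{"KeyId": k} for k in ids[:2]]}
            yield {"Keys": [{"KeyId": k} for k in ids[2:]]}

    def get_paginator(self, name: str):
        assert name == "list_keys"
        return self._Paginator()

    def describe_key(self, KeyId: str) -> Dict:
        return {"KeyMetadata": dict(_SAMPLE_KEYS[KeyId])}


if __name__ == "__main__":
    # Pass --live to scan the real account/Region of your current AWS credentials.
    if "--live" in sys.argv:
        import boto3  # only needed for a live scan
        client = boto3.client("kms")
    else:
        client = FakeKms()
    keys = find_cloudhsm_keys(client)
    for k in keys:
        print(f"{k['KeyId']}  store={k['CustomKeyStoreId']}  cluster={k['CloudHsmClusterId']}  state={k['KeyState']}")
    for k in unavailable_keys(keys):
        print(f"WARNING: {k['KeyId']} is Unavailable; check the connection state of {k['CustomKeyStoreId']}")
```

Run it without arguments to see the constructed data, or with --live (and boto3 installed) to scan the account and Region your credentials resolve to; custom key stores are Region-scoped, so scan each Region that hosts one. Pass a custom key store ID to find_cloudhsm_keys to restrict the listing to a single key store, which is the API equivalent of reading the Custom key store ID column in the console.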