I want to list AWS KMS key grants and principals for my AWS Key Management Service (AWS KMS) accounts by AWS Region.
Resolution
Use the AWS Command Line Interface (AWS CLI) or AWS SDKs to retrieve the number of grants and principals an AWS KMS key has. Make sure that you have permissions to run the list-keys and list-grants AWS CLI commands.
Note:
- If you receive errors when you run AWS CLI commands, then see Troubleshoot AWS CLI errors. Also, make sure that you're using the most recent AWS CLI version.
- In the following commands, replace your-region with your Region and your-AWS-KMS-key-ID with your AWS KMS key ID.
Run the following commands to list your AWS KMS keys and then the grants for one key, for Windows, Linux, macOS, or Unix:
aws kms list-keys --region your-region
aws kms list-grants --region your-region --key-id your-AWS-KMS-key-ID
Run the following command to query all your AWS KMS keys for a specific Region for Linux, macOS, or Unix:
for key in $(aws kms list-keys --region your-region --query 'Keys[].KeyId' --output text); do aws kms list-grants --region your-region --key-id "$key"; done
Note: The preceding example uses the built-in AWS CLI --query option to filter elements from the output.
Run the following command to list the number of grants each principal has for an AWS KMS key for Linux, macOS, or Unix:
aws kms list-grants --region your-region --key-id your-AWS-KMS-key-ID | jq '.Grants[].GranteePrincipal' -r | sort | uniq -c
Note: You must have jq installed to run the preceding command. For instructions to install jq, see JSON output format.
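The same inventory can be built with an AWS SDK instead of the CLI and jq. The following is an added example, not code from the article or from AWS: it walks every key in a Region, counts the grants on each key per GranteePrincipal (the equivalent of the `sort | uniq -c` pipeline above), and follows the Truncated/NextMarker pagination that boto3's list_keys and list_grants calls return but that the AWS CLI handles for you. The KMS client is injected so the script runs offline: the FakeKms class, its key IDs, grant IDs and principal ARNs are all constructed sample data; for real use pass `boto3.client("kms", region_name="your-region")` instead.

```python
"""Count AWS KMS grants per grantee principal for every key in one Region.

Added example (not part of the original article). Works with any object that
exposes boto3's kms.list_keys() / kms.list_grants() calls and response shapes;
FakeKms below is a constructed stand-in so the script runs without AWS access.
"""
from collections import Counter


def iter_key_ids(kms):
    """Yield every KeyId in the client's Region, following NextMarker pages."""
    kwargs = {}
    while True:
        page = kms.list_keys(**kwargs)
        for key in page.get("Keys", []):
            yield key["KeyId"]
        if not page.get("Truncated"):
            return
        kwargs["Marker"] = page["NextMarker"]


def iter_grants(kms, key_id):
    """Yield every grant on one key; the SDK does not auto-paginate, so loop on Truncated."""
    kwargs = {"KeyId": key_id}
    while True:
        page = kms.list_grants(**kwargs)
        for grant in page.get("Grants", []):
            yield grant
        if not page.get("Truncated"):
            return
        kwargs["Marker"] = page["NextMarker"]


def grants_by_principal(kms, key_id):
    """Per-principal grant count for one key (what `jq ... | sort | uniq -c` prints)."""
    return Counter(grant["GranteePrincipal"] for grant in iter_grants(kms, key_id))


def grants_by_principal_for_region(kms):
    """Map every KeyId in the Region to its per-principal grant counts."""
    return {key_id: grants_by_principal(kms, key_id) for key_id in iter_key_ids(kms)}


def format_uniq_c(counts):
    """Render a Counter the way `sort | uniq -c` would: sorted by principal, count first."""
    return [f"{counts[principal]:7d} {principal}" for principal in sorted(counts)]


class FakeKms:
    """Constructed stand-in for boto3's KMS client (same calls, same response keys).

    Key A's grants are split over two pages to exercise the pagination loop;
    key B has no grants. All IDs and ARNs are made-up sample values.
    """

    KEY_A = "1234abcd-12ab-34cd-56ef-1234567890ab"
    KEY_B = "0987dcba-09fe-87dc-65ba-ab0987654321"

    _keys = [
        {"KeyId": KEY_A, "KeyArn": f"arn:aws:kms:us-east-1:111122223333:key/{KEY_A}"},
        {"KeyId": KEY_B, "KeyArn": f"arn:aws:kms:us-east-1:111122223333:key/{KEY_B}"},
    ]
    _grant_pages = {
        KEY_A: [
            {
                "Grants": [
                    {"GrantId": "grant-1", "GranteePrincipal": "arn:aws:iam::111122223333:role/app-role",
                     "Operations": ["Decrypt"]},
                    {"GrantId": "grant-2", "GranteePrincipal": "arn:aws:iam::111122223333:user/alice",
                     "Operations": ["Encrypt", "Decrypt"]},
                ],
                "Truncated": True,
                "NextMarker": "page-1",
            },
            {
                "Grants": [
                    {"GrantId": "grant-3", "GranteePrincipal": "arn:aws:iam::111122223333:role/app-role",
                     "Operations": ["GenerateDataKey"]},
                ],
                "Truncated": False,
            },
        ],
        KEY_B: [{"Grants": [], "Truncated": False}],
    }

    def list_keys(self, **kwargs):
        return {"Keys": list(self._keys), "Truncated": False}

    def list_grants(self, KeyId, Marker=None, **kwargs):
        index = int(Marker.split("-")[1]) if Marker else 0
        return self._grant_pages[KeyId][index]


if __name__ == "__main__":
    for key_id, counts in grants_by_principal_for_region(FakeKms()).items():
        print(f"{key_id}: {sum(counts.values())} grant(s)")
        for line in format_uniq_c(counts):
            print(line)
```

Swapping FakeKms for a real boto3 client requires the same kms:ListKeys and kms:ListGrants permissions the article mentions, and the loop runs one list_grants call per key per page, so on accounts with many keys it will take a while and may be throttled.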