KMS Cheat Sheet

Links

The Complete Guide to AWS KMS

AWS KMS whitepaper

Logging KMS events with CloudTrail

KMS Encryption Context

Protect API Calls with MFA

Useful Commands

Check a key type:

aws kms describe-key --key-id <key-id> --region <region> | jq '.KeyMetadata.KeyManager'

Get a key policy:

aws kms get-key-policy --key-id <key-id> --policy-name default --region <region> --output text | jq '.'

Check if the key policy allows IAM permissions (matches the default key policy statement by its Sid):

aws kms get-key-policy --key-id <key-id> --policy-name default --region <region> --output text | jq '.Statement[] | select(.Sid=="Enable IAM User Permissions")'

Update a key policy:

aws kms put-key-policy --policy-name default --key-id <key-id> --region <region> --policy file://policy.json

List grants for a key:

aws kms list-grants --key-id <key-id> --region <region>

Create a grant for a key:

aws kms create-grant --key-id <key-id> --grantee-principal <grantee-principal-arn> --operations <operation-1> <operation-2> --region <region>

Retire a grant:

aws kms retire-grant --key-id <key-arn> --grant-id <grant-id> --region <region>

Enable automatic key rotation:

aws kms enable-key-rotation --key-id <key-id> --region <region>
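
The IAM-permissions check above selects on the Sid "Enable IAM User Permissions", but a Sid is free text, so a renamed statement is missed. The added example below (not part of the original cheat sheet) instead looks for Allow statements whose principal is the account itself, which is what lets IAM policies grant access to the key. The function names, the account ID 111122223333 and the sample policy are constructed for illustration.

```python
import json
import re
import sys

# Account principal: root ARN in any partition, or a bare 12-digit account ID.
ACCOUNT = re.compile(r"^(?:arn:aws[a-z-]*:iam::(\d{12}):root|(\d{12}))$")

def as_list(value):
    """Policy fields may hold a single value or a list."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]

def account_principals(principal):
    """Account IDs that a Principal element names as whole-account principals."""
    if not isinstance(principal, dict):  # "Principal": "*" names no account
        return set()
    matches = (ACCOUNT.match(p) for p in as_list(principal.get("AWS")))
    return {m.group(1) or m.group(2) for m in matches if m}

def iam_delegations(policy, account_id):
    """Allow statements that hand key access over to IAM policies in account_id."""
    hits = []
    for st in as_list(policy.get("Statement")):
        if st.get("Effect") != "Allow" or "Action" not in st:
            continue
        if account_id in account_principals(st.get("Principal")):
            hits.append({"sid": st.get("Sid"), "actions": as_list(st["Action"]),
                         "conditioned": "Condition" in st})
    return hits

# Constructed sample: the delegating statement does not use the default Sid.
SAMPLE = {
    "Statement": [
        {"Sid": "AccountAdmin", "Effect": "Allow",
         "Principal": {"AWS": "arn:aws:iam::111122223333:root"},
         "Action": "kms:*", "Resource": "*"},
        {"Sid": "AppDecrypt", "Effect": "Allow",
         "Principal": {"AWS": "arn:aws:iam::111122223333:role/app"},
         "Action": ["kms:Decrypt", "kms:DescribeKey"], "Resource": "*"},
    ],
}

if __name__ == "__main__":
    # Usage: aws kms get-key-policy ... --output text | python3 this_file.py <account-id>
    raw = "" if sys.stdin.isatty() else sys.stdin.read()
    policy = json.loads(raw) if raw.strip() else SAMPLE  # no input: use the sample
    account = sys.argv[1] if len(sys.argv) > 1 else "111122223333"
    print(json.dumps(iam_delegations(policy, account), indent=2))
```

An empty result means only the principals named directly in the key policy (and any grants) can use the key; IAM policies alone will not grant access.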