Check External Key Management Service Key Status

  • Release version: Australia
  • Updated: March 12, 2026
  • Time required: 3 minutes
  • View the status of your Amazon Web Services Key Management System (AWS KMS) key in your instance.

    Before you begin

    Roles required: admin, security_admin, and sn_kmf.cryptographic_manager

    Verify that you have:

    About this task

    You can check your AWS KMS key status at any time to verify its current state. Common scenarios for checking key status include resolving encryption failures, security audits, verifying synchronization after changes in AWS, or confirming your configuration before making updates.

    Procedure

    1. Navigate to All > System Security > Field Encryption > EKMS Configuration.
    2. Open your EKMS configuration record.
    3. Locate the External Key Status field.

      The status field displays one of the following values:

      • Enabled: Key is active and can be used for all encryption and decryption operations.
      • Disabled: Key can't be used for encryption or decryption until re-enabled in AWS.
      • Pending deletion: Key is scheduled for deletion and can't be used.
      • Deleted: Key has been permanently deleted and can't be recovered.
    4. Note the status and the last synchronization time.
      The synchronization timestamp shows when the status was last updated from AWS.
    5. If the status doesn't match what you expect, manually synchronize the key status.
      The automatic synchronization job runs every 30 minutes. For immediate updates, trigger manual synchronization. See Manually synchronize External Key Management Service key status.

    Result

    You have verified your current AWS KMS key status. You can take appropriate action based on the status.

    What to do next

    Based on the key status you see:

    • Enabled: No action required. Your key is operational.
    • Disabled: If this status is unexpected, check AWS KMS to determine why the key was disabled. A disabled key triggers banner messages and a high-priority security task alerting you to the disabled key.
    • Pending deletion: If you must keep the key, cancel the scheduled deletion in AWS immediately. You have 7 to 30 days before permanent deletion.
    • Deleted: The key is permanently deleted. Data encrypted with this key can't be recovered. You must configure a new EKMS key.
    Important:
    If your key is disabled or pending deletion, you must re-enable the key to create or update records in tables with encrypted field configurations.
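The status shown in the EKMS configuration record is a copy of the AWS KMS key state, refreshed by a job that runs every 30 minutes, so step 5 of the procedure and the list above both hinge on comparing the instance's view with what AWS reports. The following script is an added example, not part of this documentation or of the ServiceNow product: it takes the `KeyMetadata` returned by the AWS KMS `DescribeKey` API (the `KeyState` and `DeletionDate` fields are real API fields; the sample values are constructed), the status displayed in the instance and its last synchronization time, and reports whether the sync is stale, whether the two views disagree, how many days remain before a scheduled deletion, and whether encrypted-field writes are currently possible. The `fetch_key_metadata` helper uses boto3 and needs AWS credentials; it is assumed, and not exercised offline.

```python
from datetime import datetime, timedelta, timezone

# AWS KMS KeyState values (DescribeKey) mapped to the labels the EKMS
# configuration record displays. A key that no longer exists makes DescribeKey
# fail with NotFoundException, which this example represents as metadata=None.
AWS_STATE_TO_EKMS = {
    "Enabled": "Enabled",
    "Disabled": "Disabled",
    "PendingDeletion": "Pending deletion",
}

# Cadence of the automatic synchronization job described on the page.
SYNC_INTERVAL = timedelta(minutes=30)

# Recommended follow-up per status, as listed under "What to do next".
ACTIONS = {
    "Enabled": "No action required.",
    "Disabled": "Check AWS KMS to determine why the key was disabled.",
    "Pending deletion": "Cancel the scheduled deletion in AWS if the key must be kept.",
    "Deleted": "Configure a new EKMS key; data encrypted with the old key can't be recovered.",
}


def fetch_key_metadata(key_id, region_name=None):
    """Assumed helper: fetch KeyMetadata from AWS KMS with boto3 (needs credentials).

    Returns None when the key no longer exists, mirroring the 'Deleted' case.
    boto3 is imported lazily so the rest of the module runs offline.
    """
    import boto3
    kms = boto3.client("kms", region_name=region_name)
    try:
        return kms.describe_key(KeyId=key_id)["KeyMetadata"]
    except kms.exceptions.NotFoundException:
        return None


def assess_key(metadata, displayed_status, last_sync, now=None):
    """Compare the instance's displayed status with the live AWS key state.

    metadata: KeyMetadata dict from DescribeKey, or None if the key is gone.
    displayed_status: the External Key Status value shown in the instance.
    last_sync: timezone-aware datetime of the last status synchronization.
    """
    now = now or datetime.now(timezone.utc)

    if metadata is None:
        aws_status = "Deleted"
        deletion_date = None
    else:
        aws_status = AWS_STATE_TO_EKMS.get(metadata.get("KeyState"), "Unsupported")
        deletion_date = metadata.get("DeletionDate")

    # Whole days left before permanent deletion (AWS allows a 7 to 30 day window).
    days_until_deletion = None
    if deletion_date is not None:
        days_until_deletion = max((deletion_date - now).days, 0)

    return {
        "aws_status": aws_status,
        "displayed_status": displayed_status,
        # The two views disagree: a manual synchronization is warranted.
        "drift": aws_status != displayed_status,
        # Last sync is older than one job interval: the sync job may not be running.
        "stale_sync": (now - last_sync) > SYNC_INTERVAL,
        "days_until_deletion": days_until_deletion,
        # Per the Important note, only an enabled key permits creating or
        # updating records in tables with encrypted field configurations.
        "can_write_encrypted_fields": aws_status == "Enabled",
        "action": ACTIONS.get(aws_status, "Investigate: unexpected key state."),
    }


if __name__ == "__main__":
    # Constructed sample: AWS already shows the key pending deletion in 7 days,
    # while the instance still displays "Enabled" from a sync 45 minutes ago.
    now = datetime(2026, 3, 12, 12, 0, tzinfo=timezone.utc)
    sample = {
        "KeyId": "00000000-0000-0000-0000-000000000000",  # placeholder key id
        "KeyState": "PendingDeletion",
        "DeletionDate": now + timedelta(days=7, hours=3),
    }
    report = assess_key(sample, "Enabled", now - timedelta(minutes=45), now=now)
    for field, value in report.items():
        print(f"{field}: {value}")
```

Run against live metadata, `assess_key(fetch_key_metadata("alias/your-key"), status_from_record, last_sync_from_record)` gives the same report; a `drift` of `True` is the signal to trigger the manual synchronization described in step 5, and a `stale_sync` of `True` with no drift suggests checking that the automatic job itself is healthy.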