Check External Key Management Service Key Status

  • Release: Australia
  • Updated 12 March 2026
  • View the status of your Amazon Web Services Key Management Service (AWS KMS) key in your instance.

    Before you begin

    Roles required: admin, security_admin, and sn_kmf.cryptographic_manager

    Verify that you have:

    About this task

    You can check your AWS KMS key status at any time to verify its current state. Common scenarios for checking key status include resolving encryption failures, security audits, verifying synchronization after changes in AWS, or confirming your configuration before making updates.

    Procedure

    1. Navigate to All > System Security > Field Encryption > EKMS Configuration.
    2. Open your EKMS configuration record.
    3. Locate the External Key Status field.

      The status field displays one of the following values:

      • Enabled - Key is active and can be used for all encryption and decryption operations.
      • Disabled - Key can't be used for encryption or decryption until re-enabled in AWS.
      • Pending deletion - Key is scheduled for deletion and can't be used.
      • Deleted - Key has been permanently deleted and can't be recovered.
    4. Note the status and the last synchronization time.
      The synchronization timestamp shows when the status was last updated from AWS.
    5. If the status doesn't match what you expect, manually synchronize the key status.
      The automatic synchronization job runs every 30 minutes. For immediate updates, trigger manual synchronization. See Manually synchronize External Key Management Service key status.

    Results

    You have verified your current AWS KMS key status. You can take appropriate action based on the status.

    What to do next

    Based on the key status you see:

    • Enabled - No action required. Your key is operational.
    • Disabled - If this status is unexpected, check AWS KMS to determine why the key was disabled. A disabled key triggers banner messages and a high-priority security task alerting you to the disabled key.
    • Pending deletion - If you must keep the key, cancel the scheduled deletion in AWS immediately. You have 7 to 30 days before permanent deletion.
    • Deleted - The key is permanently deleted. Data encrypted with this key can't be recovered. You must configure a new EKMS key.

    Important:
    If your key is disabled or pending deletion, you must re-enable the key to create or update records in tables with encrypted field configurations.
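The procedure and follow-up actions above read the key state that the instance synchronizes from AWS. As an added example (not ServiceNow's or AWS's own code), the following Python script reads the same state directly from AWS KMS with boto3, maps it to the External Key Status values listed above, and computes the remaining deletion window; the sample metadata and key id are constructed placeholders, and boto3 is only needed for the live lookup.

```python
# Added example (not ServiceNow or AWS code): read a KMS key's state with
# boto3 and map it to the EKMS External Key Status values described above.
# KMS reports the state in KeyMetadata.KeyState; a deleted key is not returned
# at all (DescribeKey raises NotFoundException), which maps to "Deleted".
from datetime import datetime, timedelta, timezone

# KMS KeyState values the EKMS status field distinguishes.
STATE_MAP = {"Enabled": "Enabled", "Disabled": "Disabled",
             "PendingDeletion": "Pending deletion"}


def classify_key(metadata, now=None):
    """Return (ekms_status, days_until_deletion, action); metadata None = key deleted."""
    if metadata is None:
        return ("Deleted", None,
                "Configure a new EKMS key; data encrypted with it cannot be recovered.")
    state = metadata.get("KeyState")
    status = STATE_MAP.get(state, "Unsupported (%s)" % state)
    if status == "Enabled":
        return status, None, "No action required."
    if status == "Disabled":
        return (status, None,
                "Check AWS KMS for why it was disabled; re-enable before writing to encrypted fields.")
    if status == "Pending deletion":
        now = now or datetime.now(timezone.utc)
        days = (metadata["DeletionDate"] - now).days  # within the 7-30 day window
        return status, days, "Cancel the scheduled deletion in AWS; %d day(s) remain." % days
    return status, None, "State is not usable by EKMS; investigate in AWS KMS."


def fetch_key_metadata(key_id, region_name="us-east-1"):
    """Live lookup; returns KeyMetadata, or None when the key has been deleted."""
    import boto3  # imported here so classify_key() runs without boto3 installed
    kms = boto3.client("kms", region_name=region_name)
    try:
        return kms.describe_key(KeyId=key_id)["KeyMetadata"]
    except kms.exceptions.NotFoundException:
        return None


# Constructed sample standing in for a describe_key() response (key id is a placeholder).
SAMPLE_NOW = datetime(2026, 3, 12, tzinfo=timezone.utc)
SAMPLE_PENDING = {"KeyId": "EXAMPLE-KEY-ID", "KeyState": "PendingDeletion",
                  "DeletionDate": SAMPLE_NOW + timedelta(days=14)}

if __name__ == "__main__":
    print(classify_key(SAMPLE_PENDING, now=SAMPLE_NOW))
```

Replace the constructed sample with `fetch_key_metadata("<your key id>")` to check a real key; the result should agree with the External Key Status field once synchronization has run.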