Certified Security - Specialty

Sign Up Free or Log In to participate!

Can AWS Config monitor KMS keys?

Around 7:30, it says that Config can be turned on and monitor KMS.

Currently, KMS keys are not a supported resource type in AWS Config, therefore it won’t monitor configuration changes in these resources.

  • AWS Config Supported AWS Resource Types and Resource Relationships


UPDATE: AWS recently added support for KMS keys, so the link above does show KMS keys as a supported resource now.

"You can view the metadata associated with an AWS KMS key and track changes to key policies, tags, and other configuration attributes associated with the AWS KMS key."

  • AWS Config Adds Support for AWS Key Management Service and Amazon Elasticsearch Service


Bradley Anthony

Although Config does not currently monitor KMS keys, you can refer to the following AWS doc, if you wish to monitor your KMS keys and record changes:

1 Answers

There are also some managed rules available:



We are currently using the compliance check for key rotation. The other managed rule for scheduled deletion in combination with compliance change notifications (SNS) will notify you, when someone scheduled a key for deletion.

Sign In
Welcome Back!

Psst…this one if you’ve been moved to ACG!

Get Started
Who’s going to be learning?