Is there a way to get the KMS service to identify and list all keys that are currently in use? I imagine there are use cases where "in use" can be known – such as integrated use cases on the AWS platform, as well as use cases whee "in use" can’t be known, such as ad hoc key use to encrypt a single file on a filesystem. I am wondering if there is a way to get KMS to say which keys it knows are in use in order to have higher confidence when looking to delete a key? I know you can have cloudwatch logf when a key is used, but that is not what I am looking for; I am looking for some kind of "registered" status of a key in use. It seems this would be necessary to effectively rotate keys, if re-encryption is needed as part of the key rotation process, which I am not clear that it is. Thanks!