Query key ID used by an SSM SecureString

[fauxbytes]

Is there a command that will retrieve the key id? The info is available in console, but could not find it through cli.

[uldyssian-sh]

There is no AWS CLI command that can retrieve the KMS key ID used by an SSM SecureString parameter.

This is by design.

For SecureString parameters, SSM stores the KMS key association internally, but the GetParameter / DescribeParameters APIs do not expose the key ID. Even when you use --with-decryption, the response only contains the decrypted value (and basic metadata), not the KMS key reference.

That is why you can see the key in the AWS Console, but not via the CLI or API.

What you can do instead:

If you need to enforce or audit which key is used, manage it at creation time:

aws ssm put-parameter
--name "/path/param"
--type SecureString
--key-id alias/my-kms-key
--value "secret"

If you need visibility for auditing/compliance, use CloudTrail. Parameter creation and updates include the KMS key used in the event record, which is the only API-level source of truth for this information.

Alternatively, enforce usage via IAM policies (for example, require a specific KMS key for ssm:PutParameter).

Summary:

• The KMS key ID for SecureString parameters is not retrievable via AWS CLI
• This is an intentional API limitation
• Use CloudTrail or IAM enforcement if you need to track or control key usage

[uldyssian-sh]

Thanks! If this helps, please consider marking it as “Helpful” or “Accepted” 😊