PQLensGuides › Scan AWS KMS & ACM
100% local · nothing leaves your machine

Scan AWS KMS & ACM

Your managed keys and certificates never touch a filesystem, so no file scan will ever find them. PQLens lists KMS keys and ACM certificates read-only, using the AWS credentials you already have — for a PCI-scoped shop, the CMKs are the inventory.

pqlens scan cloud aws --region us-east-1
Free · all ten surfaces · 100% local — nothing about your code, configs or certificates leaves the machine

How it works

  1. Use any AWS credentials that can call kms:ListKeys/DescribeKey and acm:ListCertificates/DescribeCertificate — a read-only role is enough.
  2. Run pqlens scan cloud aws, optionally with --region a,b and --profile NAME.
  3. Every KMS key (customer-managed and AWS-managed) is classified by its key spec; every ACM certificate by its key algorithm and size.
  4. Nothing is modified and no key material is ever accessible — KMS never exports it, and PQLens reads metadata only.

AWS-managed keys are in scope on purpose

An account whose encryption is all AWS-managed keys still has a cryptographic footprint — arguably the most important one. Skipping AWS-managed keys would report a falsely clean inventory for exactly the accounts that rely on them most, so PQLens includes them and says who manages what.

What “read-only, metadata-only” means precisely

The scan calls List/Describe APIs and nothing else: no key creation, no policy reads beyond the key description, no data-plane calls, and no possibility of touching key material (KMS is designed never to release it). What lands in your inventory is key specs, algorithms, states and certificate parameters.

Frequently asked questions

What IAM permissions does the scan need?

Read-only KMS and ACM listing/describing — the standard ReadOnlyAccess policy more than covers it. No write permissions of any kind are used.

Can PQLens see or export my key material?

No — nobody can. KMS never releases key material; the scan reads metadata (key spec, state, manager) and ACM certificate parameters only.

Are AWS-managed (aws/*) keys included?

Yes, deliberately. They are part of your cryptographic footprint, and skipping them would make heavily-managed accounts look falsely clean.

Which cloud providers are supported?

AWS (KMS + ACM) today. Certificates and keys from other environments still enter the inventory via the certificate, keystore, TLS and SBOM surfaces.

Related guides

PQLens by CybXSan · The evidence engine is open source: cybxsan-evidence.
We never claim “quantum-proof.” Verdicts follow NIST FIPS 203–205 and CNSA 2.0.