diff --git a/app/services/encryption/contextless_kms_client.rb b/app/services/encryption/contextless_kms_client.rb
index 1efb1dc644b..3a8bd8b5a4d 100644
--- a/app/services/encryption/contextless_kms_client.rb
+++ b/app/services/encryption/contextless_kms_client.rb
@@ -17,13 +17,13 @@ class ContextlessKmsClient
 }.freeze
 
 def encrypt(plaintext)
- KmsLogger.log(:encrypt)
+ KmsLogger.log(:encrypt, key_id: IdentityConfig.store.aws_kms_key_id)
 return encrypt_kms(plaintext) if FeatureManagement.use_kms?
 encrypt_local(plaintext)
 end
 
 def decrypt(ciphertext)
- KmsLogger.log(:decrypt)
+ KmsLogger.log(:decrypt, key_id: IdentityConfig.store.aws_kms_key_id)
 return decrypt_kms(ciphertext) if use_kms?(ciphertext)
 decrypt_local(ciphertext)
 end
diff --git a/app/services/encryption/kms_client.rb b/app/services/encryption/kms_client.rb
index 3e36aee1597..7d059229373 100644
--- a/app/services/encryption/kms_client.rb
+++ b/app/services/encryption/kms_client.rb
@@ -32,14 +32,14 @@ def initialize(kms_key_id: IdentityConfig.store.aws_kms_key_id)
 end
 
 def encrypt(plaintext, encryption_context)
- KmsLogger.log(:encrypt, encryption_context)
+ KmsLogger.log(:encrypt, context: encryption_context, key_id: kms_key_id)
 return encrypt_kms(plaintext, encryption_context) if FeatureManagement.use_kms?
 encrypt_local(plaintext, encryption_context)
 end
 
 def decrypt(ciphertext, encryption_context)
 return decrypt_contextless_kms(ciphertext) if self.class.looks_like_contextless?(ciphertext)
- KmsLogger.log(:decrypt, encryption_context)
+ KmsLogger.log(:decrypt, context: encryption_context, key_id: kms_key_id)
 return decrypt_kms(ciphertext, encryption_context) if use_kms?(ciphertext)
 decrypt_local(ciphertext, encryption_context)
 end
diff --git a/app/services/encryption/kms_logger.rb b/app/services/encryption/kms_logger.rb
index 1dfc538d345..75cd8766fee 100644
--- a/app/services/encryption/kms_logger.rb
+++ b/app/services/encryption/kms_logger.rb
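Review bot: The key id logged on the new `KmsLogger.log(:encrypt, key_id: IdentityConfig.store.aws_kms_key_id)` and `:decrypt` lines is recorded before the branch on `FeatureManagement.use_kms?` / `use_kms?(ciphertext)`, so the `encrypt_local` and `decrypt_local` paths now emit an audit record naming a KMS key that was never used. For decrypt the attribution is also presumptive: KMS resolves the key from the ciphertext itself, so a blob encrypted under a previous key would still be logged against the currently configured one — worth confirming against what `decrypt_kms` (outside the hunk) receives back. A small fix is to report the key only on the KMS path, e.g. `KmsLogger.log(:encrypt, key_id: FeatureManagement.use_kms? ? kms_key_id : nil)`, backed by a private `kms_key_id` reader returning `IdentityConfig.store.aws_kms_key_id` so the config lookup is not duplicated across both methods. The enclosing ContextlessKmsClient class continues outside the hunk.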
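Review bot: On the decrypt side the new `KmsLogger.log(:decrypt, context: encryption_context, key_id: kms_key_id)` records the key this client instance was constructed with, not the key the ciphertext was actually encrypted under; those differ during key rotation or when decrypting a ciphertext produced under another key, and the KMS decrypt response reports the resolved key, so if `decrypt_kms` (outside the hunk) can surface that value it would make the audit trail accurate. Both log calls also run before the `use_kms?` checks, so the local-encryption fallback logs a KMS key id it did not use; `key_id: use_kms?(ciphertext) ? kms_key_id : nil` on the decrypt line and the matching `FeatureManagement.use_kms?` guard on encrypt would avoid that. The contextless early return on the line above skips this logger entirely, presumably relying on ContextlessKmsClient to log — if that is the intent, a one-line comment such as `# contextless ciphertexts are logged by ContextlessKmsClient` would keep the next reader from adding a duplicate record.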
@@ -1,11 +1,12 @@
 module Encryption
 class KmsLogger
 LOG_FILENAME = 'kms.log'
- def self.log(action, context = nil)
+ def self.log(action, key_id:, context: nil)
 output = {
 kms: {
 action: action,
 encryption_context: context,
+ key_id: key_id,
 },
 log_filename: LOG_FILENAME,
 }
diff --git a/spec/services/encryption/contextless_kms_client_spec.rb b/spec/services/encryption/contextless_kms_client_spec.rb
index 4de95fe3e2f..d2c1e65cc38 100644
--- a/spec/services/encryption/contextless_kms_client_spec.rb
+++ b/spec/services/encryption/contextless_kms_client_spec.rb
@@ -148,7 +148,10 @@
 end
 
 it 'logs the encryption' do
- expect(Encryption::KmsLogger).to receive(:log).with(:encrypt)
+ expect(Encryption::KmsLogger).to receive(:log).with(
+ :encrypt,
+ key_id: IdentityConfig.store.aws_kms_key_id,
+ )
 subject.encrypt(long_kms_plaintext)
 end
 
@@ -180,7 +183,10 @@
 end
 
 it 'logs the decryption' do
- expect(Encryption::KmsLogger).to receive(:log).with(:decrypt)
+ expect(Encryption::KmsLogger).to receive(:log).with(
+ :decrypt,
+ key_id: IdentityConfig.store.aws_kms_key_id,
+ )
 subject.decrypt('KMSx' + kms_ciphertext)
 end
 
diff --git a/spec/services/encryption/kms_client_spec.rb b/spec/services/encryption/kms_client_spec.rb
index b2a515b451b..9e9575c2d44 100644
--- a/spec/services/encryption/kms_client_spec.rb
+++ b/spec/services/encryption/kms_client_spec.rb
@@ -111,7 +111,11 @@
 end
 
 it 'logs the context' do
- expect(Encryption::KmsLogger).to receive(:log).with(:encrypt, encryption_context)
+ expect(Encryption::KmsLogger).to receive(:log).with(
+ :encrypt,
+ context: encryption_context,
+ key_id: subject.kms_key_id,
+ )
 subject.encrypt(plaintext, encryption_context)
 end
 
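Review bot: `def self.log(action, key_id:, context: nil)` has no documentation, and the new required `key_id:` keyword (plus the move of `context` from a positional default to a keyword) is a breaking change for any caller not updated in this commit — it raises ArgumentError at runtime rather than just omitting a field — so the contract deserves a header comment, e.g. `# Emits one structured audit record per KMS operation to kms.log.` / `# key_id: the key the caller reports using (required); context: the AWS encryption context, nil for contextless ciphertexts.`. Nothing in the hunk stops a nil `key_id` from being accepted, so a caller passing an unset config value will write `"key_id":null` silently; if that should never happen in production, `raise ArgumentError, 'key_id is required' if key_id.nil?` at the top of the method would surface the misconfiguration at the first call. The method body continues past the end of the hunk.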
@@ -163,7 +167,11 @@
 end
 
 it 'logs the context' do
- expect(Encryption::KmsLogger).to receive(:log).with(:decrypt, encryption_context)
+ expect(Encryption::KmsLogger).to receive(:log).with(
+ :decrypt,
+ context: encryption_context,
+ key_id: subject.kms_key_id,
+ )
 subject.decrypt(kms_ciphertext, encryption_context)
 end
 end
diff --git a/spec/services/encryption/kms_logger_spec.rb b/spec/services/encryption/kms_logger_spec.rb
index fdb4841b292..3036a547fb4 100644
--- a/spec/services/encryption/kms_logger_spec.rb
+++ b/spec/services/encryption/kms_logger_spec.rb
@@ -8,13 +8,18 @@
 kms: {
 action: 'encrypt',
 encryption_context: { context: 'pii-encryption', user_uuid: '1234-abc' },
+ key_id: 'super-duper-aws-kms-key-id',
 },
 log_filename: Encryption::KmsLogger::LOG_FILENAME,
 }.to_json
 
 expect(described_class.logger).to receive(:info).with(log)
 
- described_class.log(:encrypt, context: 'pii-encryption', user_uuid: '1234-abc')
+ described_class.log(
+ :encrypt,
+ context: { context: 'pii-encryption', user_uuid: '1234-abc' },
+ key_id: 'super-duper-aws-kms-key-id',
+ )
 end
 end
 
@@ -24,13 +29,14 @@
 kms: {
 action: 'decrypt',
 encryption_context: nil,
+ key_id: 'super-duper-aws-kms-key-id',
 },
 log_filename: Encryption::KmsLogger::LOG_FILENAME,
 }.to_json
 
 expect(described_class.logger).to receive(:info).with(log)
 
- described_class.log(:decrypt)
+ described_class.log(:decrypt, key_id: 'super-duper-aws-kms-key-id')
 end
 end
 end