Table: alicloud_kms_key - Query Alibaba Cloud Key Management Service Keys using SQL

Alibaba Cloud Key Management Service (KMS) is a secure and easy-to-use service to create, control, and manage cryptographic keys used to secure your data. It provides centralized management of cryptographic keys, and offers a range of features including key rotation, key version management, and audit trails for key usage. KMS is integrated with other Alibaba Cloud services to help protect the data you store in these services and control the keys that decrypt it.

Table Usage Guide

The alicloud_kms_key table provides insights into cryptographic keys within Alibaba Cloud Key Management Service (KMS). As a security engineer, you can explore key-specific details through this table, including key state, key spec, and associated metadata. Utilize it to uncover information about keys, such as their creation time, description, and the key material expiration status.

Examples

Basic info

Explore which encryption keys in your Alicloud account are currently in use and where. This query can help you manage your keys effectively by providing information about their state, creation date, and the region they are located in.

select
  key_id,
  arn,
  key_state,
  description,
  creation_date,
  region
from
  alicloud_kms_key;

select
  key_id,
  arn,
  key_state,
  description,
  creation_date,
  region
from
  alicloud_kms_key;

List keys scheduled for deletion

Discover the segments that are marked for deletion in the near future. This is useful for preemptively managing resources and ensuring system integrity by preventing unexpected loss of access to important keys.

select
  key_id,
  key_state,
  delete_date
from
  alicloud_kms_key
where
  key_state = 'PendingDeletion';

select
  key_id,
  key_state,
  delete_date
from
  alicloud_kms_key
where
  key_state = 'PendingDeletion';

List keys that have automatic key rotation suspended

Explore which encryption keys have had their automatic rotation feature suspended. This is useful for maintaining security standards, as keys that are not regularly rotated may pose a risk.

select
  key_id,
  automatic_rotation
from
  alicloud_kms_key
where
  automatic_rotation = 'Suspended';

select
  key_id,
  automatic_rotation
from
  alicloud_kms_key
where
  automatic_rotation = 'Suspended';

Get the key alias info for each key

Determine the alias details for each encryption key to manage and track your keys effectively. This helps in identifying and organizing your keys while maintaining security standards.

select
  alias ->> 'KeyId' as key_id,
  alias ->> 'AliasArn' as alias_arn,
  alias ->> 'AliasName' as alias_name
from
  alicloud_kms_key,
  jsonb_array_elements(key_aliases) as alias;

select
  json_extract(alias.value, '$.KeyId') as key_id,
  json_extract(alias.value, '$.AliasArn') as alias_arn,
  json_extract(alias.value, '$.AliasName') as alias_name
from
  alicloud_kms_key,
  json_each(key_aliases) as alias;

Count of keys per region

Example 1: "Count of keys per region" Explore which regions have the most keys in your AliCloud Key Management Service. This can help you understand the distribution of your keys and identify regions with a high concentration of keys.

Example 2: "List keys that have deletion protection disabled" Identify instances where keys in your AliCloud Key Management Service have deletion protection disabled. This can be useful in maintaining security standards and avoiding accidental data loss.

select
  region,
  count(*)
from
  alicloud_kms_key
group by
  region;

select
  region,
  count(*)
from
  alicloud_kms_key
group by
  region;

List keys that have deletion protection disabled

select
  key_id,
  key_state,
  description,
  creation_date
from
  alicloud_kms_key
where
  deletion_protection = 'Disabled';

select
  key_id,
  key_state,
  description,
  creation_date
from
  alicloud_kms_key
where
  deletion_protection = 'Disabled';

Query examples

Control examples

Schema for alicloud_kms_key

Name	Type	Operators	Description
_ctx	jsonb		Steampipe context in JSON form, e.g. connection_name.
account_id	text		The Alicloud Account ID in which the resource is located.
akas	jsonb		Array of globally unique identifier strings (also known as) for the resource.
arn	text		The Alibaba Cloud Resource Name (ARN) of the CMK.
automatic_rotation	text		Indicates whether automatic key rotation is enabled.
creation_date	timestamp with time zone		The date and time the CMK was created.
creator	text		The creator of the CMK.
delete_date	timestamp with time zone		The date and time the CMK is scheduled for deletion.
deletion_protection	text		Indicates whether deletion protection is enabled.
description	text		The description of the CMK.
key_aliases	jsonb		A list of aliases bound to a CMK.
key_id	text	=	The globally unique ID of the CMK.
key_spec	text	=	The type of the CMK.
key_state	text	=	The status of the CMK.
key_usage	text	=	The purpose of the CMK.
last_rotation_date	timestamp with time zone		The date and time the last rotation was performed.
material_expire_time	timestamp with time zone		The time and date the key material for the CMK expires.
origin	text		The source of the key material for the CMK.
primary_key_version	text		The ID of the current primary key version of the symmetric CMK.
protection_level	text	=	The protection level of the CMK.
region	text		The Alicloud region in which the resource is located.
tags	jsonb		A map of tags for the resource.
tags_src	jsonb		A list of tags assigned to the key.
title	text		Title of the resource.

Export

This table is available as a standalone Exporter CLI. Steampipe exporters are stand-alone binaries that allow you to extract data using Steampipe plugins without a database.

You can download the tarball for your platform from the Releases page, but it is simplest to install them with the steampipe_export_installer.sh script:

/bin/sh -c "$(curl -fsSL https://steampipe.io/install/export.sh)" -- alicloud

You can pass the configuration to the command with the --config argument:

steampipe_export_alicloud --config '<your_config>' alicloud_kms_key