Table: alicloud_kms_key - Query Alibaba Cloud Key Management Service Keys using SQL
Alibaba Cloud Key Management Service (KMS) is a secure and easy-to-use service to create, control, and manage cryptographic keys used to secure your data. It provides centralized management of cryptographic keys, and offers a range of features including key rotation, key version management, and audit trails for key usage. KMS is integrated with other Alibaba Cloud services to help protect the data you store in these services and control the keys that decrypt it.
Table Usage Guide
The alicloud_kms_key table provides insights into cryptographic keys within Alibaba Cloud Key Management Service (KMS). As a security engineer, you can explore key-specific details through this table, including key state, key spec, and associated metadata. Utilize it to uncover information about keys, such as their creation time, description, and the key material expiration status.
Examples
Basic info
Explore which encryption keys in your Alicloud account are currently in use and where. This query can help you manage your keys effectively by providing information about their state, creation date, and the region they are located in.
```sql
select
  key_id,
  arn,
  key_state,
  description,
  creation_date,
  region
from
  alicloud_kms_key;
```
List keys scheduled for deletion
Discover which keys are marked for deletion in the near future. This is useful for preemptively managing resources and ensuring system integrity by preventing unexpected loss of access to important keys.
```sql
select
  key_id,
  key_state,
  delete_date
from
  alicloud_kms_key
where
  key_state = 'PendingDeletion';
```
List keys that have automatic key rotation suspended
Explore which encryption keys have had their automatic rotation feature suspended. This is useful for maintaining security standards, as keys that are not regularly rotated may pose a risk.
```sql
select
  key_id,
  automatic_rotation
from
  alicloud_kms_key
where
  automatic_rotation = 'Suspended';
```
Get the key alias info for each key
Determine the alias details for each encryption key to manage and track your keys effectively. This helps in identifying and organizing your keys while maintaining security standards.
PostgreSQL:

```sql
select
  alias ->> 'KeyId' as key_id,
  alias ->> 'AliasArn' as alias_arn,
  alias ->> 'AliasName' as alias_name
from
  alicloud_kms_key,
  jsonb_array_elements(key_aliases) as alias;
```

SQLite:

```sql
select
  json_extract(alias.value, '$.KeyId') as key_id,
  json_extract(alias.value, '$.AliasArn') as alias_arn,
  json_extract(alias.value, '$.AliasName') as alias_name
from
  alicloud_kms_key,
  json_each(key_aliases) as alias;
```
Count of keys per region
Explore which regions have the most keys in your AliCloud Key Management Service. This can help you understand the distribution of your keys and identify regions with a high concentration of keys.

```sql
select
  region,
  count(*)
from
  alicloud_kms_key
group by
  region;
```

List keys that have deletion protection disabled
Identify instances where keys in your AliCloud Key Management Service have deletion protection disabled. This can be useful in maintaining security standards and avoiding accidental data loss.

```sql
select
  key_id,
  key_state,
  description,
  creation_date
from
  alicloud_kms_key
where
  deletion_protection = 'Disabled';
```
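The examples above each check one attribute. The following query is an added example, not from the Steampipe documentation, that combines several of the table's columns into a single rotation and key-material hygiene report. It assumes PostgreSQL syntax (the Steampipe default) and assumes 'Enabled' is the value of key_state and automatic_rotation for active keys and enabled rotation; the 365-day and 30-day thresholds are illustrative choices.

```sql
-- Added example (assumes PostgreSQL syntax, the Steampipe default).
-- Reports enabled keys that are not rotating, have not rotated in over a
-- year, or whose imported key material expires soon. The 'Enabled' values
-- and the 365/30-day thresholds are assumptions, not fixed by the table docs.
select
  key_id,
  region,
  origin,
  automatic_rotation,
  last_rotation_date,
  material_expire_time,
  case
    when automatic_rotation <> 'Enabled'
      then 'automatic rotation not enabled'
    -- a key that has never rotated is measured from its creation date
    when coalesce(last_rotation_date, creation_date) < now() - interval '365 days'
      then 'no rotation in the last 365 days'
    when material_expire_time < now() + interval '30 days'
      then 'key material expires within 30 days'
  end as finding
from
  alicloud_kms_key
where
  key_state = 'Enabled'
  and (
    automatic_rotation <> 'Enabled'
    or coalesce(last_rotation_date, creation_date) < now() - interval '365 days'
    -- material_expire_time is null for service-generated material, so this
    -- clause only fires for imported (BYOK) key material
    or material_expire_time < now() + interval '30 days'
  )
order by
  region,
  key_id;
```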
Query examples
- ecs_disks_for_kms_key
- ecs_snapshots_for_kms_key
- hsm_based_keys
- kms_cmk_lifecycle_table
- kms_cmk_pending_deletion_count
- kms_cmk_rotation_disabled_count
- kms_deletion_protection
- kms_deletion_protection_disabled_count
- kms_key_1_year_count
- kms_key_24_hours_count
- kms_key_30_90_days_count
- kms_key_30_days_count
- kms_key_90_365_days_count
- kms_key_age
- kms_key_age_table
- kms_key_aliases
- kms_key_by_account
- kms_key_by_creation_month
- kms_key_by_protection_level
- kms_key_by_region
- kms_key_by_state
- kms_key_count
- kms_key_disabled_count
- kms_key_input
- kms_key_origin
- kms_key_overview
- kms_key_rds_instances
- kms_key_rotation_disabled_count
- kms_key_rotation_enabled
- kms_key_state
- kms_key_tags
- kms_keys_for_ecs_disk
- kms_keys_for_ecs_snapshot
- kms_keys_for_oss_bucket
- kms_protection_level
- kms_secrets_for_kms_key
- oss_bucket_encrypted_with_byok_count
- oss_bucket_encrypted_with_servcie_key_count
- oss_buckets_for_kms_key
Schema for alicloud_kms_key
Name | Type | Operators | Description |
---|---|---|---|
_ctx | jsonb | | Steampipe context in JSON form. |
account_id | text | =, !=, ~~, ~~*, !~~, !~~* | The Alicloud Account ID in which the resource is located. |
akas | jsonb | | Array of globally unique identifier strings (also known as) for the resource. |
arn | text | | The Alibaba Cloud Resource Name (ARN) of the CMK. |
automatic_rotation | text | | Indicates whether automatic key rotation is enabled. |
creation_date | timestamp with time zone | | The date and time the CMK was created. |
creator | text | | The creator of the CMK. |
delete_date | timestamp with time zone | | The date and time the CMK is scheduled for deletion. |
deletion_protection | text | | Indicates whether deletion protection is enabled. |
description | text | | The description of the CMK. |
key_aliases | jsonb | | A list of aliases bound to a CMK. |
key_id | text | = | The globally unique ID of the CMK. |
key_spec | text | = | The type of the CMK. |
key_state | text | = | The status of the CMK. |
key_usage | text | = | The purpose of the CMK. |
last_rotation_date | timestamp with time zone | | The date and time the last rotation was performed. |
material_expire_time | timestamp with time zone | | The time and date the key material for the CMK expires. |
origin | text | | The source of the key material for the CMK. |
primary_key_version | text | | The ID of the current primary key version of the symmetric CMK. |
protection_level | text | = | The protection level of the CMK. |
region | text | | The Alicloud region in which the resource is located. |
sp_connection_name | text | =, !=, ~~, ~~*, !~~, !~~* | Steampipe connection name. |
sp_ctx | jsonb | | Steampipe context in JSON form. |
tags | jsonb | | A map of tags for the resource. |
tags_src | jsonb | | A list of tags assigned to the key. |
title | text | | Title of the resource. |
Export
This table is available as a standalone Exporter CLI. Steampipe exporters are stand-alone binaries that allow you to extract data using Steampipe plugins without a database.
You can download the tarball for your platform from the Releases page, but it is simplest to install them with the steampipe_export_installer.sh script:
/bin/sh -c "$(curl -fsSL https://steampipe.io/install/export.sh)" -- alicloud
You can pass the configuration to the command with the --config argument:
steampipe_export_alicloud --config '<your_config>' alicloud_kms_key