turbot/alicloud
steampipe plugin install alicloud

Table: alicloud_kms_key - Query Alibaba Cloud Key Management Service Keys using SQL

Alibaba Cloud Key Management Service (KMS) is a secure and easy-to-use service to create, control, and manage cryptographic keys used to secure your data. It provides centralized management of cryptographic keys, and offers a range of features including key rotation, key version management, and audit trails for key usage. KMS is integrated with other Alibaba Cloud services to help protect the data you store in these services and control the keys that decrypt it.

Table Usage Guide

The alicloud_kms_key table provides insights into cryptographic keys within Alibaba Cloud Key Management Service (KMS). As a security engineer, you can explore key-specific details through this table, including key state, key spec, and associated metadata. Utilize it to uncover information about keys, such as their creation time, description, and the key material expiration status.

Examples

Basic info

Explore which encryption keys in your Alicloud account are currently in use and where. This query can help you manage your keys effectively by providing information about their state, creation date, and the region they are located in.

select
key_id,
arn,
key_state,
description,
creation_date,
region
from
alicloud_kms_key;
select
key_id,
arn,
key_state,
description,
creation_date,
region
from
alicloud_kms_key;

List keys scheduled for deletion

Discover the segments that are marked for deletion in the near future. This is useful for preemptively managing resources and ensuring system integrity by preventing unexpected loss of access to important keys.

select
key_id,
key_state,
delete_date
from
alicloud_kms_key
where
key_state = 'PendingDeletion';
select
key_id,
key_state,
delete_date
from
alicloud_kms_key
where
key_state = 'PendingDeletion';

List keys that have automatic key rotation suspended

Explore which encryption keys have had their automatic rotation feature suspended. This is useful for maintaining security standards, as keys that are not regularly rotated may pose a risk.

select
key_id,
automatic_rotation
from
alicloud_kms_key
where
automatic_rotation = 'Suspended';
select
key_id,
automatic_rotation
from
alicloud_kms_key
where
automatic_rotation = 'Suspended';

Get the key alias info for each key

Determine the alias details for each encryption key to manage and track your keys effectively. This helps in identifying and organizing your keys while maintaining security standards.

select
alias ->> 'KeyId' as key_id,
alias ->> 'AliasArn' as alias_arn,
alias ->> 'AliasName' as alias_name
from
alicloud_kms_key,
jsonb_array_elements(key_aliases) as alias;
select
json_extract(alias.value, '$.KeyId') as key_id,
json_extract(alias.value, '$.AliasArn') as alias_arn,
json_extract(alias.value, '$.AliasName') as alias_name
from
alicloud_kms_key,
json_each(key_aliases) as alias;

Count of keys per region

Example 1: "Count of keys per region" Explore which regions have the most keys in your AliCloud Key Management Service. This can help you understand the distribution of your keys and identify regions with a high concentration of keys.

Example 2: "List keys that have deletion protection disabled" Identify instances where keys in your AliCloud Key Management Service have deletion protection disabled. This can be useful in maintaining security standards and avoiding accidental data loss.

select
region,
count(*)
from
alicloud_kms_key
group by
region;
select
region,
count(*)
from
alicloud_kms_key
group by
region;

List keys that have deletion protection disabled

select
key_id,
key_state,
description,
creation_date
from
alicloud_kms_key
where
deletion_protection = 'Disabled';
select
key_id,
key_state,
description,
creation_date
from
alicloud_kms_key
where
deletion_protection = 'Disabled';

Schema for alicloud_kms_key

NameTypeOperatorsDescription
_ctxjsonbSteampipe context in JSON form.
account_idtext=, !=, ~~, ~~*, !~~, !~~*The Alicloud Account ID in which the resource is located.
akasjsonbArray of globally unique identifier strings (also known as) for the resource.
arntextThe Alibaba Cloud Resource Name (ARN) of the CMK.
automatic_rotationtextIndicates whether automatic key rotation is enabled.
creation_datetimestamp with time zoneThe date and time the CMK was created.
creatortextThe creator of the CMK.
delete_datetimestamp with time zoneThe date and time the CMK is scheduled for deletion.
deletion_protectiontextIndicates whether deletion protection is enabled.
descriptiontextThe description of the CMK.
key_aliasesjsonbA list of aliases bound to a CMK.
key_idtext=The globally unique ID of the CMK.
key_spectext=The type of the CMK.
key_statetext=The status of the CMK.
key_usagetext=The purpose of the CMK.
last_rotation_datetimestamp with time zoneThe date and time the last rotation was performed.
material_expire_timetimestamp with time zoneThe time and date the key material for the CMK expires.
origintextThe source of the key material for the CMK.
primary_key_versiontextThe ID of the current primary key version of the symmetric CMK.
protection_leveltext=The protection level of the CMK.
regiontextThe Alicloud region in which the resource is located.
sp_connection_nametext=, !=, ~~, ~~*, !~~, !~~*Steampipe connection name.
sp_ctxjsonbSteampipe context in JSON form.
tagsjsonbA map of tags for the resource.
tags_srcjsonbA list of tags assigned to the key.
titletextTitle of the resource.

Export

This table is available as a standalone Exporter CLI. Steampipe exporters are stand-alone binaries that allow you to extract data using Steampipe plugins without a database.

You can download the tarball for your platform from the Releases page, but it is simplest to install them with the steampipe_export_installer.sh script:

/bin/sh -c "$(curl -fsSL https://steampipe.io/install/export.sh)" -- alicloud

You can pass the configuration to the command with the --config argument:

steampipe_export_alicloud --config '<your_config>' alicloud_kms_key