Table: aws_acmpca_certificate_authority - Query AWS ACM PCA Certificate Authorities using SQL
The aws_acmpca_certificate_authority table provides detailed information about AWS Certificate Manager Private Certificate Authority (ACM PCA) certificate authorities. These entities enable you to securely issue and manage your private certificates. This table allows for querying configurations, statuses, key storage standards, and more for each certificate authority within your AWS account.
Table Usage Guide
This table can be utilized to monitor the configuration and operational health of your private certificate authorities managed through AWS ACM PCA. It enables security analysts, compliance auditors, and cloud administrators to assess the certificate authorities' compliance with policies, investigate issuance metadata, and understand the security standards being applied.
Examples
Basic information
Retrieve basic details about your ACM PCA Certificate Authorities.
PostgreSQL:

```sql
select arn, status, created_at, not_before, not_after, key_storage_security_standard, failure_reason
from aws_acmpca_certificate_authority;
```

SQLite:

```sql
select arn, status, datetime(created_at) AS created_at, datetime(not_before) AS not_before, datetime(not_after) AS not_after, key_storage_security_standard, failure_reason
from aws_acmpca_certificate_authority;
```
Certificate authorities with specific key storage security standards
List certificate authorities that comply with a specific key storage security standard.
PostgreSQL and SQLite (the query is identical in both dialects):

```sql
select arn, status, key_storage_security_standard
from aws_acmpca_certificate_authority
where key_storage_security_standard = 'FIPS_140_2_LEVEL_3_OR_HIGHER';
```
Certificate authorities by status
Find certificate authorities by their operational status, e.g., ACTIVE or DISABLED.
PostgreSQL:

```sql
select arn, status, created_at, last_state_change_at
from aws_acmpca_certificate_authority
where status = 'ACTIVE';
```

SQLite:

```sql
select arn, status, datetime(created_at) AS created_at, datetime(last_state_change_at) AS last_state_change_at
from aws_acmpca_certificate_authority
where status = 'ACTIVE';
```
Tagged Certificate Authorities
Identify certificate authorities tagged with specific key-value pairs for organizational purposes.
PostgreSQL:

```sql
select arn, tags
from aws_acmpca_certificate_authority
where (tags ->> 'Project') = 'MyProject';
```

SQLite:

```sql
select arn, json_extract(tags, '$.Project') AS project_tag
from aws_acmpca_certificate_authority
where project_tag = 'MyProject';
```
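Private CA posture check (PostgreSQL dialect), combining the status, validity, revocation and restore-window columns from this table into one query. This is an added example, not one of the Steampipe docs' own queries; the `CrlConfiguration` / `OcspConfiguration` / `Enabled` key names inside `revocation_configuration` are assumed to follow the ACM PCA API response shape.

```sql
-- Added example (not from the Steampipe docs). Flags three conditions a
-- CA reviewer usually wants surfaced:
--   1. ACTIVE general-purpose CAs with neither CRL nor OCSP enabled
--      (short-lived usage_mode CAs may legitimately omit revocation)
--   2. ACTIVE CAs whose own certificate expires within 90 days
--   3. DELETED CAs that are still inside their restore window
-- Assumption: revocation_configuration carries the API's
-- CrlConfiguration / OcspConfiguration objects, each with an Enabled flag.
with ca as (
  select
    arn,
    region,
    status,
    usage_mode,
    not_after,
    restorable_until,
    coalesce((revocation_configuration -> 'CrlConfiguration'  ->> 'Enabled')::boolean, false) as crl_enabled,
    coalesce((revocation_configuration -> 'OcspConfiguration' ->> 'Enabled')::boolean, false) as ocsp_enabled
  from aws_acmpca_certificate_authority
),
findings as (
  select
    arn,
    region,
    status,
    case
      when status = 'ACTIVE'
           and usage_mode = 'GENERAL_PURPOSE'
           and not crl_enabled
           and not ocsp_enabled
        then 'active general-purpose CA with no CRL or OCSP revocation configured'
      when status = 'ACTIVE'
           and not_after < now() + interval '90 days'
        then 'CA certificate expires on ' || not_after::date::text
      when status = 'DELETED'
           and restorable_until > now()
        then 'deleted CA still restorable until ' || restorable_until::date::text
    end as finding
  from ca
)
select arn, region, status, finding
from findings
where finding is not null
order by region, arn;
```

A CA that matches more than one condition reports only the first matching branch of the CASE; reorder the branches if a different priority suits your review.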
Schema for aws_acmpca_certificate_authority
Name | Type | Operators | Description |
---|---|---|---|
_ctx | jsonb | | Steampipe context in JSON form. |
account_id | text | =, !=, ~~, ~~*, !~~, !~~* | The AWS Account ID in which the resource is located. |
akas | jsonb | | Array of globally unique identifier strings (also known as) for the resource. |
arn | text | = | Amazon Resource Name (ARN) for your private certificate authority (CA). The format is 12345678-1234-1234-1234-123456789012. |
certificate_authority_configuration | jsonb | | Your private CA configuration. |
created_at | timestamp with time zone | | Date and time at which your private CA was created. |
failure_reason | text | | Reason the request to create your private CA failed. |
key_storage_security_standard | text | | Defines a cryptographic key management compliance standard used for handling CA keys. Default: FIPS_140_2_LEVEL_3_OR_HIGHER. Note: Amazon Web Services Region ap-northeast-3 supports only FIPS_140_2_LEVEL_2_OR_HIGHER. You must explicitly specify this parameter and value when creating a CA in that Region. Specifying a different value (or no value) results in an InvalidArgsException with the message 'A certificate authority cannot be created in this region with the specified security standard.' |
last_state_change_at | timestamp with time zone | | Date and time at which your private CA was last updated. |
not_after | timestamp with time zone | | Date and time after which your private CA certificate is not valid. |
not_before | timestamp with time zone | | Date and time before which your private CA certificate is not valid. |
owner_account | text | | The Amazon Web Services account ID that owns the certificate authority. |
partition | text | | The AWS partition in which the resource is located (aws, aws-cn, or aws-us-gov). |
region | text | | The AWS Region in which the resource is located. |
restorable_until | timestamp with time zone | | The period during which a deleted CA can be restored. For more information, see the PermanentDeletionTimeInDays parameter of the DeleteCertificateAuthorityRequest action. |
revocation_configuration | jsonb | | Information about the Online Certificate Status Protocol (OCSP) configuration or certificate revocation list (CRL) created and maintained by your private CA. |
serial | text | | Serial number of your private CA. |
sp_connection_name | text | =, !=, ~~, ~~*, !~~, !~~* | Steampipe connection name. |
sp_ctx | jsonb | | Steampipe context in JSON form. |
status | text | | Status of your private CA. |
tags | jsonb | | A map of tags for the resource. |
tags_src | jsonb | | A list of tags associated with the private certificate authority (CA). |
title | text | | Title of the resource. |
type | text | | Type of your private CA. |
usage_mode | text | | Specifies whether the CA issues general-purpose certificates that typically require a revocation mechanism, or short-lived certificates that may optionally omit revocation because they expire quickly. Short-lived certificate validity is limited to seven days. The default value is GENERAL_PURPOSE. |
Export
This table is available as a standalone Exporter CLI. Steampipe exporters are stand-alone binaries that allow you to extract data using Steampipe plugins without a database.
You can download the tarball for your platform from the Releases page, but it is simplest to install them with the steampipe_export_installer.sh script:

```sh
/bin/sh -c "$(curl -fsSL https://steampipe.io/install/export.sh)" -- aws
```
You can pass the configuration to the command with the --config argument:

```sh
steampipe_export_aws --config '<your_config>' aws_acmpca_certificate_authority
```