steampipe plugin install aws

Table: aws_acmpca_certificate_authority - Query AWS ACM PCA Certificate Authorities using SQL

The aws_acmpca_certificate_authority table provides detailed information about AWS Certificate Manager Private Certificate Authority (ACM PCA) certificate authorities. These entities enable you to securely issue and manage your private certificates. This table allows for querying configurations, statuses, key storage standards, and more for each certificate authority within your AWS account.

Table Usage Guide

This table can be utilized to monitor the configuration and operational health of your private certificate authorities managed through AWS ACM PCA. It enables security analysts, compliance auditors, and cloud administrators to assess the certificate authorities' compliance with policies, investigate issuance metadata, and understand the security standards being applied.

Examples

Basic information

Retrieve basic details about your ACM PCA Certificate Authorities.

Postgres:

select
  arn,
  status,
  created_at,
  not_before,
  not_after,
  key_storage_security_standard,
  failure_reason
from
  aws_acmpca_certificate_authority;

SQLite:

select
  arn,
  status,
  datetime(created_at) as created_at,
  datetime(not_before) as not_before,
  datetime(not_after) as not_after,
  key_storage_security_standard,
  failure_reason
from
  aws_acmpca_certificate_authority;

Certificate authorities with specific key storage security standards

List certificate authorities that comply with a specific key storage security standard.

Postgres:

select
  arn,
  status,
  key_storage_security_standard
from
  aws_acmpca_certificate_authority
where
  key_storage_security_standard = 'FIPS_140_2_LEVEL_3_OR_HIGHER';

SQLite:

select
  arn,
  status,
  key_storage_security_standard
from
  aws_acmpca_certificate_authority
where
  key_storage_security_standard = 'FIPS_140_2_LEVEL_3_OR_HIGHER';

Certificate authorities by status

Find certificate authorities by their operational status, e.g., ACTIVE, DISABLED.

Postgres:

select
  arn,
  status,
  created_at,
  last_state_change_at
from
  aws_acmpca_certificate_authority
where
  status = 'ACTIVE';

SQLite:

select
  arn,
  status,
  datetime(created_at) as created_at,
  datetime(last_state_change_at) as last_state_change_at
from
  aws_acmpca_certificate_authority
where
  status = 'ACTIVE';

Tagged Certificate Authorities

Identify certificate authorities tagged with specific key-value pairs for organizational purposes.

Postgres:

select
  arn,
  tags
from
  aws_acmpca_certificate_authority
where
  (tags ->> 'Project') = 'MyProject';

SQLite:

select
  arn,
  json_extract(tags, '$.Project') as project_tag
from
  aws_acmpca_certificate_authority
where
  project_tag = 'MyProject';
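The query below is an added example, not part of the Steampipe documentation: it folds the concerns from the usage guide into one compliance sweep that flags CA certificates expiring within 90 days, key storage below FIPS 140-2 Level 3 outside ap-northeast-3 (which supports only Level 2), and general-purpose CAs with neither CRL nor OCSP revocation enabled. It assumes Postgres syntax and that the revocation_configuration JSON carries the AWS API field names CrlConfiguration.Enabled and OcspConfiguration.Enabled, which is an assumption about the column's shape.

```sql
-- Added example (not from the original page). Assumes Postgres and that
-- revocation_configuration uses the AWS API keys CrlConfiguration / OcspConfiguration
-- with a boolean "Enabled" member (assumption about the JSON shape).
with findings as (
  select
    arn,
    region,
    status,
    usage_mode,
    key_storage_security_standard,
    not_after,
    -- Expired, or expiring inside the 90-day renewal window.
    -- not_after is NULL for a CA that has no certificate yet; NULL is treated as no finding.
    (not_after < now() + interval '90 days') as expiring_soon,
    -- ap-northeast-3 only supports FIPS_140_2_LEVEL_2_OR_HIGHER, so it is exempt here.
    (key_storage_security_standard <> 'FIPS_140_2_LEVEL_3_OR_HIGHER'
      and region <> 'ap-northeast-3') as weak_key_storage,
    -- General-purpose CAs are expected to publish revocation data; short-lived
    -- CAs may legitimately omit it, so only GENERAL_PURPOSE is checked.
    (usage_mode = 'GENERAL_PURPOSE'
      and coalesce(revocation_configuration -> 'CrlConfiguration' ->> 'Enabled', 'false') <> 'true'
      and coalesce(revocation_configuration -> 'OcspConfiguration' ->> 'Enabled', 'false') <> 'true')
      as no_revocation_mechanism
  from
    aws_acmpca_certificate_authority
  where
    -- Deleted or failed CAs cannot issue certificates and would only add noise.
    status not in ('DELETED', 'FAILED')
)
select
  arn,
  region,
  status,
  usage_mode,
  key_storage_security_standard,
  not_after,
  expiring_soon,
  weak_key_storage,
  no_revocation_mechanism
from
  findings
where
  expiring_soon
  or weak_key_storage
  or no_revocation_mechanism
order by
  not_after nulls last;
```

Each boolean column is a separate finding, so a row can carry more than one; a CA with a NULL not_after appears only if one of the other two checks fires.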

Schema for aws_acmpca_certificate_authority

| Name | Type | Operators | Description |
| --- | --- | --- | --- |
| _ctx | jsonb | | Steampipe context in JSON form. |
| account_id | text | =, !=, ~~, ~~*, !~~, !~~* | The AWS Account ID in which the resource is located. |
| akas | jsonb | | Array of globally unique identifier strings (also known as) for the resource. |
| arn | text | = | Amazon Resource Name (ARN) for your private certificate authority (CA). The format is 12345678-1234-1234-1234-123456789012. |
| certificate_authority_configuration | jsonb | | Your private CA configuration. |
| created_at | timestamp with time zone | | Date and time at which your private CA was created. |
| failure_reason | text | | Reason the request to create your private CA failed. |
| key_storage_security_standard | text | | Defines a cryptographic key management compliance standard used for handling CA keys. Default: FIPS_140_2_LEVEL_3_OR_HIGHER. Note: Amazon Web Services Region ap-northeast-3 supports only FIPS_140_2_LEVEL_2_OR_HIGHER. You must explicitly specify this parameter and value when creating a CA in that Region. Specifying a different value (or no value) results in an InvalidArgsException with the message 'A certificate authority cannot be created in this region with the specified security standard.' |
| last_state_change_at | timestamp with time zone | | Date and time at which your private CA was last updated. |
| not_after | timestamp with time zone | | Date and time after which your private CA certificate is not valid. |
| not_before | timestamp with time zone | | Date and time before which your private CA certificate is not valid. |
| owner_account | text | | The Amazon Web Services account ID that owns the certificate authority. |
| partition | text | | The AWS partition in which the resource is located (aws, aws-cn, or aws-us-gov). |
| region | text | | The AWS Region in which the resource is located. |
| restorable_until | timestamp with time zone | | The period during which a deleted CA can be restored. For more information, see the PermanentDeletionTimeInDays parameter of the DeleteCertificateAuthorityRequest action. |
| revocation_configuration | jsonb | | Information about the Online Certificate Status Protocol (OCSP) configuration or certificate revocation list (CRL) created and maintained by your private CA. |
| serial | text | | Serial number of your private CA. |
| sp_connection_name | text | =, !=, ~~, ~~*, !~~, !~~* | Steampipe connection name. |
| sp_ctx | jsonb | | Steampipe context in JSON form. |
| status | text | | Status of your private CA. |
| tags | jsonb | | A map of tags for the resource. |
| tags_src | jsonb | | A list of tags associated with the private certificate authority (CA). |
| title | text | | Title of the resource. |
| type | text | | Type of your private CA. |
| usage_mode | text | | Specifies whether the CA issues general-purpose certificates that typically require a revocation mechanism, or short-lived certificates that may optionally omit revocation because they expire quickly. Short-lived certificate validity is limited to seven days. The default value is GENERAL_PURPOSE. |

Export

This table is available as a standalone Exporter CLI. Steampipe exporters are standalone binaries that allow you to extract data using Steampipe plugins without a database.

You can download the tarball for your platform from the Releases page, but it is simplest to install them with the steampipe_export_installer.sh script:

/bin/sh -c "$(curl -fsSL https://steampipe.io/install/export.sh)" -- aws

You can pass the configuration to the command with the --config argument:

steampipe_export_aws --config '<your_config>' aws_acmpca_certificate_authority