Table: aws_kms_alias - Query AWS Key Management Service (KMS) alias using SQL
The AWS Key Management Service (KMS) alias is a user-friendly identifier for a KMS key. These aliases allow you to simplify cryptographic workflows by referring to a key by a consistent name throughout its lifecycle. KMS aliases can be used to manage cryptographic keys, enabling secure access to services and applications.
Table Usage Guide
The aws_kms_alias table in Steampipe provides you with information about aliases within AWS Key Management Service (KMS). This table allows you, as a DevOps engineer, to query alias-specific details, including the alias name, alias ARN, and the key it is associated with. You can utilize this table to gather insights on aliases, such as the keys they are associated with and the ARNs of the aliases. The schema outlines the various attributes of the KMS alias for you, including the alias name, alias ARN, and associated key ID.
Examples
Basic info
List the aliases that have been created within your AWS Key Management Service (KMS), including their unique identifiers, target key IDs and creation dates. This can help in identifying and managing your encryption keys, ensuring they are correctly configured and up to date.

```sql
select
  alias_name,
  title,
  arn,
  target_key_id,
  creation_date
from
  aws_kms_alias;
```
List of KMS key aliases whose key has rotation disabled
List the aliases whose target key has automatic key rotation disabled in AWS Key Management Service. This is useful in identifying potential security risks, as disabling key rotation can make cryptographic keys more susceptible to compromise.

PostgreSQL:

```sql
select
  k.id as key_id,
  k.key_rotation_enabled as key_rotation_enabled,
  a.alias_name as alias_name,
  a.arn as alias_arn
from
  aws_kms_key as k,
  aws_kms_alias as a
where
  k.id = a.target_key_id
  and not key_rotation_enabled;
```

SQLite:

```sql
select
  k.id as key_id,
  k.key_rotation_enabled as key_rotation_enabled,
  a.alias_name as alias_name,
  a.arn as alias_arn
from
  aws_kms_key as k,
  aws_kms_alias as a
where
  k.id = a.target_key_id
  and key_rotation_enabled = 0;
```
List of KMS customer managed key aliases that are scheduled for deletion
List the aliases whose customer managed key has been scheduled for deletion in AWS Key Management Service (KMS). This allows you to proactively manage your encryption keys and mitigate potential security risks.

```sql
select
  a.alias_name as alias_name,
  k.id as key_id,
  k.key_state as key_state,
  k.deletion_date as key_deletion_date
from
  aws_kms_key as k,
  aws_kms_alias as a
where
  k.id = a.target_key_id
  and key_state = 'PendingDeletion';
```
Count of aliases by key id
Determine the number of aliases associated with each unique key to understand the utilization and management of keys within your AWS Key Management Service.
```sql
select
  k.id as key_id,
  count(a.alias_name) as count
from
  aws_kms_key as k
  left join aws_kms_alias as a on k.id = a.target_key_id
group by
  key_id;
```
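The queries above each check one condition. As an added example (not part of the Steampipe docs), the PostgreSQL query below folds them into a single audit pass over every alias of a customer managed key, and also flags aliases whose last_updated_date is later than their creation_date, i.e. aliases that have been re-pointed to a different key since they were created, which silently changes the key behind a stable name. It assumes the aws_kms_key table exposes key_manager, enabled, key_state, key_rotation_enabled, deletion_date, account_id and region columns; the join also matches on account and region because multi-region key replicas share one key ID across regions.

```sql
-- Added audit example for aws_kms_alias (PostgreSQL syntax).
-- Assumed aws_kms_key columns: key_manager, enabled, key_state,
-- key_rotation_enabled, deletion_date, account_id, region.
with alias_findings as (
  select
    a.alias_name,
    a.account_id,
    a.region,
    k.id as key_id,
    k.key_state,
    -- Collect every finding for this alias; nulls (no finding) are dropped.
    array_remove(
      array[
        case when not k.enabled
             then 'key disabled' end,
        case when k.key_state = 'PendingDeletion'
             then 'pending deletion on ' || k.deletion_date::text end,
        case when not k.key_rotation_enabled
             then 'rotation disabled' end,
        case when a.last_updated_date > a.creation_date
             then 'alias re-pointed since creation' end
      ],
      null
    ) as findings
  from
    aws_kms_alias as a
    join aws_kms_key as k
      on k.id = a.target_key_id
      -- Multi-region replicas reuse the same key ID in each region,
      -- so match the alias to the key in its own account and region.
      and k.account_id = a.account_id
      and k.region = a.region
  where
    -- Only customer managed keys; AWS managed keys are rotated by AWS.
    k.key_manager = 'CUSTOMER'
)
select
  alias_name,
  account_id,
  region,
  key_id,
  key_state,
  findings
from
  alias_findings
where
  cardinality(findings) > 0
order by
  cardinality(findings) desc,
  alias_name;
```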
Schema for aws_kms_alias
Name | Type | Operators | Description |
---|---|---|---|
_ctx | jsonb | | Steampipe context in JSON form. |
account_id | text | =, !=, ~~, ~~*, !~~, !~~* | The AWS Account ID in which the resource is located. |
akas | jsonb | | Array of globally unique identifier strings (also known as) for the resource. |
alias_name | text | | String that contains the alias. This value begins with alias/. |
arn | text | | String that contains the key ARN. |
creation_date | timestamp with time zone | | Date and time that the alias was most recently created in the account and Region. |
last_updated_date | timestamp with time zone | | Date and time that the alias was most recently associated with a KMS key in the account and Region. |
partition | text | | The AWS partition in which the resource is located (aws, aws-cn, or aws-us-gov). |
region | text | | The AWS Region in which the resource is located. |
sp_connection_name | text | =, !=, ~~, ~~*, !~~, !~~* | Steampipe connection name. |
sp_ctx | jsonb | | Steampipe context in JSON form. |
target_key_id | text | | String that contains the key identifier of the KMS key associated with the alias. |
title | text | | Title of the resource. |
Export
This table is available as a standalone Exporter CLI. Steampipe exporters are standalone binaries that allow you to extract data using Steampipe plugins without a database.
You can download the tarball for your platform from the Releases page, but it is simplest to install them with the steampipe_export_installer.sh script:

```sh
/bin/sh -c "$(curl -fsSL https://steampipe.io/install/export.sh)" -- aws
```

You can pass the configuration to the command with the --config argument:

```sh
steampipe_export_aws --config '<your_config>' aws_kms_alias
```