Table: aws_kms_key - Query AWS KMS Key using SQL
The AWS Key Management Service (KMS) is a managed service that makes it easy for you to create and control the cryptographic keys used to encrypt your data. It provides a highly available key storage, management, and auditing solution for you to encrypt data within your own applications and control the encryption of stored data across AWS services. With AWS KMS, you can protect your keys from unauthorized use by defining key policies and IAM policies.
Table Usage Guide
The aws_kms_key table in Steampipe provides you with information about Key Management Service (KMS) keys within AWS. This table allows you, as a DevOps or security engineer, to query key-specific details, including cryptographic details, key usage, key state, and associated metadata. You can use this table to gather insights on keys, such as key rotation status, key type, key origin, key state, and the key policy itself. The schema outlines the various attributes of the KMS key for you, including the key ARN, creation date, key state, key usage, and associated tags.
Examples
Basic info
Explore which AWS Key Management Service (KMS) keys have been created and who manages them. This is useful for auditing security practices and understanding the distribution of access control within your AWS environment.
PostgreSQL:

```sql
select
  id,
  title,
  arn,
  key_manager,
  creation_date
from
  aws_kms_key;
```

SQLite:

```sql
select
  id,
  title,
  arn,
  key_manager,
  creation_date
from
  aws_kms_key;
```
List of KMS keys where key rotation is not enabled
Identify AWS KMS keys for which automatic key rotation is not enabled. Keys without regular rotation expose more data under a single key version, so this is a standard hardening check. Note that automatic rotation applies only to symmetric encryption keys whose key material was generated by KMS; AWS managed keys are rotated by AWS and the setting cannot be changed, and asymmetric keys, HMAC keys, and keys with imported or custom key store material cannot be rotated automatically, so this unfiltered query also returns keys where the finding is not actionable.
PostgreSQL:

```sql
select
  id,
  key_rotation_enabled
from
  aws_kms_key
where
  not key_rotation_enabled;
```

SQLite:

```sql
select
  id,
  key_rotation_enabled
from
  aws_kms_key
where
  key_rotation_enabled = 0;
```
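The following query is an added example for this page, not one of the Steampipe documentation's own queries. It narrows the rotation check to the keys the CIS "rotation for customer-created symmetric CMKs" controls actually cover, and labels the rest with the reason rotation is not applicable, so that a report does not mix real findings with keys that could never rotate. The filter values are the AWS KMS API enum strings (`CUSTOMER`, `SYMMETRIC_DEFAULT`, `ENCRYPT_DECRYPT`, `AWS_KMS`, `Enabled`); the `assessment` labels are arbitrary text chosen here. It uses PostgreSQL boolean syntax; on SQLite replace `not key_rotation_enabled` with `key_rotation_enabled = 0`.

```sql
-- Classify every non-rotating key. Only the last branch is an actionable
-- finding: a customer-managed, enabled, symmetric encryption key with
-- KMS-generated material that has automatic rotation switched off.
select
  id,
  region,
  key_manager,
  customer_master_key_spec,
  key_usage,
  origin,
  key_state,
  key_rotation_enabled,
  case
    when key_manager = 'AWS'
      then 'not actionable: AWS managed key, rotation controlled by AWS'
    when origin <> 'AWS_KMS'
      then 'not actionable: imported or custom key store material, automatic rotation unsupported'
    when customer_master_key_spec <> 'SYMMETRIC_DEFAULT'
       or key_usage <> 'ENCRYPT_DECRYPT'
      then 'not actionable: asymmetric or HMAC key, automatic rotation unsupported'
    when key_state <> 'Enabled'
      then 'review: key not enabled (state ' || key_state || ')'
    else 'finding: symmetric customer managed key without automatic rotation'
  end as assessment
from
  aws_kms_key
where
  not key_rotation_enabled
order by
  assessment,
  region,
  id;
```

To get just the findings for a compliance report, wrap the query as a subselect and filter on `assessment like 'finding:%'`, or move the four `not actionable` conditions into the `where` clause as `key_manager = 'CUSTOMER' and origin = 'AWS_KMS' and customer_master_key_spec = 'SYMMETRIC_DEFAULT' and key_usage = 'ENCRYPT_DECRYPT' and key_state = 'Enabled'`.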
List of KMS Customer Managed keys scheduled for deletion
Identify customer managed keys that are scheduled for deletion in AWS KMS. A key in the PendingDeletion state stays there for its waiting period (7 to 30 days) and cannot be used for cryptographic operations, but the deletion can still be cancelled until the waiting period ends. Reviewing this list helps you manage the key lifecycle and catch a pending deletion before data encrypted under the key becomes unrecoverable.
PostgreSQL:

```sql
select
  id,
  key_state,
  deletion_date
from
  aws_kms_key
where
  key_state = 'PendingDeletion';
```

SQLite:

```sql
select
  id,
  key_state,
  deletion_date
from
  aws_kms_key
where
  key_state = 'PendingDeletion';
```
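A key stops working not only when it is deleted but also when imported key material expires, which this table exposes through the `valid_to` column. The query below is an added example (not from the Steampipe documentation) that combines both cases into one "keys about to become unusable" report with a countdown in days, so that a pending deletion can still be cancelled and expiring material re-imported in time. The 7 and 30 day windows are arbitrary thresholds chosen for the example, and the query relies on PostgreSQL interval arithmetic and `extract`, so it is not SQLite-compatible as written.

```sql
-- Keys that will stop serving requests soon, with the reason and days left.
-- PendingDeletion: the deletion can still be cancelled before deletion_date.
-- EXTERNAL origin: imported material becomes unusable at valid_to.
select
  id,
  region,
  aliases,
  key_state,
  origin,
  deletion_date,
  valid_to,
  case
    when key_state = 'PendingDeletion'
      then 'scheduled deletion in '
           || extract(day from deletion_date - now())::int || ' days'
    else 'imported key material expires in '
         || extract(day from valid_to - now())::int || ' days'
  end as risk
from
  aws_kms_key
where
  (
    key_state = 'PendingDeletion'
    and deletion_date <= now() + interval '7 days'
  )
  or (
    origin = 'EXTERNAL'
    and valid_to is not null
    and valid_to <= now() + interval '30 days'
  )
order by
  coalesce(deletion_date, valid_to);
```

The `aliases` column is included because an alias is usually how applications reference a key; a pending deletion on a key that still carries a production alias is the case to escalate first.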
List of unused Customer Managed Keys
List customer managed keys that are currently disabled. A disabled key cannot be used for cryptographic operations until it is re-enabled, so these are candidates for cleanup (scheduling deletion) or for re-enabling if something still depends on them. Note that "disabled" is not the same as "never used": an enabled key that no caller touches will not appear here, and usage frequency has to come from CloudTrail, not from this table.
PostgreSQL:

```sql
select
  id,
  enabled as key_enabled
from
  aws_kms_key
where
  not enabled;
```

SQLite:

```sql
select
  id,
  enabled as key_enabled
from
  aws_kms_key
where
  enabled = 0;
```
Count of AWS KMS keys by Key manager
Count your AWS KMS keys grouped by key manager (AWS managed versus customer managed). This gives a quick picture of how many keys you are responsible for configuring and rotating yourself, which is useful for security audits and compliance reviews.
PostgreSQL:

```sql
select
  key_manager,
  count(key_manager) as count
from
  aws_kms_key
group by
  key_manager;
```

SQLite:

```sql
select
  key_manager,
  count(key_manager) as count
from
  aws_kms_key
group by
  key_manager;
```
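The most security-relevant column in this table is `policy_std`, the key policy in Steampipe's canonical form, which is what the "KMS CMK policies should prohibit public access" control in the list below is built on. The query here is an added example, not one of the documentation's own, showing how to unnest the policy and find Allow statements granted to any AWS principal without a Condition block. It assumes the canonical form represents principals as a `{"AWS": [...]}` object with an array of strings (so a wildcard principal appears as `"*"` in that array) and that a statement with no Condition has no `Condition` key at all; the jsonb operators make this a PostgreSQL-only query.

```sql
-- Customer managed keys whose key policy contains an unconditional Allow
-- for the wildcard principal. Each matching statement is returned as a row
-- so the Sid and granted actions can be reviewed directly.
select
  k.id,
  k.arn,
  k.region,
  s ->> 'Sid' as sid,
  s -> 'Principal' as principal,
  s -> 'Action' as action
from
  aws_kms_key as k,
  jsonb_array_elements(k.policy_std -> 'Statement') as s
where
  k.key_manager = 'CUSTOMER'
  and s ->> 'Effect' = 'Allow'
  and (
    s -> 'Principal' -> 'AWS' ? '*'   -- {"AWS": ["*"]}
    or s -> 'Principal' ? '*'         -- bare "*" principal, if not normalised
  )
  and s -> 'Condition' is null        -- no condition limiting the grant
order by
  k.region,
  k.id;
```

A statement that matches is only truly public if nothing else restricts it, so when tuning this check for your environment treat statements that carry a Condition (for example on `kms:CallerAccount` or `kms:ViaService`) as a separate, lower-severity bucket rather than ignoring them.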
Query examples
- dynamodb_table_aws_managed_key_encryption
- dynamodb_table_customer_managed_key_encryption
- dynamodb_table_encryption_table
- key_policy_std_for_kms_key
- kms_cmk_lifecycle_table
- kms_cmk_pending_deletion_count
- kms_cmk_rotation_disabled_count
- kms_customer_managed_key_count
- kms_key_1_year_count
- kms_key_24_hours_count
- kms_key_30_90_days_count
- kms_key_30_days_count
- kms_key_90_365_days_count
- kms_key_age
- kms_key_age_table
- kms_key_aliases
- kms_key_by_account
- kms_key_by_creation_month
- kms_key_by_region
- kms_key_by_state
- kms_key_count
- kms_key_disabled_count
- kms_key_input
- kms_key_origin
- kms_key_overview
- kms_key_policy
- kms_key_rotation_disabled_count
- kms_key_rotation_enabled
- kms_key_state
- kms_key_tags
- kms_key_type
- kms_keys_for_codepipeline_pipeline
- kms_keys_for_s3_bucket
- kms_keys_for_sqs_queue
- s3_buckets_for_kms_key
- sns_topics_for_kms_key
- sqs_queues_for_kms_key
Control examples
- All Controls > ElastiCache > ElastiCache for Redis replication groups should be encrypted with CMK
- All Controls > KMS > KMS CMK policies should prohibit public access
- All Controls > KMS > KMS key should be in use
- All Controls > RDS > RDS DB clusters should be encrypted with CMK
- All Controls > Redshift > Redshift clusters should be encrypted with CMK
- All Controls > SageMaker > SageMaker notebook instances should be encrypted using CMK
- AWS Foundational Security Best Practices > KMS > 3 AWS KMS keys should not be unintentionally deleted
- CIS v1.2.0 > 2 Logging > 2.8 Ensure rotation for customer created CMKs is enabled
- CIS v1.3.0 > 3 Logging > 3.8 Ensure rotation for customer created CMKs is enabled
- CIS v1.4.0 > 3 Logging > 3.8 Ensure rotation for customer created CMKs is enabled
- CIS v1.5.0 > 3 Logging > 3.8 Ensure rotation for customer created symmetric CMKs is enabled
- CIS v2.0.0 > 3 Logging > 3.8 Ensure rotation for customer created symmetric CMKs is enabled
- CIS v3.0.0 > 3 Logging > 3.6 Ensure rotation for customer-created symmetric CMKs is enabled
- EFS file systems should be encrypted with CMK
- KMS CMK rotation should be enabled
- KMS keys should not be pending deletion
- Secrets Manager secrets should be encrypted using CMK
Schema for aws_kms_key
| Name | Type | Operators | Description |
|---|---|---|---|
| _ctx | jsonb | | Steampipe context in JSON form. |
| account_id | text | =, !=, ~~, ~~*, !~~, !~~* | The AWS Account ID in which the resource is located. |
| akas | jsonb | | Array of globally unique identifier strings (also known as) for the resource. |
| aliases | jsonb | | A list of aliases for the key. |
| arn | text | | ARN of the key. |
| aws_account_id | text | | The twelve-digit account ID of the AWS account that owns the CMK. |
| creation_date | timestamp with time zone | | The date and time when the CMK was created. |
| customer_master_key_spec | text | | Describes the type of key material in the CMK. |
| deletion_date | timestamp with time zone | | The date and time after which AWS KMS deletes the CMK. |
| description | text | | The description of the CMK. |
| enabled | boolean | | Specifies whether the CMK is enabled. When KeyState is Enabled this value is true, otherwise it is false. |
| id | text | = | Unique identifier of the key. |
| key_manager | text | | The manager of the CMK. CMKs in your AWS account are either customer managed or AWS managed. |
| key_rotation_enabled | boolean | | A Boolean value that specifies whether key rotation is enabled. |
| key_state | text | | The current status of the CMK. For more information about how key state affects the use of a CMK, see [Key state: Effect on your CMK](https://docs.aws.amazon.com/kms/latest/developerguide/key-state.html). |
| key_usage | text | | The [cryptographic operations](https://docs.aws.amazon.com/kms/latest/developerguide/concepts.html#cryptographic-operations) for which you can use the CMK. |
| origin | text | | The source of the CMK's key material. When this value is AWS_KMS, AWS KMS created the key material. When this value is EXTERNAL, the key material was imported from your existing key management infrastructure or the CMK lacks key material. When this value is AWS_CLOUDHSM, the key material was created in the AWS CloudHSM cluster associated with a custom key store. |
| partition | text | | The AWS partition in which the resource is located (aws, aws-cn, or aws-us-gov). |
| policy | jsonb | | A key policy document in JSON format. |
| policy_std | jsonb | | Contains the policy in a canonical form for easier searching. |
| region | text | | The AWS Region in which the resource is located. |
| sp_connection_name | text | =, !=, ~~, ~~*, !~~, !~~* | Steampipe connection name. |
| sp_ctx | jsonb | | Steampipe context in JSON form. |
| tags | jsonb | | A map of tags for the resource. |
| tags_src | jsonb | | A list of tags attached to the key. |
| title | text | | Title of the resource. |
| valid_to | timestamp with time zone | | The time at which the imported key material expires. |
Export
This table is available as a standalone Exporter CLI. Steampipe exporters are stand-alone binaries that allow you to extract data using Steampipe plugins without a database.

You can download the tarball for your platform from the Releases page, but it is simplest to install them with the steampipe_export_installer.sh script:

```sh
/bin/sh -c "$(curl -fsSL https://steampipe.io/install/export.sh)" -- aws
```
You can pass the configuration to the command with the --config argument:

```sh
steampipe_export_aws --config '<your_config>' aws_kms_key
```