Table: aws_kms_key - Query AWS KMS Key using SQL
The AWS Key Management Service (KMS) is a managed service that makes it easy for you to create and control the cryptographic keys used to encrypt your data. It provides a highly available key storage, management, and auditing solution for you to encrypt data within your own applications and control the encryption of stored data across AWS services. With AWS KMS, you can protect your keys from unauthorized use by defining key policies and IAM policies.
Table Usage Guide
The aws_kms_key
table in Steampipe provides you with information about Key Management Service (KMS) keys within AWS. This table allows you, as a DevOps engineer, to query key-specific details, including cryptographic details, key usage, key state, and associated metadata. You can utilize this table to gather insights on keys, such as keys rotation status, key type, key state, and more. The schema outlines the various attributes of the KMS key for you, including the key ARN, creation date, key state, key usage, and associated tags.
Examples
Basic info
Explore which AWS Key Management Service (KMS) keys have been created and who manages them. This is useful for auditing security practices and understanding the distribution of access control within your AWS environment.
select id, title, arn, key_manager, creation_datefrom aws_kms_key;
select id, title, arn, key_manager, creation_datefrom aws_kms_key;
List of KMS keys where key rotation is not enabled
Identify instances where key rotation is not enabled for your AWS KMS keys. This can help enhance your security posture by revealing keys that may be vulnerable due to lack of regular rotation.
select id, key_rotation_enabledfrom aws_kms_keywhere not key_rotation_enabled;
select id, key_rotation_enabledfrom aws_kms_keywhere key_rotation_enabled = 0;
List of KMS Customer Managed keys scheduled for deletion
Identify instances where customer-managed keys are scheduled for deletion in the AWS Key Management Service. This can help in managing key lifecycle and preventing accidental loss of access to AWS resources.
select id, key_state, deletion_datefrom aws_kms_keywhere key_state = 'PendingDeletion';
select id, key_state, deletion_datefrom aws_kms_keywhere key_state = 'PendingDeletion';
List of unused Customer Managed Keys
Discover the segments that consist of inactive customer-managed keys, enabling you to identify potential areas for resource optimization and enhanced security management.
select id, enabled as key_enabledfrom aws_kms_keywhere not enabled;
select id, enabled as key_enabledfrom aws_kms_keywhere enabled = 0;
Count of AWS KMS keys by Key manager
Discover the segments that utilize AWS Key Management Service (KMS) keys by grouping them according to their key manager. This can provide insights into the distribution and management of your encryption keys, aiding in security audits and compliance reviews.
select key_manager, count(key_manager) as countfrom aws_kms_keygroup by key_manager;
select key_manager, count(key_manager) as countfrom aws_kms_keygroup by key_manager;
Schema for aws_kms_key
Name | Type | Operators | Description |
---|---|---|---|
_ctx | jsonb | Steampipe context in JSON form. | |
account_id | text | =, !=, ~~, ~~*, !~~, !~~* | The AWS Account ID in which the resource is located. |
akas | jsonb | Array of globally unique identifier strings (also known as) for the resource. | |
aliases | jsonb | A list of aliases for the key. | |
arn | text | ARN of the key. | |
aws_account_id | text | The twelve-digit account ID of the AWS account that owns the CMK. | |
creation_date | timestamp with time zone | The date and time when the CMK was created. | |
customer_master_key_spec | text | Describes the type of key material in the CMK. | |
deletion_date | timestamp with time zone | The date and time after which AWS KMS deletes the CMK. | |
description | text | The description of the CMK. | |
enabled | boolean | Specifies whether the CMK is enabled. When KeyState is Enabled this value is true, otherwise it is false. | |
id | text | = | Unique identifier of the key. |
key_manager | text | The manager of the CMK. CMKs in your AWS account are either customer managed or AWS managed. | |
key_rotation_enabled | boolean | A Boolean value that specifies whether key rotation is enabled. | |
key_state | text | The current status of the CMK. For more information about how key state affects the use of a CMK, see [Key state: Effect on your CMK](https://docs.aws.amazon.com/kms/latest/developerguide/key-state.html). | |
key_usage | text | The [cryptographic operations](https://docs.aws.amazon.com/kms/latest/developerguide/concepts.html#cryptographic-operations) for which you can use the CMK. | |
multi_region | boolean | Specifies whether the CMK is KMS key is a multi-Region (true) or regional (false) key. | |
multi_region_configuration | jsonb | Lists the primary and replica keys in same multi-Region key. | |
origin | text | The source of the CMK's key material. When this value is AWS_KMS, AWS KMS created the key material. When this value is EXTERNAL, the key material was imported from your existing key management infrastructure or the CMK lacks key material. When this value is AWS_CLOUDHSM, the key material was created in the AWS CloudHSM cluster associated with a custom key store. | |
partition | text | The AWS partition in which the resource is located (aws, aws-cn, or aws-us-gov). | |
policy | jsonb | A key policy document in JSON format. | |
policy_std | jsonb | Contains the policy in a canonical form for easier searching. | |
region | text | The AWS Region in which the resource is located. | |
sp_connection_name | text | =, !=, ~~, ~~*, !~~, !~~* | Steampipe connection name. |
sp_ctx | jsonb | Steampipe context in JSON form. | |
tags | jsonb | A map of tags for the resource. | |
tags_src | jsonb | A list of tags attached to key. | |
title | text | Title of the resource. | |
valid_to | timestamp with time zone | The time at which the imported key material expires. |
Export
This table is available as a standalone Exporter CLI. Steampipe exporters are stand-alone binaries that allow you to extract data using Steampipe plugins without a database.
You can download the tarball for your platform from the Releases page, but it is simplest to install them with the steampipe_export_installer.sh
script:
/bin/sh -c "$(curl -fsSL https://steampipe.io/install/export.sh)" -- aws
You can pass the configuration to the command with the --config
argument:
steampipe_export_aws --config '<your_config>' aws_kms_key