Table: gcp_kms_key - Query Google Cloud KMS Keys using SQL
Google Cloud Key Management Service (KMS) is a cloud service for managing encryption keys on Google Cloud. This service allows you to generate, use, rotate, and destroy AES256, RSA 2048, RSA 3072, RSA 4096, EC P256, and EC P384 cryptographic keys. KMS is integrated with Cloud IAM and Cloud Audit Logging so that you can manage permissions on individual keys and monitor how these are used.
Table Usage Guide
The gcp_kms_key table provides insights into the cryptographic keys managed by Google Cloud KMS. As a security engineer, you can explore key-specific details through this table, including key versions, key state, and associated metadata. Use it to review key usage, rotation schedules, and the IAM permissions granted on each key.
Examples
Basic info
Explore which cryptographic keys in the Google Cloud Platform have been created and their rotation periods. This can be useful in managing the lifecycle of your keys and ensuring regular key rotation for enhanced security.
PostgreSQL:

```sql
select
  name,
  create_time,
  rotation_period
from
  gcp_kms_key;
```

SQLite:

```sql
select
  name,
  create_time,
  rotation_period
from
  gcp_kms_key;
```
List keys older than 30 days
Explore which KMS keys were created more than 30 days ago. This can help in maintaining security standards by regularly rotating or retiring older keys.
PostgreSQL:

```sql
select
  name,
  create_time,
  rotation_period
from
  gcp_kms_key
where
  create_time <= (current_date - interval '30' day)
order by
  create_time;
```

SQLite:

```sql
select
  name,
  create_time,
  rotation_period
from
  gcp_kms_key
where
  date(create_time) <= date('now', '-30 day')
order by
  create_time;
```
List keys with rotation period greater than 90 days (7776000 seconds)
Find encryption keys whose rotation period exceeds 90 days. The rotation_period column is a duration string such as "7776000s", so the queries strip the trailing "s" and compare the numeric value; 90 days is the threshold the CIS benchmarks listed below use.
PostgreSQL:

```sql
select
  name,
  create_time,
  rotation_period
from
  gcp_kms_key
where
  split_part(rotation_period, 's', 1) :: int > 7776000;
```

SQLite:

```sql
select
  name,
  create_time,
  rotation_period
from
  gcp_kms_key
where
  cast(substr(rotation_period, 1, instr(rotation_period, 's') - 1) as integer) > 7776000;
```
List publicly accessible keys
This query pinpoints keys whose IAM policy grants a role to allUsers or allAuthenticatedUsers, making the key usable by anyone or by any authenticated Google account. Removing such bindings helps maintain data confidentiality and prevents unauthorized use of the key.
PostgreSQL:

```sql
select distinct
  name,
  key_ring_name,
  location
from
  gcp_kms_key,
  jsonb_array_elements(iam_policy -> 'bindings') as b
where
  b -> 'members' ?| array ['allAuthenticatedUsers', 'allUsers'];
```

SQLite:

```sql
select distinct
  k.name,
  k.key_ring_name,
  k.location
from
  gcp_kms_key k,
  json_each(k.iam_policy, '$.bindings') as b
where
  json_extract(b.value, '$.members') like '%allAuthenticatedUsers%'
  or json_extract(b.value, '$.members') like '%allUsers%';
```
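As an added example (not part of the Steampipe docs or plugin), the two checks expressed by the rotation-period and public-access queries above, implemented in Python over constructed sample rows shaped like this table's rotation_period and iam_policy columns. It also handles a null rotation_period (automatic rotation disabled) and fractional-second durations, which the split-on-"s" integer cast in the SQL above does not.

```python
# Constructed sample rows shaped like gcp_kms_key columns (not real keys).
SAMPLE_KEYS = [
    {"name": "key-a", "rotation_period": "2592000s",  # 30 days
     "iam_policy": {"bindings": [{"role": "roles/cloudkms.cryptoKeyEncrypter",
                                  "members": ["serviceAccount:app@example.iam.gserviceaccount.com"]}]}},
    {"name": "key-b", "rotation_period": "15552000s",  # 180 days
     "iam_policy": {"bindings": [{"role": "roles/cloudkms.cryptoKeyEncrypterDecrypter",
                                  "members": ["user:alice@example.com", "allUsers"]}]}},
    {"name": "key-c", "rotation_period": None,  # automatic rotation disabled
     "iam_policy": {"bindings": []}},
]

PUBLIC_MEMBERS = {"allUsers", "allAuthenticatedUsers"}
MAX_ROTATION_SECONDS = 90 * 24 * 3600  # 7776000, the CIS 1.10 threshold

def rotation_seconds(period):
    """Parse a KMS Duration string such as '7776000s'; fractional seconds are allowed."""
    if not period:
        return None  # no automatic rotation configured
    if not period.endswith("s"):
        raise ValueError(f"unexpected rotation_period format: {period!r}")
    return float(period[:-1])

def rotation_too_long(key, limit=MAX_ROTATION_SECONDS):
    """True when automatic rotation is disabled or the period exceeds the limit."""
    secs = rotation_seconds(key.get("rotation_period"))
    return secs is None or secs > limit

def public_members(key):
    """Return the public principals present in any binding of the key's IAM policy."""
    bindings = (key.get("iam_policy") or {}).get("bindings") or []
    return sorted({m for b in bindings for m in b.get("members", []) if m in PUBLIC_MEMBERS})

def evaluate(keys):
    """Map each failing key name to its list of findings."""
    findings = {}
    for key in keys:
        issues = []
        if rotation_too_long(key):
            issues.append("rotation disabled or period > 90 days")
        public = public_members(key)
        if public:
            issues.append("public members: " + ", ".join(public))
        if issues:
            findings[key["name"]] = issues
    return findings

if __name__ == "__main__":
    for name, issues in evaluate(SAMPLE_KEYS).items():
        print(name, "->", "; ".join(issues))
```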
Query examples
- kms_key_1_year_count
- kms_key_24_hours_count
- kms_key_30_90_days_count
- kms_key_30_days_count
- kms_key_90_365_days_count
- kms_key_age_table
- kms_key_algorithm
- kms_key_by_creation_month
- kms_key_by_location
- kms_key_by_project
- kms_key_count
- kms_key_key_ring_name
- kms_key_name_input
- kms_key_name_overview
- kms_key_name_tags
- kms_key_protection_level
- kms_key_purpose
- kms_key_rings_for_kms_key
- kms_key_rotation_period
- kms_keys_for_compute_disk
- kms_keys_for_kubernetes_cluster
- kms_keys_for_pubsub_topic
- kms_keys_for_sql_database_instance
- kms_keys_for_storage_bucket
- kms_rotation_disabled_count
- pubsub_topic_encryption_details
- sql_database_instance_encryption_detail
- storage_bucket_encryption_detail
- storage_bucket_encryption_table
Control examples
- Check that CMEK rotation policy is in place and is sufficiently short
- CIS v1.2.0 > 1 Identity and Access Management > 1.10 Ensure KMS encryption keys are rotated within a period of 90 days
- CIS v1.2.0 > 1 Identity and Access Management > 1.9 Ensure that Cloud KMS cryptokeys are not anonymously or publicly accessible
- CIS v1.3.0 > 1 Identity and Access Management > 1.10 Ensure KMS encryption keys are rotated within a period of 90 days
- CIS v1.3.0 > 1 Identity and Access Management > 1.9 Ensure that Cloud KMS cryptokeys are not anonymously or publicly accessible
- CIS v2.0.0 > 1 Identity and Access Management > 1.10 Ensure KMS encryption keys are rotated within a period of 90 days
- CIS v2.0.0 > 1 Identity and Access Management > 1.9 Ensure that Cloud KMS cryptokeys are not anonymously or publicly accessible
- CIS v3.0.0 > 1 Identity and Access Management > 1.10 Ensure KMS Encryption Keys Are Rotated Within a Period of 90 Days
- CIS v3.0.0 > 1 Identity and Access Management > 1.9 Ensure That Cloud KMS Cryptokeys Are Not Anonymously or Publicly Accessible
- Ensure KMS encryption keys are rotated within a period of 90 days
- Ensure KMS encryption keys has three or less than three number of users
- Ensure that Cloud KMS cryptokeys are not anonymously or publicly accessible
Schema for gcp_kms_key
Name | Type | Operators | Description |
---|---|---|---|
_ctx | jsonb | | Steampipe context in JSON form. |
akas | jsonb | | Array of globally unique identifier strings (also known as) for the resource. |
create_time | timestamp with time zone | | The time at which this CryptoKey was created. |
iam_policy | jsonb | | An Identity and Access Management (IAM) policy, which specifies access controls for Google Cloud resources. A `Policy` is a collection of `bindings`. A `binding` binds one or more `members` to a single `role`. Members can be user accounts, service accounts, Google groups, and domains (such as G Suite). A `role` is a named list of permissions; each `role` can be an IAM predefined role or a user-created custom role. For some types of Google Cloud resources, a `binding` can also specify a `condition`, which is a logical expression that allows access to a resource only if the expression evaluates to `true`. |
key_ring_name | text | = | The resource name for the KeyRing. |
labels | jsonb | | Labels with user-defined metadata. |
location | text | = | The GCP multi-region, region, or zone in which the resource is located. |
name | text | = | The resource name for the CryptoKey. |
next_rotation_time | timestamp with time zone | | At next rotation time, the Key Management Service will automatically: 1. Create a new version of this CryptoKey. 2. Mark the new version as primary. |
primary | jsonb | | A copy of the primary CryptoKeyVersion that will be used by Encrypt when this CryptoKey is given in EncryptRequest.name. |
project | text | =, !=, ~~, ~~*, !~~, !~~* | The GCP Project in which the resource is located. |
purpose | text | !=, = | The immutable purpose of this CryptoKey. |
rotation_period | text | !=, = | Next rotation time will be advanced by this period when the service automatically rotates a key. |
self_link | text | | Server-defined URL for the resource. |
sp_connection_name | text | =, !=, ~~, ~~*, !~~, !~~* | Steampipe connection name. |
sp_ctx | jsonb | | Steampipe context in JSON form. |
tags | jsonb | | A map of tags for the resource. |
title | text | | Title of the resource. |
version_template | jsonb | | A template describing settings for new CryptoKeyVersion instances. |
Export
This table is available as a standalone Exporter CLI. Steampipe exporters are stand-alone binaries that allow you to extract data using Steampipe plugins without a database.
You can download the tarball for your platform from the Releases page, but it is simplest to install them with the steampipe_export_installer.sh script:

```sh
/bin/sh -c "$(curl -fsSL https://steampipe.io/install/export.sh)" -- gcp
```
You can pass the configuration to the command with the --config argument:

```sh
steampipe_export_gcp --config '<your_config>' gcp_kms_key
```