Table: gcp_kms_key_version - Query Google Cloud KMS Key Versions using SQL

Google Cloud Key Management Service (KMS) is a cloud service for managing cryptographic keys for your cloud services the same way you do on-premises. It provides the capability to create, import, manage, rotate, and destroy AES256, RSA 2048, RSA 3072, RSA 4096, EC P256, and EC P384 cryptographic keys. KMS is integrated with Cloud IAM and Cloud Audit Logging so that you can manage permissions on individual keys and monitor how these are used.

Table Usage Guide

The gcp_kms_key_version table provides insights into key versions within Google Cloud Key Management Service (KMS). As a security or compliance professional, explore key version-specific details through this table, including key material, state, and associated metadata. Utilize it to uncover information about key versions, such as those in use, the cryptographic configuration of each key version, and the verification of their lifecycle state.

Examples

Basic info

Explore the status of encryption keys in Google Cloud Platform's Key Management Service, excluding those that have been destroyed. This can be useful in identifying active keys and ensuring proper key management.

select
  key_name,
  crypto_key_version,
  title,
  state
from
  gcp_kms_key_version
where
  state <> 'DESTROYED';

select
  key_name,
  crypto_key_version,
  title,
  state
from
  gcp_kms_key_version
where
  state <> 'DESTROYED';

List key versions older than 30 days

Explore which key versions in Google Cloud's Key Management Service are older than 30 days and have not been destroyed. This can help identify outdated keys that might need updating or deletion for security purposes.

select
  key_name,
  create_time,
  crypto_key_version,
  state
from
  gcp_kms_key_version
where
  create_time <= (current_date - interval '30' day)
  and state <> 'DESTROYED'
order by
  create_time;

select
  key_name,
  create_time,
  crypto_key_version,
  state
from
  gcp_kms_key_version
where
  date(create_time) <= date('now', '-30 days')
  and state <> 'DESTROYED'
order by
  create_time;

List key versions using google symmetric encryption algorithm

Explore which encryption keys are using the Google Symmetric Encryption algorithm. This can help you assess the security measures in place and ensure that they are up to date.

select
  key_name,
  create_time,
  crypto_key_version,
  algorithm
from
  gcp_kms_key_version
where
  algorithm like 'GOOGLE_SYMMETRIC_ENCRYPTION'
order by
  create_time;

select
  key_name,
  create_time,
  crypto_key_version,
  algorithm
from
  gcp_kms_key_version
where
  algorithm like 'GOOGLE_SYMMETRIC_ENCRYPTION'
order by
  create_time;

List disabled keys

Analyze the settings to understand which keys have been disabled in the GCP Key Management System. This can be useful for identifying potential security risks and ensuring proper key management.

select
  key_name,
  max(crypto_key_version) crypto_key_version,
  state
from
  gcp_kms_key_version
where
  state like 'DISABLED'
group by
  key_name,
  state;

select
  key_name,
  max(crypto_key_version) as crypto_key_version,
  state
from
  gcp_kms_key_version
where
  state like 'DISABLED'
group by
  key_name,
  state;

Query examples

Schema for gcp_kms_key_version

Name	Type	Operators	Description
_ctx	jsonb		Steampipe context in JSON form, e.g. connection_name.
akas	jsonb		Array of globally unique identifier strings (also known as) for the resource.
algorithm	text		The CryptoKeyVersionAlgorithm that this CryptoKeyVersion supports.
attestation	jsonb		Statement that was generated and signed by the HSM at key creation time.
create_time	timestamp with time zone		The time at which this CryptoKeyVersion was created.
crypto_key_version	bigint	=	The CryptoKeyVersion of the resource.
destroy_event_time	timestamp with time zone		The time this CryptoKeyVersion's key material was destroyed.
destroy_time	timestamp with time zone		The time this CryptoKeyVersion's key material is scheduled for destruction.
external_key_uri	text		The URI for an external resource that this CryptoKeyVersion represents.
generate_time	timestamp with time zone		The time this CryptoKeyVersion's key material was generated.
import_failure_reason	text		The root cause of an import failure.
import_job	text		The name of the ImportJob used to import this CryptoKeyVersion.
key_name	text	=	The resource name for the CryptoKeyVersion.
key_ring_name	text	=	The resource name for the KeyRing.
location	text	=	The GCP multi-region, region, or zone in which the resource is located.
project	text		The GCP Project in which the resource is located.
protection_level	text		The ProtectionLevel describing how crypto operations are performed with this CryptoKeyVersion.
self_link	text		Server-defined URL for the resource.
state	text		The current state of the CryptoKeyVersion.
title	text		Title of the resource.

Export

This table is available as a standalone Exporter CLI. Steampipe exporters are stand-alone binaries that allow you to extract data using Steampipe plugins without a database.

You can download the tarball for your platform from the Releases page, but it is simplest to install them with the steampipe_export_installer.sh script:

/bin/sh -c "$(curl -fsSL https://steampipe.io/install/export.sh)" -- gcp

You can pass the configuration to the command with the --config argument:

steampipe_export_gcp --config '<your_config>' gcp_kms_key_version