Table: gcp_kms_key_version - Query Google Cloud KMS Key Versions using SQL
Google Cloud Key Management Service (KMS) is a cloud service for managing cryptographic keys for your cloud services the same way you do on-premises. It provides the capability to create, import, manage, rotate, and destroy AES256, RSA 2048, RSA 3072, RSA 4096, EC P256, and EC P384 cryptographic keys. KMS is integrated with Cloud IAM and Cloud Audit Logging so that you can manage permissions on individual keys and monitor how these are used.
Table Usage Guide
The gcp_kms_key_version table provides insights into key versions within Google Cloud Key Management Service (KMS). As a security or compliance professional, explore key version-specific details through this table, including key material, state, and associated metadata. Utilize it to uncover information about key versions, such as those in use, the cryptographic configuration of each key version, and the verification of their lifecycle state.
Examples
Basic info
Explore the status of encryption keys in Google Cloud Platform's Key Management Service, excluding those that have been destroyed. This can be useful in identifying active keys and ensuring proper key management.
select
  key_name,
  crypto_key_version,
  title,
  state
from
  gcp_kms_key_version
where
  state <> 'DESTROYED';
List key versions older than 30 days
Explore which key versions in Google Cloud's Key Management Service are older than 30 days and have not been destroyed. This can help identify outdated keys that might need updating or deletion for security purposes.
PostgreSQL:

select
  key_name,
  create_time,
  crypto_key_version,
  state
from
  gcp_kms_key_version
where
  create_time <= (current_date - interval '30' day)
  and state <> 'DESTROYED'
order by
  create_time;

SQLite:

select
  key_name,
  create_time,
  crypto_key_version,
  state
from
  gcp_kms_key_version
where
  date(create_time) <= date('now', '-30 days')
  and state <> 'DESTROYED'
order by
  create_time;
List key versions using google symmetric encryption algorithm
Explore which encryption keys are using the Google Symmetric Encryption algorithm. This can help you assess the security measures in place and ensure that they are up to date.
select
  key_name,
  create_time,
  crypto_key_version,
  algorithm
from
  gcp_kms_key_version
where
  -- exact match; with LIKE the underscores in the value would act as single-character wildcards
  algorithm = 'GOOGLE_SYMMETRIC_ENCRYPTION'
order by
  create_time;
List disabled keys
Analyze the settings to understand which keys have been disabled in the GCP Key Management System. This can be useful for identifying potential security risks and ensuring proper key management.
select
  key_name,
  max(crypto_key_version) as crypto_key_version,
  state
from
  gcp_kms_key_version
where
  state = 'DISABLED'
group by
  key_name,
  state;
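Check key rotation per key (added example, PostgreSQL dialect; not from the Steampipe docs). For each crypto key it finds the newest ENABLED version and flags keys whose newest enabled version is older than 90 days, alongside its algorithm and protection level. The 90-day window is an assumed policy value; the column names come from the schema below.

```sql
-- Newest ENABLED version per key, identified by project/location/key ring/key.
with latest_enabled as (
  select
    project,
    location,
    key_ring_name,
    key_name,
    max(crypto_key_version) as latest_version
  from
    gcp_kms_key_version
  where
    state = 'ENABLED'
  group by
    project,
    location,
    key_ring_name,
    key_name
)
select
  v.project,
  v.location,
  v.key_ring_name,
  v.key_name,
  v.crypto_key_version,
  v.algorithm,
  v.protection_level,
  v.create_time,
  case
    -- 90 days is an assumed rotation policy; adjust to your own standard
    when v.create_time <= (current_date - interval '90' day) then 'rotation overdue'
    else 'ok'
  end as rotation_status
from
  gcp_kms_key_version as v
  join latest_enabled as l
    on v.project = l.project
    and v.location = l.location
    and v.key_ring_name = l.key_ring_name
    and v.key_name = l.key_name
    and v.crypto_key_version = l.latest_version
order by
  v.create_time;
```

Keys that have no ENABLED version at all (only DISABLED or DESTROYED ones) do not appear in this result; the "List disabled keys" query above covers that case.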
Schema for gcp_kms_key_version
Name | Type | Operators | Description |
---|---|---|---|
_ctx | jsonb | | Steampipe context in JSON form. |
akas | jsonb | | Array of globally unique identifier strings (also known as) for the resource. |
algorithm | text | | The CryptoKeyVersionAlgorithm that this CryptoKeyVersion supports. |
attestation | jsonb | | Statement that was generated and signed by the HSM at key creation time. |
create_time | timestamp with time zone | | The time at which this CryptoKeyVersion was created. |
crypto_key_version | bigint | = | The CryptoKeyVersion of the resource. |
destroy_event_time | timestamp with time zone | | The time this CryptoKeyVersion's key material was destroyed. |
destroy_time | timestamp with time zone | | The time this CryptoKeyVersion's key material is scheduled for destruction. |
external_key_uri | text | | The URI for an external resource that this CryptoKeyVersion represents. |
generate_time | timestamp with time zone | | The time this CryptoKeyVersion's key material was generated. |
import_failure_reason | text | | The root cause of an import failure. |
import_job | text | | The name of the ImportJob used to import this CryptoKeyVersion. |
key_name | text | = | The resource name for the CryptoKeyVersion. |
key_ring_name | text | = | The resource name for the KeyRing. |
location | text | = | The GCP multi-region, region, or zone in which the resource is located. |
project | text | =, !=, ~~, ~~*, !~~, !~~* | The GCP Project in which the resource is located. |
protection_level | text | | The ProtectionLevel describing how crypto operations are performed with this CryptoKeyVersion. |
self_link | text | | Server-defined URL for the resource. |
sp_connection_name | text | =, !=, ~~, ~~*, !~~, !~~* | Steampipe connection name. |
sp_ctx | jsonb | | Steampipe context in JSON form. |
state | text | | The current state of the CryptoKeyVersion. |
title | text | | Title of the resource. |
Export
This table is available as a standalone Exporter CLI. Steampipe exporters are standalone binaries that allow you to extract data using Steampipe plugins without a database.
You can download the tarball for your platform from the Releases page, but it is simplest to install them with the steampipe_export_installer.sh script:
/bin/sh -c "$(curl -fsSL https://steampipe.io/install/export.sh)" -- gcp
You can pass the configuration to the command with the --config argument:
steampipe_export_gcp --config '<your_config>' gcp_kms_key_version