steampipe plugin install gcp

Table: gcp_kms_key_version - Query Google Cloud KMS Key Versions using SQL

Google Cloud Key Management Service (KMS) is a cloud service for managing cryptographic keys for your cloud services the same way you do on-premises. It provides the capability to create, import, manage, rotate, and destroy AES256, RSA 2048, RSA 3072, RSA 4096, EC P256, and EC P384 cryptographic keys. KMS is integrated with Cloud IAM and Cloud Audit Logging so that you can manage permissions on individual keys and monitor how these are used.

Table Usage Guide

The gcp_kms_key_version table provides insights into key versions within Google Cloud Key Management Service (KMS). As a security or compliance professional, explore key version-specific details through this table, including key material, state, and associated metadata. Utilize it to uncover information about key versions, such as those in use, the cryptographic configuration of each key version, and the verification of their lifecycle state.

Examples

Basic info

Explore the status of encryption keys in Google Cloud Platform's Key Management Service, excluding those that have been destroyed. This can be useful in identifying active keys and ensuring proper key management.

select
key_name,
crypto_key_version,
title,
state
from
gcp_kms_key_version
where
state <> 'DESTROYED';
select
key_name,
crypto_key_version,
title,
state
from
gcp_kms_key_version
where
state <> 'DESTROYED';

List key versions older than 30 days

Explore which key versions in Google Cloud's Key Management Service are older than 30 days and have not been destroyed. This can help identify outdated keys that might need updating or deletion for security purposes.

select
key_name,
create_time,
crypto_key_version,
state
from
gcp_kms_key_version
where
create_time <= (current_date - interval '30' day)
and state <> 'DESTROYED'
order by
create_time;
select
key_name,
create_time,
crypto_key_version,
state
from
gcp_kms_key_version
where
date(create_time) <= date('now', '-30 days')
and state <> 'DESTROYED'
order by
create_time;

List key versions using google symmetric encryption algorithm

Explore which encryption keys are using the Google Symmetric Encryption algorithm. This can help you assess the security measures in place and ensure that they are up to date.

select
key_name,
create_time,
crypto_key_version,
algorithm
from
gcp_kms_key_version
where
algorithm like 'GOOGLE_SYMMETRIC_ENCRYPTION'
order by
create_time;
select
key_name,
create_time,
crypto_key_version,
algorithm
from
gcp_kms_key_version
where
algorithm like 'GOOGLE_SYMMETRIC_ENCRYPTION'
order by
create_time;

List disabled keys

Analyze the settings to understand which keys have been disabled in the GCP Key Management System. This can be useful for identifying potential security risks and ensuring proper key management.

select
key_name,
max(crypto_key_version) crypto_key_version,
state
from
gcp_kms_key_version
where
state like 'DISABLED'
group by
key_name,
state;
select
key_name,
max(crypto_key_version) as crypto_key_version,
state
from
gcp_kms_key_version
where
state like 'DISABLED'
group by
key_name,
state;

Schema for gcp_kms_key_version

NameTypeOperatorsDescription
_ctxjsonbSteampipe context in JSON form.
akasjsonbArray of globally unique identifier strings (also known as) for the resource.
algorithmtextThe CryptoKeyVersionAlgorithm that this CryptoKeyVersion supports.
attestationjsonbStatement that was generated and signed by the HSM at key creation time.
create_timetimestamp with time zoneThe time at which this CryptoKeyVersion was created.
crypto_key_versionbigint=The CryptoKeyVersion of the resource.
destroy_event_timetimestamp with time zoneThe time this CryptoKeyVersion's key material was destroyed.
destroy_timetimestamp with time zoneThe time this CryptoKeyVersion's key material is scheduled for destruction.
external_key_uritextThe URI for an external resource that this CryptoKeyVersion represents.
generate_timetimestamp with time zoneThe time this CryptoKeyVersion's key material was generated.
import_failure_reasontextThe root cause of an import failure.
import_jobtextThe name of the ImportJob used to import this CryptoKeyVersion.
key_nametext=The resource name for the CryptoKeyVersion.
key_ring_nametext=The resource name for the KeyRing.
locationtext=The GCP multi-region, region, or zone in which the resource is located.
projecttext=, !=, ~~, ~~*, !~~, !~~*The GCP Project in which the resource is located.
protection_leveltextThe ProtectionLevel describing how crypto operations are performed with this CryptoKeyVersion.
self_linktextServer-defined URL for the resource.
sp_connection_nametext=, !=, ~~, ~~*, !~~, !~~*Steampipe connection name.
sp_ctxjsonbSteampipe context in JSON form.
statetextThe current state of the CryptoKeyVersion.
titletextTitle of the resource.

Export

This table is available as a standalone Exporter CLI. Steampipe exporters are stand-alone binaries that allow you to extract data using Steampipe plugins without a database.

You can download the tarball for your platform from the Releases page, but it is simplest to install them with the steampipe_export_installer.sh script:

/bin/sh -c "$(curl -fsSL https://steampipe.io/install/export.sh)" -- gcp

You can pass the configuration to the command with the --config argument:

steampipe_export_gcp --config '<your_config>' gcp_kms_key_version