steampipe plugin install ibm

Table: ibm_kms_key - Query IBM Key Protect Keys using SQL

IBM Key Protect is a cloud-based security service that provides lifecycle management for encryption keys that are used in IBM Cloud services or customer-built applications. The service provides a simple and scalable way to manage keys, including creating, importing, storing, and disposing of them. IBM Key Protect helps to facilitate secure cloud data protection and key management at scale.

Table Usage Guide

The ibm_kms_key table provides insights into keys within IBM Key Protect. As a security or DevOps engineer, explore key-specific details through this table, including key ID, key name, and key creation date. Utilize it to uncover information about keys, such as their lifecycle status, the associated instances, and the verification of key policies.

Examples

Basic info

Analyze the settings to understand the status and creation date of IBM Key Management Service keys, which can be useful in managing and auditing key usage across your IBM Cloud services.

select
name,
id,
crn,
instance_id,
state,
creation_date
from
ibm_kms_key;
select
name,
id,
crn,
instance_id,
state,
creation_date
from
ibm_kms_key;

List keys older than 30 days

Explore which encryption keys have been in existence for over a month. This can be useful for managing and auditing key lifecycles, ensuring old and potentially vulnerable keys are replaced or retired.

select
name,
id,
crn,
instance_id,
state,
creation_date
from
ibm_kms_key
where
creation_date <= (current_date - interval '30' day)
order by
creation_date;
select
name,
id,
crn,
instance_id,
state,
creation_date
from
ibm_kms_key
where
creation_date <= date('now', '-30 day')
order by
creation_date;

List keys by key ring

Determine the areas in which specific keys are associated with a given key ring. This can help in managing and organizing your encryption keys, enhancing your security strategy.

select
name,
id,
crn,
instance_id,
state,
creation_date,
key_ring_id
from
ibm_kms_key
where
key_ring_id = 'steampipe';
select
name,
id,
crn,
instance_id,
state,
creation_date,
key_ring_id
from
ibm_kms_key
where
key_ring_id = 'steampipe';

Schema for ibm_kms_key

NameTypeOperatorsDescription
_ctxjsonbSteampipe context in JSON form.
account_idtext=, !=, ~~, ~~*, !~~, !~~*The ID fof the account.
akasjsonbArray of globally unique identifier strings (also known as) for the resource.
algorithm_typetextSpecifies the key algorithm.
aliasesjsonbA list of key aliases.
created_bytextThe unique identifier for the resource that created the key.
creation_datetimestamp with time zoneThe timestamp when the key material was created.
crntextThe Cloud Resource Name (CRN) that uniquely identifies your cloud resources.
deletedbooleanIndicates whether the key has been deleted, or not.
deleted_bytextThe unique identifier for the resource that deleted the key.
deletion_datetimestamp with time zoneThe date the key material was destroyed.
descriptiontextA text field used to provide a more detailed description of the key.
dual_auth_deletejsonbMetadata that indicates the status of a dual authorization policy on the key.
encrypted_noncetext
encryption_algorithmtext
expirationtimestamp with time zoneThe date the key material will expire.
extractablebooleanIndicates whether the key material can leave the service, or not.
idtext=An unique identifier of the key.
importedbooleanIndicates whether the key was originally imported or generated in Key Protect.
instance_idtext=The key protect instance GUID.
key_ring_idtext=An ID that identifies the key ring.
key_versionjsonbProperties associated with a specific key version.
last_rotate_datetimestamp with time zoneThe date when the key was last rotated.
last_update_datetimestamp with time zoneThe date when the key metadata was last modified.
nametextA human-readable name assigned to your key for convenience.
payloadtextSpecifies the key payload.
regiontextThe region of this key.
rotation_policyjsonbKey rotation policy.
sp_connection_nametext=, !=, ~~, ~~*, !~~, !~~*Steampipe connection name.
sp_ctxjsonbSteampipe context in JSON form.
statetextThe key state based on NIST SP 800-57. States are integers and correspond to the Pre-activation = 0, Active = 1, Suspended = 2, Deactivated = 3, and Destroyed = 5 values.
tagsjsonbA map of tags for the resource.
titletextTitle of the resource.
typetextSpecifies the MIME type that represents the key resource.

Export

This table is available as a standalone Exporter CLI. Steampipe exporters are stand-alone binaries that allow you to extract data using Steampipe plugins without a database.

You can download the tarball for your platform from the Releases page, but it is simplest to install them with the steampipe_export_installer.sh script:

/bin/sh -c "$(curl -fsSL https://steampipe.io/install/export.sh)" -- ibm

You can pass the configuration to the command with the --config argument:

steampipe_export_ibm --config '<your_config>' ibm_kms_key