steampipe plugin install oci

Table: oci_kms_key - Query OCI Key Management Service Keys using SQL

Oracle Cloud Infrastructure's Key Management service enables you to manage the cryptographic keys used to protect your data. This service provides centralized key management, key lifecycle management, and cryptographic operations. It allows you to create, import, use, rotate, disable, and delete cryptographic keys.

Table Usage Guide

The oci_kms_key table provides insights into the keys within OCI Key Management Service. As a security engineer, explore key-specific details through this table, including key lifecycle states, creation time, and associated metadata. Utilize it to uncover information about keys, such as those nearing their expiration, the cryptographic algorithm used, and the verification of key usage.

Examples

Basic info

Explore the lifecycle state and creation time of your keys in Oracle Cloud Infrastructure's Key Management service. This can help you manage your keys effectively by identifying any keys that are outdated or in an undesirable state.

select
  id,
  name,
  lifecycle_state,
  time_created,
  vault_name
from
  oci_kms_key;

List keys that are not enabled

Find keys whose lifecycle state is anything other than ENABLED. This is useful to identify potential security risks or areas for system optimization.

select
  id,
  name,
  lifecycle_state,
  vault_name
from
  oci_kms_key
where
  lifecycle_state <> 'ENABLED';

List keys older than 365 days

Find keys that were created more than 365 days ago. This could be useful for identifying outdated security measures and ensuring a regular update cycle for enhanced data protection.

-- PostgreSQL
select
  id,
  name,
  lifecycle_state,
  vault_name
from
  oci_kms_key
where
  time_created <= (current_date - interval '365' day)
order by
  time_created;

-- SQLite
select
  id,
  name,
  lifecycle_state,
  vault_name
from
  oci_kms_key
where
  time_created <= date('now', '-365 day')
order by
  time_created;
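
Key hygiene triage

The query below is an added example, not part of the Steampipe documentation. It combines the checks above into one result set with a per-key findings column, using only columns from the schema of this table. It is written for PostgreSQL and assumes that 'SOFTWARE' is the protection_mode value for keys that are not HSM-protected and that a non-null time_of_deletion means deletion has been scheduled.

```sql
-- Added example: one row per key that trips at least one hygiene check.
-- Assumptions: protection_mode = 'SOFTWARE' marks non-HSM keys;
-- time_of_deletion is null unless deletion has been scheduled.
select
  name,
  vault_name,
  region,
  algorithm,
  length,
  protection_mode,
  lifecycle_state,
  date_part('day', now() - time_created) as age_days,
  time_of_deletion,
  -- concat_ws skips NULLs, so only the checks that fired are listed
  concat_ws(', ',
    case when lifecycle_state <> 'ENABLED' then 'not enabled' end,
    case when time_of_deletion is not null then 'deletion scheduled' end,
    case when protection_mode = 'SOFTWARE' then 'not HSM-protected' end,
    case when time_created <= (current_date - interval '365' day)
      then 'older than 365 days' end
  ) as findings
from
  oci_kms_key
where
  lifecycle_state <> 'ENABLED'
  or time_of_deletion is not null
  or protection_mode = 'SOFTWARE'
  or time_created <= (current_date - interval '365' day)
order by
  time_created;
```

time_created is the creation time of the key itself, not of the key version in current_key_version, so an "older than 365 days" finding flags a key for rotation review rather than proving it was never rotated.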

Schema for oci_kms_key

| Name | Type | Operators | Description |
| --- | --- | --- | --- |
| _ctx | jsonb | | Steampipe context in JSON form. |
| algorithm | text | = | The algorithm used by a key's key versions to encrypt or decrypt. |
| compartment_id | text | | The OCID of the compartment in Tenant in which the resource is located. |
| current_key_version | text | | The OCID of the key version used in cryptographic operations. |
| curve_id | text | = | Supported curve Ids for ECDSA keys. |
| defined_tags | jsonb | | Defined tags for resource. Defined tags are set up in your tenancy by an administrator. Only users granted permission to work with the defined tags can apply them to resources. |
| freeform_tags | jsonb | | Free-form tags for resource. These tags can be applied by any user with permissions on the resource. |
| id | text | | The OCID of the key. |
| length | bigint | = | The length of the key. |
| lifecycle_state | text | | The key's current lifecycle state. |
| management_endpoint | text | | The service endpoint to perform management operations against. |
| name | text | | A user-friendly name of the key. Does not have to be unique, and it's changeable. |
| protection_mode | text | = | The key's protection mode indicates how the key persists and where cryptographic operations that use the key are performed. |
| region | text | | The OCI region in which the resource is located. |
| restored_from_key_id | text | | The OCID of the key from which this key was restored. |
| sp_connection_name | text | =, !=, ~~, ~~*, !~~, !~~* | Steampipe connection name. |
| sp_ctx | jsonb | | Steampipe context in JSON form. |
| tags | jsonb | | A map of tags for the resource. |
| tenant_id | text | =, !=, ~~, ~~*, !~~, !~~* | The OCID of the Tenant in which the resource is located. |
| tenant_name | text | | The name of the Tenant in which the resource is located. |
| time_created | timestamp with time zone | | The date and time the key was created. |
| time_of_deletion | timestamp with time zone | | An optional property indicating when to delete the key. |
| title | text | | Title of the resource. |
| vault_id | text | | The OCID of the vault that contains the key. |
| vault_name | text | | The display name of the vault that contains the key. |

Export

This table is available as a standalone Exporter CLI. Steampipe exporters are stand-alone binaries that allow you to extract data using Steampipe plugins without a database.

You can download the tarball for your platform from the Releases page, but it is simplest to install them with the steampipe_export_installer.sh script:

/bin/sh -c "$(curl -fsSL https://steampipe.io/install/export.sh)" -- oci

You can pass the configuration to the command with the --config argument:

steampipe_export_oci --config '<your_config>' oci_kms_key