oci_adm_knowledge_baseoci_adm_vulnerability_auditoci_ai_anomaly_detection_ai_private_endpointoci_ai_anomaly_detection_data_assetoci_ai_anomaly_detection_modeloci_ai_anomaly_detection_projectoci_analytics_instanceoci_apigateway_apioci_application_migration_migrationoci_application_migration_sourceoci_artifacts_container_imageoci_artifacts_container_image_signatureoci_artifacts_container_repositoryoci_artifacts_generic_artifactoci_artifacts_repositoryoci_autoscaling_auto_scaling_configurationoci_autoscaling_auto_scaling_policyoci_bastion_bastionoci_bastion_sessionoci_bds_bds_instanceoci_budget_alert_ruleoci_budget_budgetoci_certificates_authority_bundleoci_certificates_management_associationoci_certificates_management_ca_bundleoci_certificates_management_certificateoci_certificates_management_certificate_authorityoci_certificates_management_certificate_authority_versionoci_certificates_management_certificate_versionoci_cloud_guard_configurationoci_cloud_guard_detector_recipeoci_cloud_guard_managed_listoci_cloud_guard_responder_recipeoci_cloud_guard_targetoci_container_instances_containeroci_container_instances_container_instanceoci_containerengine_clusteroci_core_block_volume_replicaoci_core_boot_volumeoci_core_boot_volume_attachmentoci_core_boot_volume_backupoci_core_boot_volume_metric_read_opsoci_core_boot_volume_metric_read_ops_dailyoci_core_boot_volume_metric_read_ops_hourlyoci_core_boot_volume_metric_write_opsoci_core_boot_volume_metric_write_ops_dailyoci_core_boot_volume_metric_write_ops_hourlyoci_core_boot_volume_replicaoci_core_cluster_networkoci_core_dhcp_optionsoci_core_drgoci_core_imageoci_core_image_customoci_core_instanceoci_core_instance_configurationoci_core_instance_metric_cpu_utilizationoci_core_instance_metric_cpu_utilization_dailyoci_core_instance_metric_cpu_utilization_hourlyoci_core_internet_gatewayoci_core_load_balanceroci_core_local_peering_gatewayoci_core_nat_gatewayoci_core_network_load_balanceroci_core_network_security_groupoci_core_public_ipoci_core_public_ip_pooloci_core_route_tableoci_core_security_listoci_core_service_gatewayoci_core_subnetoci_core_vcnoci_core_vnic_attachmentoci_core_volumeoci_core_volume_attachmentoci_core_volume_backupoci_core_volume_backup_policyoci_core_volume_default_backup_policyoci_core_volume_groupoci_database_autonomous_databaseoci_database_autonomous_db_metric_cpu_utilizationoci_database_autonomous_db_metric_cpu_utilization_dailyoci_database_autonomous_db_metric_cpu_utilization_hourlyoci_database_autonomous_db_metric_storage_utilizationoci_database_autonomous_db_metric_storage_utilization_dailyoci_database_autonomous_db_metric_storage_utilization_hourlyoci_database_cloud_vm_clusteroci_database_dboci_database_db_homeoci_database_db_systemoci_database_exadata_infrastructureoci_database_pluggable_databaseoci_database_software_imageoci_devops_projectoci_devops_repositoryoci_dns_rrsetoci_dns_tsig_keyoci_dns_zoneoci_events_ruleoci_file_storage_file_systemoci_file_storage_mount_targetoci_file_storage_snapshotoci_functions_applicationoci_functions_functionoci_identity_api_keyoci_identity_auth_tokenoci_identity_authentication_policyoci_identity_availability_domainoci_identity_compartmentoci_identity_customer_secret_keyoci_identity_db_credentialoci_identity_domainoci_identity_dynamic_groupoci_identity_groupoci_identity_network_sourceoci_identity_policyoci_identity_tag_defaultoci_identity_tag_namespaceoci_identity_tenancyoci_identity_useroci_kms_keyoci_kms_key_versionoci_kms_vaultoci_logging_logoci_logging_log_groupoci_logging_searchoci_mysql_backupoci_mysql_channeloci_mysql_configurationoci_mysql_configuration_customoci_mysql_db_systemoci_mysql_db_system_metric_connectionsoci_mysql_db_system_metric_connections_dailyoci_mysql_db_system_metric_connections_hourlyoci_mysql_db_system_metric_cpu_utilizationoci_mysql_db_system_metric_cpu_utilization_dailyoci_mysql_db_system_metric_cpu_utilization_hourlyoci_mysql_db_system_metric_memory_utilizationoci_mysql_db_system_metric_memory_utilization_dailyoci_mysql_heat_wave_clusteroci_network_firewall_firewalloci_network_firewall_policyoci_nosql_tableoci_nosql_table_metric_read_throttle_countoci_nosql_table_metric_read_throttle_count_dailyoci_nosql_table_metric_read_throttle_count_hourlyoci_nosql_table_metric_storage_utilizationoci_nosql_table_metric_storage_utilization_dailyoci_nosql_table_metric_storage_utilization_hourlyoci_nosql_table_metric_write_throttle_countoci_nosql_table_metric_write_throttle_count_dailyoci_nosql_table_metric_write_throttle_count_hourlyoci_objectstorage_bucketoci_objectstorage_objectoci_ons_notification_topicoci_ons_subscriptionoci_queue_queueoci_regionoci_resource_searchoci_resourcemanager_stackoci_streaming_streamoci_vault_secret
Table: oci_kms_key - Query OCI Key Management Service Keys using SQL
Oracle Cloud Infrastructure's Key Management service enables you to manage the cryptographic keys used to protect your data. This service provides centralized key management, key lifecycle management, and cryptographic operations. It allows you to create, import, use, rotate, disable, and delete cryptographic keys.
Table Usage Guide
The oci_kms_key table provides insights into the keys within OCI Key Management Service. As a security engineer, explore key-specific details through this table, including key lifecycle states, creation time, and associated metadata. Utilize it to uncover information about keys, such as those nearing their expiration, the cryptographic algorithm used, and the verification of key usage.
Examples
Basic info
Explore the lifecycle state and creation time of your keys in Oracle Cloud Infrastructure's Key Management service. This can help you manage your keys effectively by identifying any keys that are outdated or in an undesirable state.
select id, name, lifecycle_state, time_created, vault_namefrom oci_kms_key;select id, name, lifecycle_state, time_created, vault_namefrom oci_kms_key;List keys that are not enabled
Discover the segments that consist of keys not currently enabled. This is useful to identify potential security risks or areas for system optimization.
select id, name, lifecycle_state, vault_namefrom oci_kms_keywhere lifecycle_state <> 'ENABLED';select id, name, lifecycle_state, vault_namefrom oci_kms_keywhere lifecycle_state <> 'ENABLED';List keys older than 365 days
Determine the areas in which encryption keys have been in use for over a year. This could be useful for identifying outdated security measures and ensuring a regular update cycle for enhanced data protection.
select id, name, lifecycle_state, vault_namefrom oci_kms_keywhere time_created <= (current_date - interval '365' day)order by time_created;select id, name, lifecycle_state, vault_namefrom oci_kms_keywhere time_created <= date('now', '-365 day')order by time_created;Query examples
- blockstorage_block_volume_encryption
- blockstorage_boot_volume_encryption
- filestorage_filesystem_encryption
- kms_hsm_key_count
- kms_key_1_year
- kms_key_24_hrs
- kms_key_30_days
- kms_key_365_days
- kms_key_90_days
- kms_key_age_report
- kms_key_by_compartment
- kms_key_by_creation_month
- kms_key_by_protection_mode
- kms_key_by_region
- kms_key_by_tenancy
- kms_key_count
- kms_key_detail
- kms_key_disabled
- kms_key_disabled_count
- kms_key_input
- kms_key_overview
- kms_key_protection_mode
- kms_key_tag
- kms_key_versions_for_kms_key
- kms_keys_for_kms_vault
- kms_vault_1_year
- kms_vault_24_hrs
- kms_vault_30_days
- kms_vault_365_days
- kms_vault_90_days
- kms_vaults_for_blockstorage_block_volume
- kms_vaults_for_blockstorage_boot_volume
- kms_vaults_for_filestorage_file_system
- kms_vaults_for_kms_key
- kms_vaults_for_objectstorage_bucket
Control examples
- CIS v1.1.0 > 3 Logging and Monitoring > 3.16 Ensure customer created Customer Managed Key (CMK) is rotated at least annually
- CIS v1.2.0 > 3 Logging and Monitoring > 3.16 Ensure customer created Customer Managed Key (CMK) is rotated at least annually
- CIS v2.0.0 > 4 Logging and Monitoring > 4.16 Ensure customer created Customer Managed Key (CMK) is rotated at least annually
Schema for oci_kms_key
| Name | Type | Operators | Description |
|---|---|---|---|
| _ctx | jsonb | Steampipe context in JSON form. | |
| algorithm | text | = | The algorithm used by a key's key versions to encrypt or decrypt. |
| compartment_id | text | The OCID of the compartment in Tenant in which the resource is located. | |
| current_key_version | text | The OCID of the key version used in cryptographic operations. | |
| curve_id | text | = | Supported curve Ids for ECDSA keys. |
| defined_tags | jsonb | Defined tags for resource. Defined tags are set up in your tenancy by an administrator. Only users granted permission to work with the defined tags can apply them to resources. | |
| freeform_tags | jsonb | Free-form tags for resource. This tags can be applied by any user with permissions on the resource. | |
| id | text | The OCID of the key. | |
| length | bigint | = | The length of the key. |
| lifecycle_state | text | The key's current lifecycle state. | |
| management_endpoint | text | The service endpoint to perform management operations against. | |
| name | text | A user-friendly name of the key. Does not have to be unique, and it's changeable. | |
| protection_mode | text | = | The key's protection mode indicates how the key persists and where cryptographic operations that use the key are performed. |
| region | text | The OCI region in which the resource is located. | |
| restored_from_key_id | text | The OCID of the key from which this key was restored. | |
| sp_connection_name | text | =, !=, ~~, ~~*, !~~, !~~* | Steampipe connection name. |
| sp_ctx | jsonb | Steampipe context in JSON form. | |
| tags | jsonb | A map of tags for the resource. | |
| tenant_id | text | =, !=, ~~, ~~*, !~~, !~~* | The OCID of the Tenant in which the resource is located. |
| tenant_name | text | The name of the Tenant in which the resource is located. | |
| time_created | timestamp with time zone | The date and time the key was created. | |
| time_of_deletion | timestamp with time zone | An optional property indicating when to delete the key. | |
| title | text | Title of the resource. | |
| vault_id | text | The OCID of the vault that contains the key. | |
| vault_name | text | The display name of the vault that contains the key. |
Export
This table is available as a standalone Exporter CLI. Steampipe exporters are stand-alone binaries that allow you to extract data using Steampipe plugins without a database.
You can download the tarball for your platform from the Releases page, but it is simplest to install them with the steampipe_export_installer.sh script:
/bin/sh -c "$(curl -fsSL https://steampipe.io/install/export.sh)" -- ociYou can pass the configuration to the command with the --config argument:
steampipe_export_oci --config '<your_config>' oci_kms_key