aws.kms-key
Filters
cross-account
Filters KMS keys whose key policy grants cross-account permissions.
- example:
    policies:
      - name: check-kms-key-cross-account
        resource: kms-key
        filters:
          - type: cross-account
properties:
  actions:
    items:
      type: string
    type: array
  everyone_only:
    type: boolean
  return_allowed:
    type: boolean
  type:
    enum:
      - cross-account
  whitelist:
    items:
      type: string
    type: array
  whitelist_conditions:
    items:
      type: string
    type: array
  whitelist_from:
    additionalProperties: 'False'
    properties:
      expr:
        oneOf:
          - type: integer
          - type: string
      format:
        enum:
          - csv
          - json
          - txt
          - csv2dict
      headers:
        patternProperties:
          '':
            type: string
        type: object
      query:
        type: string
      url:
        type: string
    required:
      - url
    type: object
  whitelist_orgids:
    items:
      type: string
    type: array
  whitelist_orgids_from:
    additionalProperties: 'False'
    properties:
      expr:
        oneOf:
          - type: integer
          - type: string
      format:
        enum:
          - csv
          - json
          - txt
          - csv2dict
      headers:
        patternProperties:
          '':
            type: string
        type: object
      query:
        type: string
      url:
        type: string
    required:
      - url
    type: object
  whitelist_patterns:
    items:
      type: string
    type: array
  whitelist_patterns_from:
    additionalProperties: 'False'
    properties:
      expr:
        oneOf:
          - type: integer
          - type: string
      format:
        enum:
          - csv
          - json
          - txt
          - csv2dict
      headers:
        patternProperties:
          '':
            type: string
        type: object
      query:
        type: string
      url:
        type: string
    required:
      - url
    type: object
  whitelist_vpc:
    items:
      type: string
    type: array
  whitelist_vpc_from:
    additionalProperties: 'False'
    properties:
      expr:
        oneOf:
          - type: integer
          - type: string
      format:
        enum:
          - csv
          - json
          - txt
          - csv2dict
      headers:
        patternProperties:
          '':
            type: string
        type: object
      query:
        type: string
      url:
        type: string
    required:
      - url
    type: object
  whitelist_vpce:
    items:
      type: string
    type: array
  whitelist_vpce_from:
    additionalProperties: 'False'
    properties:
      expr:
        oneOf:
          - type: integer
          - type: string
      format:
        enum:
          - csv
          - json
          - txt
          - csv2dict
      headers:
        patternProperties:
          '':
            type: string
        type: object
      query:
        type: string
      url:
        type: string
    required:
      - url
    type: object
required:
  - type
Permissions - kms:GetKeyPolicy
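As an added stand-alone illustration (not Cloud Custodian's own implementation) of what this filter evaluates, the Python below scans a constructed key policy for Allow statements whose principals lie outside the key's own account, honouring a whitelist of account ids, a whitelist_orgids list matched against aws:PrincipalOrgID, and the everyone_only flag; it returns the Sids of the offending statements, the kind of result that the remove-statements action's statement_ids: matched acts on. The account ids, org id and Sids are placeholders, and the real filter inspects more condition keys than this.

```python
"""Stand-alone illustration of a cross-account key-policy check (not Cloud Custodian's code)."""
import json
import re

# Constructed sample key policy for a key owned by account 111111111111 (placeholder ids).
KEY_POLICY = json.dumps({"Version": "2012-10-17", "Statement": [
    {"Sid": "Admin", "Effect": "Allow", "Principal": {"AWS": "arn:aws:iam::111111111111:root"},
     "Action": "kms:*", "Resource": "*"},
    {"Sid": "PartnerDecrypt", "Effect": "Allow",
     "Principal": {"AWS": ["arn:aws:iam::222222222222:role/app"]},
     "Action": ["kms:Decrypt"], "Resource": "*"},
    {"Sid": "OrgUse", "Effect": "Allow", "Principal": {"AWS": "*"},
     "Action": "kms:Encrypt", "Resource": "*",
     "Condition": {"StringEquals": {"aws:PrincipalOrgID": "o-exampleorg"}}},
    {"Sid": "Public", "Effect": "Allow", "Principal": "*", "Action": "kms:Encrypt", "Resource": "*"},
]})
ACCOUNT_RE = re.compile(r"^arn:aws:iam::(\d{12}):")

def principal_accounts(principal):
    """Account ids named by a Principal element; '*' stands for anonymous/everyone."""
    if principal == "*":
        return {"*"}
    values = principal.get("AWS", []) if isinstance(principal, dict) else []
    values = [values] if isinstance(values, str) else values
    out = set()
    for v in values:
        m = ACCOUNT_RE.match(v)
        out.add(m.group(1) if m else v)  # bare account ids and '*' pass through unchanged
    return out

def cross_account_statements(policy_json, own_account, whitelist=(),
                             whitelist_orgids=(), everyone_only=False):
    """Sids of Allow statements granting access outside own_account and the whitelists.
    whitelist: trusted account ids; whitelist_orgids: trusted aws:PrincipalOrgID values;
    everyone_only: only flag statements open to '*'. (The real filter checks more keys.)"""
    matched = []
    for stmt in json.loads(policy_json).get("Statement", []):
        if stmt.get("Effect") != "Allow":
            continue
        accounts = principal_accounts(stmt.get("Principal", {}))
        org = stmt.get("Condition", {}).get("StringEquals", {}).get("aws:PrincipalOrgID")
        if org in whitelist_orgids:
            continue  # access is scoped to a trusted organization
        if everyone_only:
            foreign = "*" in accounts
        else:
            foreign = any(a != own_account and a not in whitelist for a in accounts)
        if foreign:
            matched.append(stmt["Sid"])
    return matched
```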
json-diff
Compute the diff from the current resource to a previous version.
A resource matches the filter if a diff exists between the current resource and the selected revision.
Uses AWS Config as the resource revision database.
Revisions can be selected by date, against the previous version, or against a locked version (requires use of the is-locked filter).
properties:
  selector:
    enum:
      - previous
      - date
      - locked
  selector_value:
    type: string
  type:
    enum:
      - json-diff
required:
  - type
Permissions - config:GetResourceConfigHistory
key-rotation-status
Filters KMS keys by the rotation status
- example:
    policies:
      - name: kms-key-disabled-rotation
        resource: kms-key
        filters:
          - type: key-rotation-status
            key: KeyRotationEnabled
            value: false
properties:
  default:
    type: object
  key:
    type: string
  op:
    enum:
      - eq
      - equal
      - ne
      - not-equal
      - gt
      - greater-than
      - ge
      - gte
      - le
      - lte
      - lt
      - less-than
      - glob
      - regex
      - regex-case
      - in
      - ni
      - not-in
      - contains
      - difference
      - intersect
      - mod
  tag_key_transforms:
    items:
      type: string
    type: array
  type:
    enum:
      - key-rotation-status
  value:
    oneOf:
      - type: array
      - type: string
      - type: boolean
      - type: number
      - type: 'null'
  value_from:
    additionalProperties: 'False'
    properties:
      expr:
        oneOf:
          - type: integer
          - type: string
      format:
        enum:
          - csv
          - json
          - txt
          - csv2dict
      headers:
        patternProperties:
          '':
            type: string
        type: object
      query:
        type: string
      url:
        type: string
    required:
      - url
    type: object
  value_path:
    type: string
  value_regex:
    type: string
  value_type:
    enum:
      - age
      - integer
      - expiration
      - normalize
      - size
      - cidr
      - cidr_size
      - swap
      - resource_count
      - expr
      - unique_size
      - date
      - version
      - float
required:
  - type
Permissions - kms:GetKeyRotationStatus
last-rotation
Queries KMS keys by the last time they were rotated.
- example:
    policies:
      - name: kms-not-rotated-in-last-30
        resource: kms-key
        filters:
          - type: last-rotation
            key: RotationDate
            value: 30
            value_type: age
            op: gte
properties:
  default:
    type: object
  key:
    type: string
  op:
    enum:
      - eq
      - equal
      - ne
      - not-equal
      - gt
      - greater-than
      - ge
      - gte
      - le
      - lte
      - lt
      - less-than
      - glob
      - regex
      - regex-case
      - in
      - ni
      - not-in
      - contains
      - difference
      - intersect
      - mod
  tag_key_transforms:
    items:
      type: string
    type: array
  type:
    enum:
      - last-rotation
  value:
    oneOf:
      - type: array
      - type: string
      - type: boolean
      - type: number
      - type: 'null'
  value_from:
    additionalProperties: 'False'
    properties:
      expr:
        oneOf:
          - type: integer
          - type: string
      format:
        enum:
          - csv
          - json
          - txt
          - csv2dict
      headers:
        patternProperties:
          '':
            type: string
        type: object
      query:
        type: string
      url:
        type: string
    required:
      - url
    type: object
  value_path:
    type: string
  value_regex:
    type: string
  value_type:
    enum:
      - age
      - integer
      - expiration
      - normalize
      - size
      - cidr
      - cidr_size
      - swap
      - resource_count
      - expr
      - unique_size
      - date
      - version
      - float
required:
  - type
Permissions - kms:ListKeyRotations
last-usage
Filters KMS keys by their last usage information.
Uses the GetKeyLastUsage API to retrieve key usage metadata,
enabling multi-attribute matching on last usage timestamp, operation,
tracking start date, and key creation date in a single filter.
The response fields are returned as a single item for filtering:
- KeyLastUsage.Timestamp - when the key was last used (absent if never used)
- KeyLastUsage.Operation - the last cryptographic operation performed
- KeyLastUsage.CloudTrailEventId - CloudTrail event ID for the last operation
- KeyLastUsage.KmsRequestId - KMS request ID for the last operation
- TrackingStartDate - when usage tracking began for this key
- KeyCreationDate - when the key was created
If the key has never been used since tracking began, KeyLastUsage will be empty.
For more details, see: https://docs.aws.amazon.com/kms/latest/developerguide/monitoring-keys-determining-usage.html
Warning
Do not use GetKeyLastUsage as the sole indicator when scheduling
a key for deletion. Instead, first disable the key and monitor
CloudTrail for DisabledException entries, as there could be
infrequent workflows that depend on the key.
- example:
    Find keys not used in the last 30 days:

    policies:
      - name: kms-unused-keys-30-days
        resource: kms-key
        filters:
          - type: last-usage
            attrs:
              - type: value
                key: KeyLastUsage.Timestamp
                value: 30
                value_type: age
                op: gte

    Find keys that have never been used since tracking began:

      - name: kms-never-used-keys
        resource: kms-key
        filters:
          - type: last-usage
            attrs:
              - type: value
                key: KeyLastUsage.Timestamp
                value: absent

    Find keys last used for Decrypt with usage tracked since a specific date:

      - name: kms-keys-decrypt-recent-tracking
        resource: kms-key
        filters:
          - type: last-usage
            attrs:
              - type: value
                key: KeyLastUsage.Operation
                value: Decrypt
              - type: value
                key: TrackingStartDate
                value_type: age
                op: lte
                value: 90
properties:
  attrs:
    items:
      anyOf:
        - $ref: '#/definitions/filters/value'
        - $ref: '#/definitions/filters/valuekv'
        - additional_properties: false
          properties:
            and:
              items:
                anyOf:
                  - $ref: '#/definitions/filters/value'
                  - $ref: '#/definitions/filters/valuekv'
              type: array
          type: object
        - additional_properties: false
          properties:
            or:
              items:
                anyOf:
                  - $ref: '#/definitions/filters/value'
                  - $ref: '#/definitions/filters/valuekv'
              type: array
          type: object
        - additional_properties: false
          properties:
            not:
              items:
                anyOf:
                  - $ref: '#/definitions/filters/value'
                  - $ref: '#/definitions/filters/valuekv'
              type: array
          type: object
    type: array
  count:
    type: number
  count_op:
    enum:
      - eq
      - equal
      - ne
      - not-equal
      - gt
      - greater-than
      - ge
      - gte
      - le
      - lte
      - lt
      - less-than
      - glob
      - regex
      - regex-case
      - in
      - ni
      - not-in
      - contains
      - difference
      - intersect
      - mod
  type:
    enum:
      - last-usage
required:
  - type
Permissions - kms:GetKeyLastUsage
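Added example, not from this page or the Cloud Custodian project: a small Python triage over constructed GetKeyLastUsage-shaped records that applies the same age test as the policies above, treats an absent KeyLastUsage.Timestamp as "never used" only when TrackingStartDate is old enough to cover the window, and, in line with the warning, recommends disabling and monitoring rather than deletion. The record layout, dates and key ids are constructed, and the fixed clock NOW stands in for the current time.

```python
"""Stand-alone triage of GetKeyLastUsage-style records (not Cloud Custodian's code)."""
from datetime import datetime, timezone

NOW = datetime(2025, 6, 1, tzinfo=timezone.utc)  # fixed clock so results are reproducible

def _utc(y, m, d):
    return datetime(y, m, d, tzinfo=timezone.utc)

# Constructed records in the shape the filter describes; KeyLastUsage is empty when the key
# has never been used since tracking began.
KEYS = [
    {"KeyId": "key-a", "KeyCreationDate": _utc(2024, 1, 1), "TrackingStartDate": _utc(2024, 1, 1),
     "KeyLastUsage": {"Timestamp": _utc(2025, 5, 30), "Operation": "Decrypt"}},
    {"KeyId": "key-b", "KeyCreationDate": _utc(2024, 1, 1), "TrackingStartDate": _utc(2024, 1, 1),
     "KeyLastUsage": {"Timestamp": _utc(2025, 1, 15), "Operation": "Encrypt"}},
    {"KeyId": "key-c", "KeyCreationDate": _utc(2025, 5, 20), "TrackingStartDate": _utc(2025, 5, 20),
     "KeyLastUsage": {}},
    {"KeyId": "key-d", "KeyCreationDate": _utc(2023, 3, 1), "TrackingStartDate": _utc(2024, 1, 1),
     "KeyLastUsage": {}},
]

def age_days(ts, now=NOW):
    """Whole days between ts and now, the same notion as value_type: age in the examples."""
    return (now - ts).days

def triage(record, unused_after=30, now=NOW):
    """Classify one key as active, idle, never-used or tracking-too-new.

    A missing KeyLastUsage.Timestamp (the 'absent' case) only means 'unused for the window'
    when tracking has been running at least that long; otherwise the data cannot say.
    """
    ts = (record.get("KeyLastUsage") or {}).get("Timestamp")
    if ts is None:
        if age_days(record["TrackingStartDate"], now) < unused_after:
            return "tracking-too-new"
        return "never-used"
    return "idle" if age_days(ts, now) >= unused_after else "active"

def recommend(record, now=NOW):
    """Follow the warning above: idle or never-used keys are disabled and watched in
    CloudTrail for DisabledException, not scheduled for deletion on this signal alone."""
    if triage(record, now=now) in ("idle", "never-used"):
        return "disable-and-monitor"
    return "keep"

def report(keys=KEYS, now=NOW):
    return {k["KeyId"]: (triage(k, now=now), recommend(k, now=now)) for k in keys}
```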
Actions
remove-statements
Action to remove policy statements from a KMS key policy.
- example:
    policies:
      - name: kms-key-cross-account
        resource: kms-key
        filters:
          - type: cross-account
        actions:
          - type: remove-statements
            statement_ids: matched
properties:
  statement_ids:
    oneOf:
      - enum:
          - matched
          - '*'
      - items:
          type: string
        type: array
  type:
    enum:
      - remove-statements
required:
  - statement_ids
  - type
Permissions - kms:GetKeyPolicy, kms:PutKeyPolicy
rename-tag
Rename an existing tag key to a new key name.
- example:
    Rename Application and Bap to App. If a resource has both of the old keys, the value of Application is used, following the order of the keys in old_keys.

    policies:
      - name: rename-tags-example
        resource: aws.log-group
        filters:
          - or:
              - "tag:Bap": present
              - "tag:Application": present
        actions:
          - type: rename-tag
            old_keys: [Application, Bap]
            new_key: App
properties:
  new_key:
    type: string
  old_key:
    type: string
  old_keys:
    items:
      type: string
    type: array
  type:
    enum:
      - rename-tag
required:
  - type
Permissions - tag:TagResources, tag:UntagResources
schedule-deletion
Schedule KMS key deletion
If the number of days is not specified, the default value of 30 days is used. The number of days must be between 7 and 30.
- example:
    policies:
      - name: delete-tagged-keys
        resource: kms-key
        filters:
          - type: value
            key: tag:DeleteAfter
            op: ge
            value_type: age # age is a special value type that will be converted to a timestamp
            value: 0
        actions:
          - type: schedule-deletion
            days: 7
properties:
  days:
    maximum: 30
    minimum: 7
    type: integer
  type:
    enum:
      - schedule-deletion
required:
  - type
Permissions - kms:ScheduleKeyDeletion
set-rotation
Toggle KMS key rotation
- example:
    policies:
      - name: enable-cmk-rotation
        resource: kms-key
        filters:
          - type: key-rotation-status
            key: KeyRotationEnabled
            value: False
        actions:
          - type: set-rotation
            state: True
properties:
  state:
    type: boolean
  type:
    enum:
      - set-rotation
required:
  - type
Permissions - kms:EnableKeyRotation