KMS key last rotated timestamp

0

How do I get the KMS key last rotated timestamp using the CLI?

1 Answer
1
Accepted Answer

I didn't think you could check the rotated timestamps in the AWS CLI.

I thought I could get it with "get-key-rotation-status", but the documentation does not provide timestamp information.
https://awscli.amazonaws.com/v2/documentation/api/latest/reference/kms/get-key-rotation-status.html

How about checking CloudTrail events instead?
The "RotateKey" event is recorded in CloudTrail, so you can check the time of execution from here. https://docs.aws.amazon.com/kms/latest/developerguide/ct-rotatekey.html

With AWS CLI, it would look like this.
https://docs.aws.amazon.com/awscloudtrail/latest/userguide/view-cloudtrail-events-cli.html#look-up-events-by-attributes

    aws cloudtrail lookup-events --lookup-attributes AttributeKey=EventName,AttributeValue=RotateKey
EXPERT
answered 10 months ago
  • The cloudtrail command was the right direction, but the command you provided as an example gets all RotateKey events. What should I do if I want to get it for a particular key?

  • If the ARN of the KMS key is known, it can be narrowed down by adding "--lookup-attributes" as follows. In the following command, replace "arn:aws:kms:region:AWS Account ID:key/Key ID" with the ARN of your KMS key.

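    # LookupEvents accepts only one lookup attribute per request, so the event name is filtered with --query
    aws cloudtrail lookup-events --lookup-attributes "AttributeKey=ResourceName,AttributeValue=arn:aws:kms:region:AWS Account ID:key/Key ID" --query "Events[?EventName=='RotateKey']"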
    
  • When I run this using boto3, it says

    Unauthorised API call has been made :Region - us-east-1, Service - cloudtrail,Action - LookupEvents
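The lookup discussed in this thread, as an added boto3 example that is not part of the original answer or comments: it queries CloudTrail by `ResourceName` (LookupEvents takes a single lookup attribute per request and only covers the last 90 days), then filters for `RotateKey` client-side and returns the newest event time. The ARNs and sample events are constructed, the function names are hypothetical, it assumes the event lists the key ARN as a resource name as the comment above does, and the caller needs the `cloudtrail:LookupEvents` IAM permission.

```python
from datetime import datetime, timezone

# Constructed placeholder ARNs and events, shaped like boto3 LookupEvents output.
KEY_ARN = "arn:aws:kms:us-east-1:111122223333:key/EXAMPLE-KEY-ID"
OTHER_ARN = "arn:aws:kms:us-east-1:111122223333:key/OTHER-KEY-ID"


def _event(name, arn, when):
    return {
        "EventName": name,
        "EventTime": when,
        "Resources": [{"ResourceType": "AWS::KMS::Key", "ResourceName": arn}],
    }


SAMPLE_EVENTS = [
    _event("RotateKey", KEY_ARN, datetime(2025, 2, 1, 3, 0, tzinfo=timezone.utc)),
    _event("RotateKey", KEY_ARN, datetime(2025, 3, 15, 3, 0, tzinfo=timezone.utc)),
    _event("RotateKey", OTHER_ARN, datetime(2025, 3, 20, 3, 0, tzinfo=timezone.utc)),
    _event("Decrypt", KEY_ARN, datetime(2025, 4, 1, 9, 30, tzinfo=timezone.utc)),
]


def last_rotation(events, key_arn):
    """Return the newest RotateKey EventTime for key_arn, or None if none is found
    (for example when the last rotation is older than the 90-day lookup window)."""
    times = [
        e["EventTime"]
        for e in events
        if e.get("EventName") == "RotateKey"
        and any(r.get("ResourceName") == key_arn for r in e.get("Resources", []))
    ]
    return max(times) if times else None


def fetch_key_events(key_arn, region):
    """Page through LookupEvents for one key; requires cloudtrail:LookupEvents."""
    import boto3  # imported here so the offline sample runs without boto3 installed

    client = boto3.client("cloudtrail", region_name=region)
    pages = client.get_paginator("lookup_events").paginate(
        LookupAttributes=[{"AttributeKey": "ResourceName", "AttributeValue": key_arn}]
    )
    return [event for page in pages for event in page["Events"]]


if __name__ == "__main__":
    # Offline run over the constructed sample; swap in fetch_key_events() for real data.
    print(last_rotation(SAMPLE_EVENTS, KEY_ARN))
```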
    
