1개 답변
- 최신
- 최다 투표
- 가장 많은 댓글
1
I didn't think you could check the rotated timestamps in the AWS CLI.
I thought I could get it with "get-key-rotation-status", but the documentation does not provide timestamp information.
https://awscli.amazonaws.com/v2/documentation/api/latest/reference/kms/get-key-rotation-status.html
How about checking CloudTrail events instead?
The "RotateKey" event is recorded in CloudTrail, so you can check the time of execution from here.
https://docs.aws.amazon.com/kms/latest/developerguide/ct-rotatekey.html
With AWS CLI, it would look like this.
https://docs.aws.amazon.com/awscloudtrail/latest/userguide/view-cloudtrail-events-cli.html#look-up-events-by-attributes
aws cloudtrail lookup-events --lookup-attributes AttributeKey=EventName,AttributeValue=RotateKey
관련 콘텐츠
AWS 공식업데이트됨 일 년 전- AWS 공식업데이트됨 8달 전
- AWS 공식업데이트됨 일 년 전
The cloudtrail command was the right direction, but the command you provided as an example gets all RotateKey events. What should I do if I want to get it for a particular key?
If the ARN of the KMS key is known, it can be narrowed down by adding "--lookup-attributes" as follows. In the following command, replace "arn:aws:kms:region:AWS Account ID:key/Key ID" with the ARN of your KMS key.
When I run this using boto3, it says