I didn't think you could check the rotated timestamps in the AWS CLI.
I thought I could get it with "get-key-rotation-status", but the documentation does not provide timestamp information.
How about checking CloudTrail events instead?
The "RotateKey" event is recorded in CloudTrail, so you can check the time of execution from here. https://docs.aws.amazon.com/kms/latest/developerguide/ct-rotatekey.html
With AWS CLI, it would look like this.
aws cloudtrail lookup-events --lookup-attributes AttributeKey=EventName,AttributeValue=RotateKey
The cloudtrail command was the right direction, but the command you provided as an example gets all RotateKey events. What should I do if I want to get it for a particular key?
If the ARN of the KMS key is known, it can be narrowed down by adding "--lookup-attributes" as follows. In the following command, replace "arn:aws:kms:region:AWS Account ID:key/Key ID" with the ARN of your KMS key.
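As an added example (not the answerer's command or any AWS-provided code), the Python below reads the JSON printed by the lookup-events call from the first answer, keeps only the RotateKey events whose resource ARN matches one key, and flags consecutive rotations spaced more than a year apart. The account ID, key IDs and timestamps in the sample are constructed.

```python
import json
from datetime import datetime, timedelta

# Constructed sample of `aws cloudtrail lookup-events --lookup-attributes
# AttributeKey=EventName,AttributeValue=RotateKey --output json`.
# Account ID, key IDs and timestamps are made up for illustration.
KEY_A = "arn:aws:kms:us-east-1:111122223333:key/1234abcd-12ab-34cd-56ef-1234567890ab"
KEY_B = "arn:aws:kms:us-east-1:111122223333:key/0987dcba-09fe-87dc-65ba-ba0987654321"

SAMPLE_OUTPUT = json.dumps({"Events": [
    {"EventId": "e1", "EventName": "RotateKey", "EventTime": "2023-01-10T02:14:09+00:00",
     "Resources": [{"ResourceType": "AWS::KMS::Key", "ResourceName": KEY_A}]},
    {"EventId": "e2", "EventName": "RotateKey", "EventTime": "2024-01-11T02:15:31+00:00",
     "Resources": [{"ResourceType": "AWS::KMS::Key", "ResourceName": KEY_A}]},
    {"EventId": "e3", "EventName": "RotateKey", "EventTime": "2024-06-01T00:00:00+00:00",
     "Resources": [{"ResourceType": "AWS::KMS::Key", "ResourceName": KEY_B}]},
    {"EventId": "e4", "EventName": "DescribeKey", "EventTime": "2024-06-02T00:00:00+00:00",
     "Resources": [{"ResourceType": "AWS::KMS::Key", "ResourceName": KEY_A}]},
]})


def rotation_times(lookup_json: str, key_arn: str) -> list[datetime]:
    """Return the RotateKey timestamps recorded for one key ARN, oldest first."""
    times = []
    for ev in json.loads(lookup_json).get("Events", []):
        if ev.get("EventName") != "RotateKey":
            continue  # ignore anything that is not a rotation
        arns = {r.get("ResourceName") for r in ev.get("Resources", [])}
        if key_arn in arns:
            # The CLI prints EventTime as ISO 8601; tolerate a trailing 'Z' as well.
            times.append(datetime.fromisoformat(ev["EventTime"].replace("Z", "+00:00")))
    return sorted(times)


def rotation_gaps_over(times: list[datetime], max_days: int = 365) -> list[tuple[datetime, datetime]]:
    """Pairs of consecutive rotations whose spacing exceeds max_days (default: one year)."""
    limit = timedelta(days=max_days)
    return [(a, b) for a, b in zip(times, times[1:]) if b - a > limit]


if __name__ == "__main__":
    for arn in (KEY_A, KEY_B):
        ts = rotation_times(SAMPLE_OUTPUT, arn)
        print(arn.rsplit("/", 1)[1], [t.isoformat() for t in ts])
        for a, b in rotation_gaps_over(ts):
            print(f"  gap of {(b - a).days} days between {a.date()} and {b.date()}")
```

Note that lookup-events only searches the last 90 days of management events, so rotations older than that have to be read from the trail's delivered log files or a CloudTrail Lake event data store.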