| Key | Type | Returned | Description |
|---|---|---|---|
| keys | complex | always | list of keys |
| keys.key_id | str | always | ID of key. Sample: `abcd1234-abcd-1234-5678-ef1234567890` |
| keys.key_arn | str | always | ARN of key. Sample: `arn:aws:kms:ap-southeast-2:123456789012:key/abcd1234-abcd-1234-5678-ef1234567890` |
| keys.key_state | str | always | The state of the key. Sample: `PendingDeletion` |
| keys.key_usage | str | always | The cryptographic operations for which you can use the key. Sample: `ENCRYPT_DECRYPT` |
| keys.origin | str | always | The source of the key's key material. When this value is AWS_KMS, AWS KMS created the key material. When this value is EXTERNAL, the key material was imported or the CMK lacks key material. Sample: `AWS_KMS` |
| keys.aws_account_id | str | always | The AWS Account ID that the key belongs to. Sample: `1234567890123` |
| keys.creation_date | str | always | Date of creation of the key. Sample: `2017-04-18 05:12:08.551000` |
| keys.description | str | always | Description of the key. Sample: `My Key for Protecting important stuff` |
| keys.enabled | str | always | Whether the key is enabled. True if KeyState is true. |
| keys.aliases | list | always | list of aliases associated with the key. Sample: `['aws/acm', 'aws/ebs']` |
| keys.tags | dict | always | dictionary of tags applied to the key. Empty when access is denied even if there are tags. Sample: `{'Name': 'myKey', 'Purpose': 'protecting_stuff'}` |
| keys.policies | list | always | list of policy documents for the keys. Empty when access is denied even if there are policies. Sample: `{'Version': '2012-10-17', 'Id': 'auto-ebs-2', 'Statement': [{'Sid': 'Allow access through EBS for all principals in the account that are authorized to use EBS', 'Effect': 'Allow', 'Principal': {'AWS': '*'}, 'Action': ['kms:Encrypt', 'kms:Decrypt', 'kms:ReEncrypt*', 'kms:GenerateDataKey*', 'kms:CreateGrant', 'kms:DescribeKey'], 'Resource': '*', 'Condition': {'StringEquals': {'kms:CallerAccount': '111111111111', 'kms:ViaService': 'ec2.ap-southeast-2.amazonaws.com'}}}, {'Sid': 'Allow direct access to key metadata to the account', 'Effect': 'Allow', 'Principal': {'AWS': 'arn:aws:iam::111111111111:root'}, 'Action': ['kms:Describe*', 'kms:Get*', 'kms:List*', 'kms:RevokeGrant'], 'Resource': '*'}]}` |
| keys.grants | complex | always | list of grants associated with a key |
| keys.grants.constraints | dict | always | Sample: `{'encryption_context_equals': {'aws:lambda:_function_arn': 'arn:aws:lambda:ap-southeast-2:012345678912:function:xyz'}}` |
| keys.grants.creation_date | str | always | Date of creation of the grant. Sample: `2017-04-18 05:12:08` |
| keys.grants.grant_id | str | always | The unique ID for the grant. Sample: `abcd1234abcd1234abcd1234abcd1234abcd1234abcd1234abcd1234abcd1234` |
| keys.grants.grantee_principal | str | always | The principal that receives the grant's permissions. Sample: `arn:aws:sts::0123456789012:assumed-role/lambda_xyz/xyz` |
| keys.grants.issuing_account | str | always | The AWS account under which the grant was issued. Sample: `arn:aws:iam::01234567890:root` |
| keys.grants.key_id | str | always | The key ARN to which the grant applies. Sample: `arn:aws:kms:ap-southeast-2:123456789012:key/abcd1234-abcd-1234-5678-ef1234567890` |
| keys.grants.name | str | always | The friendly name that identifies the grant. Sample: `xyz` |
| keys.grants.operations | list | always | The list of operations permitted by the grant. Sample: `['Decrypt', 'RetireGrant']` |
| keys.grants.retiring_principal | str | always | The principal that can retire the grant. Sample: `arn:aws:sts::0123456789012:assumed-role/lambda_xyz/xyz` |
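The following is an added example, not part of the module or its documentation: a Python review pass over the returned `keys` list that treats empty `policies` and `tags` as "empty or access denied" rather than "none set", as the table warns. The function names, finding labels and `SAMPLE_KEYS` are assumptions made for illustration, and it assumes each entry of `policies` is an already-parsed policy dict like the sample above.

```python
def _principals(stmt):
    """Flatten a statement's Principal ('*', {'AWS': '*'} or {'AWS': [...]}) to a list."""
    p = stmt.get("Principal", [])
    if isinstance(p, dict):
        p = p.get("AWS", [])
    return [p] if isinstance(p, str) else list(p)

def triage_key(key):
    """Return review findings for one entry of `keys` (labels are this example's own)."""
    findings = []
    if key["key_state"] == "PendingDeletion":
        findings.append("pending-deletion")
    if key["origin"] == "EXTERNAL":
        findings.append("external-key-material")
    # Per the table, empty policies/tags can mean access was denied, not "none set".
    if not key["policies"]:
        findings.append("policies-empty-or-denied")
    if not key["tags"]:
        findings.append("tags-empty-or-denied")
    for doc in key["policies"]:
        stmts = doc.get("Statement", [])
        for stmt in [stmts] if isinstance(stmts, dict) else stmts:
            if (stmt.get("Effect") == "Allow" and "*" in _principals(stmt)
                    and not stmt.get("Condition")):
                findings.append("wildcard-principal-no-condition")
    for grant in key["grants"]:
        if "Decrypt" in grant["operations"] and not grant.get("constraints"):
            findings.append("unconstrained-decrypt-grant:" + grant["name"])
    return findings

def triage(keys):
    """Map key_id -> findings, omitting keys with nothing to report."""
    return {k["key_id"]: f for k in keys if (f := triage_key(k))}

SAMPLE_KEYS = [  # constructed data, reusing the page's placeholder values
    {"key_id": "abcd1234-abcd-1234-5678-ef1234567890", "key_state": "PendingDeletion",
     "origin": "AWS_KMS", "tags": {"Name": "myKey"},
     "policies": [{"Statement": [{"Effect": "Allow", "Principal": {"AWS": "*"},
                   "Action": ["kms:Decrypt"], "Resource": "*", "Condition": {
                       "StringEquals": {"kms:CallerAccount": "111111111111"}}}]}],
     "grants": [{"name": "xyz", "operations": ["Decrypt", "RetireGrant"],
                 "constraints": {"encryption_context_equals": {"app": "xyz"}}}]},
    {"key_id": "00000000-0000-0000-0000-000000000000", "key_state": "Enabled",
     "origin": "EXTERNAL", "tags": {}, "policies": [],
     "grants": [{"name": "batch", "operations": ["Decrypt"], "constraints": {}}]},
]

if __name__ == "__main__":
    for kid, found in triage(SAMPLE_KEYS).items():
        print(kid, found)
```

A wildcard principal scoped by a `Condition`, as in the page's EBS sample policy, is deliberately not flagged; only the unconditioned form is.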