11 December, 2023 by Rambler
Question: I want to investigate CloudTrail for events related to a KMS key using the AWS CLI. What are the steps to return the details of the events related to a KMS key?
Answer: The CloudTrail event history is limited to the past 90 days of events, so as long as the event occurred during this window the details should be available.
If you know the resource ARN of the KMS key then you can look up its events via the ResourceName lookup attribute.
Step 1: Get the resource ARN for the KMS key
aws kms describe-key --key-id fxcvbnm-67yh7-hdheujdjdj --query "KeyMetadata.Arn"
"arn:aws:kms:us-west-3:yeueueueueu:key/xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx"
Step 2: Use the resource ARN to query the CloudTrail event history
Note: --lookup-attributes takes a list of lookup attributes, but currently the list can contain only one item, so any further narrowing (for example by event name) has to be done client-side with --query.
aws cloudtrail lookup-events --lookup-attributes AttributeKey=ResourceName,AttributeValue=arn:aws:kms:us-west-3:yeueueueueu:key/xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
Example query to look for EnableKey events:
aws cloudtrail lookup-events --lookup-attributes AttributeKey=ResourceName,AttributeValue=arn:aws:kms:us-west-3:yeueueueueu:key/xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx --query "Events[?contains(CloudTrailEvent,'EnableKey')].[*]"
Example query to look for ScheduleKeyDeletion events:
aws cloudtrail lookup-events --lookup-attributes AttributeKey=ResourceName,AttributeValue=arn:aws:kms:us-west-3:yeueueueueu:key/xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx --query "Events[?contains(CloudTrailEvent,'ScheduleKeyDeletion')].[*]"
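Because CloudTrailEvent is itself a JSON string inside the lookup-events output, substring matching with contains() is coarse. The script below is an added example (not part of the original post) that decodes that inner JSON, pulls out who did what from where, and flags the KMS calls a defender would want to review first. The field and event names are standard CloudTrail/KMS ones; the ARNs, account ID and IPs in the embedded sample are constructed placeholders, and the script reads real lookup-events output from stdin if piped in.

```python
"""Triage `aws cloudtrail lookup-events` output for a KMS key.

Assumed usage:
  aws cloudtrail lookup-events --lookup-attributes \
      AttributeKey=ResourceName,AttributeValue=<key ARN> | python3 kms_triage.py
"""
import json
import sys

# KMS API calls that change a key's availability or access; review these first.
HIGH_IMPACT = {"ScheduleKeyDeletion", "DisableKey", "PutKeyPolicy",
               "DeleteAlias", "DisableKeyRotation"}


def parse_events(lookup_output):
    """Return one flat record per event. CloudTrailEvent is a JSON string
    inside the lookup-events JSON, so it must be decoded a second time."""
    records = []
    for ev in lookup_output.get("Events", []):
        detail = json.loads(ev["CloudTrailEvent"])
        ident = detail.get("userIdentity", {})
        name = detail.get("eventName")
        records.append({
            "time": detail.get("eventTime"),
            "name": name,
            "actor": ident.get("arn", ident.get("type")),
            "source_ip": detail.get("sourceIPAddress"),
            "error": detail.get("errorCode"),  # present when the call was denied
            "high_impact": name in HIGH_IMPACT,
        })
    return records


def high_impact_events(lookup_output):
    return [r for r in parse_events(lookup_output) if r["high_impact"]]


# Constructed sample in the shape lookup-events returns; all identifiers are placeholders.
SAMPLE = {"Events": [
    {"EventName": "EnableKey", "CloudTrailEvent": json.dumps({
        "eventTime": "2023-12-10T09:15:00Z", "eventName": "EnableKey",
        "userIdentity": {"type": "IAMUser", "arn": "arn:aws:iam::111122223333:user/alice"},
        "sourceIPAddress": "198.51.100.7"})},
    {"EventName": "ScheduleKeyDeletion", "CloudTrailEvent": json.dumps({
        "eventTime": "2023-12-10T09:20:00Z", "eventName": "ScheduleKeyDeletion",
        "userIdentity": {"type": "AssumedRole",
                         "arn": "arn:aws:sts::111122223333:assumed-role/admin/bob"},
        "sourceIPAddress": "203.0.113.9", "requestParameters": {"pendingWindowInDays": 7}})},
]}

if __name__ == "__main__":
    data = SAMPLE if sys.stdin.isatty() else json.load(sys.stdin)
    for r in parse_events(data):
        flag = "!!" if r["high_impact"] else "  "
        print(f"{flag} {r['time']} {r['name']:<22} {r['actor']} from {r['source_ip']}")
```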
For more CLI commands see the AWS CLI Cheatsheet - RDS, AWS Backup, DMS, IAM, Security Token Service, KMS, EC2, DynamoDB, VPC, Aurora, Aurora Global, RESOURCEGROUPSTAGGINGAPI, DocumentDB