1 Answer
I didn't think you could check the rotated timestamps in the AWS CLI.
I thought I could get it with "get-key-rotation-status", but the documentation does not provide timestamp information.
https://awscli.amazonaws.com/v2/documentation/api/latest/reference/kms/get-key-rotation-status.html
How about checking CloudTrail events instead?
The "RotateKey" event is recorded in CloudTrail, so you can check the time of execution from here.
https://docs.aws.amazon.com/kms/latest/developerguide/ct-rotatekey.html
With AWS CLI, it would look like this.
https://docs.aws.amazon.com/awscloudtrail/latest/userguide/view-cloudtrail-events-cli.html#look-up-events-by-attributes
aws cloudtrail lookup-events --lookup-attributes AttributeKey=EventName,AttributeValue=RotateKey
The cloudtrail command was the right direction, but the command you provided as an example gets all RotateKey events. What should I do if I want to get it for a particular key?
If the ARN of the KMS key is known, it can be narrowed down by adding "--lookup-attributes" as follows. In the following command, replace "arn:aws:kms:region:AWS Account ID:key/Key ID" with the ARN of your KMS key.
When I run this using boto3, it says
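
Added example, not part of the original thread: lookup-events accepts only one lookup attribute per call, so one way to get the rotation times for a single key is to look up by EventName=RotateKey as in the answer and filter the JSON output by key ARN afterwards. The sample data, ARNs and function names below are constructed, and the code assumes the key ARN appears in each event's Resources list or in the resources of the embedded CloudTrailEvent record.

```python
import json
from datetime import datetime, timezone

# Constructed sample shaped like `aws cloudtrail lookup-events` JSON output;
# the account ID, key IDs and times are placeholders, not real values.
KEY_A = "arn:aws:kms:us-east-1:111122223333:key/EXAMPLE-KEY-ID-A"
KEY_B = "arn:aws:kms:us-east-1:111122223333:key/EXAMPLE-KEY-ID-B"

def _event(name, when, arn, in_resources=True):
    """Build one constructed event in the LookupEvents response shape."""
    record = {"eventName": name, "resources": [{"type": "AWS::KMS::Key", "ARN": arn}]}
    resources = [{"ResourceType": "AWS::KMS::Key", "ResourceName": arn}] if in_resources else []
    return {"EventName": name, "EventTime": when, "Resources": resources,
            "CloudTrailEvent": json.dumps(record)}

SAMPLE = {"Events": [
    _event("RotateKey", "2024-03-01T02:15:00+00:00", KEY_A),
    _event("RotateKey", "2024-03-02T04:30:00+00:00", KEY_B),
    _event("RotateKey", 1677636900.0, KEY_A, in_resources=False),  # epoch form
    _event("DescribeKey", "2024-03-05T09:00:00+00:00", KEY_A),
]}

def _to_utc(value):
    """EventTime is an ISO 8601 string or epoch seconds, depending on the client."""
    if isinstance(value, (int, float)):
        return datetime.fromtimestamp(value, tz=timezone.utc)
    return datetime.fromisoformat(value).astimezone(timezone.utc)

def _key_arns(event):
    """Collect key ARNs from the Resources list and from the embedded raw record."""
    arns = {r.get("ResourceName") for r in event.get("Resources", [])}
    raw = json.loads(event.get("CloudTrailEvent") or "{}")
    arns |= {r.get("ARN") for r in raw.get("resources") or []}
    return arns

def rotation_times(lookup_output, key_arn):
    """Return the sorted UTC times of RotateKey events recorded for key_arn."""
    return sorted(_to_utc(e["EventTime"]) for e in lookup_output.get("Events", [])
                  if e.get("EventName") == "RotateKey" and key_arn in _key_arns(e))

if __name__ == "__main__":
    for t in rotation_times(SAMPLE, KEY_A):
        print(t.isoformat())
```

To use it on real data, load the saved JSON output of the lookup-events command from the answer with json.load and pass it in place of SAMPLE.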