1 Answer
I didn't think you could check the rotated timestamps in the AWS CLI.
I thought I could get it with "get-key-rotation-status", but the documentation does not provide timestamp information.
How about checking CloudTrail events instead?
The "RotateKey" event is recorded in CloudTrail, so you can check the time of execution from here.
With AWS CLI, it would look like this.
aws cloudtrail lookup-events --lookup-attributes AttributeKey=EventName,AttributeValue=RotateKey
The cloudtrail command was the right direction, but the command you provided as an example gets all RotateKey events. What should I do if I want to get it for a particular key?
If the ARN of the KMS key is known, it can be narrowed down by adding "--lookup-attributes" as follows. In the following command, replace "arn:aws:kms:region:AWS Account ID:key/Key ID" with the ARN of your KMS key.
When I run this using boto3, it says
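An added example (not code from the answer or the comments above): finding the rotation times of one KMS key with boto3. CloudTrail's LookupEvents accepts a single lookup attribute per call and only covers the last 90 days of management events, so this sketch queries by ResourceName (the key ARN) and filters on the RotateKey event name client-side. The function names, the sample ARNs and the sample events are constructed for illustration.

```python
from datetime import datetime, timezone

ROTATE_EVENT = "RotateKey"


def rotation_times(events, key_arn):
    """Return the sorted EventTime values of RotateKey events that reference key_arn.

    `events` is a list shaped like the "Events" list returned by lookup_events.
    """
    times = []
    for ev in events:
        if ev.get("EventName") != ROTATE_EVENT:
            continue  # other KMS activity on the same key (Decrypt, Encrypt, ...)
        arns = {r.get("ResourceName") for r in ev.get("Resources", [])}
        if key_arn in arns:
            times.append(ev["EventTime"])
    return sorted(times)


def fetch_rotation_times(key_arn, region=None):
    """Query CloudTrail for one key. Needs AWS credentials and network access."""
    import boto3  # imported here so the offline demo below runs without it

    ct = boto3.client("cloudtrail", region_name=region)
    pages = ct.get_paginator("lookup_events").paginate(
        # LookupEvents allows only one attribute in this list.
        LookupAttributes=[{"AttributeKey": "ResourceName", "AttributeValue": key_arn}]
    )
    events = [ev for page in pages for ev in page["Events"]]
    return rotation_times(events, key_arn)


# Constructed sample data (placeholder account ID and key IDs).
KEY_A = "arn:aws:kms:us-east-1:111122223333:key/EXAMPLE-KEY-A"
KEY_B = "arn:aws:kms:us-east-1:111122223333:key/EXAMPLE-KEY-B"


def _ev(name, arn, y, m, d):
    return {"EventName": name, "EventTime": datetime(y, m, d, tzinfo=timezone.utc),
            "Resources": [{"ResourceType": "AWS::KMS::Key", "ResourceName": arn}]}


SAMPLE_EVENTS = [
    _ev("RotateKey", KEY_A, 2024, 4, 9),
    _ev("Decrypt", KEY_A, 2024, 3, 1),    # same key, different event
    _ev("RotateKey", KEY_B, 2024, 2, 2),  # same event, different key
    _ev("RotateKey", KEY_A, 2024, 1, 10),
]

if __name__ == "__main__":
    for t in rotation_times(SAMPLE_EVENTS, KEY_A):
        print(t.isoformat())
```

Rotations older than the 90-day event history have to be read from a trail's S3 logs or a CloudTrail Lake event data store instead.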