KMS
Ingests AWS Key Management Service (KMS) resources including encryption keys, aliases, and grants for security monitoring and compliance.
Details
The AWS KMS input collects comprehensive information about your AWS KMS encryption keys and related resources. It provides insights into your encryption key management, usage patterns, and access controls to help you monitor and analyze your data encryption posture. The input retrieves detailed information about KMS keys, including metadata, policies, rotation status, and grants to ensure proper key lifecycle management and compliance monitoring.
Requirements
- AWS KMS must be configured in your AWS account with existing keys.
- Authentication through either IAM role assumption or static credentials.
- Example permission to attach to the role/user:
  ```json
  {
    "Version": "2012-10-17",
    "Statement": [
      {
        "Effect": "Allow",
        "Action": [
          "kms:ListKeys",
          "kms:DescribeKey",
          "kms:ListAliases",
          "kms:ListGrants",
          "kms:GetKeyPolicy",
          "kms:ListKeyPolicies",
          "kms:GetKeyRotationStatus"
        ],
        "Resource": "*"
      }
    ]
  }
  ```
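The check below is an added example, not part of the product or its documentation: it audits the policy actually attached to the collector's role or user against the seven read-only actions listed above, reporting actions that are missing and any broader grants. The function name `audit_policy` and the `SENSITIVE` watch list are assumptions made for illustration.

```python
import fnmatch
import json

# The seven read-only actions from the example policy on this page.
REQUIRED = {"kms:ListKeys", "kms:DescribeKey", "kms:ListAliases", "kms:ListGrants",
            "kms:GetKeyPolicy", "kms:ListKeyPolicies", "kms:GetKeyRotationStatus"}
# Constructed watch list of key-use and key-management actions (not exhaustive).
SENSITIVE = {"kms:Decrypt", "kms:Encrypt", "kms:GenerateDataKey", "kms:CreateGrant",
             "kms:PutKeyPolicy", "kms:ScheduleKeyDeletion", "kms:DisableKey"}

def _as_list(value):
    """IAM lets Statement and Action be a single item or a list."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]

def audit_policy(policy_json):
    """Return (missing, sensitive, extra) for the Allow statements of a policy.

    missing:   page actions the policy does not grant (collection would fail)
    sensitive: watch-list actions the policy grants, directly or via wildcard
    extra:     Action patterns that are not one of the seven page actions
    Deny statements, Resource and Condition are ignored, so this is an upper bound.
    """
    patterns = []
    for stmt in _as_list(json.loads(policy_json).get("Statement")):
        if stmt.get("Effect") != "Allow":
            continue
        if "NotAction" in stmt:
            patterns.append("*")  # conservatively treat Allow + NotAction as a wildcard
        patterns += _as_list(stmt.get("Action"))

    def granted(action):
        # IAM action names are case-insensitive; * and ? are wildcards.
        return any(fnmatch.fnmatchcase(action.lower(), p.lower()) for p in patterns)

    required_lower = {a.lower() for a in REQUIRED}
    missing = sorted(a for a in REQUIRED if not granted(a))
    sensitive = sorted(a for a in SENSITIVE if granted(a))
    extra = sorted(p for p in patterns if p.lower() not in required_lower)
    return missing, sensitive, extra

if __name__ == "__main__":
    # Constructed sample: a broader policy than the page's example.
    sample = json.dumps({"Version": "2012-10-17", "Statement": [
        {"Effect": "Allow", "Action": "kms:*", "Resource": "*"}]})
    print(audit_policy(sample))
```

A policy that matches the page's example returns three empty lists; anything in `sensitive` or `extra` is access the input does not need.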
Configuration
Settings
| Setting | Type | Required | Default | Description |
|---|---|---|---|---|
| Role ARN | string | Yes | - | The ARN of the role to assume to access the keys/aliases/grants |
| Cron | string | Yes | - | Cron expression for scheduling the input |
| Region | array | Yes | - | Filter the keys/aliases/grants list by region |
| KMS Type | string | Yes | - | Type of KMS resources to collect (KEYS, ALIASES, GRANTS) |
Secrets (Static Credentials Only)
| Setting | Type | Required | Description |
|---|---|---|---|
| Access Key | string | Conditional | AWS Access Key ID |
| Secret Key | string | Conditional | AWS Secret Access Key |
⚠️ Authentication: Choose either Role ARN (recommended) or static credentials. See AWS Authentication Guide for setup instructions.