Resource Type: GCP > KMS > Crypto Key

Resource Context

Crypto Key is a part of the KMS service.

Each Crypto Key lives under a Key Ring.

Controls

The primary controls for GCP > KMS > Crypto Key are:

• Approved
• CMDB
• Discovery
• Labels
• Policy
• ServiceNow

It is also targeted by these controls:

• GCP > CIS v1 > 1 Identity and Access Management > 1.08 Ensure Encryption keys are rotated within a period of 365 days (Scored)
• GCP > CIS v2.0 > 1 - Identity and Access Management > 1.09 - Ensure That Cloud KMS Cryptokeys Are Not Anonymously or Publicly Accessible
• GCP > CIS v2.0 > 1 - Identity and Access Management > 1.10 - Ensure KMS Encryption Keys Are Rotated Within a Period of 90 Days

Category

• Security

In Your Workspace

• Controls by Resource Type report
• Policy Settings by Resource Type report
• Resources by Resource Type report

Developers

Resource Type URI

tmod:@turbot/gcp-kms#/resource/types/cryptoKey

Category URI

tmod:@turbot/turbot#/resource/categories/security

GraphQL

query resource(id: "tmod:@turbot/gcp-kms#/resource/types/cryptoKey") { … }

query resourceActivities(filter: "resourceId:'tmod:@turbot/gcp-kms#/resource/types/cryptoKey'") { … }

mutation createResource(input: { … })

mutation updateResource(input: { … })

CLI

Get Resource

turbot graphql resource --id "tmod:@turbot/gcp-kms#/resource/types/cryptoKey"

Steampipe Query

Get Resource

select * from guardrails_resource where resource_type_uri = 'tmod:@turbot/gcp-kms#/resource/types/cryptoKey';

Get Policy Settings (By Resource ID)

select * from guardrails_policy_setting where filter = 'resourceTypeId:"tmod:@turbot/gcp-kms#/resource/types/cryptoKey"';

Get Resource Notification

select * from guardrails_notification where resource_type_uri = 'tmod:@turbot/gcp-kms#/resource/types/cryptoKey' and notification_type in ('resource_updated', 'resource_created');