Knowledge BasePanther.comRelease NotesDemo Request
Search…
Overview
Quick Start
Data Sources & Transports
Writing Detections
Cloud Security Scanning
Cloud Resource Attributes
AWS
ACM Certificate
CloudFormation Stack
CloudWatch Log Group
CloudTrail
CloudTrail Meta
Config Recorder
Config Recorder Meta
DynamoDB Table
EC2 AMI
EC2 Instance
EC2 Network ACL
EC2 SecurityGroup
EC2 Volume
EC2 VPC
ECS Cluster
EKS Cluster
ELBV2 Application Load Balancer
GuardDuty Detector
GuardDuty Detector Meta
IAM Group
IAM Policy
IAM Role
IAM Root User
IAM User
KMS Key
Lambda Function
Password Policy
RDS Instance
Redshift Cluster
S3 Bucket
WAF Web ACL
Destinations
Data Analytics
Enrichment (Beta)
System Configuration
Panther API (Beta)
Guides
Help
Powered By GitBook
KMS Key
Key Management Service (KMS) Key

Resource Type

AWS.KMS.Key

Resource ID Format

For KMS Keys, the resource ID is the ARN.
arn:aws:kms:us-west-2:123456789012:key/1

Background

KMS is a service to create and manage encryption keys for across a wide range of AWS services and within your applications.

Fields

Field
Type
Description
KeyRotationEnabled
Bool
If key rotation is enabled for this KMS key
Policy
String
A JSON policy document indicating what has access to this key

Example

{
"AccountId": "123456789012",
"Arn": "arn:aws:kms:us-west-2:123456789012:key/1",
"CloudHsmClusterId": null,
"CustomKeyStoreId": null,
"DeletionDate": null,
"Description": "Default master key that protects my ACM private keys when no other key is defined",
"Enabled": true,
"ExpirationModel": null,
"Id": "1",
"KeyManager": "AWS",
"KeyRotationEnabled": null,
"KeyState": "Enabled",
"KeyUsage": "ENCRYPT_DECRYPT",
"Origin": "AWS_KMS",
"Policy": "{\n \"Version\" : \"2012-10-17\",\n \"Id\" : \"auto-acm-3\",\n \"Statement\" : [ {\n \"Sid\" : \"Allow creation of decryption grants\",\n \"Effect\" : \"Allow\",\n \"Principal\" : {\n \"AWS\" : \"*\"\n },\n \"Action\" : \"kms:CreateGrant\",\n \"Resource\" : \"*\",\n \"Condition\" : {\n \"StringEquals\" : {\n \"kms:CallerAccount\" : \"123456789012\",\n \"kms:ViaService\" : \"acm.us-east-1.amazonaws.com\"\n },\n \"ForAllValues:StringEquals\" : {\n \"kms:GrantOperations\" : \"Decrypt\"\n },\n \"Bool\" : {\n \"kms:GrantIsForAWSResource\" : \"true\"\n }\n }\n }, {\n \"Sid\" : \"Allow creation of encryption grant\",\n \"Effect\" : \"Allow\",\n \"Principal\" : {\n \"AWS\" : \"*\"\n },\n \"Action\" : \"kms:CreateGrant\",\n \"Resource\" : \"*\",\n \"Condition\" : {\n \"StringEquals\" : {\n \"kms:CallerAccount\" : \"123456789012\",\n \"kms:ViaService\" : \"acm.us-east-1.amazonaws.com\"\n },\n \"ForAllValues:StringEquals\" : {\n \"kms:GrantOperations\" : [ \"Encrypt\", \"ReEncryptFrom\", \"ReEncryptTo\" ]\n },\n \"Bool\" : {\n \"kms:GrantIsForAWSResource\" : \"true\"\n }\n }\n }, {\n \"Sid\" : \"Allowed operations for the key owner\",\n \"Effect\" : \"Allow\",\n \"Principal\" : {\n \"AWS\" : \"*\"\n },\n \"Action\" : [ \"kms:DescribeKey\", \"kms:ListGrants\", \"kms:RevokeGrant\", \"kms:GetKeyPolicy\" ],\n \"Resource\" : \"*\",\n \"Condition\" : {\n \"StringEquals\" : {\n \"kms:CallerAccount\" : \"123456789012\"\n }\n }\n }, {\n \"Sid\" : \"Deny re-encryption to any other key\",\n \"Effect\" : \"Deny\",\n \"Principal\" : {\n \"AWS\" : \"*\"\n },\n \"Action\" : \"kms:ReEncrypt*\",\n \"Resource\" : \"*\",\n \"Condition\" : {\n \"Bool\" : {\n \"kms:ReEncryptOnSameKey\" : \"false\"\n }\n }\n } ]\n}",
"Region": "us-west-2",
"ResourceId": "arn:aws:kms:us-west-2:123456789012:key/1",
"ResourceType": "AWS.KMS.Key",
"Tags": null,
"TimeCreated": "2019-01-01T00:00:00.000Z",
"ValidTo": null
}
Previous
IAM User
Next
Lambda Function
Last modified 1yr ago
Copy link
Outline
Resource Type
Resource ID Format
Background
Fields
Example