blockstorage_block_volume_cmk_encryption_enabledblockstorage_boot_volume_cmk_encryption_enabledcloudguard_enabledcore_default_security_list_allow_icmp_onlycore_instance_encryption_in_transit_enabledcore_instance_legacy_metadata_service_endpoint_disabledcore_network_security_group_restrict_ingress_rdp_allcore_network_security_group_restrict_ingress_ssh_allcore_security_list_restrict_ingress_rdp_allcore_security_list_restrict_ingress_ssh_allcore_subnet_flow_log_enabledevents_rule_notification_cloud_guard_problems_detectedevents_rule_notification_iam_group_changesevents_rule_notification_iam_policy_changesevents_rule_notification_iam_user_changesevents_rule_notification_identity_provider_changesevents_rule_notification_idp_group_mapping_changesevents_rule_notification_network_gateway_changesevents_rule_notification_network_security_list_changesevents_rule_notification_route_table_changesevents_rule_notification_security_list_changesevents_rule_notification_vcn_changesfilestorage_filesystem_cmk_encryption_enabledidentity_administrator_user_with_no_api_keyidentity_auth_token_age_90identity_authentication_password_policy_strong_min_length_14identity_default_tagidentity_iam_administrators_no_update_tenancy_administrators_group_permissionidentity_only_administrators_group_with_manage_all_resources_permission_in_tenancyidentity_tenancy_audit_log_retention_period_365_daysidentity_tenancy_with_one_active_compartmentidentity_user_api_key_age_90identity_user_console_access_mfa_enabledidentity_user_customer_secret_key_age_90identity_user_db_credential_age_90identity_user_valid_emailkms_cmk_rotation_365manual_controlnotification_topic_with_subscriptionobjectstorage_bucket_cmk_encryption_enabledobjectstorage_bucket_public_access_blockedobjectstorage_bucket_versioning_enabledoracle_autonomous_database_not_publicly_accessible
Query: kms_cmk_rotation_365
Usage
powerpipe query oci_compliance.query.kms_cmk_rotation_365Steampipe Tables
SQL
with active_key_table as ( select k.name as key_name, k.id, k.compartment_id, k.vault_name, k.lifecycle_state, k._ctx, k.tenant_id, k.tenant_name, k.region, k.tags, max(v.time_created) as last_version_created_date from oci_kms_key k, oci_kms_key_version v where v.key_id = k.id and v.management_endpoint = k.management_endpoint and v.region = k.region group by key_name, k.region, k.id, k.vault_name, k.lifecycle_state, k.tenant_id, k._ctx, k.compartment_id, k.tenant_name, k.tags)select a.id as resource, case when a.lifecycle_state != 'ENABLED' then 'skip' when last_version_created_date <= (current_date - interval '365' day) then 'alarm' else 'ok' end as status, case when a.lifecycle_state = 'PENDING_DELETION' then a.key_name || ' in ' || a.vault_name || ' vault scheduled for deletion.' when a.lifecycle_state != 'ENABLED' then a.key_name || ' of ' || a.vault_name || ' in ' || lower(a.lifecycle_state) || ' state.' when last_version_created_date <= (current_date - interval '365' day) then a.key_name || ' in ' || a.vault_name || ' vault not rotated since ' || (date(current_timestamp) - date(last_version_created_date)) || ' days.' else a.key_name || ' in ' || a.vault_name || ' vault last rotation age ' || (date(current_timestamp) - date(last_version_created_date)) || ' days.' end as reason , a.region as region, a.tenant_name as tenant , coalesce(c.name, 'root') as compartmentfrom active_key_table a left join oci_identity_compartment c on c.id = a.compartment_id;
Controls
The query is being used by the following controls: