Collector "AWS-KMS" Configuration Manual

Before reading this document, please read:

Tip

Before using this collector, you must install the "Integration Core Package" and its accompanying third-party dependencies.

1. Configuration Structure

The configuration structure of this collector is as follows:

Field       Type  Required  Description
regions     list  Required  List of regions to collect data from
regions[#]  str   Required  Region ID, e.g. 'cn-north-1'. See the appendix for the full list of regions

2. Configuration Example

Collect instance data from the Beijing region

collector_configs = {
    'regions': ['cn-north-1']
}

Configuration Filter (Optional)

This collector script supports custom filters, allowing users to target resources based on object attributes. The filter function returns True or False.

  • True: The target resource should be collected.

  • False: The target resource should not be collected.

Supported object attributes for filtering:

Attribute  Description
KeyId      Key ID of the KMS key
Arn        ARN of the KMS key
# Example: enable a filter based on the KeyId and Arn attributes, configured as follows.
# DFF, Runner, main and account are assumed to be provided by the Integration Core
# Package setup that precedes this snippet (that setup is not shown on this page).
def filter_instance(instance):
    '''
    Collect only instances whose KeyId is xxx and whose Arn is xxx
    '''
    key_id = instance['KeyId']
    arn = instance['Arn']
    if key_id in ['xxx'] and arn in ['xxx']:
        return True
    return False


@DFF.API('AWS-KMS Collection', timeout=3600, fixed_crontab='* * * * *')
def run():
    Runner(main.DataCollector(account, collector_configs, filters=[filter_instance])).run()
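A fuller filter for the same KeyId/Arn attributes, added here as an illustration and not taken from the collector's own code: it parses the key ARN, rejects malformed ARNs or ones whose key ID disagrees with the KeyId attribute, and collects only keys from an allowlisted account and region. The sample instances, the allowlists and the assumption that the collector keeps a resource only when every filter returns True are constructed for this example.

```python
# Constructed sample "instances" in the shape the collector passes to a filter.
# Only the KeyId and Arn attributes are documented as filterable, so the
# example relies on nothing else.
SAMPLE_INSTANCES = [
    {"KeyId": "7293addb-1111-4a2b-9c3d-000000000001",
     "Arn": "arn:aws-cn:kms:cn-northwest-1:123456789012:key/7293addb-1111-4a2b-9c3d-000000000001"},
    {"KeyId": "9a1b2c3d-2222-4a2b-9c3d-000000000002",
     "Arn": "arn:aws-cn:kms:cn-north-1:123456789012:key/9a1b2c3d-2222-4a2b-9c3d-000000000002"},
    # Key from an account outside the allowlist; its KeyId also disagrees with the ARN.
    {"KeyId": "bad-key", "Arn": "arn:aws-cn:kms:cn-north-1:999999999999:key/other-id"},
    # Malformed ARN (should never be collected).
    {"KeyId": "weird", "Arn": "not-an-arn"},
]

# Hypothetical allowlists; a real deployment would load these from configuration.
ALLOWED_ACCOUNTS = {"123456789012"}
ALLOWED_REGIONS = {"cn-north-1", "cn-northwest-1"}


def parse_kms_arn(arn):
    """Split a KMS key ARN into (partition, region, account, key_id); None if malformed."""
    parts = arn.split(":", 5)
    if len(parts) != 6 or parts[0] != "arn" or parts[2] != "kms":
        return None
    _, partition, _, region, account, resource = parts
    if not resource.startswith("key/"):
        return None
    return partition, region, account, resource[len("key/"):]


def filter_instance(instance):
    """Collect a key only if its ARN parses, matches KeyId, and is in the allowlists."""
    parsed = parse_kms_arn(instance.get("Arn", ""))
    if parsed is None:
        return False
    _partition, region, account, arn_key_id = parsed
    if arn_key_id != instance.get("KeyId"):
        return False
    return account in ALLOWED_ACCOUNTS and region in ALLOWED_REGIONS


def apply_filters(instances, filters):
    """Keep an instance only when every filter returns True (assumed collector semantics)."""
    return [inst for inst in instances if all(f(inst) for f in filters)]
```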

3. Data Reporting Format

After successful data synchronization, you can view the data in TrueWatch's "Infrastructure - Resource Catalog".

Example of reported data:

{
  "measurement": "aws_kms",
  "tags": {
    "AWSAccountId": "2946xxxx",
    "Arn"         : "arn:aws-cn:kms:cn-northwest-1:xxxx",
    "Enabled"     : "true",
    "KeyId"       : "7293addb-xxxx",
    "KeyManager"  : "AWS",
    "KeySpec"     : "SYMMETRIC_DEFAULT",
    "KeyState"    : "Enabled",
    "KeyUsage"    : "ENCRYPT_DECRYPT",
    "MultiRegion" : "false",
    "Origin"      : "AWS_KMS",
    "name"        : "7293addb-xxxx"
  },
  "fields": {
    "CreationDate": "2022-09-01T16:24:26.768000+08:00",
    "Description" : "Default key that protects my RDS database volumes when no other key is defined",
    "message"     : "{Instance JSON Data}"
  }
}

Note

The fields in tags and fields may change with subsequent updates.

4. IAM Policy Permissions

Note

If an IAM role is used to collect resources, the role must be granted the operation permissions listed below.

This collector requires the following permissions:

kms:ListKeys

kms:DescribeKey

X. Appendix

Please refer to the official AWS documentation: