
Collector Configuration Manual for "AWS-KMS"

Before reading this article, please read the following first:

Before using this collector, you must install the 'Integration Core Package' and its corresponding third-party dependency packages.

1. Configuration Structure

The configuration structure of this collector is as follows:

| Field | Type | Required | Description |
| --- | --- | --- | --- |
| regions | list | Required | List of regions to collect data from |
| regions[#] | str | Required | Region ID. For example: 'cn-north-1'. Refer to the appendix for the complete list |

2. Configuration Example

Collecting instance data from the Beijing region

```python
collector_configs = {
    'regions': ['cn-north-1']
}
```

Optional Configuration Filters

This collector script supports user-defined filters, allowing users to filter target resources by object properties. The filter function returns True or False.

  • True: The target resource needs to be collected.
  • False: The target resource does not need to be collected.

Supported object properties for filtering:

| Property | Description |
| --- | --- |
| KeyId | Key ID |
| Arn | ARN |
Example: enable filters based on the KeyId and Arn properties of the object, using the following configuration format:

```python
# `account`, `collector_configs`, `DFF`, `Runner` and `main` are provided by the
# Integration Core Package and the function context; they are not defined here.
def filter_instance(instance):
    '''
    Collect only instances whose KeyId is xxx and whose Arn is xxx
    '''
    # return True  # uncomment to collect every key instead of filtering
    key_id = instance['KeyId']
    arn = instance['Arn']
    if key_id in ['xxx'] and arn in ['xxx']:
        return True
    return False


@DFF.API('AWS-KMS Collection', timeout=3600, fixed_crontab='* * * * *')
def run():
    # Pass the filter to the collector; every key is tested with filter_instance
    Runner(main.DataCollector(account, collector_configs, filters=[filter_instance])).run()
```
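A fuller filter along the same lines, added here as an example and not part of the collector's own code: instead of matching literal values, it parses the key's Arn (the `arn:<partition>:kms:<region>:<account>:key/<id>` form shown in the reporting example) and keeps only keys from an allow-list of accounts and regions, skipping records whose Arn is malformed or disagrees with the KeyId. The names `SAMPLE_KEYS`, `parse_kms_arn`, `make_key_filter` and `select_keys` are assumptions; `SAMPLE_KEYS` is constructed data shaped like the objects the filter receives.

```python
from typing import Callable, Dict, Iterable, List, Optional

# Constructed sample "instances" (not real keys); only KeyId and Arn are relied on.
SAMPLE_KEYS = [
    {"KeyId": "7293addb-0000-4000-8000-000000000001",
     "Arn": "arn:aws-cn:kms:cn-northwest-1:294600000001:key/7293addb-0000-4000-8000-000000000001"},
    {"KeyId": "1a2b3c4d-0000-4000-8000-000000000002",
     "Arn": "arn:aws-cn:kms:cn-north-1:294600000001:key/1a2b3c4d-0000-4000-8000-000000000002"},
    {"KeyId": "deadbeef-0000-4000-8000-000000000003",
     "Arn": "arn:aws-cn:kms:cn-north-1:999900000009:key/deadbeef-0000-4000-8000-000000000003"},
    {"KeyId": "broken", "Arn": "not-an-arn"},
]


def parse_kms_arn(arn: str) -> Optional[Dict[str, str]]:
    """Split a KMS key ARN into its parts; return None if it is not a KMS key ARN."""
    parts = arn.split(":", 5)
    if len(parts) != 6 or parts[0] != "arn" or parts[2] != "kms":
        return None
    resource_type, _, resource_id = parts[5].partition("/")
    if resource_type != "key" or not resource_id:
        return None
    return {"partition": parts[1], "region": parts[3],
            "account": parts[4], "key_id": resource_id}


def make_key_filter(accounts: Iterable[str], regions: Iterable[str] = ()) -> Callable[[dict], bool]:
    """Build a filter_instance-style callable: True only for keys whose ARN belongs
    to one of `accounts` (and, if given, one of `regions`) and whose KeyId matches
    the ARN's resource id. Unparseable or inconsistent records are not collected."""
    allowed_accounts, allowed_regions = set(accounts), set(regions)

    def filter_instance(instance: dict) -> bool:
        parsed = parse_kms_arn(instance.get("Arn", ""))
        if parsed is None or parsed["key_id"] != instance.get("KeyId"):
            return False  # malformed or inconsistent record: skip it
        if parsed["account"] not in allowed_accounts:
            return False
        return not allowed_regions or parsed["region"] in allowed_regions

    return filter_instance


def select_keys(instances: List[dict], flt: Callable[[dict], bool]) -> List[str]:
    """Apply the filter the way the collector does and return the kept KeyIds."""
    return [i["KeyId"] for i in instances if flt(i)]


if __name__ == "__main__":
    f = make_key_filter(["294600000001"], ["cn-north-1"])
    print(select_keys(SAMPLE_KEYS, f))  # ['1a2b3c4d-0000-4000-8000-000000000002']
```

Drop in `make_key_filter(...)` where the page's `filter_instance` is passed to `filters=[...]`.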

3. Data Reporting Format

After the data is synchronized successfully, it can be viewed in the {{( brand_name )}} "Infrastructure - Resource Catalog".

Example of reported data:

```json
{
  "measurement": "aws_kms",
  "tags": {
    "AWSAccountId": "2946xxxx",
    "Arn"         : "arn:aws-cn:kms:cn-northwest-1:xxxx",
    "Enabled"     : "true",
    "KeyId"       : "7293addb-xxxx",
    "KeyManager"  : "AWS",
    "KeySpec"     : "SYMMETRIC_DEFAULT",
    "KeyState"    : "Enabled",
    "KeyUsage"    : "ENCRYPT_DECRYPT",
    "MultiRegion" : "false",
    "Origin"      : "AWS_KMS",
    "name"        : "7293addb-xxxx"
  },
  "fields": {
    "CreationDate": "2022-09-01T16:24:26.768000+08:00",
    "Description" : "Default key that protects my RDS database volumes when no other key is defined",
    "message"     : "{Instance JSON Data}"
  }
}
```

The keys under `tags` and `fields` may change in subsequent updates.

4. IAM Policy Permissions

If resources are collected using an IAM role, that role must be granted the corresponding operation permissions.

This collector requires the following permissions:

  • kms:ListKeys
  • kms:DescribeKey

X. Appendix

Refer to the official AWS documentation: