Note: if you are running CloudGraph locally you can view the interactive, automatically generated documentation in either GraphQL Playground or Altair by clicking the docs button on the right-hand side of the screen. After reading the below information we highly suggest you use one of these tools to test your queries as they will autocomplete fields for you and let you know if your queries are valid before you even submit them.
You can currently query the following attributes and connections on an AWS KMS
query {
queryawsKms {
id
accountId
arn
region
description
keyRotationEnabled
usage
policy {
id
}
enabled
keyState
customerMasterKeySpec
creationDate
keyManager
origin
deletionDate
validTo
tags {
id
key
value
}
lambda {
arn
}
cloudtrail {
arn
}
redshiftCluster {
arn
}
sns {
arn
}
eksCluster {
arn
}
}
}
Get data for a single AWS KMS key that you know the ID or arn for:
query {
getawsKms(id: "12345") {
arn
}
}
query {
getawsKms(
arn: "arn:aws:kms:us-west-2:111122223333:key/1234abcd-12ab-34cd-56ef-1234567890ab"
) {
arn
}
}
Get data for all of the KMS keys in a certain AWS account:
query {
queryawsKms(filter: { accountId: { eq: "12345" } }) {
arn
}
}
Get data for all of the KMS keys that are NOT in a certain AWS account:
query {
queryawsKms(filter: { not: { accountId: { eq: "12345" } } }) {
arn
}
}
Get data for all of the KMS keys that have a connected cloudtrail:
query {
queryawsKms(filter: { has: cloudtrail }) {
arn
}
}
Use multiple filter selectors, (i.e. has, and, not, or) to get data for all of the KMS keys that have cloudtrail instances AND lambda instances connected to them OR that do not have sns instances connected to them. Note that you can use has, and, not, or completely independently of each other:
query {
queryawsKms(
filter: { has: cloudtrail, and: { has: lambda }, or: { not: { has: sns } } }
) {
arn
}
}
You may also filter using a regex when filtering on a string field like, description if you want to look for a value that matches say, important:
query {
queryawsKms(filter: { description: { regexp: "/.*important*/" } }) {
arn
}
}
You can order the results you get back either asc or desc depending on your preference:
query {
queryawsKms(order: { desc: creationDate }) {
arn
}
}
Only select and return the first two KMS keys that are found:
query {
queryawsKms(first: 2, order: { desc: creationDate }) {
arn
}
}
Only select and return the first two KMS keys that are found, but offset by one so keys two & three are returned:
query {
queryawsKms(first: 2, order: { desc: creationDate }, offset: 1) {
arn
}
}
Count the number KMS keys across all scanned AWS accounts:
query {
aggregateawsKms {
count
}
}
Count the number of KMS keys in a single account. Note that you can apply all of the same filters that are listed above to aggregate queries:
query {
aggregateawsKms(filter: { accountId: { eq: "12345" } }) {
count
}
}
Find all of the KMS keys that are in the us-east-1 region across all your accounts:
query {
queryawsKms(filter: { region: { eq: "us-east-1" } }) {
arn
}
}
Find all of the KMS keys that have a tag of Environment:Production for a single AWS Account:
query {
queryawsTag(
filter: { key: { eq: "Environment" }, value: { eq: "Production" } }
) {
kms(filter: { accountId: { eq: "12345" } }) {
arn
}
}
}
With CloudGraph you can run multiple queries at the same time so you can combine the above two queries if you like:
query {
queryawsKms(filter: { region: { eq: "us-east-1" } }) {
arn
}
queryawsTag(
filter: { key: { eq: "Environment" }, value: { eq: "Production" } }
) {
kms(filter: { accountId: { eq: "12345" } }) {
arn
}
}
}
Putting it all together; get all data for all KMS keys across all regions for all scanned AWS accounts in a single query. For the purposes of this example we will only get direct children of the keys but if you want to it's easy to go from say, kms -> lambda -> vpc ...etc:
query {
queryawsKms {
id
accountId
arn
region
description
keyRotationEnabled
usage
policy{
id
}
enabled
keyState
customerMasterKeySpec
tags {
id
key
value
}
creationDate
keyManager
origin
deletionDate
validTo
cloudtrail {
id
cgId
accountId
arn
name
region
s3BucketName
s3KeyPrefix
includeGlobalServiceEvents
isMultiRegionTrail
homeRegion
logFileValidationEnabled
cloudWatchLogsLogGroupArn
cloudWatchLogsRoleArn
kmsKeyId
hasCustomEventSelectors
hasInsightSelectors
isOrganizationTrail
tags {
id
key
value
}
s3 {
arn
}
sns {
arn
}
kms {
arn
}
}
redshiftCluster {
id
accountId
arn
allowVersionUpgrade
automatedSnapshotRetentionPeriod
availabilityZone
clusterAvailabilityStatus
clusterCreateTime
clusterRevisionNumber
clusterStatus
clusterSubnetGroupName
clusterVersion
dBName
encrypted
enhancedVpcRouting
manualSnapshotRetentionPeriod
masterUsername
modifyStatus
nodeType
numberOfNodes
preferredMaintenanceWindow
publiclyAccessible
tags {
id
key
value
}
kms {
arn
}
vpc {
arn
}
}
sns {
id
accountId
arn
policy{
id
}
displayName
deliveryPolicy
subscriptions {
id
arn
endpoint
protocol
}
tags {
id
key
value
}
cloudtrail {
arn
}
kms {
arn
}
}
lambda {
id
accountId
arn
region
description
handler
kmsKeyArn
lastModified
memorySize
reservedConcurrentExecutions
role
runtime
sourceCodeSize
timeout
tracingConfig
version
environmentVariables {
id
key
value
}
tags {
id
key
value
}
kms {
arn
}
securityGroups {
arn
}
subnet {
arn
}
vpc {
arn
}
cognitoUserPool {
arn
}
}
eksCluster {
id
accountId
arn
name
createdAt
version
endpoint
status
clientRequestToken
platformVersion
encryptionConfig {
id
resources
provider {
keyArn
}
}
certificateAuthority {
data
}
logging {
clusterLogging {
id
types
enabled
}
}
identity {
oidc {
issuer
}
}
resourcesVpcConfig {
subnetIds
securityGroupIds
clusterSecurityGroupId
vpcId
endpointPublicAccess
endpointPrivateAccess
publicAccessCidrs
}
kubernetesNetworkConfig {
serviceIpv4Cidr
}
tags {
id
key
value
}
iamRoles {
arn
}
kms {
arn
}
securityGroups {
arn
}
subnet {
arn
}
vpc {
arn
}
}
}
}
