Output Format

Symmetric Key Scan Results

{
    "type": "symkey",
    "timestamp": "2025-12-15T11:39:49-05:00",
    "urn": "urn:symkey:name:alias/aws/secretsmanager:arn:aws:kms:us-east-1:558162184545:key/4b3daa9e-1474-4629-8f8a-95f2003caf0f",
    "url": "https://console.aws.amazon.com/kms/home?region=us-east-1#/kms/keys/4b3daa9e-1474-4629-8f8a-95f2003caf0f",
    "extra": {
      "account_id": "558162184545",
      "alias": "alias/aws/secretsmanager",
      "arn": "arn:aws:kms:us-east-1:558162184545:key/4b3daa9e-1474-4629-8f8a-95f2003caf0f",
      "cipher_suites": [
        "SYMMETRIC_DEFAULT"
      ],
      "created_date": "2025-10-22T18:29:42Z",
      "cryptographic_algorithm": "AES",
      "cryptographic_length": 256,
      "description": "Default key that protects my Secrets Manager data when no other key is defined",
      "hsm_backed": true,
      "key_id": "4b3daa9e-1474-4629-8f8a-95f2003caf0f",
      "key_manager": "aws",
      "key_spec": "symmetric_default",
      "multi_region": false,
      "name": "alias/aws/secretsmanager",
      "origin": "aws_kms",
      "platform_type": "aws",
      "purpose": "encrypt_decrypt",
      "region": "us-east-1",
      "rotation": {
        "enabled": true,
        "rotation_period_days": 365
      },
      "status": "enabled"
    }
}

Public Key Scan Results

{
    "type": "pubkey",
    "timestamp": "2025-12-15T11:39:50-05:00",
    "urn": "urn:pubkey:sha256:b05aaba4c71cb0acd32f4c24bf16ea328bafd1da265824d6ff168113cf12859d",
    "url": "https://console.aws.amazon.com/kms/home?region=us-east-1#/kms/keys/4fa5d66e-2c5f-4504-a3fe-30545631eeb6",
    "extra": {
      "account_id": "558162184545",
      "alias": "",
      "arn": "arn:aws:kms:us-east-1:558162184545:key/4fa5d66e-2c5f-4504-a3fe-30545631eeb6",
      "created_date": "2025-10-22T18:34:56Z",
      "description": "Test RSA 4096 asymmetric signing key for high security",
      "hsm_protected": true,
      "key_id": "4fa5d66e-2c5f-4504-a3fe-30545631eeb6",
      "key_manager": "customer",
      "multi_region": false,
      "name": "4fa5d66e-2c5f-4504-a3fe-30545631eeb6",
      "origin": "aws_kms",
      "platform_type": "aws",
      "purpose": "sign_verify",
      "region": "us-east-1",
      "status": "enabled"
    },
    "pubkey_pem": "MIICIjANB.."
}

URN Generation:

  • For symmetric and HMAC keys: generated from the key name and ARN (urn:symkey:name:<name>:<arn>)
  • For asymmetric keys: generated from the SHA-256 hash of the public key PEM body, so the URN is unique per key (urn:pubkey:sha256:<hex digest>)

Error Output: If an error occurs, the plugin outputs a structured JSON object with error details under data.errorDetails and a summary message in data.errorMessage.

Field Descriptions

  • type: "symkey" for symmetric/HMAC keys, "pubkey" for asymmetric keys
  • timestamp: RFC3339 timestamp of when the scan was performed (e.g., "2024-08-07T10:30:00-04:00"). May include a timezone offset depending on system configuration.
  • urn: Unique identifier generated based on key type and content
  • url: Direct link to key in AWS Console
  • pubkey_pem: The base64 body of an RFC 7468 PEM-encoded public key, with the BEGIN/END lines and newlines stripped - asymmetric keys only
  • extra: Additional deployment-specific metadata from KMS with standardized snake_case field names (see Extra Fields section below)

Extra Fields

The extra object contains AWS-specific metadata about the key. The fields differ based on key type:

Symmetric and HMAC Key Extra Fields

For symmetric and HMAC keys (type: "symkey"), the following fields are included:

  • platform_type (string): Always "aws" indicating the key is from AWS KMS
  • name (string): Human-readable key name (alias if available, otherwise key ID)
  • status (string): Current key state (values: "enabled", "disabled", "pending_deletion", "pending_import", "unavailable")
  • region (string): AWS region where the key resides (e.g., "us-east-1")
  • account_id (string): AWS account ID extracted from the key ARN
  • key_id (string): Unique identifier for the key (UUID format)
  • alias (string): Key alias name (e.g., "alias/aws/s3") or empty string if no alias exists
  • key_spec (string): Key specification indicating algorithm (values: "symmetric_default", "hmac_224", "hmac_256", "hmac_384", "hmac_512")
  • description (string): User-provided description of the key
  • created_date (string): ISO 8601 timestamp of when the key was created (e.g., "2025-10-22T18:29:42Z")
  • arn (string): Full AWS ARN of the key (e.g., "arn:aws:kms:us-east-1:123456789012:key/abcd-1234")
  • purpose (string): Key usage purpose (values: "encrypt_decrypt", "generate_verify_mac")
  • origin (string): Key origin source (values: "aws_kms", "external", "aws_cloudhsm", "external_key_store")
  • hsm_backed (boolean): Whether the key is backed by a Hardware Security Module (all AWS KMS keys are HSM-backed)
  • cipher_suites (array of strings): Supported encryption algorithms (e.g., ["SYMMETRIC_DEFAULT"], ["HMAC_SHA_256"])
  • cryptographic_algorithm (string): Primary cryptographic algorithm (e.g., "AES", "HMAC")
  • cryptographic_length (integer): Key length in bits (e.g., 256, 384, 512)
  • key_manager (string): Entity managing the key (values: "aws", "customer")
  • multi_region (boolean): Whether the key is replicated across multiple regions
  • rotation (object): Key rotation information
    • enabled (boolean): Whether automatic key rotation is enabled
    • rotation_period_days (integer): Rotation period in days (only present when rotation is enabled)

Asymmetric Key Extra Fields (Public Keys)

For asymmetric keys (type: "pubkey"), the following fields are included:

  • platform_type (string): Always "aws" indicating the key is from AWS KMS
  • created_date (string): ISO 8601 timestamp of when the key was created
  • status (string): Current key state (values: "enabled", "disabled", "pending_deletion", "pending_import", "unavailable")
  • name (string): Human-readable key name (alias if available, otherwise key ID)
  • origin (string): Key origin source (values: "aws_kms", "external", "aws_cloudhsm", "external_key_store")
  • purpose (string): Key usage purpose (values: "sign_verify", "encrypt_decrypt")
  • hsm_protected (boolean): Whether the key is protected by a Hardware Security Module
  • alias (string): Key alias name or empty string if no alias exists
  • arn (string): Full AWS ARN of the key
  • description (string): User-provided description of the key
  • key_id (string): Unique identifier for the key (UUID format)
  • key_manager (string): Entity managing the key (values: "aws", "customer")
  • region (string): AWS region where the key resides
  • multi_region (boolean): Whether the key is replicated across multiple regions
  • account_id (string): AWS account ID extracted from the key ARN (only included if successfully extracted)

Note: For asymmetric keys, intrinsic cryptographic properties such as key_spec, cipher_suites, cryptographic_algorithm, cryptographic_length, and cryptographic_curve are NOT included in extra, because they can be derived from the pubkey_pem field. Rotation is also not applicable to asymmetric keys.

Note: Timestamps in output may include a timezone offset (e.g., -04:00) or Z for UTC, depending on the system time configuration where the plugin or mock server is run.
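The following is an added example, not the plugin's own code, showing how a consumer of this output would check both the URN Generation rules and the per-type Extra Fields described above, and then pull a few defender-relevant observations (rotation, deletion state, imported key material) out of a record. It assumes the symkey URN is exactly "urn:symkey:name:<name>:<arn>" as the sample shows, and that the pubkey URN is the SHA-256 of the base64 pubkey_pem body as emitted (the exact bytes hashed are an assumption). The symmetric sample reuses the documented record; the asymmetric sample, its placeholder key id, account id and PEM body are constructed for this example and are not real key material.

```python
"""Validate and triage KMS scan records in the format documented above. Added example,
not the plugin's own code; URN rules and the hash input for pubkey URNs are assumptions."""
import hashlib
from datetime import datetime

VALID_STATUS = {"enabled", "disabled", "pending_deletion", "pending_import", "unavailable"}
VALID_ORIGIN = {"aws_kms", "external", "aws_cloudhsm", "external_key_store"}
PURPOSES = {"symkey": {"encrypt_decrypt", "generate_verify_mac"},
            "pubkey": {"sign_verify", "encrypt_decrypt"}}
COMMON = {"platform_type", "name", "status", "region", "key_id", "alias", "description",
          "created_date", "arn", "purpose", "origin", "key_manager", "multi_region"}
REQUIRED = {"symkey": COMMON | {"account_id", "key_spec", "hsm_backed", "cipher_suites",
                                "cryptographic_algorithm", "cryptographic_length", "rotation"},
            "pubkey": COMMON | {"hsm_protected"}}  # account_id is optional for pubkey records

def symkey_urn(name: str, arn: str) -> str:
    """URN scheme for symmetric/HMAC keys, as seen in the sample output."""
    return f"urn:symkey:name:{name}:{arn}"

def pubkey_urn(pem_body: str) -> str:
    """URN scheme for asymmetric keys (assumed hash input: the raw base64 body as emitted)."""
    return "urn:pubkey:sha256:" + hashlib.sha256(pem_body.encode("ascii")).hexdigest()

def validate_record(rec: dict) -> list:
    """Return schema/consistency problems; an empty list means the record is well-formed."""
    kind = rec.get("type")
    if kind not in REQUIRED:
        return [f"unknown type {kind!r}"]
    extra, problems = rec.get("extra") or {}, []
    missing = sorted(REQUIRED[kind] - set(extra))
    if missing:
        problems.append("missing extra fields: " + ", ".join(missing))
    for field, allowed in (("status", VALID_STATUS), ("origin", VALID_ORIGIN),
                           ("purpose", PURPOSES[kind])):
        if extra.get(field) not in allowed:
            problems.append(f"unexpected {field} {extra.get(field)!r}")
    ts = rec.get("timestamp", "")
    try:  # accept a numeric offset (-05:00) or a trailing Z, per the timezone note
        datetime.fromisoformat(ts[:-1] + "+00:00" if ts.endswith("Z") else ts)
    except ValueError:
        problems.append("timestamp is not RFC 3339")
    arn = extra.get("arn", "")
    if extra.get("key_id") and not arn.endswith("key/" + extra["key_id"]):
        problems.append("key_id does not match arn")
    if extra.get("account_id") and f":{extra['account_id']}:" not in arn:
        problems.append("account_id does not match arn")
    if kind == "symkey":
        if rec.get("urn") != symkey_urn(extra.get("name", ""), arn):
            problems.append("urn does not match name and arn")
        rotation = extra.get("rotation") or {}
        if rotation.get("enabled") and "rotation_period_days" not in rotation:
            problems.append("rotation enabled but rotation_period_days missing")
    elif not rec.get("pubkey_pem"):
        problems.append("pubkey_pem missing for pubkey record")
    elif rec.get("urn") != pubkey_urn(rec["pubkey_pem"]):
        problems.append("urn does not match sha256 of pubkey_pem")
    return problems

def triage(rec: dict) -> list:
    """Defender-side observations drawn from the extra fields of a valid record."""
    extra, notes = rec["extra"], []
    if extra.get("status") == "pending_deletion":
        notes.append("key is pending deletion: confirm nothing still depends on it")
    if (rec["type"] == "symkey" and extra.get("key_manager") == "customer"
            and not (extra.get("rotation") or {}).get("enabled")):
        notes.append("customer-managed symmetric key without automatic rotation")
    if extra.get("origin") == "external":
        notes.append("imported key material: expiry and rotation are managed outside KMS")
    return notes

# Symmetric sample: the documented record above, minus the console url.
SYMKEY_ARN = "arn:aws:kms:us-east-1:558162184545:key/4b3daa9e-1474-4629-8f8a-95f2003caf0f"
SYMKEY_SAMPLE = {
    "type": "symkey", "timestamp": "2025-12-15T11:39:49-05:00",
    "urn": "urn:symkey:name:alias/aws/secretsmanager:" + SYMKEY_ARN,
    "extra": {"account_id": "558162184545", "alias": "alias/aws/secretsmanager", "arn": SYMKEY_ARN,
              "cipher_suites": ["SYMMETRIC_DEFAULT"], "created_date": "2025-10-22T18:29:42Z",
              "cryptographic_algorithm": "AES", "cryptographic_length": 256,
              "description": "Default key that protects my Secrets Manager data when no other key is defined",
              "hsm_backed": True, "key_id": "4b3daa9e-1474-4629-8f8a-95f2003caf0f", "key_manager": "aws",
              "key_spec": "symmetric_default", "multi_region": False, "name": "alias/aws/secretsmanager",
              "origin": "aws_kms", "platform_type": "aws", "purpose": "encrypt_decrypt",
              "region": "us-east-1", "rotation": {"enabled": True, "rotation_period_days": 365},
              "status": "enabled"},
}
# Asymmetric sample: constructed for this example; ids are placeholders and the body is NOT a real key.
PUBKEY_BODY = "MIICIjANBgkqhkiG9w0BAQEFAAOCAg8AMIICCgKCAgEAconstructedPlaceholderBody"
PUBKEY_KEY_ID = "00000000-0000-4000-8000-000000000001"
PUBKEY_ARN = "arn:aws:kms:us-east-1:123456789012:key/" + PUBKEY_KEY_ID
PUBKEY_SAMPLE = {
    "type": "pubkey", "timestamp": "2025-12-15T11:39:50Z", "urn": pubkey_urn(PUBKEY_BODY),
    "extra": {"account_id": "123456789012", "alias": "", "arn": PUBKEY_ARN,
              "created_date": "2025-10-22T18:34:56Z", "description": "Test RSA 4096 signing key",
              "hsm_protected": True, "key_id": PUBKEY_KEY_ID, "key_manager": "customer",
              "multi_region": False, "name": PUBKEY_KEY_ID, "origin": "aws_kms", "platform_type": "aws",
              "purpose": "sign_verify", "region": "us-east-1", "status": "enabled"},
    "pubkey_pem": PUBKEY_BODY,
}

if __name__ == "__main__":
    for rec in (SYMKEY_SAMPLE, PUBKEY_SAMPLE):
        print(rec["urn"], "problems:", validate_record(rec), "notes:", triage(rec))
```

Feeding the plugin's real output through validate_record before anything downstream trusts the urn field catches the cases the format notes warn about: a timestamp in either offset style, a pubkey record with no pubkey_pem, or a key_id/account_id that no longer agrees with the ARN. The triage function is deliberately narrow and only reads fields the documentation defines; extend it with your own policy rather than inferring properties the extra object does not carry.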