Reports APIs
CCKM allows you to create key visibility reports based on factors such as key activities, which applications are using the keys, and reconciliation activities between CCKM and the Cloud Service. The AWS reports are categorized as:
Combined Key Activity Reconciliation Report: Contains details about reconciliation activities between CCKM and the Cloud Service.
Key Activity Report: Contains details of who accessed keys across PaaS, what was accessed, and when.
Key Aging Report: Contains details about the key owner and key expiry.
Key Service Usage Report: Contains details of the applications that consumed keys across IaaS/PaaS/SaaS.
Note
The AWS Report feature is in Beta phase.
Prerequisites
To generate CCKM reports, logs are fetched from AWS using the CloudTrail and CloudWatch services. You need to configure these services on the AWS console. This includes specifying the trail name, storage location, log group name, IAM role, and event types.
Attach the following policy to the IAM role linked with the log group:
{
"Version": "2012-10-17",
"Statement": [
{
"Action": [
"logs:DescribeLogGroups",
"logs:FilterLogEvents"
],
"Effect": "Allow",
"Resource": "*"
}
]
}
After the prerequisites are fulfilled, use AWS Reports APIs to perform the following tasks:
Generating Report Jobs
Use the post /v1/cckm/aws/report-jobs API to generate the report jobs.
Syntax
curl -k '<IP>/api/v1/cckm/aws/report-jobs' -H 'Authorization: Bearer AUTHTOKEN' -H 'Content-Type: application/json' --data-binary $'{\n "start_time": "<start time>",\n "end_time": "<end time>",\n "report_type": "<report type>",\n "cloud_watch_params": [<cloud parameters>]\n}' --compressed
Request Parameters
Parameter | Type | Description |
---|---|---|
AUTHTOKEN | string | Authorization token. |
cloud_watch_params | array of JSON objects | CloudWatch parameters such as kms, region, and log group name. Refer to Cloud Watch Parameters for details. |
end_time | string | End time for the report. Default end time is the time when the call is initiated. |
report_type | string | Type of the report to be generated. Possible types are: • service-report • key-report • reconciliation-report • key aging report The default report type is key report. |
start_time | string | Start time from when the report is to be generated. Default start time is end_time-24hrs. |
Cloud Watch Parameters
Parameter | Type | Description |
---|---|---|
kms | string | ID or name of the KMS. |
log_group_name | string | Log group name. |
region | string | Region name. |
Example Request
curl -k 'https://127.0.0.1/api/v1/cckm/aws/report-jobs' -H 'Authorization: Bearer eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.<payload>.7jbUbvoZr9dZ8Yf1NmDUTw3jhq-XDzSHJzN-vQeYcbo' -H 'Content-Type: application/json' --data-binary $'{\n "start_time": "2020-06-23T10:56:51.487287Z",\n "end_time": "2020-07-23T10:56:51.487287Z",\n "report_type": "service-report",\n "cloud_watch_params": [{\n "kms": "kms",\n "log_group_name": "logGroupName",\n "region": "us-east-1"\n }]\n}' --compressed
Example Response
{
"id": "45bb86e6-5cdb-4aea-87cd-0b5cca38e38e",
"uri": "kylo:kylo:cckm:reports:45bb86e6-5cdb-4aea-87cd-0b5cca38e38e",
"account": "kylo:kylo:admin:accounts:kylo",
"application": "ncryptify:gemalto:admin:apps:kylo",
"devAccount": "ncryptify:gemalto:admin:accounts:gemalto",
"createdAt": "2020-07-29T09:02:29.762632318Z",
"updatedAt": "2020-07-29T09:02:29.774904319Z",
"overall_status": "in progress",
"abort": false,
"kms": [
"kms"
],
"log_groups": [
"logGroupName"
],
"regions": [
"us-east-1"
],
"report_type": "service-report"
}
Response Codes
Response Code | Description |
---|---|
2xx | Success |
4xx | Client errors |
5xx | Server errors |
Refer to HTTP status codes for details.
Fetching List of Report Job Status
Use the get /v1/cckm/aws/report-jobs API to view the updated status of report jobs. The results can be filtered using the query parameters.
Syntax
curl -k '<IP>/api/v1/cckm/aws/report-jobs?skip=0&limit=10' -H 'Authorization: Bearer AUTHTOKEN' --compressed
Request Parameter
Parameter | Type | Description |
---|---|---|
AUTHTOKEN | string | Authorization token. |
Request Query Parameters
Parameter | Type | Description |
---|---|---|
id | string | Internal ID of report. |
overall_status | string | Overall status of report. |
skip | integer | Number of records to skip. For example, if "skip":5 is specified, the first five records will not be displayed in the output. |
limit | integer | Number of records to display. For example, if "limit":10 is specified, then the next 10 records (after skipping the number of records specified in the skip parameter) will be displayed in the output. |
Example Request
curl -k 'https://127.0.0.1/api/v1/cckm/aws/report-jobs?skip=0&limit=10' -H 'Authorization: Bearer eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.<payload>.7jbUbvoZr9dZ8Yf1NmDUTw3jhq-XDzSHJzN-vQeYcbo' --compressed
Example Response
{
"skip": 0,
"limit": 10,
"total": 1,
"resources": [
{
"id": "45bb86e6-5cdb-4aea-87cd-0b5cca38e38e",
"uri": "kylo:kylo:cckm:reports:45bb86e6-5cdb-4aea-87cd-0b5cca38e38e",
"account": "kylo:kylo:admin:accounts:kylo",
"application": "ncryptify:gemalto:admin:apps:kylo",
"devAccount": "ncryptify:gemalto:admin:accounts:gemalto",
"createdAt": "2020-07-29T09:02:29.762632Z",
"updatedAt": "2020-07-29T09:05:44.861076Z",
"completed_at": "2020-07-29T09:05:44.860944Z",
"overall_status": "completed",
"detailed_status": {
"kms/logGroupName": "completed"
},
"abort": false,
"kms": [
"kms"
],
"log_groups": [
"logGroupName"
],
"regions": [
"us-east-1"
],
"report_type": "service-report"
}
]
}
Response Codes
Response Code | Description |
---|---|
2xx | Success |
4xx | Client errors |
5xx | Server errors |
Refer to HTTP status codes for details.
Fetching List of Reports
Use the get /v1/cckm/aws/reports API to view the list of reports. The results can be filtered using the query parameters.
Syntax
curl -k '<IP>/api/v1/cckm/aws/reports?skip=0&limit=10' -H 'Authorization: Bearer AUTHTOKEN' --compressed
Request Parameter
Parameter | Type | Description |
---|---|---|
AUTHTOKEN | string | Authorization token. |
Request Query Parameters
Parameter | Type | Description |
---|---|---|
id | string | Internal ID of report. |
report_job_id | string | ID of the report job. |
skip | integer | Number of records to skip. For example, if "skip":5 is specified, the first five records will not be displayed in the output. |
limit | integer | Number of records to display. For example, if "limit":10 is specified, then the next 10 records (after skipping the number of records specified in the skip parameter) will be displayed in the output. |
Example Request
curl -k 'https://127.0.0.1/api/v1/cckm/aws/reports?skip=0&limit=10' -H 'Authorization: Bearer eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.<payload>.h_6rii98avXcRRgZT-0K_HxhKNYDZqk9DWHmg9cPgyQ' --compressed
Example Response
{
"skip": 0,
"limit": 10,
"total": 44201,
"resources": [
{
"id": "0017c868-c8c6-4de4-9662-8b5e77c21458",
"uri": "kylo:kylo:cckm:aws-reports:0017c868-c8c6-4de4-9662-8b5e77c21458",
"account": "kylo:kylo:admin:accounts:kylo",
"application": "ncryptify:gemalto:admin:apps:kylo",
"devAccount": "ncryptify:gemalto:admin:accounts:gemalto",
"createdAt": "2020-07-29T09:05:44.858476Z",
"updatedAt": "2020-07-29T09:05:44.857359Z",
"key_arn": "arn:aws:kms:ap-southeast-2:123456789012:key/1550cb6a-62d1-4885-bb6c-82567884d664",
"event_time": "2020-07-23T10:18:54Z",
"requesting_service": "aws-sdk-go/1.29.28 (go1.14.6; linux; amd64)",
"origin": "AWS::KMS::Key",
"region": "ap-southeast-2",
"kms": "kms",
"report_job_id": "45bb86e6-5cdb-4aea-87cd-0b5cca38e38e"
},
{
"id": "207ee356-203a-40a7-bdd7-1ec1df57bb8b",
"uri": "kylo:kylo:cckm:aws-reports:207ee356-203a-40a7-bdd7-1ec1df57bb8b",
"account": "kylo:kylo:admin:accounts:kylo",
"application": "ncryptify:gemalto:admin:apps:kylo",
"devAccount": "ncryptify:gemalto:admin:accounts:gemalto",
"createdAt": "2020-07-29T09:05:44.856086Z",
"updatedAt": "2020-07-29T09:05:44.855007Z",
"key_arn": "arn:aws:kms:ap-southeast-2:123456789012:key/1550cb6a-62d1-4885-bb6c-82567884d664",
"event_time": "2020-07-23T10:18:54Z",
"requesting_service": "aws-sdk-go/1.29.28 (go1.14.6; linux; amd64)",
"origin": "AWS::KMS::Key",
"region": "ap-southeast-2",
"kms": "kms",
"report_job_id": "45bb86e6-5cdb-4aea-87cd-0b5cca38e38e"
}
]
}
Response Codes
Response Code | Description |
---|---|
2xx | Success |
4xx | Client errors |
5xx | Server errors |
Refer to HTTP status codes for details.
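The following is an added example, not part of the CCKM documentation: it pages through get /v1/cckm/aws/reports with the report_job_id, skip, and limit query parameters and groups the records by key_arn to show which requesting_service values used each key. The helper names (make_fetcher, iter_reports, usage_by_key, fake_fetch), the ca_file argument, the second key ARN, and the constructed-agent/1.0 service string are assumptions for illustration; make_fetcher verifies the server certificate against a CA file instead of using -k.

```python
import json
import ssl
import urllib.parse
import urllib.request
from collections import defaultdict

def make_fetcher(base_url, token, ca_file):
    ctx = ssl.create_default_context(cafile=ca_file)  # verify the server certificate (no -k)
    def fetch(path, params):
        url = f"{base_url}/api{path}?{urllib.parse.urlencode(params)}"
        req = urllib.request.Request(url, headers={"Authorization": f"Bearer {token}"})
        with urllib.request.urlopen(req, context=ctx) as resp:
            return json.load(resp)
    return fetch

def iter_reports(fetch, job_id, limit=10):
    """Walk GET /v1/cckm/aws/reports page by page using skip, limit and total."""
    skip = 0
    while True:
        page = fetch("/v1/cckm/aws/reports", {"report_job_id": job_id, "skip": skip, "limit": limit})
        rows = page.get("resources", [])
        yield from rows
        skip += len(rows)
        if not rows or skip >= page.get("total", 0):
            break

def usage_by_key(records):
    """Map each key_arn to the set of requesting_service values that used it."""
    usage = defaultdict(set)
    for rec in records:
        usage[rec["key_arn"]].add(rec["requesting_service"])
    return dict(usage)

# Constructed sample records in the shape of the example response (not real output).
JOB = "45bb86e6-5cdb-4aea-87cd-0b5cca38e38e"
KEY_A = "arn:aws:kms:ap-southeast-2:123456789012:key/1550cb6a-62d1-4885-bb6c-82567884d664"
KEY_B = "arn:aws:kms:us-east-1:123456789012:key/00000000-0000-0000-0000-000000000000"
SAMPLE = [
    {"report_job_id": JOB, "key_arn": KEY_A, "requesting_service": "aws-sdk-go/1.29.28 (go1.14.6; linux; amd64)"},
    {"report_job_id": JOB, "key_arn": KEY_A, "requesting_service": "constructed-agent/1.0"},
    {"report_job_id": JOB, "key_arn": KEY_B, "requesting_service": "constructed-agent/1.0"},
]

def fake_fetch(path, params):
    """Offline stand-in for make_fetcher(): serves SAMPLE with skip/limit semantics."""
    rows = [r for r in SAMPLE if r["report_job_id"] == params["report_job_id"]]
    return {"total": len(rows), "resources": rows[params["skip"]:params["skip"] + params["limit"]]}

if __name__ == "__main__":
    print(usage_by_key(iter_reports(fake_fetch, JOB, limit=2)))
```

Against a real appliance, pass make_fetcher(base_url, token, ca_file) to iter_reports in place of fake_fetch.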
Viewing Details of a Particular Report Job
Use the get /v1/cckm/aws/report-jobs/{id} API to view the details of a report job with a specific ID.
Syntax
curl -k '<IP>/api/v1/cckm/aws/report-jobs/{id}' -H 'Authorization: Bearer AUTHTOKEN' --compressed
Here, {id} represents the report job ID.
Request Parameter
Parameter | Type | Description |
---|---|---|
AUTHTOKEN | string | Authorization token. |
Example Request
curl -k 'https://127.0.0.1/api/v1/cckm/aws/report-jobs/45bb86e6-5cdb-4aea-87cd-0b5cca38e38e' -H 'Authorization: Bearer eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.<payload>.pQ8y9tMSTrBGZ-RYfWAHh6JTFp7GJXMDL10UFGScJQU' --compressed
Example Response
{
"id": "45bb86e6-5cdb-4aea-87cd-0b5cca38e38e",
"uri": "kylo:kylo:cckm:reports:45bb86e6-5cdb-4aea-87cd-0b5cca38e38e",
"account": "kylo:kylo:admin:accounts:kylo",
"application": "ncryptify:gemalto:admin:apps:kylo",
"devAccount": "ncryptify:gemalto:admin:accounts:gemalto",
"createdAt": "2020-07-29T09:02:29.762632Z",
"updatedAt": "2020-07-29T09:05:44.861076Z",
"completed_at": "2020-07-29T09:05:44.860944Z",
"overall_status": "completed",
"detailed_status": {
"kms/logGroupName": "completed"
},
"abort": false,
"kms": [
"kms"
],
"log_groups": [
"logGroupName"
],
"regions": [
"us-east-1"
],
"report_type": "service-report"
}
Response Codes
Response Code | Description |
---|---|
2xx | Success |
4xx | Client errors |
5xx | Server errors |
Refer to HTTP status codes for details.
Deleting Report Job from CCKM
Use the delete /v1/cckm/aws/report-jobs/{id} API to delete a report job and its AWS report from CCKM.
Syntax
curl -k '<IP>/api/v1/cckm/aws/report-jobs/{id}' -X DELETE -H 'Authorization: Bearer AUTHTOKEN' --compressed
Here, {id} represents the report job ID.
Request Parameter
Parameter | Type | Description |
---|---|---|
AUTHTOKEN | string | Authorization token. |
Example Request
curl -k 'https://127.0.0.1/api/v1/cckm/aws/report-jobs/45bb86e6-5cdb-4aea-87cd-0b5cca38e38e' -X DELETE -H 'Authorization: Bearer eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.<payload>.pQ8y9tMSTrBGZ-RYfWAHh6JTFp7GJXMDL10UFGScJQU' --compressed
Example Response
{
"status": 204
}
Viewing Details of a Particular Report
Use the get /v1/cckm/aws/reports/{id} API to view the details of a report with a specific ID.
Syntax
curl -k '<IP>/api/v1/cckm/aws/reports/{id}' -H 'Authorization: Bearer AUTHTOKEN' --compressed
Here, {id} represents the report ID.
Request Parameter
Parameter | Type | Description |
---|---|---|
AUTHTOKEN | string | Authorization token. |
Example Request
curl -k 'https://127.0.0.1/api/v1/cckm/aws/reports/0017c868-c8c6-4de4-9662-8b5e77c21458' -H 'Authorization: Bearer eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.<payload>.pQ8y9tMSTrBGZ-RYfWAHh6JTFp7GJXMDL10UFGScJQU' --compressed
Example Response
{
"id": "0017c868-c8c6-4de4-9662-8b5e77c21458",
"uri": "kylo:kylo:cckm:aws-reports:0017c868-c8c6-4de4-9662-8b5e77c21458",
"account": "kylo:kylo:admin:accounts:kylo",
"application": "ncryptify:gemalto:admin:apps:kylo",
"devAccount": "ncryptify:gemalto:admin:accounts:gemalto",
"createdAt": "2020-07-29T09:05:44.858476Z",
"updatedAt": "2020-07-29T09:05:44.857359Z",
"key_arn": "arn:aws:kms:ap-southeast-2:123456789012:key/1550cb6a-62d1-4885-bb6c-82567884d664",
"event_time": "2020-07-23T10:18:54Z",
"requesting_service": "aws-sdk-go/1.29.28 (go1.14.6; linux; amd64)",
"origin": "AWS::KMS::Key",
"region": "ap-southeast-2",
"kms": "kms",
"report_job_id": "45bb86e6-5cdb-4aea-87cd-0b5cca38e38e"
}
Response Codes
Response Code | Description |
---|---|
2xx | Success |
4xx | Client errors |
5xx | Server errors |
Refer to HTTP status codes for details.