Key Management Service (KMS) is integrated with ActionTrail. In the ActionTrail console, you can query the management events that are generated when you manage KMS resources. ActionTrail can deliver management events to Logstores in Log Service or Object Storage Service (OSS) buckets. This way, you can audit the events in real time and locate the causes of issues.
ActionTrail generates management events when you manage cloud resources by using APIs or the Alibaba Cloud Management Console. The following table describes the management events of KMS that you can query in the ActionTrail console.
| Event name | Description |
| AsymmetricDecrypt | Decrypts data by using an asymmetric customer master key (CMK). |
| AsymmetricEncrypt | Encrypts data by using an asymmetric CMK. |
| AsymmetricSign | Generates a signature by using an asymmetric CMK. |
| AsymmetricVerify | Verifies a signature by using an asymmetric CMK. |
| CancelKeyDeletion | Cancels the deletion of a CMK. |
| CertificatePrivateKeyDecrypt | Decrypts data by using a specified certificate. |
| CertificatePrivateKeySign | Generates a digital signature by using a specified certificate. |
| CertificatePublicKeyEncrypt | Encrypts data by using a specified certificate. |
| CertificatePublicKeyVerify | Verifies a digital signature by using a specified certificate. |
| CheckServiceLinkedRoleForDeleting | Checks whether the service-linked role can be deleted. |
| ConnectKeyStore | Enables a dedicated KMS instance. |
| CreateAlias | Creates an alias for a CMK. |
| CreateApplicationAccessPoint | Creates an application access point (AAP). |
| CreateCertificate | Creates a certificate. |
| CreateCertificateAuthority | Creates a certificate authority (CA). |
| CreateClientKey | Creates a client key for an AAP. |
| CreateKey | Creates a CMK. |
| CreateKeyVersion | Creates a version for a CMK. |
| CreateNetworkRule | Creates a network access rule. |
| CreatePolicy | Creates an access control policy for an AAP. |
| CreateSecret | Creates a secret and stores the secret value in the initial version. |
| Decrypt | Decrypts ciphertext. |
| DeleteAlias | Deletes an alias. |
| DeleteApplicationAccessPoint | Deletes an AAP. |
| DeleteCertificate | Deletes a certificate and the private key and certificate chain of the certificate. |
| DeleteCertificateAuthority | Deletes a CA. |
| DeleteClientKey | Deletes the client key of an AAP. |
| DeleteKeyMaterial | Deletes the imported key material. |
| DeleteNetworkRule | Deletes a network access rule of an AAP. |
| DeletePolicy | Deletes an access control policy of an AAP. |
| DeleteSecret | Deletes a secret. |
| DescribeAccessPoint | Queries the information about an AAP. |
| DescribeAccountKmsStatus | Queries the status of KMS for the current Alibaba Cloud account. |
| DescribeApplicationAccessPoint | Queries the details of an AAP. |
| DescribeCertificate | Queries the information about a certificate. |
| DescribeCertificateAuthority | Queries the CA information. |
| DescribeClusters | Queries the information about a cluster. |
| DescribeDBInstanceNetInfo | Queries the network information of an instance. |
| DescribeKey | Queries the details of a CMK. |
| DescribeKeyStores | Queries the details of a dedicated KMS instance. |
| DescribeKeyVersion | Queries the information about a specified CMK version. |
| DescribeNetworkRule | Queries the details of a network access rule of an AAP. |
| DescribePolicy | Queries the details of an access control policy of an AAP. |
| DescribeRegion | Queries available regions for the current account. |
| DescribeSecret | Queries the metadata of a secret. |
| DescribeService | Queries the key protection capabilities of a region. |
| DisableKey | Disables a specified CMK for encryption and decryption. |
| DisconnectKeyStore | Disconnects a dedicated KMS instance of the Standard edition from a hardware security module (HSM) cluster. |
| doCheckResource | Verifies tag information. |
| doLogicalDeleteResource | Logically deletes a resource. |
| doPhysicalDeleteResource | Physically deletes a resource. |
| EnableKey | Enables a specified CMK for encryption and decryption. |
| Encrypt | Encrypts plaintext by using a symmetric CMK. |
| ExportCertificate | Exports a certificate and the private key of the certificate. |
| ExportDataKey | Encrypts a data key by using a specified public key and exports the data key. |
| GenerateAndExportDataKey | Generates a random data key, encrypts the data key by using a specified CMK and public key, and returns the ciphertext generated by using the CMK and that generated by using the public key. |
| GenerateDataKey | Generates a random data key that is used to locally encrypt data. |
| GenerateDataKeyWithoutPlaintext | Generates a random data key that is used to locally encrypt data. The plaintext of the data key is not returned. |
| GetCertificate | Queries a certificate that is managed by Certificates Manager. |
| GetCertificateAuthorityCertificate | Queries the CAs of certificates that are managed by Certificates Manager. |
| GetCertificateAuthorityCsr | Queries the certificate signing request (CSR) files for certificates that are managed by Certificates Manager. |
| GetIssuedCertificate | Queries the certificate that is issued by a CA. |
| GetParametersForImport | Queries the parameters that are used to import key material for a CMK. |
| GetPublicKey | Queries the public key of an asymmetric CMK. |
| GetRandomPassword | Queries a random password string. |
| GetSecretValue | Queries a secret value. |
| GetConsumerTag | Queries a user tag. |
| ImportCertificate | Imports a certificate. |
| ImportCertificateAuthorityCertificate | Imports the certificate of a CA. |
| ImportEncryptionCertificate | Imports an encryption certificate. |
| ImportKeyMaterial | Imports key material. |
| IssueCertificate | Issues a certificate. |
| ListAccessPoints | Queries AAPs. |
| ListAlias | Queries aliases. |
| ListAliases | Queries all aliases of the current user in the current region. |
| ListAliasesByKeyId | Queries all aliases that are bound to a specified CMK. |
| ListApplicationAccessPoints | Queries AAPs. |
| ListCertificateAuthorities | Queries CAs. |
| ListCertificates | Queries certificates. |
| ListClientKeys | Queries the client keys of a specified AAP. |
| ListKeys | Queries the IDs of all CMKs of the current Alibaba Cloud account in the current region. |
| ListKeyVersions | Queries all key versions of a CMK. |
| ListNetworkRules | Queries the network access rules of an AAP. |
| ListPolicies | Queries the access control policies of an AAP. |
| ListResourceTags | Queries the tags of a CMK. |
| ListSecrets | Queries all secrets of the current user in the current region. |
| ListSecretVersionIds | Queries all versions of a secret. |
| OpenKmsService | Activates KMS for the current Alibaba Cloud account. |
| OpenService | Activates KMS. |
| PutSecretValue | Stores the secret value of a new version into a secret. |
| ReEncrypt | Re-encrypts ciphertext. |
| RefreshAccessPointTokens | Updates the tokens for an AAP. |
| RestoreSecret | Restores a deleted secret. |
| RevokeIssuedCertificate | Revokes an issued certificate. |
| RotateSecret | Proactively rotates a dynamic secret. |
| ScheduleKeyDeletion | Schedules the deletion of a specified CMK. |
| SetDeletionProtection | Enables or disables deletion protection. |
| SetKeyStoreAuditConfig | Configures audit log settings for Dedicated KMS. |
| TagResource | Configures tags for a CMK or secret. |
| UntagResource | Removes a specified tag from a CMK or secret. |
| UpdateAlias | Binds an existing alias to a different CMK ID. |
| UpdateApplicationAccessPoint | Updates the AAP information. |
| UpdateCertificateAuthority | Updates the CA configuration. |
| UpdateCertificateStatus | Updates the status of a certificate. |
| UpdateKeyDescription | Updates the description of a CMK. |
| UpdateKeyStore | Updates the information about a dedicated KMS instance. |
| UpdateNetworkRule | Updates a network access rule of an AAP. |
| UpdatePolicy | Updates an access control policy of an AAP. |
| UpdateRotationPolicy | Updates a key rotation policy. |
| UpdateSecret | Updates the metadata of a secret. |
| UpdateSecretRotationPolicy | Updates the rotation policy for a dynamic secret. |
| UpdateSecretVersionStage | Updates the stage label that marks a secret version. |
| UploadCertificate | Imports a certificate and a certificate chain issued by a CA into Certificates Manager. |