All Products
Search
Document Center

Key Management Service:Audit events of KMS

Last Updated:Aug 29, 2024

Key Management Service (KMS) is integrated with ActionTrail. In the ActionTrail console, you can query the management events that are generated when you manage KMS resources. KMS can deliver management events to Logstores in Simple Log Service or Object Storage Service (OSS) buckets. This way, you can audit the events in real time and locate the causes of issues.

KMS generates management events when you manage cloud resources by using APIs or the Alibaba Cloud Management Console. The following table describes the management events of KMS that you can query in the ActionTrail console.

Event name

Description

AsymmetricDecrypt

Decrypts data by using an asymmetric key.

AsymmetricEncrypt

Encrypts data by using an asymmetric key.

AsymmetricSign

Generates a signature by using an asymmetric key.

AsymmetricVerify

Verifies a signature by using an asymmetric CMK.

CancelKeyDeletion

Cancels the deletion of a key.

CertificatePrivateKeyDecrypt

Decrypts data by using a certificate.

CertificatePrivateKeySign

Generates a digital signature by using a certificate.

CertificatePublicKeyEncrypt

Encrypts data by using a certificate.

CertificatePublicKeyVerify

Verifies a digital signature by using a certificate.

CheckServiceLinkedRoleForDeleting

Checks whether a service-linked role can be deleted.

ConnectKeyStore

Enables a KMS instance.

ConnectKmsInstance

Enables a KMS instance.

CreateAlias

Creates an alias for a key.

CreateApplicationAccessPoint

Creates an application access point (AAP).

CreateCertificate

Creates a certificate.

CreateCertificateAuthority

Create a certificate authority (CA).

CreateClientKey

Creates a client key for an AAP.

CreateKey

Creates a key.

CreateKeyVersion

Creates a version for a key.

CreateNetworkRule

Creates a network access rule.

CreatePolicy

Creates an access control policy for an AAP.

CreateSecret

Creates a secret and stores the secret value in the initial version.

CreateKmsInstanceImageUpgradeTask

Creates an image upgrade task for a KMS instance.

CancelKmsInstanceImageUpgradeTask

Cancels an image upgrade task for a KMS instance.

RollbackKmsInstanceImageUpgradeTask

Rolls back an image upgrade task of a KMS instance.

DescribeKmsInstanceImageUpgradeTask

Queries the details of an image upgrade task of a KMS instance.

Decrypt

Decrypts ciphertext.

DeleteAlias

Deletes an alias.

DeleteApplicationAccessPoint

Deletes an AAP.

DeleteCertificate

Deletes a certificate and the private key and certificate chain of the certificate.

DeleteCertificateAuthority

Deletes a CA.

DeleteClientKey

Deletes the client key of an AAP.

DeleteKeyMaterial

Deletes imported key material.

DeleteNetworkRule

Deletes a network access rule of an AAP.

DeletePolicy

Deletes an access control policy of an AAP.

DeleteSecret

Deletes a secret.

DescribeAccessPoint

Queries the information about an AAP.

DescribeAccountKmsStatus

Queries the status of KMS within the current Alibaba Cloud account.

DescribeApplicationAccessPoint

Queries the details of an AAP.

DescribeCertificate

Queries the information about a certificate.

DescribeCertificateAuthority

Queries the CA information.

DescribeClusters

Queries the information about a cluster.

DescribeDBInstanceNetInfo

Queries the network information about an instance.

DescribeKey

Queries the details of a key.

DescribeKeyStores

Queries the details of a KMS instance.

DescribeKeyVersion

Queries the information about a key version.

DescribeNetworkRule

Queries the details of a network access rule of an AAP.

DescribePolicy

Queries the details of an access control policy of an AAP.

DescribeRegion

Queries available regions for the current account.

DescribeSecret

Queries the metadata of a secret.

DescribeService

Queries the key protection capabilities in a region.

DisableKey

Disables a key for encryption and decryption.

DisconnectKeyStore

Disables a KMS instance of the hardware key management type.

doCheckResource

Verifies the information about a tag.

doLogicalDeleteResource

Deletes a resource in a logical manner.

doPhysicalDeleteResource

Deletes a resource in a physical manner.

EnableKey

Enables a key for encryption and decryption.

Encrypt

Encrypts plaintext into ciphertext by using a symmetric key.

ExportCertificate

Exports a certificate and the private key of the certificate.

ExportDataKey

Encrypts a data key by using a public key and exports the data key.

GenerateAndExportDataKey

Generates a random data key, encrypts the data key by using a key and a public key, and then returns the key-encrypted data key ciphertext and the public key-encrypted data key ciphertext.

GenerateDataKey

Generates a random data key that is used to locally encrypt data.

GenerateDataKeyWithoutPlaintext

Generates a random data key that is used to locally encrypt data. The plaintext of the data key is not returned.

GetCertificate

Queries a certificate that is managed by Certificates Manager.

GetCertificateAuthorityCertificate

Queries the CAs of certificates that are managed by Certificates Manager.

GetCertificateAuthorityCsr

Queries the certificate signing request (CSR) files for certificates that are managed by Certificates Manager.

GetClientKey

Queries the information about a client key.

GetIssuedCertificate

Queries the certificate that is issued by a CA.

GetParametersForImport

Queries the parameters that are used for importing key material.

GetPublicKey

Queries the public key of an asymmetric key.

GetRandomPassword

Queries a random password string.

GetSecretValue

Queries a secret value.

GetConsumerTag

Queries a user tag.

GetDKMSMigratingDiagnosis

Checks whether a key can be migrated to KMS 3.0.

GetKmsInstance

Queries the details of a KMS instance.

ImportCertificate

Imports a certificate.

ImportCertificateAuthorityCertificate

Imports the certificate of a CA.

ImportEncryptionCertificate

Imports an encryption certificate.

ImportKeyMaterial

Imports key material.

IssueCertificate

Issues a certificate.

ListAccessPoints

Queries a list of AAPs.

ListAlias

Queries a list of aliases.

ListAliases

Queries all aliases of the current user in the current region.

ListAliasesByKeyId

Queries all aliases that are associated with a key.

ListApplicationAccessPoints

Queries a list of AAPs.

ListCertificateAuthorities

Queries a list of CAs.

ListCertificates

Queries a list of certificates.

ListClientKeys

Queries a list of the client keys of an AAP.

ListKeys

Queries all key IDs of the caller in the current region.

ListKeyVersions

Queries all versions of a key.

ListKmsInstances

Queries a list of KMS instances.

ListNetworkRules

Queries a list of the network access rules of an AAP.

ListPolicies

Queries a list of the access control policies of an AAP.

ListResourceTags

Queries the tags of a key.

ListSecrets

Queries all secrets of the current user in the current region.

ListSecretVersionIds

Queries all versions of a secret.

ListTagResources

Queries the tags of a key or a secret.

OpenKmsService

Activates KMS for the current Alibaba Cloud account.

OpenService

Activates KMS.

PutSecretValue

Stores the secret value of a new version into a secret.

ReEncrypt

Re-encrypts ciphertext.

RefreshAccessPointTokens

Updates the tokens for an AAP.

RestoreSecret

Restores a deleted secret.

RevokeIssuedCertificate

Revokes an issued certificate.

RotateSecret

Rotates a dynamic secret in a proactive manner.

ScheduleKeyDeletion

Schedules the deletion of a key.

SetDeletionProtection

Enables or disables the deletion protection feature.

SetKeyStoreAuditConfig

Configures KMS audit logs.

TagResource

Adds tags to a key or secret.

TagResources

Adds tags to keys or secrets.

UntagResource

Removes a tag from a key or secret.

UntagResources

Removes tags from keys or secrets.

UpdateAlias

Updates the ID of the key that is associated with an alias.

UpdateApplicationAccessPoint

Updates information about an AAP.

UpdateCertificateAuthority

Updates the CA configuration.

UpdateCertificateStatus

Updates the status of a certificate.

UpdateKeyDescription

Updates the description of a key.

UpdateKeyStore

Updates the information about a KMS instance.

UpdateKmsInstanceBindVpc

Updates the virtual private cloud (VPC) that is associated with a KMS instance.

UpdateNetworkRule

Updates a network access rule of an AAP.

UpdatePolicy

Updates an access control policy of an AAP.

UpdateRotationPolicy

Updates a key rotation policy.

UpdateSecret

Updates the metadata of a secret.

UpdateSecretRotationPolicy

Updates the rotation policy for a dynamic secret.

UpdateSecretVersionStage

Updates the stage label that marks a secret version.

UploadCertificate

Imports a certificate and a certificate chain issued by a CA into Certificates Manager.

ConnectDKMSInstance

Enables a KMS instance.

CreateBackup

Creates a backup instance.

CreateCheckAssociateResourceTask

Creates a task to check the cloud service resources that are associated with a key.

DeleteBackup

Deletes a backup instance.

DescribeBackups

Queries the details of a backup instance.

DescribeDKMSInstances

Queries a list of KMS instances.

DescribeIssuedCertificate

Queries a CA certificate of a KMS instance.

DescribeKMSInstances

Queries a list of KMS instances.

DescribeVpcs

Queries a list of VPCs.

DescribeZones

Queries the zones supported by a KMS instance.

DescribNetworkRule

Queries the details of a network access rule.

DisconnectDKMSInstance

Disables a KMS instance.

DownloadBackupData

Downloads backup data.

EnableBackup

Enables a backup instance.

GenerateKMSDataKey

Creates a data key.

GetCheckAssociateResourceTaskResults

Queries the result of a key association check task.

GetCrl

Queries a certificate.

GetKmsInstanceQuotaInfos

Queries the quotas of a KMS instance.

GetKmsInstanceSharedAccounts

Queries the quota occupied by a shared KMS instance.

GetSecreValue

Retrieves a secret.

GetUploadBackupDataInfo

Uploads data backup information.

ListBackups

Queries a list of backup instances.

ListMetaData

Queries the metadata of backup instance resources.

ListSpecifyRegionKmsInstances

Queries KMS instances in a region.

RecoverData

Restores backup data.

RecoverMigrationKeys

Restores migrated keys.

ResetBackup

Resets a backup instance.

UpdateDKMSInstance

Changes the name of a KMS instance.

UpdateDKMSInstanceConfig

Updates the configurations of a KMS instance.