If a dedicated Key Management Service (KMS) instance of the Standard edition is in
the Enabled state, you can perform the following operations based on your business requirements:
query the instance, disconnect it from or reconnect it to a dedicated hardware security
module (HSM) cluster, and enable the security audit feature.
Query a dedicated KMS instance of the Standard edition
You can query the ID of a dedicated KMS instance of the Standard edition, the virtual
private cloud (VPC) address to access the instance, the ID of the VPC, and the dedicated
HSM cluster of the instance based on your business requirements.
The VPC address is the endpoint of the dedicated KMS instance of the Standard edition.
The endpoint is in the https://{ID of the instance}.cryptoservice.kms.aliyuncs.com
format.
- Log on to the KMS console.
- In the top navigation bar, select the region where your dedicated KMS instance of
the Standard edition resides.
Dedicated KMS of the Standard edition is available in the following regions: China
(Hangzhou), China (Shanghai), China (Beijing), China (Shenzhen), China (Hong Kong),
Malaysia (Kuala Lumpur), and Singapore (Singapore).
- In the left-side navigation pane, click Dedicated KMS.
- Find the instance that you want to query and click Details in the Actions column.
Disconnect a dedicated KMS instance of the Standard edition from a dedicated HSM cluster
If you want to disassociate a dedicated KMS instance of the Standard edition from
a dedicated HSM cluster, you must disconnect the instance from the dedicated HSM cluster.
- Log on to the KMS console.
- In the top navigation bar, select the region where your dedicated KMS instance of
the Standard edition resides.
Dedicated KMS of the Standard edition is available in the following regions: China
(Hangzhou), China (Shanghai), China (Beijing), China (Shenzhen), China (Hong Kong),
Malaysia (Kuala Lumpur), and Singapore (Singapore).
- In the left-side navigation pane, click Dedicated KMS.
- Find the dedicated KMS instance that you want to disconnect and click Details in the Actions column.
- Click Disconnect to the right of Dedicated HSM Cluster.
- In the Disconnect dialog box, click Disconnect.
If the status of the instance changes to Disabled, the dedicated KMS instance of the Standard edition is disconnected from the dedicated
HSM cluster.
Reconnect a dedicated KMS instance of the Standard edition to a dedicated HSM cluster
If a dedicated KMS instance of the Standard edition is configured and connected to
a dedicated HSM cluster, you can reconnect the instance to the dedicated HSM cluster
after you manually disconnect the instance. To reconnect the instance to the dedicated
HSM cluster, you only need to configure the access credential and click Connect to HSM.
- Log on to the KMS console.
- In the top navigation bar, select the region where your dedicated KMS instance of
the Standard edition resides.
Dedicated KMS of the Standard edition is available in the following regions: China
(Hangzhou), China (Shanghai), China (Beijing), China (Shenzhen), China (Hong Kong),
Malaysia (Kuala Lumpur), and Singapore (Singapore).
- In the left-side navigation pane, click Dedicated KMS.
- Find the dedicated KMS instance that you want to reconnect to the dedicated HSM cluster
and click Enable in the Actions column.
- In the Connect to HSM dialog box, configure the Configure Access Credential parameter and click Connect to HSM.
Wait a few minutes. If the status of the instance changes from Creating to Enabled, the instance is reconnected to the dedicated HSM cluster.
Enable the security audit feature
When you use a dedicated KMS instance of the Standard edition, audit logs are generated.
The audit logs record the access information about the instance, including the request
information, user information, accessed resource information, and access results.
Sample log:
2021-10-19T21:40:01 [INFO] - - 3dd60a7a-4587-4c57-8197-d749c3578974 CreateKey - TMP.3KfAHseF5DVULM2s8YUhdB8YvwM4nZA1wXr8AcAAhR7YhdyosXG2eSpsRFPMjYbvUArPRtsCWKzxEo88bC5w5LBfyp**** 111760096384**** 111760096384**** - kst-phzz6108e50c15333w**** - 37 - -
After you enable the security audit feature, Dedicated KMS delivers audit logs to
the Object Storage Service (OSS) bucket that you specify on an hourly basis to meet
regulatory requirements and business requirements. Before you enable the security
audit feature, make sure that an OSS bucket is available. For more information, see
Create buckets.
Note After the security audit feature is enabled, audit logs are generated and delivered
within 1 hour.
- Log on to the KMS console.
- In the top navigation bar, select the region where your dedicated KMS instance of
the Standard edition resides.
Dedicated KMS of the Standard edition is available in the following regions: China
(Hangzhou), China (Shanghai), China (Beijing), China (Shenzhen), China (Hong Kong),
Malaysia (Kuala Lumpur), and Singapore (Singapore).
- In the left-side navigation pane, click Dedicated KMS.
- Find the dedicated KMS instance for which you want to enable the security audit feature
and click Details in the Actions column.
- In the Details panel, turn on Security Audit.
- In the Configure Security Audit dialog box, select the bucket where you want to store audit logs from the Destination Bucket drop-down list.
- Click OK.
After you enable the security audit feature, the status of the feature changes from
Disabled to Enabled. You can also modify security audit configurations or disable the security audit
feature based on your business requirements.
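Once audit logs are delivered to the OSS bucket, the next step is to read them. The following Python script is an added example, not code from the page or from Alibaba Cloud. It parses the whitespace-delimited sample line shown above, maps the "-" placeholders to empty columns, counts API actions across a batch, and verifies that credentials and IDs in the delivered log are masked. The column names (request_id, action, credential, account_id, instance_id, and the generic col* names) are assumptions inferred from the single sample line; the page does not document the column layout.

```python
"""Parse Dedicated KMS audit log lines as delivered to an OSS bucket.

The column layout below is an ASSUMPTION inferred from the one sample line
on the documentation page; the page only states that the log carries
request, user, accessed-resource and access-result information.
"""
from collections import Counter
from datetime import datetime
from typing import Dict, Iterable, List, Optional

# Sample line copied from the page (credentials and IDs are already masked there).
SAMPLE_LINE = (
    "2021-10-19T21:40:01 [INFO] - - 3dd60a7a-4587-4c57-8197-d749c3578974 "
    "CreateKey - TMP.3KfAHseF5DVULM2s8YUhdB8YvwM4nZA1wXr8AcAAhR7YhdyosXG2eSpsRFPMjYbvUArPRtsCWKzxEo88bC5w5LBfyp**** "
    "111760096384**** 111760096384**** - kst-phzz6108e50c15333w**** - 37 - -"
)

# Assumed column names. Positions that are "-" in the sample keep generic
# names because their meaning is not documented on the page.
COLUMNS = [
    "timestamp", "level", "col3", "col4", "request_id", "action", "col7",
    "credential", "account_id", "caller_account_id", "col11", "instance_id",
    "col13", "col14", "col15", "col16",
]
MASK = "****"
# Columns that must never appear unmasked in a delivered log (assumed set).
SENSITIVE = ("credential", "account_id", "caller_account_id", "instance_id")


def parse_audit_line(line: str) -> Dict[str, Optional[str]]:
    """Split one audit line into named columns; a bare "-" becomes None.

    Raises ValueError when the column count does not match the assumed layout
    or when the timestamp is not ISO 8601, so malformed lines are caught early.
    """
    tokens = line.split()
    if len(tokens) != len(COLUMNS):
        raise ValueError(f"expected {len(COLUMNS)} columns, got {len(tokens)}")
    record = {name: (None if tok == "-" else tok) for name, tok in zip(COLUMNS, tokens)}
    record["level"] = record["level"].strip("[]")  # "[INFO]" -> "INFO"
    datetime.fromisoformat(record["timestamp"])    # validates the timestamp
    return record


def sensitive_fields_masked(record: Dict[str, Optional[str]]) -> bool:
    """True if every populated sensitive column ends with the **** mask."""
    return all(record[c] is None or record[c].endswith(MASK) for c in SENSITIVE)


def summarize_actions(lines: Iterable[str]) -> Counter:
    """Count API actions in a batch of lines (e.g. one hourly OSS object)."""
    return Counter(parse_audit_line(line)["action"] for line in lines)


def find_unmasked(lines: Iterable[str]) -> List[str]:
    """Return request IDs of lines where a sensitive column is not masked."""
    return [
        rec["request_id"]
        for rec in map(parse_audit_line, lines)
        if not sensitive_fields_masked(rec)
    ]


# Constructed batch for demonstration: the page's sample plus two lines derived
# from it with constructed request IDs; the last one deliberately leaves an
# account ID unmasked so the check has something to report.
CONSTRUCTED_BATCH = [
    SAMPLE_LINE,
    SAMPLE_LINE.replace("CreateKey", "Decrypt")
    .replace("3dd60a7a-4587-4c57-8197-d749c3578974", "00000000-0000-0000-0000-000000000001"),
    SAMPLE_LINE.replace("CreateKey", "Decrypt")
    .replace("3dd60a7a-4587-4c57-8197-d749c3578974", "00000000-0000-0000-0000-000000000002")
    .replace("111760096384**** 111760096384****", "111760096384**** 000000000000"),
]

if __name__ == "__main__":
    print(parse_audit_line(SAMPLE_LINE))
    print(summarize_actions(CONSTRUCTED_BATCH))
    print("unmasked:", find_unmasked(CONSTRUCTED_BATCH))
```

In practice the batch would be the lines of one hourly object read from the Destination Bucket; the column count check makes the parser fail loudly if the delivered format differs from the assumed layout rather than silently misattributing fields.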