Secrets Manager can deliver rotation events of dynamic Elastic Compute Service (ECS) secrets to CloudMonitor. You can query the rotation events and create event-triggered alert rules in the CloudMonitor console. This allows you to receive alert notifications for the events and automate the event handling process.
Query rotation events
Log on to the CloudMonitor console.
In the left-side navigation pane, choose .
On the System Event page, click the Event Monitoring tab.
Select Key Management Service (KMS) from the All Products drop-down list. Then, specify the alert level of the event, the name of the event, and the time range to query.
Find the event that you want to query in the event list and click Details in the rightmost column.
Create an event-triggered alert rule
You can create event-triggered alert rules to monitor the rotation of dynamic ECS secrets and automate the event handling process. For example, you can monitor failed rotation of dynamic ECS secrets and use Function Compute to automatically resolve the failure.
On the System Event page, click the Event-triggered Alert Rules tab and click Create Alert Rule.
In the Create/Modify Event-triggered Alert Rule panel, configure the parameters and click OK.
Parameter
Description
Alert Rule Name
The name of the event-triggered alert rule. Example: secrets_rotation_failed or secrets_rotation_success.
Product Type
The service for which you want to create the event-triggered alert rule. Select Key Management Service (KMS).
Event Type
The type of the event. Valid values:
Exception: If you select this value, CloudMonitor sends alert notifications only for failed rotation of dynamic ECS secrets.
Notification: If you select this value, CloudMonitor sends alert notifications only for successful rotation of dynamic ECS secrets.
NoteIf you select both Exception and Notification, CloudMonitor sends alert notifications for each rotation of dynamic ECS secrets regardless of whether the rotation succeeds or fails.
Event Level
The level of the event. Valid values:
CRITICAL: Select this value for failed rotation of dynamic ECS secrets.
INFO: Select this value for successful rotation of dynamic ECS secrets.
Event Name
The name of the event. Valid values:
Secret:RotateSecret:Failure: Select this value for failed rotation of dynamic ECS secrets.
Secret:RotateSecret:Success: Select this value for successful rotation of dynamic ECS secrets.
NoteIf you select both Secret:RotateSecret:Failure and Secret:RotateSecret:Success, CloudMonitor sends alert notifications for each rotation of dynamic ECS secrets regardless of whether the rotation succeeds or fails. We recommend that you create event-triggered alert rules at different alert levels based on the impacts of events on your business. We also recommend that you do not select both values.
Keyword Filtering
The keywords that are used to filter alert rules. Valid values:
Contains any of the keywords: If the alert rule contains any one of the specified keywords, an alert notification is sent.
Does not contain any of the keywords: If the alert rule does not contain any one of the specified keywords, an alert notification is sent.
SQL Filter
The SQL statement that is used to filter alert rules.
Resource Range
The resources that you want to manage. Select All Resources. In this case, CloudMonitor sends alert notifications for the specified events of all resources based on your configurations.
Notification Method
The notification method and message processing method that are used when an event-triggered alert is generated.
Alert Notification:
Contact Group: Select the alert contact group that you specified.
Notification Method:
Critical (Phone Call + Text Message + Email + Webhook)
Warning (SMS + Text Message + Webhook)
Info (Email + Webhook)
Message processing method: To automate the event handling process, you can select Simple Message Queue (formerly MNS) , Function Compute, URL Callback, or Log Service.
Mute For
The period during which an alert is muted. This parameter specifies the interval at which an alert notification is sent to the specified contacts again if the alert is not cleared.
Alert notification content
An alert notification is in the format of <Resource type>:<Operation that was performed on the resource>:<Result>
. After you create an event-triggered alert rule for rotation events of dynamic ECS secrets, the system sends alert notifications based on the rotation result.
Secret:RotateSecret:Failure
: failed rotation of dynamic ECS secrets.You can view the information about rotation of dynamic ECS secrets in the
content
field of the event. For example, you can obtain the failure cause by viewing the failureInfo field. Sample code:{ "product": "KMS", "eventTime": "20180816T135935.689+0800", "level": "CRITICAL", "name": "Secret:RotateSecret:Failure", "regionId": "cn-hangzhou", "resourceId": "acs:kms:cn-hangzhou:188989715694****:secret/secretName", "status": "Failed", "content": { "eventId": "eventId", "secretName": "SecretName", "secretType": "ECS", "RotationEntityArn": "acs:kms:cn-hangzhou:188989715694****:secret/secretName", "rotationStatus": "Invalid", "rotationSubType": "Password", "failureInfo": { "errorCode": "Kms:ErrorCode", "errorMessage": "errorMessage" }, "failureTime": "2012-03-12T05:55:36Z" }, "ver": "1.0" }
Secret:RotateSecret:Success
: successful rotation of dynamic ECS secrets.Sample code:
{ "product":"KMS", "instanceName":"secretId", "level":"INFO", "name":"Secret:RotateSecret:Success", "regionId":"cn-hangzhou", "resourceId":"acs:kms:cn-hangzhou:188989715694****:secret/secretName", "status":"Normal", "content":{ "eventId": "eventId", "secretName": "SecretName", "secretType": "ECS", "RotationEntityArn": "acs:kms:cn-hangzhou:188989715694****:secret/secretName", "rotationStatus": "Enabled", "secretSubType": "Password", "successTime": "2012-03-12T05:55:36Z" }, "ver":"1.0" }