All Products
Search
Document Center

Key Management Service:Monitor the rotation of dynamic ECS secrets

Last Updated:Dec 05, 2024

Secrets Manager can deliver rotation events of dynamic Elastic Compute Service (ECS) secrets to CloudMonitor. You can query the rotation events and create event-triggered alert rules in the CloudMonitor console. This allows you to receive alert notifications for the events and automate the event handling process.

Query rotation events

  1. Log on to the CloudMonitor console.

  2. In the left-side navigation pane, choose Event Monitoring > System Event.

  3. On the System Event page, click the Event Monitoring tab.

  4. Select Key Management Service (KMS) from the All Products drop-down list. Then, specify the alert level of the event, the name of the event, and the time range to query.

  5. Find the event that you want to query in the event list and click Details in the rightmost column.

Create an event-triggered alert rule

You can create event-triggered alert rules to monitor the rotation of dynamic ECS secrets and automate the event handling process. For example, you can monitor failed rotation of dynamic ECS secrets and use Function Compute to automatically resolve the failure.

  1. On the System Event page, click the Event-triggered Alert Rules tab and click Create Alert Rule.

  2. In the Create/Modify Event-triggered Alert Rule panel, configure the parameters and click OK.

    Parameter

    Description

    Alert Rule Name

    The name of the event-triggered alert rule. Example: secrets_rotation_failed or secrets_rotation_success.

    Product Type

    The service for which you want to create the event-triggered alert rule. Select Key Management Service (KMS).

    Event Type

    The type of the event. Valid values:

    • Exception: If you select this value, CloudMonitor sends alert notifications only for failed rotation of dynamic ECS secrets.

    • Notification: If you select this value, CloudMonitor sends alert notifications only for successful rotation of dynamic ECS secrets.

    Note

    If you select both Exception and Notification, CloudMonitor sends alert notifications for each rotation of dynamic ECS secrets regardless of whether the rotation succeeds or fails.

    Event Level

    The level of the event. Valid values:

    • CRITICAL: Select this value for failed rotation of dynamic ECS secrets.

    • INFO: Select this value for successful rotation of dynamic ECS secrets.

    Event Name

    The name of the event. Valid values:

    • Secret:RotateSecret:Failure: Select this value for failed rotation of dynamic ECS secrets.

    • Secret:RotateSecret:Success: Select this value for successful rotation of dynamic ECS secrets.

    Note

    If you select both Secret:RotateSecret:Failure and Secret:RotateSecret:Success, CloudMonitor sends alert notifications for each rotation of dynamic ECS secrets regardless of whether the rotation succeeds or fails. We recommend that you create event-triggered alert rules at different alert levels based on the impacts of events on your business. We also recommend that you do not select both values.

    Keyword Filtering

    The keywords that are used to filter alert rules. Valid values:

    • Contains any of the keywords: If the alert rule contains any one of the specified keywords, an alert notification is sent.

    • Does not contain any of the keywords: If the alert rule does not contain any one of the specified keywords, an alert notification is sent.

    SQL Filter

    The SQL statement that is used to filter alert rules.

    Resource Range

    The resources that you want to manage. Select All Resources. In this case, CloudMonitor sends alert notifications for the specified events of all resources based on your configurations.

    Notification Method

    The notification method and message processing method that are used when an event-triggered alert is generated.

    • Alert Notification:

      • Contact Group: Select the alert contact group that you specified.

      • Notification Method:

        • Critical (Phone Call + Text Message + Email + Webhook)

        • Warning (SMS + Text Message + Webhook)

        • Info (Email + Webhook)

    • Message processing method: To automate the event handling process, you can select Simple Message Queue (formerly MNS) , Function Compute, URL Callback, or Log Service.

    Mute For

    The period during which an alert is muted. This parameter specifies the interval at which an alert notification is sent to the specified contacts again if the alert is not cleared.

Alert notification content

An alert notification is in the format of <Resource type>:<Operation that was performed on the resource>:<Result>. After you create an event-triggered alert rule for rotation events of dynamic ECS secrets, the system sends alert notifications based on the rotation result.

  • Secret:RotateSecret:Failure: failed rotation of dynamic ECS secrets.

    You can view the information about rotation of dynamic ECS secrets in the content field of the event. For example, you can obtain the failure cause by viewing the failureInfo field. Sample code:

    {
        "product": "KMS",
        "eventTime": "20180816T135935.689+0800",
        "level": "CRITICAL",
        "name": "Secret:RotateSecret:Failure",
        "regionId": "cn-hangzhou",
        "resourceId": "acs:kms:cn-hangzhou:188989715694****:secret/secretName",
        "status": "Failed",
        "content": {
            "eventId": "eventId",
            "secretName": "SecretName",
            "secretType": "ECS",
            "RotationEntityArn": "acs:kms:cn-hangzhou:188989715694****:secret/secretName",
            "rotationStatus": "Invalid",
            "rotationSubType": "Password",
            "failureInfo": {
                "errorCode": "Kms:ErrorCode",
                "errorMessage": "errorMessage"
            },
            "failureTime": "2012-03-12T05:55:36Z"
        },
        "ver": "1.0"
    }
  • Secret:RotateSecret:Success: successful rotation of dynamic ECS secrets.

    Sample code:

    {
        "product":"KMS",
        "instanceName":"secretId", 
        "level":"INFO",
        "name":"Secret:RotateSecret:Success",
        "regionId":"cn-hangzhou",
        "resourceId":"acs:kms:cn-hangzhou:188989715694****:secret/secretName",
        "status":"Normal",
           "content":{
          "eventId": "eventId",
          "secretName": "SecretName",
          "secretType": "ECS",
          "RotationEntityArn": "acs:kms:cn-hangzhou:188989715694****:secret/secretName",
          "rotationStatus": "Enabled",
          "secretSubType": "Password",
          "successTime": "2012-03-12T05:55:36Z"
        },
        "ver":"1.0"
    }