Key Management Service (KMS) can be integrated with ActionTrail and Simple Log Service to record the events that occur during the use of keys and secrets. This is beneficial for troubleshooting and security monitoring. This topic describes how to query the usage records of keys and secrets.
Background information
The events related to keys and secrets are classified into two types. The first type involves management operations such as the operations to create and delete keys, create and delete secrets, and modify key aliases. The second type involves service-related operations such as cryptographic operations and operations to retrieve secret values. The methods to query events vary based on the events and business scenarios.
Keys and secrets in KMS instances
Resource type | Event type | Query method |
Key | Management operations | Use ActionTrail. |
Cryptographic operations |
| |
Secret | Management operations | Use ActionTrail. |
Operations to retrieve secret values |
|
Keys and secrets outside KMS instances
Default keys are considered keys that are outside KMS instances. Secrets that are outside KMS instances refer to the secrets that created by users of the old version of KMS without purchasing a KMS instance.
Resource type | Event type | Query method |
Key | Management operations | Use ActionTrail. |
Cryptographic operations | Use ActionTrail. | |
Secret | Management operations | Use ActionTrail. |
Operations to retrieve secret values | Use ActionTrail or Simple Log Service Note You can retrieve secret values only by using a KMS endpoint. |
Precautions
When you use ActionTrail to query key-related events, keys in all states are supported. When you use Simple Log Service to query key-related events, only the keys that are enabled are supported.
Use ActionTrail
You can query events on the Event Query and Advanced Event Query pages in the ActionTrail console. For more information about supported events, see Audit events of KMS.
Event query: By default, you can query events in the previous 90 days. You can use this feature free of charge.
Advanced event query: Before you can use the advanced event query feature, you must create a trail and deliver events to Simple Log Service. For more information, see Single-account trail overview and Overview. You can query only the events that are generated after the trail is created. For more information about how to query the events that are generated within 90 days before the trail is created, see Create a data backfill task.
NoteIf you create a trail to deliver events to Simple Log Service, you are separately charged, and the fees are included in the bills of Simple Log Service. For more information, see Billing.
Method 1: Query events on the Event Query page
Log on to the ActionTrail console.
In the left-side navigation pane, choose
.Select Resource Name, enter the ID of the key or secret whose events you want to query, select a time range, and then click the icon.
Find the event that you want to view and click View Event Details in the Actions column.
Method 2: Query events on the Advanced Event Query page
Log on to the ActionTrail console.
In the left-side navigation pane, choose
.Select a trail name, turn off Simple Mode in the upper-right corner of the page, and then enter a query statement.
Examples:
Query the events of a key:
* AND (event.serviceName: "Kms") AND (event.eventRW: "Read") AND "key-szz63dc8c429ermur****"
. You must replacekey-szz63dc8c429ermur****
with the ID of the key that you want to query.Query the events of a key that is disabled:
* AND (event.serviceName: "Kms") AND (event.errorCode:"Rejected.Disabled")
.Query the events of a key that is in the Pending Deletion state:
* AND (event.serviceName: "Kms") AND (event.errorCode:"Rejected.PendingDeletion")
.Query the events of keys in an expired instance:
* AND (event.serviceName: "Kms") AND (event.errorCode:"Rejected.Unavailable")
.NoteFor more information about the error codes that are related to key status, see Common error codes.
Query the events of a secret:
* AND (event.serviceName: "Kms") AND (event.eventName: "GetSecretValue") AND "SecretName"
. You must replaceSecretName
with the ID of the secret that you want to query.
Find the event that you want to view and click View Event Details in the Actions column.
Use Simple Log Service
Log on to the KMS console. In the top navigation bar, select the required region. In the left-side navigation pane, choose .
On the Simple Log Service for KMS page, select the required instance ID from the Instance ID drop-down list and enter the ID of the key or secret that you want to query in the Key/Secret ID field.
Specify a time range and click Search & Analyze.
NoteLogs are stored for 180 days. Logs that are stored 180 days ago are deleted. Therefore, you can query only the logs within the previous 180 days.
The query results may contain the logs that are generated 1 minute earlier or later than the specified time range.
No additional fees are generated for query and analysis operations.