Query the call records of keys and secrets - Key Management Service

Key Management Service (KMS) can be integrated with ActionTrail and Simple Log Service to record the events that occur during the use of keys and secrets. This is beneficial for troubleshooting and security monitoring. This topic describes how to query the usage records of keys and secrets.

Background information

The events related to keys and secrets are classified into two types. The first type involves management operations such as the operations to create and delete keys, create and delete secrets, and modify key aliases. The second type involves service-related operations such as cryptographic operations and operations to retrieve secret values. The methods to query events vary based on the events and business scenarios.

Keys and secrets in KMS instances

Resource type	Event type	Query method
Key	Management operations	Use ActionTrail.
Key	Cryptographic operations	Server-side encryption in Alibaba Cloud services: Use ActionTrail. Data encryption in self-managed applications: Use Simple Log Service.
Secret	Management operations	Use ActionTrail.
Secret	Operations to retrieve secret values	Retrieval by using a KMS endpoint: Use ActionTrail or Simple Log Service. Retrieval by using the endpoint of a KMS instance: Use Simple Log Service.

Keys and secrets outside KMS instances

Default keys are considered keys that are outside KMS instances. Secrets that are outside KMS instances refer to the secrets that created by users of the old version of KMS without purchasing a KMS instance.

Resource type	Event type	Query method
Key	Management operations	Use ActionTrail.
Key	Cryptographic operations	Use ActionTrail.
Secret	Management operations	Use ActionTrail.
Secret	Operations to retrieve secret values	Use ActionTrail or Simple Log Service Note You can retrieve secret values only by using a KMS endpoint.

Precautions

When you use ActionTrail to query key-related events, keys in all states are supported. When you use Simple Log Service to query key-related events, only the keys that are enabled are supported.

Use ActionTrail

You can query events on the Event Query and Advanced Event Query pages in the ActionTrail console. For more information about supported events, see Audit events of KMS.

Event query: By default, you can query events in the previous 90 days. You can use this feature free of charge.
Advanced event query: Before you can use the advanced event query feature, you must create a trail and deliver events to Simple Log Service. For more information, see Single-account trail overview and Overview. You can query only the events that are generated after the trail is created. For more information about how to query the events that are generated within 90 days before the trail is created, see Create a data backfill task.
Note
If you create a trail to deliver events to Simple Log Service, you are separately charged, and the fees are included in the bills of Simple Log Service. For more information, see Billing.

Method 1: Query events on the Event Query page

Log on to the ActionTrail console.
In the left-side navigation pane, choose Events > Event Query.
Select Resource Name, enter the ID of the key or secret whose events you want to query, select a time range, and then click the icon.
Find the event that you want to view and click View Event Details in the Actions column.

Method 2: Query events on the Advanced Event Query page

Log on to the ActionTrail console.
In the left-side navigation pane, choose Event > Advanced Event Query.
Select a trail name, turn off Simple Mode in the upper-right corner of the page, and then enter a query statement.
Examples:
- Query the events of a key: * AND (event.serviceName: "Kms") AND (event.eventRW: "Read") AND "key-szz63dc8c429ermur****". You must replace key-szz63dc8c429ermur**** with the ID of the key that you want to query.
- Query the events of a key that is disabled: * AND (event.serviceName: "Kms") AND (event.errorCode:"Rejected.Disabled").
- Query the events of a key that is in the Pending Deletion state: * AND (event.serviceName: "Kms") AND (event.errorCode:"Rejected.PendingDeletion").
- Query the events of keys in an expired instance: * AND (event.serviceName: "Kms") AND (event.errorCode:"Rejected.Unavailable").
  Note
  For more information about the error codes that are related to key status, see Common error codes.
- Query the events of a secret: * AND (event.serviceName: "Kms") AND (event.eventName: "GetSecretValue") AND "SecretName". You must replace SecretName with the ID of the secret that you want to query.
Find the event that you want to view and click View Event Details in the Actions column.

Use Simple Log Service

Log on to the KMS console. In the top navigation bar, select the required region. In the left-side navigation pane, choose Security Operations > Simple Log Service for KMS.
On the Simple Log Service for KMS page, select the required instance ID from the Instance ID drop-down list and enter the ID of the key or secret that you want to query in the Key/Secret ID field.
Specify a time range and click Search & Analyze.
Note
- Logs are stored for 180 days. Logs that are stored 180 days ago are deleted. Therefore, you can query only the logs within the previous 180 days.
- The query results may contain the logs that are generated 1 minute earlier or later than the specified time range.
- No additional fees are generated for query and analysis operations.

Key Management Service:Query the usage records of keys and secrets