Detective security best practices for Amazon Keyspaces

If you're using a customer managed Amazon KMS key for encryption at rest, usage of this key is logged into Amazon CloudTrail. CloudTrail provides visibility into user activity by recording actions taken on your account. CloudTrail records important information about each action, including who made the request, the services used, the actions performed, parameters for the actions, and the response elements returned by the Amazon service. This information helps you track changes made to your Amazon resources and troubleshoot operational issues. CloudTrail makes it easier to ensure compliance with internal policies and regulatory standards.

You can use CloudTrail to audit key usage. CloudTrail creates log files that contain a history of Amazon API calls and related events for your account. These log files include all Amazon KMS API requests that were made using the console, Amazon SDKs, and command line tools, in addition to those made through integrated Amazon services. You can use these log files to get information about when the Amazon KMS key was used, the operation that was requested, the identity of the requester, the IP address that the request came from, and so on. For more information, see Logging Amazon Key Management Service API Calls with Amazon CloudTrail and the Amazon CloudTrail User Guide.

CloudTrail provides visibility into user activity by recording actions taken on your account. CloudTrail records important information about each action, including who made the request, the services used, the actions performed, parameters for the actions, and the response elements returned by the Amazon service. This information helps you to track changes made to your Amazon resources and to troubleshoot operational issues. CloudTrail makes it easier to ensure compliance with internal policies and regulatory standards.

All Amazon Keyspaces DDL operations are logged in CloudTrail automatically. DDL operations let you create and manage Amazon Keyspaces keyspaces and tables.

When activity occurs in Amazon Keyspaces, that activity is recorded in a CloudTrail event along with other Amazon service events in the event history. For more information, see Logging Amazon Keyspaces operations by using Amazon CloudTrail. You can view, search, and download recent events in your Amazon Web Services account. For more information, see Viewing events with CloudTrail event history in the Amazon CloudTrail User Guide.

For an ongoing record of events in your Amazon Web Services account, including events for Amazon Keyspaces, create a trail. A trail enables CloudTrail to deliver log files to an Amazon Simple Storage Service (Amazon S3) bucket. By default, when you create a trail on the console, the trail applies to all Amazon Web Services Regions. The trail logs events from all Regions in the Amazon partition and delivers the log files to the S3 bucket that you specify. Additionally, you can configure other Amazon services to further analyze and act upon the event data collected in CloudTrail logs.

You can assign metadata to your Amazon resources in the form of tags. Each tag is a simple label that consists of a customer-defined key and an optional value that can make it easier to manage, search for, and filter resources.

Tagging allows for grouped controls to be implemented. Although there are no inherent types of tags, they enable you to categorize resources by purpose, owner, environment, or other criteria. The following are some examples:

For more information, see Amazon tagging strategies and Adding tags and labels to resources.