Services or capabilities described in Amazon Web Services documentation might vary by Region. To see the differences applicable to the China Regions, see Getting Started with Amazon Web Services in China.

Finding aliases in Amazon CloudTrail logs

You can use an alias to represent an Amazon KMS key in an Amazon KMS API operation. When you do, both the alias and the key ARN of the KMS key are recorded in the Amazon CloudTrail log entry for the event: the alias appears in the requestParameters field, and the key ARN of the KMS key that was actually used appears in the resources field. This is true even when an Amazon service uses an Amazon managed key in your account.

For example, the following GenerateDataKey request uses the project-key alias to represent a KMS key.

$ aws kms generate-data-key --key-id alias/project-key --key-spec AES_256

When this request is recorded in the CloudTrail log, the log entry includes both the alias and the key ARN of the actual KMS key that was used.

{
  "eventVersion": "1.05",
  "userIdentity": {
    "type": "IAMUser",
    "principalId": "ABCDE",
    "arn": "arn:aws:iam::111122223333:role/ProjectDev",
    "accountId": "111122223333",
    "accessKeyId": "FFHIJ",
    "userName": "example-dev"
  },
  "eventTime": "2020-06-29T23:36:41Z",
  "eventSource": "",
  "eventName": "GenerateDataKey",
  "awsRegion": "us-west-2",
  "sourceIPAddress": "",
  "userAgent": "aws-cli/1.18.89 Python/3.6.10 Linux/ botocore/1.17.12",
  "requestParameters": {
    "keyId": "alias/project-key",
    "keySpec": "AES_256"
  },
  "responseElements": null,
  "requestID": "d93f57f5-d4c5-4bab-8139-5a1f7824a363",
  "eventID": "d63001e2-dbc6-4aae-90cb-e5370aca7125",
  "readOnly": true,
  "resources": [
    {
      "accountId": "111122223333",
      "type": "AWS::KMS::Key",
      "ARN": "arn:aws:kms:us-west-2:111122223333:key/1234abcd-12ab-34cd-56ef-1234567890ab"
    }
  ],
  "eventType": "AwsApiCall",
  "recipientAccountId": "111122223333"
}
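The following Python script is an added example, not part of the Amazon KMS documentation or of any Amazon tooling. It shows how to pair the alias in requestParameters.keyId with the key ARN in resources across a batch of CloudTrail records, and how to use that pairing to spot an alias that resolved to more than one KMS key within the log window (which is what you would see after the alias was moved to a different key with UpdateAlias). The records in SAMPLE_RECORDS are constructed for the example: the first mirrors the entry above (trimmed to the relevant fields), the others are invented, and the function and variable names are the example's own.

```python
import json
from collections import defaultdict

# Constructed sample records. The first mirrors the documentation's example
# entry (trimmed to the fields the example needs); the second and third are
# invented to show an alias resolving to a different key later on and a
# request that named the key by ARN rather than by alias.
SAMPLE_RECORDS = [
    {
        "eventTime": "2020-06-29T23:36:41Z",
        "eventName": "GenerateDataKey",
        "awsRegion": "us-west-2",
        "requestParameters": {"keyId": "alias/project-key", "keySpec": "AES_256"},
        "resources": [
            {"accountId": "111122223333", "type": "AWS::KMS::Key",
             "ARN": "arn:aws:kms:us-west-2:111122223333:key/1234abcd-12ab-34cd-56ef-1234567890ab"}
        ],
    },
    {   # constructed: same alias, but resources now shows a different key
        "eventTime": "2020-07-01T10:15:00Z",
        "eventName": "Encrypt",
        "awsRegion": "us-west-2",
        "requestParameters": {"keyId": "alias/project-key"},
        "resources": [
            {"accountId": "111122223333", "type": "AWS::KMS::Key",
             "ARN": "arn:aws:kms:us-west-2:111122223333:key/00000000-aaaa-bbbb-cccc-dddddddddddd"}
        ],
    },
    {   # constructed: key named by ARN, so no alias is involved
        "eventTime": "2020-07-02T08:00:00Z",
        "eventName": "DescribeKey",
        "awsRegion": "us-west-2",
        "requestParameters": {
            "keyId": "arn:aws:kms:us-west-2:111122223333:key/1234abcd-12ab-34cd-56ef-1234567890ab"},
        "resources": [
            {"accountId": "111122223333", "type": "AWS::KMS::Key",
             "ARN": "arn:aws:kms:us-west-2:111122223333:key/1234abcd-12ab-34cd-56ef-1234567890ab"}
        ],
    },
]


def load_records(text):
    """Parse CloudTrail JSON. Accepts a delivered log file ({"Records": [...]}),
    a bare list of records, or a single record object."""
    data = json.loads(text)
    if isinstance(data, dict) and "Records" in data:
        return data["Records"]
    if isinstance(data, list):
        return data
    return [data]


def is_alias(key_id):
    """True for a KMS key identifier given as an alias name (alias/...) or an
    alias ARN (arn:...:alias/...), the two alias forms a request can carry."""
    return key_id.startswith("alias/") or ":alias/" in key_id


def alias_usages(records):
    """Return (alias, key_arn, event_time, event_name) for every record whose
    request identified the KMS key by alias. The alias comes from
    requestParameters.keyId; the key it resolved to comes from resources."""
    found = []
    for rec in records:
        params = rec.get("requestParameters") or {}
        key_id = params.get("keyId") or ""
        if not is_alias(key_id):
            continue
        for res in rec.get("resources") or []:
            if res.get("type") == "AWS::KMS::Key" and res.get("ARN"):
                found.append((key_id, res["ARN"], rec.get("eventTime"), rec.get("eventName")))
    return found


def alias_key_map(records):
    """Map each alias seen in the log window to the sorted list of key ARNs
    it resolved to."""
    mapping = defaultdict(set)
    for alias, arn, _, _ in alias_usages(records):
        mapping[alias].add(arn)
    return {alias: sorted(arns) for alias, arns in mapping.items()}


def repointed_aliases(records):
    """Aliases that resolved to more than one KMS key in the window, which is
    worth reviewing against the UpdateAlias events in the same trail."""
    return sorted(a for a, arns in alias_key_map(records).items() if len(arns) > 1)


if __name__ == "__main__":
    for alias, arn, when, name in alias_usages(SAMPLE_RECORDS):
        print(f"{when} {name}: {alias} -> {arn}")
    print("aliases that moved between keys:", repointed_aliases(SAMPLE_RECORDS))
```

To run this over a real trail, pass the contents of each decompressed CloudTrail log file to load_records and concatenate the results before calling repointed_aliases; Decrypt requests normally carry no keyId in requestParameters, so they are skipped by design and the key they used is visible only in resources.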

For details about logging Amazon KMS operations in CloudTrail logs, see Logging Amazon KMS API calls with Amazon CloudTrail.