DeleteExpiredKeyMaterial
When you import key material into an Amazon KMS key (KMS key), you can set an expiration date and time for that key material. Amazon KMS records an entry in your CloudTrail log when you import the key material (with the expiration settings) and when Amazon KMS deletes the expired key material. For information about creating KMS key with imported key material, see Importing key material for Amazon KMS keys.
The following example shows an Amazon CloudTrail log entry generated when Amazon KMS deletes the expired key material.
{ "eventVersion": "1.05", "userIdentity": { "accountId": "111122223333", "invokedBy": "Amazon Internal" }, "eventTime": "2021-01-01T16:00:00Z", "eventSource": "kms.amazonaws.com", "eventName": "DeleteExpiredKeyMaterial", "awsRegion": "us-east-1", "sourceIPAddress": "Amazon Internal", "userAgent": "Amazon Internal", "requestParameters": null, "responseElements": null, "eventID": "cfa932fd-0d3a-4a76-a8b8-616863a2b547", "readOnly": false, "resources": [ { "accountId": "111122223333", "type": "AWS::KMS::Key", "ARN": "arn:aws:kms:us-west-2:111122223333:key/1234abcd-12ab-34cd-56ef-1234567890ab" } ], "eventType": "AwsServiceEvent", "recipientAccountId": "111122223333", "serviceEventDetails": { "keyId": "1234abcd-12ab-34cd-56ef-1234567890ab" } }