Create a CloudWatch alarm for expiration of imported key material
You can create a CloudWatch alarm that notifies you when the imported key material in a KMS key is approaching its expiration time. For example, the alarm can notify you when the time to expire is less than 30 days away.
When you import key material into a KMS key, you can optionally specify a date and time when the key material expires. When the key material expires, Amazon KMS deletes the key material and the KMS key becomes unusable. To use the KMS key again, you must reimport the key material. However, if you reimport the key material before it expires, you can avoid disrupting processes that use that KMS key.
This alarm uses the SecondsUntilKeyMaterialExpires metric that Amazon KMS publishes to CloudWatch for KMS keys with imported key material that expires. Each alarm uses this metric to monitor the imported key material for a particular KMS key. You cannot create a single alarm for all KMS keys with expiring key material or an alarm for KMS keys that you might create in the future.
Requirements
The following resources are required for a CloudWatch alarm that monitors the expiration of imported key material.
-
A KMS key with imported key material that expires.
-
An Amazon SNS topic. For details, see Creating an Amazon SNS topic in the Amazon CloudWatch User Guide.
Create the alarm
Follow the instructions in Create a CloudWatch alarm based on a static threshold using the following required values. For other fields, accept the default values and provide names as requested.
| Field | Value |
|---|---|
| Select metric |
Choose KMS, then choose Per-Key Metrics. Choose the row with the KMS key and the
The Metrics list displays the
|
| Statistic | Minimum |
| Period | 1 minute |
| Threshold type | Static |
| Whenever ... | Whenever
metric-name is Greater than
1 |