Monitoring with Amazon EventBridge - Amazon Key Management Service
Services or capabilities described in Amazon Web Services documentation might vary by Region. To see the differences applicable to the China Regions, see Getting Started with Amazon Web Services in China (PDF).

Monitoring with Amazon EventBridge

You can use Amazon EventBridge (formerly Amazon CloudWatch Events) to alert you to the following important events in the lifecycle of your KMS keys.

  • The key material in a KMS key was automatically rotated.

  • The imported key material in a KMS key expired.

  • A KMS key that had been scheduled for deletion was deleted.

Amazon KMS integrates with Amazon EventBridge to notify you of important events that affect your KMS keys. Each event is represented in JSON (JavaScript Object Notation) and includes the event name, the date and time when the event occurred, and the affected. You can collect these events and establish rules that route them to one or more targets such as Amazon Lambda functions, Amazon SNS topics, Amazon SQS queues, streams in Amazon Kinesis Data Streams, or built-in targets.

For more information about using EventBridge with other kinds of events, including those emitted by Amazon CloudTrail when it records a read/write API request, see the Amazon EventBridge User Guide.

The following topics describe the EventBridge events that Amazon KMS generates.

KMS CMK Rotation

Amazon KMS supports automatic rotation of the key material in symmetric encryption KMS keys. Annual key material rotation is optional for customer managed keys. The key material for Amazon managed keys is automatically rotated every year.

Whenever Amazon KMS rotates key material, it sends a KMS CMK Rotation event to EventBridge. Amazon KMS generates this event on a best-effort basis.

The following is an example of this event.

{ "version": "0", "id": "6a7e8feb-b491-4cf7-a9f1-bf3703467718", "detail-type": "KMS CMK Rotation", "source": "aws.kms", "account": "111122223333", "time": "2022-08-10T16:37:50Z", "region": "us-west-2", "resources": [ "arn:aws:kms:us-west-2:111122223333:key/1234abcd-12ab-34cd-56ef-1234567890ab" ], "detail": { "key-id": "1234abcd-12ab-34cd-56ef-1234567890ab" } }

KMS Imported Key Material Expiration

When you import key material into a KMS key, you can optionally specify a time at which the key material expires. When the key material expires, Amazon KMS deletes the key material and sends a corresponding KMS Imported Key Material Expiration event to EventBridge. Amazon KMS generates this event on a best-effort basis.

The following is an example of this event.

{ "version": "0", "id": "9da9af57-9253-4406-87cb-7cc400e43465", "detail-type": "KMS Imported Key Material Expiration", "source": "aws.kms", "account": "111122223333", "time": "2022-08-10T16:37:50Z", "region": "us-west-2", "resources": [ "arn:aws:kms:us-west-2:111122223333:key/1234abcd-12ab-34cd-56ef-1234567890ab" ], "detail": { "key-id": "1234abcd-12ab-34cd-56ef-1234567890ab" } }

KMS CMK Deletion

When you schedule deletion of a KMS key, Amazon KMS enforces a waiting period before deleting the KMS key. After the waiting period ends, Amazon KMS deletes the KMS key and sends a KMS CMK Deletion event to EventBridge. Amazon KMS guarantees this EventBridge event. Due to retries, it might generate multiple events within a few seconds that delete the same KMS key.

The following is an example of this event.

{ "version": "0", "id": "e9ce3425-7d22-412a-a699-e7a5fc3fbc9a", "detail-type": "KMS CMK Deletion", "source": "aws.kms", "account": "111122223333", "time": "2022-08-10T16:37:50Z", "region": "us-west-2", "resources": [ "arn:aws:kms:us-west-2:111122223333:key/1234abcd-12ab-34cd-56ef-1234567890ab" ], "detail": { "key-id": "1234abcd-12ab-34cd-56ef-1234567890ab" } }