Monitor KMS keys with Amazon CloudWatch
You can monitor your Amazon KMS keys using Amazon CloudWatch, an Amazon service that collects and processes raw data from Amazon KMS into readable, near real-time metrics. These data are recorded for a period of two weeks so that you can access historical information and gain a better understanding of the usage of your KMS keys and their changes over time.
You can use Amazon CloudWatch to alert you to important events, such as the following ones.
-
The imported key material in a KMS key is nearing its expiration date.
-
A KMS key that is pending deletion is still being used.
-
The key material in a KMS key was automatically rotated.
-
A KMS key was deleted.
You can also create an Amazon CloudWatch alarm that alerts you when
your request rate reaches a certain percentage of a quota value. For details, see Manage your Amazon KMS API request rates using Service Quotas and Amazon CloudWatch
Amazon KMS metrics and dimensions
Amazon KMS predefines Amazon CloudWatch metrics to make it easier for you to monitor critical data and create alarms. You can view the Amazon KMS metrics using the Amazon Web Services Management Console and the Amazon CloudWatch API.
This section lists each Amazon KMS metrics and the dimensions for each metric, and provides some basic guidance for creating CloudWatch alarms based on these metrics and dimensions.
Note
Dimension group name:
To view a metric in the Amazon CloudWatch console, in the Metrics section, select the dimension group name. Then you can filter by the Metric name. This topic includes the metric name and dimension group name for each Amazon KMS metric.
You can view Amazon KMS metrics using the Amazon Web Services Management Console and the Amazon CloudWatch API. For more information, see View available metrics in the Amazon CloudWatch User Guide.
Topics
SecondsUntilKeyMaterialExpiration
The number of seconds remaining until the imported key
material in a KMS key expires. This metric is valid only for KMS keys with
imported key material (a key material origin of
EXTERNAL) and an expiration date.
Use this metric to track the time that remains until your imported key material expires.
When that time falls below a threshold that you define, you might want to reimport the key
material with a new expiration date. The SecondsUntilKeyMaterialExpiration
metric is specific to a KMS key. You cannot use this metric to monitor multiple KMS keys
or KMS keys that you might create in the future. For help with creating a CloudWatch alarm to
monitor this metric, see Create a CloudWatch alarm for expiration of
imported key material.
The most useful statistic for this metric is Minimum, which tells you the
smallest amount of time remaining for all data points in the specified statistical period.
The only valid unit for this metric is Seconds.
Dimension group name: Per-Key Metrics
Dimensions for SecondsUntilKeyMaterialExpiration | |||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| Dimension | Description; related to Amazon | ||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
| KeyId | Value for each KMS key. | ||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
When you schedule deletion of a KMS key, Amazon KMS enforces a waiting period before deleting the KMS key. You can use the waiting period to ensure that you don't need the KMS key now or in the future. You can also configure a CloudWatch alarm to warn you if a person or application attempts to use the KMS key in a cryptographic operation during the waiting period. If you receive a notification from such an alarm, you might want to cancel deletion of the KMS key.
For instructions, see Create an alarm that detects use of a KMS key pending deletion.
ExternalKeyStoreThrottle
The number of requests for cryptographic operations on KMS keys in each external key
store that Amazon KMS throttles (responds with a ThrottlingException). This metric applies only to external key stores.
The ExternalKeyStoreThrottle metric applies only to KMS keys in an
external key store and only to requests for cryptographic operations and the DescribeKey operation. Amazon KMS throttles these
requests when the request rate exceeds the custom
key store request quota for your external key store. This metric does not include
throttling by your external key store proxy or external key manager.
Use this metric to review and adjust the value of the your custom key store request quota. If this metric indicates that Amazon KMS is frequently throttling your requests for these KMS keys, you might consider requesting an increase in your custom key store request quota value. For help, see Requesting a quota increase in the Service Quotas User Guide.
If you are getting very frequent KMSInvalidStateException errors with a
message that explains that the request was rejected "due to a very high request rate" or the
request was rejected "because the external key store proxy did not respond in time," it
might indicate that your external key manager or external key store proxy cannot keep pace
with the current request rate. If possible, lower your request rate. You might also consider
requesting a decrease in your custom key store request quota value. Decreasing this quota
value might increase throttling (and the ExternalKeyStoreThrottle metric
value), but it indicates that Amazon KMS is rejecting excess requests quickly before they are
sent to your external key store proxy or external key manager. To request a quota decrease,
please visit the Amazon Web Services Support Center
Dimension group name: Keystore Throttle Metrics
| Dimension | Description |
|---|---|
| CustomKeyStoreId | Value for each external key store. |
| KmsOperation | Value for each Amazon KMS API operation. This metric applies only to cryptographic
operations and the DescribeKey operation on KMS keys in an external
key store. |
| KeySpec | Value for each type of KMS key. The only supported key spec for KMS keys in an external key store is SYMMETRIC_DEFAULT. |
XksProxyCertificateDaysToExpire
The number of days until the TLS certificate for your external key store proxy endpoint (XksProxyUriEndpoint) expires.
This metric applies only to external key stores.
Use this metric to create a CloudWatch alarm that notifies you about the upcoming expiration of your TLS certificate. When the certificate expires, Amazon KMS cannot communicate with the external key store proxy. All data protected by KMS keys in your external key store becomes inaccessible until you renew the certificate.
A certificate alarm prevents certificate expiration that might prevent you from accessing your encrypted resources. Set the alarm to give your organization time to renew the certificate before it expires.
Dimension group name: XKS Proxy Certificate Metrics
| Dimension | Description |
|---|---|
| CustomKeyStoreId | Value for each external key store. |
| CertificateName | Subject name (CN) in the TLS certificate. |
You can create CloudWatch alarms based on the metrics for external key stores and KMS keys in external key stores. For instructions, see Monitor external key stores.
XksProxyCredentialAge
The number of days since the current external key store proxy authentication credential
(XksProxyAuthenticationCredential) was associated with the external key
store. This count begins when you enter the authentication credential as part of creating or
updating your external key store. This metric applies only to external key stores.
This value is designed to remind you about the age of your authentication credential. However, because we begin the count when you associate the credential with your external key store, not when you create your authentication credential on your external key store proxy, this might not be an accurate indicator of the credential age on the proxy.
Use this metric to create a CloudWatch alarm that reminds you to rotate your external key store proxy authentication credential.
Dimension group name: Per-Keystore Metrics
| Dimension | Description |
|---|---|
| CustomKeyStoreId | Value for each external key store. |
You can create CloudWatch alarms based on the metrics for external key stores and KMS keys in external key stores. For instructions, see Monitor external key stores.
XksProxyErrors
The number of exceptions related to Amazon KMS requests to your external key store proxy. This count includes exceptions that the external key store proxy returns to Amazon KMS and timeout errors that occur when the external key store proxy does not respond to Amazon KMS within the 250 millisecond timeout interval. This metric applies only to external key stores.
Use this metric to track the error rate of KMS keys in your external key store. It reveals the most frequent errors, so you can prioritize your engineering effort. For example, KMS keys that are generating high rates of non-retryable errors might indicate a problem with the configuration of your external key store. To view your external key store configuration, see View external key stores. To edit your external key store settings, see Edit external key store properties.
Dimension group name: XKS Proxy Error Metrics
| Dimension | Description |
|---|---|
| CustomKeyStoreId | Value for each external key store. |
| KmsOperation | Value for each Amazon KMS API operation that generated a request to the XKS proxy. |
| XksOperation | Value for each external key store proxy API operation. |
| KeySpec | Value for each type of KMS key. The only supported key spec for KMS keys in an external key store is SYMMETRIC_DEFAULT. |
| ErrorType | Values:
|
| ExceptionName |
Values:
|
You can create CloudWatch alarms based on the metrics for external key stores and KMS keys in external key stores. For instructions, see Monitor external key stores.
XksExternalKeyManagerStates
A count of the number of external key manager
instances in each of the following health states: Active,
Degraded, and Unavailable. The information for this metric comes
from the external key store proxy associated with each external key
store. This metric applies only to external key stores.
The following are the health states for the external key manager instances associated with an external key store. Each external key store proxy might use different indicators to measure the health states of your external key manager. For details, see the documentation for your external key store proxy.
-
Active: The external key manager is healthy. -
Degraded: The external key manager is unhealthy, but can still serve traffic -
Unavailable: The external key manager cannot serve traffic.
Use this metric to create a CloudWatch alarm that alerts you to degraded and unavailable external key manager instances. To determine which external key manager instances are in each state, consult your external key store proxy logs.
Dimension group name: XKS External Key Manager Metrics
| Dimension | Description |
|---|---|
| CustomKeyStoreId | Value for each external key store. |
| XksExternalKeyManagerState | Value for each health state. |
You can create CloudWatch alarms based on the metrics for external key stores and KMS keys in external key stores. For instructions, see Monitor external key stores.
XksProxyLatency
The number of milliseconds it takes for an external key store proxy to respond to an Amazon KMS request. If the request timed out, the recorded value is the 250 millisecond timeout limit. This metric applies only to external key stores.
Use this metric to evaluate the performance of your external key store proxy and external key manager. For example, if the proxy is frequently timing out on encryption and decryption operations, consult your external proxy administrator.
Slow responses might also indicate that your external key manager cannot handle the current request traffic. Amazon KMS recommends that your external key manager be able to handle up to 1800 requests for cryptographic operations per second. If your external key manager cannot handle the 1800 requests per second rate, consider requesting a decrease in your request quota for KMS keys in a custom key store. Requests for cryptographic operations using the KMS keys in your external key store will fail fast with a throttling exception, rather than being processed and later rejected by your external key store proxy or external key manager.
Dimension group name: XKS Proxy Latency Metrics
| Dimension | Description |
|---|---|
| CustomKeyStoreId | Value for each external key store. |
| KmsOperation | Value for each Amazon KMS API operation that generated a request to the XKS proxy. |
| XksOperation | Value for each external key store proxy API operation. |
| KeySpec | Value for each type of KMS key. The only supported key spec for KMS keys in an external key store is SYMMETRIC_DEFAULT. |
You can create CloudWatch alarms based on the metrics for external key stores and KMS keys in external key stores. For instructions, see Monitor external key stores.