Services or capabilities described in Amazon Web Services documentation might vary by Region. To see the differences applicable to the China Regions, see Getting Started with Amazon Web Services in China (PDF).

Logging and monitoring in Amazon Key Management Service

Monitoring is an important part of understanding the availability, state, and usage of your Amazon KMS keys in Amazon KMS. Monitoring helps maintain the security, reliability, availability, and performance of your Amazon solutions. Amazon provides several tools for monitoring your KMS keys.

Amazon CloudTrail Logs

Every call to an Amazon KMS API operation is captured as an event in an Amazon CloudTrail log. These logs record all API calls from the Amazon KMS console, and calls made by Amazon KMS and other Amazon services. Cross-account API calls, such as a call to use a KMS key in a different Amazon Web Services account, are recorded in the CloudTrail logs of both accounts.

When troubleshooting or auditing, you can use the log to reconstruct the lifecycle of a KMS key: its creation, the management operations performed on it, and its use in cryptographic operations. For more information, see Logging Amazon KMS API calls with Amazon CloudTrail.

Amazon CloudWatch Logs

CloudWatch Logs lets you monitor, store, and access your log files from Amazon CloudTrail and other sources. For more information, see the Amazon CloudWatch User Guide.

For Amazon KMS, CloudWatch stores useful information that helps you to prevent problems with your KMS keys and the resources that they protect. For more information, see Monitoring with Amazon CloudWatch.

Amazon EventBridge

Amazon KMS generates EventBridge events when your KMS key is rotated or deleted or the imported key material in your KMS key expires. Search for Amazon KMS events (API operations) and route them to one or more target functions or streams to capture state information. For more information, see Monitoring with Amazon EventBridge and the Amazon EventBridge User Guide.

Amazon CloudWatch Metrics

You can monitor your KMS keys using CloudWatch metrics, which collect raw data from Amazon KMS and process it into performance metrics. The data are recorded in two-week intervals so you can view trends of current and historical information. This helps you to understand how your KMS keys are used and how their use changes over time. For information about using CloudWatch metrics to monitor KMS keys, see Amazon KMS metrics and dimensions.

Amazon CloudWatch Alarms

A CloudWatch alarm watches a single metric over a time period that you specify and performs actions based on the value of the metric relative to a threshold over a number of time periods. For example, you can create a CloudWatch alarm that is triggered when someone tries to use a KMS key that is scheduled for deletion in a cryptographic operation. Such an attempt indicates that the KMS key is still being used and probably should not be deleted. For more information, see Creating an alarm that detects use of a KMS key pending deletion.
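The two ideas above, reconstructing a key's lifecycle from the CloudTrail log and detecting use of a key that is pending deletion, can be exercised offline. The following is an added example, not code from the Amazon KMS documentation: it runs over constructed CloudTrail records (placeholder account ids, key id, and event ids; the records are trimmed to the fields the example reads) and makes no Amazon Web Services API calls. It merges the two copies of a cross-account call that appear in both accounts' trails, prints the per-key timeline, and flags a cryptographic operation attempted while the key is pending deletion, both by matching the error message the way a CloudWatch Logs metric filter would and by tracking ScheduleKeyDeletion/CancelKeyDeletion state so the check does not depend on the error text.

```python
"""Added example: rebuild a KMS key's lifecycle from CloudTrail events and flag
cryptographic use of a key that is pending deletion. Pure Python, offline."""
from collections import defaultdict

# KMS API operations that use key material (the "use" side of the lifecycle).
CRYPTO_OPS = {
    "Encrypt", "Decrypt", "ReEncrypt", "GenerateDataKey",
    "GenerateDataKeyWithoutPlaintext", "GenerateDataKeyPair",
    "Sign", "Verify", "GenerateMac", "VerifyMac",
}

# Placeholder key ARN and principals (constructed, not real resources).
KEY_ARN = "arn:aws:kms:us-east-1:111111111111:key/00000000-0000-0000-0000-000000000000"
ALICE = "arn:aws:iam::111111111111:user/alice"
APP = "arn:aws:sts::111111111111:assumed-role/app-role/i-0abc"
PARTNER = "arn:aws:sts::222222222222:assumed-role/partner-role/job"


def _ev(event_id, time, name, actor, account, **extra):
    """Build a constructed CloudTrail record reduced to the fields used below."""
    rec = {
        "eventID": event_id,
        "eventTime": time,
        "eventSource": "kms.amazonaws.com",
        "eventName": name,
        "userIdentity": {"arn": actor},
        "recipientAccountId": account,
        "resources": [{"type": "AWS::KMS::Key", "ARN": KEY_ARN}],
    }
    rec.update(extra)
    return rec


SAMPLE_EVENTS = [
    _ev("e1", "2024-01-10T09:00:00Z", "CreateKey", ALICE, "111111111111"),
    _ev("e2", "2024-01-11T10:00:00Z", "Encrypt", APP, "111111111111"),
    # Cross-account Decrypt: the same event (same eventID) is recorded in both
    # accounts' trails, once per recipientAccountId.
    _ev("e3", "2024-01-12T10:00:00Z", "Decrypt", PARTNER, "111111111111"),
    _ev("e3", "2024-01-12T10:00:00Z", "Decrypt", PARTNER, "222222222222"),
    _ev("e4", "2024-02-01T08:00:00Z", "ScheduleKeyDeletion", ALICE, "111111111111",
        requestParameters={"keyId": KEY_ARN, "pendingWindowInDays": 30}),
    # KMS rejects the call; CloudTrail still records the attempt with the error.
    _ev("e5", "2024-02-02T10:00:00Z", "Decrypt", APP, "111111111111",
        errorCode="KMSInvalidStateException",
        errorMessage=f"{KEY_ARN} is pending deletion."),
    _ev("e6", "2024-02-03T08:00:00Z", "CancelKeyDeletion", ALICE, "111111111111"),
    _ev("e7", "2024-02-04T10:00:00Z", "Decrypt", APP, "111111111111"),
]


def key_arn(event):
    """Key ARN from the record's resources list, or None if absent."""
    for res in event.get("resources", []):
        if res.get("type") == "AWS::KMS::Key":
            return res["ARN"]
    return None


def dedupe(events):
    """Merge per-account copies of cross-account calls by eventID, in time order."""
    seen = {}
    for ev in events:
        seen.setdefault(ev["eventID"], ev)
    return sorted(seen.values(), key=lambda e: e["eventTime"])


def build_timeline(events):
    """Per-key lifecycle as (time, operation, caller, outcome) tuples."""
    timeline = defaultdict(list)
    for ev in dedupe(events):
        arn = key_arn(ev)
        if arn is None:
            continue
        outcome = ev.get("errorCode", "Success")
        timeline[arn].append(
            (ev["eventTime"], ev["eventName"], ev["userIdentity"]["arn"], outcome))
    return dict(timeline)


def pending_deletion_failures(events):
    """Message-based match, like a metric filter on the trail: a KMS call whose
    errorMessage reports that the key is pending deletion."""
    return [ev for ev in dedupe(events)
            if ev.get("eventSource", "").startswith("kms")
            and ev.get("errorMessage", "").endswith("is pending deletion.")]


def use_while_pending(events):
    """State-based check: any cryptographic operation on a key between its
    ScheduleKeyDeletion and a later CancelKeyDeletion."""
    pending, hits = set(), []
    for ev in dedupe(events):
        arn, name = key_arn(ev), ev["eventName"]
        if name == "ScheduleKeyDeletion":
            pending.add(arn)
        elif name == "CancelKeyDeletion":
            pending.discard(arn)
        elif name in CRYPTO_OPS and arn in pending:
            hits.append(ev)
    return hits


if __name__ == "__main__":
    for arn, entries in build_timeline(SAMPLE_EVENTS).items():
        print(arn)
        for entry in entries:
            print("  ", *entry)
    for ev in use_while_pending(SAMPLE_EVENTS):
        print("ALERT: key pending deletion still in use:", ev["eventID"], ev["errorMessage"])
```

In a real deployment the message-based match is what a CloudWatch Logs metric filter over the CloudTrail log group evaluates, and the alarm fires on the resulting metric; the state-based check is useful when auditing a trail after the fact, because it also catches a successful use if the key's deletion was cancelled and rescheduled.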

Amazon Security Hub

You can monitor your Amazon KMS usage for compliance with security industry standards and best practices using Amazon Security Hub. Security Hub uses security controls to evaluate resource configurations and security standards to help you comply with various compliance frameworks. For more information, see Amazon Key Management Service controls in the Amazon Security Hub User Guide.