AWS CloudHSM audit log reference
AWS CloudHSM records HSM management commands in audit log events. Each event has an operation code (Opcode) value that identifies the action that occurred and its response. You can use the Opcode values to search, sort, and filter the logs.

The following table defines the Opcode values in an AWS CloudHSM audit log.
| Operation Code (Opcode) | Description |
|---|---|
| **User Login**: These events include the user name and user type | |
| CN_LOGIN (0xd) | User login |
| CN_LOGOUT (0xe) | User logout |
| CN_APP_FINALIZE | The connection with the HSM was closed. Any session keys or quorum tokens from this connection were deleted. |
| CN_CLOSE_SESSION | The session with the HSM was closed. Any session keys or quorum tokens from this session were deleted. |
| **User Management**: These events include the user name and user type | |
| CN_CREATE_USER (0x3) | Create a crypto user (CU) |
| CN_CREATE_CO | Create a crypto officer (CO) |
| CN_DELETE_USER | Delete a user |
| CN_CHANGE_PSWD | Change a user password |
| CN_SET_M_VALUE | Set quorum authentication (M of N) for a user action |
| CN_APPROVE_TOKEN | Approve a quorum authentication token for a user action |
| CN_DELETE_TOKEN | Delete one or more quorum tokens |
| CN_GET_TOKEN | Request a signing token to initiate a quorum operation |
| **Key Management**: These events include the key handle | |
| CN_GENERATE_KEY | Generate a symmetric key |
| CN_GENERATE_KEY_PAIR (0x19) | Generate an asymmetric key pair |
| CN_CREATE_OBJECT | Import a public key (without wrapping) |
| CN_MODIFY_OBJECT | Set a key attribute |
| CN_DESTROY_OBJECT (0x11) | Delete a session key |
| CN_TOMBSTONE_OBJECT | Delete a token key |
| CN_SHARE_OBJECT | Share or unshare a key |
| CN_WRAP_KEY | Export an encrypted copy of a key (wrapKey) |
| CN_UNWRAP_KEY | Import an encrypted copy of a key (unwrapKey) |
| CN_DERIVE_KEY | Derive a symmetric key from an existing key |
| CN_NIST_AES_WRAP | Encrypt or decrypt a key with an AES key |
| CN_INSERT_MASKED_OBJECT_USER | Insert an encrypted key, with its attributes, received from another HSM in the cluster |
| CN_EXTRACT_MASKED_OBJECT_USER | Wrap (encrypt) a key, with its attributes, for transfer to another HSM in the cluster |
| **Back up HSMs** | |
| CN_BACKUP_BEGIN | Begin the backup process |
| CN_BACKUP_END | Complete the backup process |
| CN_RESTORE_BEGIN | Begin restoring from a backup |
| CN_RESTORE_END | Complete the restore from a backup |
| **Certificate-Based Authentication** | |
| CN_CERT_AUTH_STORE_CERT | Store the cluster certificate |
| **HSM Instance Commands** | |
| CN_INIT_TOKEN (0x1) | Start the HSM initialization process |
| CN_INIT_DONE | The HSM initialization process has finished |
| CN_GEN_KEY_ENC_KEY | Generate a key encryption key (KEK) |
| CN_GEN_PSWD_ENC_KEY (0x1d) | Generate a password encryption key (PEK) |
| **HSM crypto commands** | |
| CN_FIPS_RAND | Generate a FIPS-compliant random number |
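As an added example (not code from this page or from AWS), the following Python script parses constructed CloudHSM audit log events, maps each to its Opcode name and hex value, and applies the kind of filters the table above makes possible: failed CN_LOGIN attempts per user, operations that export key material (CN_WRAP_KEY and CN_EXTRACT_MASKED_OBJECT_USER), and gaps in the event sequence. The multi-line `Field : value` layout, the `Key Handle` field name and the error response text are assumptions about the log format, not taken from this page; the sample events are constructed, not real log data.

```python
"""Parse AWS CloudHSM audit log events and filter them by Opcode.
Added example, not code from the page or from AWS. Field names, the
"Key Handle" field and the error response text are assumptions."""
import re
from collections import Counter

# Constructed sample (not real log data): CO login, failed CU login, a key
# export (CN_WRAP_KEY, hex value omitted since the table does not list it),
# then a CO logout. Sequence 0x2d is deliberately missing.
SAMPLE_LOG = """\
Time: 12/19/17 22:40:44.807544, usecs:1513723244807544
Sequence No : 0x2b
Reboot counter : 0xe8
Opcode : CN_LOGIN (0xd)
Session Handle : 0x7014006
Response : 0:HSM Return: SUCCESS
User Name : admin
User Type : CN_CRYPTO_OFFICER (2)
Time: 12/19/17 22:41:02.100000, usecs:1513723262100000
Sequence No : 0x2c
Reboot counter : 0xe8
Opcode : CN_LOGIN (0xd)
Session Handle : 0x7014007
Response : 1:HSM Error: LOGIN_FAILURE
User Name : app_user
User Type : CN_CRYPTO_USER (1)
Time: 12/19/17 22:42:10.500000, usecs:1513723330500000
Sequence No : 0x2e
Reboot counter : 0xe8
Opcode : CN_WRAP_KEY
Session Handle : 0x7014006
Response : 0:HSM Return: SUCCESS
Key Handle : 0x6
Time: 12/19/17 22:43:00.000000, usecs:1513723380000000
Sequence No : 0x2f
Reboot counter : 0xe8
Opcode : CN_LOGOUT (0xe)
Session Handle : 0x7014006
Response : 0:HSM Return: SUCCESS
User Name : admin
User Type : CN_CRYPTO_OFFICER (2)
"""

# Opcodes from the table above that move key material out of the HSM.
EXPORT_OPCODES = {"CN_WRAP_KEY", "CN_EXTRACT_MASKED_OBJECT_USER"}
_FIELD = re.compile(r"^([^:]+?)\s*:\s*(.*)$")                 # "Field : value"
_OPCODE = re.compile(r"^(\w+)(?:\s*\((0x[0-9a-fA-F]+)\))?")   # "CN_LOGIN (0xd)"


def parse_events(text):
    """Split the log into dicts; every 'Time:' line starts a new event."""
    events, cur = [], None
    for line in (ln.strip() for ln in text.splitlines() if ln.strip()):
        if line.startswith("Time:"):
            cur = {"Time": line[5:].strip()}
            events.append(cur)
        elif cur is not None and (m := _FIELD.match(line)):
            cur[m.group(1).strip()] = m.group(2).strip()
    for ev in events:  # derive convenience fields from the raw strings
        m = _OPCODE.match(ev.get("Opcode", ""))
        ev["opcode_name"] = m.group(1) if m else ""
        ev["opcode_hex"] = int(m.group(2), 16) if m and m.group(2) else None
        ev["success"] = ev.get("Response", "").endswith("SUCCESS")
    return events


def filter_by_opcode(events, *names):
    return [ev for ev in events if ev["opcode_name"] in names]


def failed_logins(events):
    """Failed CN_LOGIN attempts per user name (a brute-force indicator)."""
    return Counter(ev.get("User Name", "?")
                   for ev in filter_by_opcode(events, "CN_LOGIN") if not ev["success"])


def key_exports(events):
    """(opcode, key handle, succeeded) for every event that exports key material."""
    return [(ev["opcode_name"], ev.get("Key Handle"), ev["success"])
            for ev in events if ev["opcode_name"] in EXPORT_OPCODES]


def sequence_gaps(events):
    """(last seen, next seen) pairs where 'Sequence No' skips within one reboot."""
    gaps, prev = [], None
    for ev in events:
        try:
            cur = (int(ev["Reboot counter"], 16), int(ev["Sequence No"], 16))
        except (KeyError, ValueError):
            continue
        if prev and prev[0] == cur[0] and cur[1] != prev[1] + 1:
            gaps.append((prev[1], cur[1]))
        prev = cur
    return gaps


if __name__ == "__main__":
    evs = parse_events(SAMPLE_LOG)
    print("failed logins:", dict(failed_logins(evs)))
    print("key exports:", key_exports(evs))
    print("sequence gaps:", sequence_gaps(evs))
```

Feed it the raw text of a CloudWatch Logs stream (or a file exported from one) in place of the constructed sample. The opcode name is the stable key to filter on; the hex value is parsed when present but not required, because the table does not list one for every opcode. A key-export event by a session whose CN_LOGIN you cannot find, or a break in the sequence numbers inside one reboot counter, is the kind of finding worth alerting on.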