

# Monitor AWS KMS keys
<a name="monitoring-overview"></a>

Monitoring is an important part of understanding the availability, state, and usage of your AWS KMS keys in AWS KMS and maintaining the reliability, availability, and performance of your AWS solutions. Collecting monitoring data from all the parts of your AWS solution will help you debug a multipoint failure if one occurs. Before you start monitoring your KMS keys, however, create a monitoring plan that includes answers to the following questions:
+ What are your monitoring goals?
+ What resources will you monitor?
+ How often will you monitor these resources?
+ What [monitoring tools](#monitoring-tools) will you use?
+ Who will perform the monitoring tasks?
+ Who should be notified when something happens?

The next step is to monitor your KMS keys over time to establish a baseline for normal AWS KMS usage and expectations in your environment. As you monitor your KMS keys, store historical monitoring data so that you can compare it with current data, identify normal patterns and anomalies, and devise methods to address issues.

For example, you can monitor AWS KMS API activity and events that affect your KMS keys. When data falls above or below your established norms, you might need to investigate or take corrective action.

To establish a baseline for normal patterns, monitor the following items:
+ AWS KMS API activity for *data plane* operations. These are [cryptographic operations](kms-cryptography.md#cryptographic-operations) that use a KMS key, such as [Decrypt](https://docs.aws.amazon.com/kms/latest/APIReference/API_Decrypt.html), [Encrypt](https://docs.aws.amazon.com/kms/latest/APIReference/API_Encrypt.html), [ReEncrypt](https://docs.aws.amazon.com/kms/latest/APIReference/API_ReEncrypt.html), and [GenerateDataKey](https://docs.aws.amazon.com/kms/latest/APIReference/API_GenerateDataKey.html).
+ AWS KMS API activity for *control plane* operations that are important to you. These operations manage a KMS key, and you might want to monitor those that change a KMS key's availability (such as [ScheduleKeyDeletion](https://docs.aws.amazon.com/kms/latest/APIReference/API_ScheduleKeyDeletion.html), [CancelKeyDeletion](https://docs.aws.amazon.com/kms/latest/APIReference/API_CancelKeyDeletion.html), [DisableKey](https://docs.aws.amazon.com/kms/latest/APIReference/API_DisableKey.html), [EnableKey](https://docs.aws.amazon.com/kms/latest/APIReference/API_EnableKey.html), [ImportKeyMaterial](https://docs.aws.amazon.com/kms/latest/APIReference/API_ImportKeyMaterial.html), and [DeleteImportedKeyMaterial](https://docs.aws.amazon.com/kms/latest/APIReference/API_DeleteImportedKeyMaterial.html)) or change a KMS key's access control (such as [PutKeyPolicy](https://docs.aws.amazon.com/kms/latest/APIReference/API_PutKeyPolicy.html) and [RevokeGrant](https://docs.aws.amazon.com/kms/latest/APIReference/API_RevokeGrant.html)).
+ Other AWS KMS metrics (such as the amount of time remaining until your [imported key material](importing-keys.md) expires) and events (such as the expiration of imported key material or the deletion or key rotation of a KMS key).

## Monitoring tools
<a name="monitoring-tools"></a>

AWS provides various tools that you can use to monitor your KMS keys. You can configure some of these tools to do the monitoring for you, while some of the tools require manual intervention. We recommend that you automate monitoring tasks as much as possible.

### Automated monitoring tools
<a name="monitoring-tools-automated"></a>

You can use the following automated monitoring tools to watch your KMS keys and report when something has changed.
+ **AWS CloudTrail Log Monitoring** – Share log files between accounts, monitor CloudTrail log files in real time by sending them to CloudWatch Logs, write log processing applications with the [CloudTrail Processing Library](https://docs.aws.amazon.com/awscloudtrail/latest/userguide/use-the-cloudtrail-processing-library.html), and validate that your log files have not changed after delivery by CloudTrail. For more information, see [Working with CloudTrail Log Files](https://docs.aws.amazon.com/awscloudtrail/latest/userguide/cloudtrail-working-with-log-files.html) in the *AWS CloudTrail User Guide*.
+ **Amazon CloudWatch Alarms** – Watch a single metric over a time period that you specify, and perform one or more actions based on the value of the metric relative to a given threshold over a number of time periods. The action is a notification sent to an Amazon Simple Notification Service (Amazon SNS) topic or Amazon EC2 Auto Scaling policy. CloudWatch alarms do not invoke actions simply because they are in a particular state; the state must have changed and been maintained for a specified number of periods. For more information, see [Monitor KMS keys with Amazon CloudWatch](monitoring-cloudwatch.md).
+ **Amazon EventBridge** – Match events and route them to one or more target functions or streams to capture state information and, if necessary, make changes or take corrective action. For more information, see [Monitor KMS keys with Amazon EventBridge](kms-events.md) and the [Amazon EventBridge User Guide](https://docs.aws.amazon.com/eventbridge/latest/userguide/).
+ **Amazon CloudWatch Logs** – Monitor, store, and access your log files from AWS CloudTrail or other sources. For more information, see the [Amazon CloudWatch Logs User Guide](https://docs.aws.amazon.com/AmazonCloudWatch/latest/logs/).

### Manual monitoring tools
<a name="monitoring-tools-manual"></a>

Another important part of monitoring KMS keys involves manually monitoring those items that the CloudWatch alarms and events don't cover. The AWS KMS, CloudWatch, AWS Trusted Advisor, and other AWS dashboards provide an at-a-glance view of the state of your AWS environment.

You can [customize](viewing-console-customize.md#console-customize-tables) the **AWS managed keys** and **Customer managed keys** pages of the [AWS KMS console](https://console.aws.amazon.com/kms) to display the following information about each KMS key: 
+ Key ID
+ Status
+ Creation date
+ Expiration date (for KMS keys with [imported key material](importing-keys.md))
+ Origin
+ Custom key store ID (for KMS keys in [custom key stores](key-store-overview.md#custom-key-store-overview))

The [CloudWatch console dashboard](https://console.aws.amazon.com/cloudwatch/home) shows the following:
+ Current alarms and status
+ Graphs of alarms and resources
+ Service health status

In addition, you can use CloudWatch to do the following:
+ Create [customized dashboards](https://docs.aws.amazon.com/AmazonCloudWatch/latest/DeveloperGuide/CloudWatch_Dashboards.html) to monitor the services you care about
+ Graph metric data to troubleshoot issues and discover trends
+ Search and browse all your AWS resource metrics
+ Create and edit alarms to be notified of problems

AWS Trusted Advisor can help you monitor your AWS resources to improve performance, reliability, security, and cost effectiveness. Four Trusted Advisor checks are available to all users; more than 50 checks are available to users with a Business or Enterprise support plan. For more information, see [AWS Trusted Advisor](https://aws.amazon.com/premiumsupport/trustedadvisor/).

# Logging AWS KMS API calls with AWS CloudTrail
<a name="logging-using-cloudtrail"></a>

AWS KMS is integrated with [AWS CloudTrail](https://docs.aws.amazon.com/awscloudtrail/latest/userguide/), a service that records all calls to AWS KMS by users, roles, and other AWS services. CloudTrail captures all API calls to AWS KMS as events, including calls from the AWS KMS console, AWS KMS APIs, CloudFormation templates, the AWS Command Line Interface (AWS CLI), and AWS Tools for PowerShell.

CloudTrail logs all AWS KMS operations, including read-only operations, such as [ListAliases](ct-listaliases.md) and [GetKeyRotationStatus](ct-getkeyrotationstatus.md), operations that manage KMS keys, such as [CreateKey](ct-createkey.md) and [PutKeyPolicy](ct-put-key-policy.md), and [cryptographic operations](kms-cryptography.md#cryptographic-operations), such as [GenerateDataKey](ct-generatedatakey.md) and [Decrypt](ct-decrypt.md). It also logs internal operations that AWS KMS calls for you, such as [DeleteExpiredKeyMaterial](ct-deleteexpiredkeymaterial.md), [DeleteKey](ct-delete-key.md), [SynchronizeMultiRegionKey](ct-synchronize-multi-region-key.md), and [RotateKey](ct-rotatekey.md).

CloudTrail logs all successful operations and, in some scenarios, attempted calls that failed, such as when the caller is denied access to a resource. [Cross-account operations on KMS keys](key-policy-modifying-external-accounts.md) are logged in both the caller account and the KMS key owner account. However, cross-account AWS KMS requests that are rejected because access is denied are logged only in the caller's account.

For security reasons, some fields are omitted from AWS KMS log entries, such as the `Plaintext` parameter of an [Encrypt](https://docs.aws.amazon.com/kms/latest/APIReference/API_Encrypt.html) request, and the response to [GetKeyPolicy](https://docs.aws.amazon.com/kms/latest/APIReference/API_GetKeyPolicy.html) or any cryptographic operation. To make it easier to search for CloudTrail log entries for particular KMS keys, AWS KMS adds the [key ARN](concepts.md#key-id-key-ARN) of the affected KMS key to the `responseElements` field in the log entries for some AWS KMS key management operations, even when the API operation doesn't return the key ARN.

Although by default, all AWS KMS actions are logged as CloudTrail events, you can exclude AWS KMS actions from a CloudTrail trail. For details, see [Excluding AWS KMS events from a trail](#filtering-kms-events).

**Learn more**: 
+ For CloudTrail log examples of AWS KMS operations for attested platforms, see [Monitoring attested requests](ct-attestation.md).

**Topics**
+ [Finding AWS KMS log entries in CloudTrail](#searching-kms-ct)
+ [Excluding AWS KMS events from a trail](#filtering-kms-events)
+ [Examples of AWS KMS log entries](understanding-kms-entries.md)

## Finding AWS KMS log entries in CloudTrail
<a name="searching-kms-ct"></a>

To search CloudTrail log entries, use the [CloudTrail console](https://docs.aws.amazon.com/awscloudtrail/latest/userguide/view-cloudtrail-events-console.html) or the [CloudTrail LookupEvents](https://docs.aws.amazon.com/awscloudtrail/latest/APIReference/API_LookupEvents.html) operation. CloudTrail supports numerous [attribute values](https://docs.aws.amazon.com/awscloudtrail/latest/userguide/view-cloudtrail-events-console.html#filtering-cloudtrail-events) for filtering your search, including event name, user name, and event source. 

To help you search for AWS KMS log entries in CloudTrail, AWS KMS populates the following CloudTrail log entry fields.

**Note**  
Beginning in December 2022, AWS KMS populates the **Resource type** and **Resource name** attributes in all management operations that change a particular KMS key. These attribute values might be null in older CloudTrail entries for the following operations: [CreateAlias](https://docs.aws.amazon.com/kms/latest/APIReference/API_CreateAlias.html), [CreateGrant](https://docs.aws.amazon.com/kms/latest/APIReference/API_CreateGrant.html), [DeleteAlias](https://docs.aws.amazon.com/kms/latest/APIReference/API_DeleteAlias.html), [DeleteImportedKeyMaterial](https://docs.aws.amazon.com/kms/latest/APIReference/API_DeleteImportedKeyMaterial.html), [ImportKeyMaterial](https://docs.aws.amazon.com/kms/latest/APIReference/API_ImportKeyMaterial.html), [ReplicateKey](https://docs.aws.amazon.com/kms/latest/APIReference/API_ReplicateKey.html), [RetireGrant](https://docs.aws.amazon.com/kms/latest/APIReference/API_RetireGrant.html), [RevokeGrant](https://docs.aws.amazon.com/kms/latest/APIReference/API_RevokeGrant.html), [UpdateAlias](https://docs.aws.amazon.com/kms/latest/APIReference/API_UpdateAlias.html), and [UpdatePrimaryRegion](https://docs.aws.amazon.com/kms/latest/APIReference/API_UpdatePrimaryRegion.html).


| Attribute | Value | Log entries | 
| --- | --- | --- | 
| Event source (EventSource) | kms.amazonaws.com | All operations. | 
| Resource type (ResourceType) | AWS::KMS::Key | Management operations that change a particular KMS key, such as CreateKey and EnableKey, but not ListKeys. | 
| Resource name (ResourceName) | Key ARN (or key ID and key ARN) | Management operations that change a particular KMS key, such as CreateKey and EnableKey, but not ListKeys. | 

To help you find log entries for management operations on particular KMS keys, AWS KMS records the key ARN of the affected KMS key in the `responseElements.keyId` element of the log entry, even when the AWS KMS API operation doesn't return the key ARN.

For example, a successful call to the [DisableKey](https://docs.aws.amazon.com/kms/latest/APIReference/API_DisableKey.html) operation doesn't return any values in the response, but instead of a null value, the `responseElements.keyId` value in the [DisableKey log entry](ct-disablekey.md) includes the key ARN of the disabled KMS key.

This feature was added in December 2022 and affects the following CloudTrail log entries: [CreateAlias](ct-createalias.md), [CreateGrant](ct-creategrant.md), [DeleteAlias](ct-deletealias.md), [DeleteKey](ct-delete-key.md), [DisableKey](ct-disablekey.md), [EnableKey](ct-enablekey.md), [EnableKeyRotation](ct-enablekeyrotation.md), [ImportKeyMaterial](ct-importkeymaterial.md), [RotateKey](ct-rotatekey.md), [SynchronizeMultiRegionKey](ct-synchronize-multi-region-key.md), [TagResource](ct-tagresource.md), [UntagResource](ct-untagresource.md), [UpdateAlias](ct-updatealias.md), and [UpdatePrimaryRegion](ct-update-primary-region.md).
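As an added example (not part of the AWS documentation), the following Python script applies the lookup fields described above to a constructed CloudTrail log file: it keeps only `kms.amazonaws.com` events that are not read-only and matches a KMS key by the key ARN in the `resources` element or, when that is missing, in `responseElements.keyId` (or `responseElements.keyMetadata.arn` for `CreateKey`). The records are trimmed copies of the shapes shown on this page; the constructed legacy `CreateGrant` record has neither field, which is the December 2022 caveat from the note above.

```python
import json
import re

KMS_EVENT_SOURCE = "kms.amazonaws.com"
KMS_KEY_RESOURCE_TYPE = "AWS::KMS::Key"

# A KMS key ARN: partition, region, 12-digit account, then "key/<key id>".
# Alias ARNs end in "alias/<name>" and must not match, because CloudTrail
# lists them under the same AWS::KMS::Key resource type (see CreateAlias).
KEY_ARN_RE = re.compile(r"^arn:aws[a-z-]*:kms:[a-z0-9-]+:\d{12}:key/[0-9a-z-]+$")

KEY_ARN = "arn:aws:kms:us-west-2:111122223333:key/1234abcd-12ab-34cd-56ef-1234567890ab"
OTHER_KEY_ARN = "arn:aws:kms:us-west-2:111122223333:key/0987dcba-09fe-87dc-65ba-ab0987654321"
ALIAS_ARN = "arn:aws:kms:us-west-2:111122223333:alias/ExampleAlias"

# Constructed CloudTrail log file in the {"Records": [...]} shape that
# CloudTrail delivers to S3, trimmed to the fields this script reads.
SAMPLE_LOG = json.dumps({"Records": [
    {   # Returns nothing, but AWS KMS records the key ARN in responseElements.keyId.
        "eventTime": "2022-12-15T10:00:00Z", "eventSource": KMS_EVENT_SOURCE,
        "eventName": "DisableKey", "readOnly": False,
        "requestParameters": {"keyId": "1234abcd-12ab-34cd-56ef-1234567890ab"},
        "responseElements": {"keyId": KEY_ARN},
        "resources": [{"type": KMS_KEY_RESOURCE_TYPE, "ARN": KEY_ARN}],
    },
    {   # Both the key and the alias appear under type AWS::KMS::Key.
        "eventTime": "2022-08-14T23:08:31Z", "eventSource": KMS_EVENT_SOURCE,
        "eventName": "CreateAlias", "readOnly": False,
        "responseElements": {"keyId": KEY_ARN},
        "resources": [{"type": KMS_KEY_RESOURCE_TYPE, "ARN": KEY_ARN},
                      {"type": KMS_KEY_RESOURCE_TYPE, "ARN": ALIAS_ARN}],
    },
    {   # Legacy (pre-December 2022) entry: resources is null and the response
        # holds only the grant ID, so the key cannot be found by these fields.
        # requestParameters.keyId may be a bare key ID or an alias, so it is
        # not used for matching.
        "eventTime": "2014-11-04T00:53:12Z", "eventSource": KMS_EVENT_SOURCE,
        "eventName": "CreateGrant", "readOnly": False,
        "requestParameters": {"keyId": "1234abcd-12ab-34cd-56ef-1234567890ab"},
        "responseElements": {"grantId": "f020fe75197b93991dc8491d6f19dd3cebb24ee62277a05914386724f3d48758"},
        "resources": None,
    },
    {   # Read-only listing: ListKeys populates no resource type.
        "eventTime": "2022-12-15T11:00:00Z", "eventSource": KMS_EVENT_SOURCE,
        "eventName": "ListKeys", "readOnly": True, "responseElements": None,
    },
    {   # Same kind of operation on a different KMS key.
        "eventTime": "2022-12-16T09:30:00Z", "eventSource": KMS_EVENT_SOURCE,
        "eventName": "EnableKey", "readOnly": False,
        "responseElements": {"keyId": OTHER_KEY_ARN},
        "resources": [{"type": KMS_KEY_RESOURCE_TYPE, "ARN": OTHER_KEY_ARN}],
    },
]})


def is_kms_key_arn(value) -> bool:
    """True for a KMS key ARN; false for alias ARNs, bare key IDs, and null."""
    return isinstance(value, str) and KEY_ARN_RE.match(value) is not None


def key_arns_for_entry(entry: dict) -> set:
    """Collect every KMS key ARN a log entry is associated with.

    Checks the resources element first, then the responseElements fallback
    that AWS KMS populates even for operations that return no key ARN.
    """
    arns = set()
    for res in entry.get("resources") or []:
        if is_kms_key_arn(res.get("ARN")):
            arns.add(res["ARN"])
    resp = entry.get("responseElements") or {}
    for candidate in (resp.get("keyId"), (resp.get("keyMetadata") or {}).get("arn")):
        if is_kms_key_arn(candidate):
            arns.add(candidate)
    return arns


def load_records(log_text: str) -> list:
    """Parse a CloudTrail log file and return its Records array."""
    return json.loads(log_text)["Records"]


def find_key_events(log_text: str, key_arn: str) -> list:
    """Return (eventTime, eventName) for non-read-only AWS KMS events on one key, oldest first."""
    hits = []
    for entry in load_records(log_text):
        if entry.get("eventSource") != KMS_EVENT_SOURCE or entry.get("readOnly"):
            continue
        if key_arn in key_arns_for_entry(entry):
            hits.append((entry["eventTime"], entry["eventName"]))
    return sorted(hits)


if __name__ == "__main__":
    for when, name in find_key_events(SAMPLE_LOG, KEY_ARN):
        print(when, name)
```

The legacy `CreateGrant` record is deliberately not returned: for entries older than December 2022 you must fall back to other attributes or to the KMS key's own history.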

## Excluding AWS KMS events from a trail
<a name="filtering-kms-events"></a>

To provide a record of the use and management of their AWS KMS resources, most AWS KMS users rely on the events in a CloudTrail trail. The trail can be a valuable source of data for auditing critical events, such as creating, disabling, and deleting AWS KMS keys, changing key policy, and the use of your KMS keys by AWS services on your behalf. In some cases, the metadata in a CloudTrail log entry, such as the [encryption context](encrypt_context.md) in an encryption operation, can help you to avoid or resolve errors.

However, because AWS KMS can generate a large number of events, AWS CloudTrail lets you exclude AWS KMS events from a trail. This per-trail setting excludes all AWS KMS events; you cannot exclude particular AWS KMS events.

**Warning**  
Excluding AWS KMS events from a CloudTrail Log can obscure actions that use your KMS keys. Be cautious when giving principals the `cloudtrail:PutEventSelectors` permission that is required to perform this operation.

To exclude AWS KMS events from a trail: 
+ In the CloudTrail console, use the **Log Key Management Service events** setting when you [create a trail](https://docs.aws.amazon.com/awscloudtrail/latest/userguide/cloudtrail-create-a-trail-using-the-console-first-time.html) or [update a trail](https://docs.aws.amazon.com/awscloudtrail/latest/userguide/cloudtrail-update-a-trail-console.html). For instructions, see [Logging Management Events with the AWS Management Console](https://docs.aws.amazon.com/awscloudtrail/latest/userguide/logging-management-and-data-events-with-cloudtrail.html) in the AWS CloudTrail User Guide.
+ In the CloudTrail API, use the [PutEventSelectors](https://docs.aws.amazon.com/awscloudtrail/latest/APIReference/API_PutEventSelectors.html) operation. Add the `ExcludeManagementEventSources` attribute to your event selectors with a value of `kms.amazonaws.com`. For an example, see [Example: A trail that does not log AWS Key Management Service events](https://docs.aws.amazon.com/awscloudtrail/latest/userguide/cloudtrail-additional-cli-commands.html#configuring-event-selector-example-kms) in the AWS CloudTrail User Guide.

You can disable this exclusion at any time by changing the console setting or the event selectors for a trail. The trail will then start recording AWS KMS events. However, it cannot recover AWS KMS events that occurred while the exclusion was effective.

When you exclude AWS KMS events by using the console or API, the resulting CloudTrail `PutEventSelectors` API operation is also logged in your CloudTrail Logs. If AWS KMS events don't appear in your CloudTrail Logs, look for a `PutEventSelectors` event with the `ExcludeManagementEventSources` attribute set to `kms.amazonaws.com`.
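As an added example that is not from the AWS documentation, the following Python script runs the check described above over constructed CloudTrail records: it looks for `PutEventSelectors` events whose event selectors exclude `kms.amazonaws.com` and reports which trail was changed, when, and by which principal. The field names under `requestParameters` (`trailName`, `eventSelectors`, `excludeManagementEventSources`) are assumed from the PutEventSelectors API; both that camel-case form and the API's capitalized form are accepted.

```python
import json

KMS_EVENT_SOURCE = "kms.amazonaws.com"
CLOUDTRAIL_EVENT_SOURCE = "cloudtrail.amazonaws.com"

# Constructed CloudTrail records, trimmed to the fields this check reads.
# Field names under requestParameters are assumed from the PutEventSelectors
# API (TrailName, EventSelectors, ExcludeManagementEventSources).
SAMPLE_RECORDS = json.dumps({"Records": [
    {   # Trail reconfigured to stop logging AWS KMS events: should be flagged.
        "eventTime": "2023-03-01T08:15:00Z",
        "eventSource": CLOUDTRAIL_EVENT_SOURCE,
        "eventName": "PutEventSelectors",
        "userIdentity": {"type": "IAMUser", "arn": "arn:aws:iam::111122223333:user/Alice"},
        "requestParameters": {
            "trailName": "management-events",
            "eventSelectors": [{
                "readWriteType": "All",
                "includeManagementEvents": True,
                "excludeManagementEventSources": [KMS_EVENT_SOURCE],
            }],
        },
    },
    {   # Event selectors rewritten without any exclusion: not flagged.
        "eventTime": "2023-03-01T09:00:00Z",
        "eventSource": CLOUDTRAIL_EVENT_SOURCE,
        "eventName": "PutEventSelectors",
        "userIdentity": {"type": "IAMUser", "arn": "arn:aws:iam::111122223333:user/Bob"},
        "requestParameters": {
            "trailName": "data-events",
            "eventSelectors": [{
                "readWriteType": "All",
                "includeManagementEvents": True,
                "excludeManagementEventSources": [],
            }],
        },
    },
    {   # Unrelated CloudTrail management call: not flagged.
        "eventTime": "2023-03-01T09:30:00Z",
        "eventSource": CLOUDTRAIL_EVENT_SOURCE,
        "eventName": "UpdateTrail",
        "userIdentity": {"type": "IAMUser", "arn": "arn:aws:iam::111122223333:user/Bob"},
        "requestParameters": {"name": "management-events", "isMultiRegionTrail": True},
    },
]})


def _field(obj: dict, name: str):
    """Read a field whether it uses the record's camelCase or the API's PascalCase."""
    if name in obj:
        return obj[name]
    return obj.get(name[0].upper() + name[1:])


def excludes_kms(request_parameters: dict) -> bool:
    """True if any event selector in a PutEventSelectors request excludes AWS KMS."""
    for selector in _field(request_parameters, "eventSelectors") or []:
        excluded = _field(selector, "excludeManagementEventSources") or []
        if KMS_EVENT_SOURCE in excluded:
            return True
    return False


def find_kms_exclusions(log_text: str) -> list:
    """Return (eventTime, trail name, principal ARN) for each PutEventSelectors call that excluded AWS KMS."""
    findings = []
    for entry in json.loads(log_text)["Records"]:
        if (entry.get("eventSource") != CLOUDTRAIL_EVENT_SOURCE
                or entry.get("eventName") != "PutEventSelectors"):
            continue
        params = entry.get("requestParameters") or {}
        if excludes_kms(params):
            principal = (entry.get("userIdentity") or {}).get("arn")
            findings.append((entry["eventTime"], _field(params, "trailName"), principal))
    return findings


if __name__ == "__main__":
    for when, trail, who in find_kms_exclusions(SAMPLE_RECORDS):
        print(f"{when}: trail {trail!r} stopped logging AWS KMS events (changed by {who})")
```

Because the exclusion is recorded only in the trail's own `PutEventSelectors` entry, run this check against a trail that is not itself subject to the exclusion, such as an organization trail or a separate audit trail.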

# Examples of AWS KMS log entries
<a name="understanding-kms-entries"></a>

AWS KMS writes entries to your CloudTrail log when you call an AWS KMS operation and when an AWS service calls an operation on your behalf. AWS KMS also writes an entry when it calls an operation for you. For example, it writes an entry when it [deletes a KMS key](ct-delete-key.md) that you scheduled for deletion.

The following topics display examples of CloudTrail log entries for AWS KMS operations. 

For examples of CloudTrail log entries of requests to AWS KMS from attested platforms, see [Monitoring attested requests](ct-attestation.md).

**Topics**
+ [CancelKeyDeletion](ct-cancel-key-deletion.md)
+ [ConnectCustomKeyStore](ct-connect-keystore.md)
+ [CreateAlias](ct-createalias.md)
+ [CreateCustomKeyStore](ct-create-keystore.md)
+ [CreateGrant](ct-creategrant.md)
+ [CreateKey](ct-createkey.md)
+ [Decrypt](ct-decrypt.md)
+ [DeleteAlias](ct-deletealias.md)
+ [DeleteCustomKeyStore](ct-delete-keystore.md)
+ [DeleteExpiredKeyMaterial](ct-deleteexpiredkeymaterial.md)
+ [DeleteImportedKeyMaterial](ct-deleteimportedkeymaterial.md)
+ [DeleteKey](ct-delete-key.md)
+ [DescribeCustomKeyStores](ct-describe-keystores.md)
+ [DescribeKey](ct-describekey.md)
+ [DisableKey](ct-disablekey.md)
+ [DisableKeyRotation](ct-disable-key-rotation.md)
+ [DisconnectCustomKeyStore](ct-disconnect-keystore.md)
+ [EnableKey](ct-enablekey.md)
+ [EnableKeyRotation](ct-enablekeyrotation.md)
+ [Encrypt](ct-encrypt.md)
+ [GenerateDataKey](ct-generatedatakey.md)
+ [GenerateDataKeyPair](ct-generatedatakeypair.md)
+ [GenerateDataKeyPairWithoutPlaintext](ct-generatedatakeypairwithoutplaintext.md)
+ [GenerateDataKeyWithoutPlaintext](ct-generatedatakeyplaintext.md)
+ [GenerateMac](ct-generatemac.md)
+ [GenerateRandom](ct-generaterandom.md)
+ [GetKeyPolicy](ct-getkeypolicy.md)
+ [GetKeyRotationStatus](ct-getkeyrotationstatus.md)
+ [GetParametersForImport](ct-getparametersforimport.md)
+ [ImportKeyMaterial](ct-importkeymaterial.md)
+ [ListAliases](ct-listaliases.md)
+ [ListGrants](ct-listgrants.md)
+ [ListKeyRotations](ct-listkeyrotations.md)
+ [PutKeyPolicy](ct-put-key-policy.md)
+ [ReEncrypt](ct-reencrypt.md)
+ [ReplicateKey](ct-replicate-key.md)
+ [RetireGrant](ct-retire-grant.md)
+ [RevokeGrant](ct-revoke-grant.md)
+ [RotateKey](ct-rotatekey.md)
+ [RotateKeyOnDemand](ct-rotatekeyondemand.md)
+ [ScheduleKeyDeletion](ct-schedule-key-deletion.md)
+ [Sign](ct-sign.md)
+ [SynchronizeMultiRegionKey](ct-synchronize-multi-region-key.md)
+ [TagResource](ct-tagresource.md)
+ [UntagResource](ct-untagresource.md)
+ [UpdateAlias](ct-updatealias.md)
+ [UpdateCustomKeyStore](ct-update-keystore.md)
+ [UpdateKeyDescription](ct-update-key-description.md)
+ [UpdatePrimaryRegion](ct-update-primary-region.md)
+ [VerifyMac](ct-verifymac.md)
+ [Verify](ct-verify.md)
+ [Amazon EC2 example one](ct-ec2one.md)
+ [Amazon EC2 example two](ct-ec2two.md)

# CancelKeyDeletion
<a name="ct-cancel-key-deletion"></a>

The following example shows an AWS CloudTrail log entry generated by calling the [CancelKeyDeletion](https://docs.aws.amazon.com/kms/latest/APIReference/API_CancelKeyDeletion.html) operation. For information about deleting AWS KMS keys, see [Delete an AWS KMS key](deleting-keys.md).

```
{
    "eventVersion": "1.05",
    "userIdentity": {
        "type": "IAMUser",
        "principalId": "EX_PRINCIPAL_ID",
        "arn": "arn:aws:iam::111122223333:user/Alice",
        "accountId": "111122223333",
        "accessKeyId": "EXAMPLE_KEY_ID",
        "userName": "Alice"
    },
    "eventTime": "2020-07-27T21:53:17Z",
    "eventSource": "kms.amazonaws.com",
    "eventName": "CancelKeyDeletion",
    "awsRegion": "us-west-2",
    "sourceIPAddress": "192.0.2.0",
    "userAgent": "AWS Internal",
    "requestParameters": {
        "keyId": "1234abcd-12ab-34cd-56ef-1234567890ab"
    },
    "responseElements": {
        "keyId": "arn:aws:kms:us-west-2:111122223333:key/1234abcd-12ab-34cd-56ef-1234567890ab"
    },
    "requestID": "e3452e68-d4b0-4ec7-a768-7ae96c23764f",
    "eventID": "d818bf03-6655-48e9-8b26-f279a07075fd",
    "readOnly": false,
    "resources": [
        {
            "accountId": "111122223333",
            "type": "AWS::KMS::Key",
            "ARN": "arn:aws:kms:us-west-2:111122223333:key/1234abcd-12ab-34cd-56ef-1234567890ab"
        }
    ],
    "eventType": "AwsApiCall",
    "recipientAccountId": "111122223333"
}
```

# ConnectCustomKeyStore
<a name="ct-connect-keystore"></a>

The following example shows an AWS CloudTrail log entry generated by calling the [ConnectCustomKeyStore](https://docs.aws.amazon.com/kms/latest/APIReference/API_ConnectCustomKeyStore.html) operation. For information about connecting a custom key store, see [Connect an AWS CloudHSM key store](connect-keystore.md).

```
{
    "eventVersion": "1.08",
    "userIdentity": {
        "type": "IAMUser",
        "principalId": "EX_PRINCIPAL_ID",
        "arn": "arn:aws:iam::111122223333:user/Alice",
        "accountId": "111122223333",
        "accessKeyId": "EXAMPLE_KEY_ID",
        "userName": "Alice"
    },
    "eventTime": "2021-10-21T20:17:32Z",
    "eventSource": "kms.amazonaws.com",
    "eventName": "ConnectCustomKeyStore",
    "awsRegion": "us-east-1",
    "sourceIPAddress": "192.0.2.0",
    "userAgent": "AWS Internal",
    "requestParameters": {
        "customKeyStoreId": "cks-1234567890abcdef0"
    },
    "responseElements": null,
    "additionalEventData": {
        "customKeyStoreName": "ExampleKeyStore",
        "clusterId": "cluster-1a23b4cdefg"
    },
    "requestID": "abcde9e1-f1a3-4460-a423-577fb6e695c9",
    "eventID": "114b61b9-0ea6-47f5-a9d2-4f2bdd0017d5",
    "readOnly": false,
    "eventType": "AwsApiCall",
    "managementEvent": true,
    "recipientAccountId": "111122223333"    
}
```

# CreateAlias
<a name="ct-createalias"></a>

The following example shows an AWS CloudTrail log entry for the [CreateAlias](https://docs.aws.amazon.com/kms/latest/APIReference/API_CreateAlias.html) operation. The `resources` element includes fields for the alias and KMS key resources. For information about creating aliases in AWS KMS, see [Create aliases](alias-create.md).

CloudTrail log entries for this operation recorded on or after December 2022 include the key ARN of the affected KMS key in the `responseElements.keyId` value, even though this operation does not return the key ARN.

```
{
    "eventVersion": "1.08",
    "userIdentity": {
        "type": "IAMUser",
        "principalId": "EX_PRINCIPAL_ID",
        "arn": "arn:aws:iam::111122223333:user/Alice",
        "accountId": "111122223333",
        "accessKeyId": "EXAMPLE_KEY_ID",
        "userName": "Alice"
    },
    "eventTime": "2022-08-14T23:08:31Z",
    "eventSource": "kms.amazonaws.com",
    "eventName": "CreateAlias",
    "awsRegion": "us-west-2",
    "sourceIPAddress": "192.0.2.0",
    "userAgent": "AWS Internal",
    "requestParameters": {
        "aliasName": "alias/ExampleAlias",
        "targetKeyId": "1234abcd-12ab-34cd-56ef-1234567890ab"
    },
    "responseElements": {
        "keyId":"arn:aws:kms:us-west-2:111122223333:key/1234abcd-12ab-34cd-56ef-1234567890ab"
    },
    "requestID": "caec1e0c-ce03-419e-bdab-6ab1f7c57c01",
    "eventID": "2dd6e784-8286-46a6-befd-d64e5a02fb28",
    "readOnly": false,
    "resources": [
        {
            "accountId": "111122223333",
            "type": "AWS::KMS::Key",
            "ARN": "arn:aws:kms:us-west-2:111122223333:key/1234abcd-12ab-34cd-56ef-1234567890ab"
        },
        {
            "accountId": "111122223333",
            "type": "AWS::KMS::Key",
            "ARN": "arn:aws:kms:us-west-2:111122223333:alias/ExampleAlias"
        }
    ],
    "eventType": "AwsApiCall",
    "managementEvent": true,
    "recipientAccountId": "111122223333",
    "eventCategory": "Management"
}
```

# CreateCustomKeyStore
<a name="ct-create-keystore"></a>

The following example shows an AWS CloudTrail log entry generated by calling the [CreateCustomKeyStore](https://docs.aws.amazon.com/kms/latest/APIReference/API_CreateCustomKeyStore.html) operation on an AWS CloudHSM key store. For information about creating custom key stores, see [Create an AWS CloudHSM key store](create-keystore.md).

```
{
    "eventVersion": "1.08",
    "userIdentity": {
        "type": "IAMUser",
        "principalId": "EX_PRINCIPAL_ID",
        "arn": "arn:aws:iam::111122223333:user/Alice",
        "accountId": "111122223333",
        "accessKeyId": "EXAMPLE_KEY_ID",
        "userName": "Alice"
    },
    "eventTime": "2021-10-21T20:17:32Z",
    "eventSource": "kms.amazonaws.com",
    "eventName": "CreateCustomKeyStore",
    "awsRegion": "us-east-1",
    "sourceIPAddress": "192.0.2.0",
    "userAgent": "AWS Internal",
    "requestParameters": {
        "customKeyStoreName": "ExampleKeyStore",
        "clusterId": "cluster-1a23b4cdefg"
    },
    "responseElements": {
        "customKeyStoreId": "cks-1234567890abcdef0"
    },
    "requestID": "abcde9e1-f1a3-4460-a423-577fb6e695c9",
    "eventID": "114b61b9-0ea6-47f5-a9d2-4f2bdd0017d5",
    "readOnly": false,
    "eventType": "AwsApiCall",
    "managementEvent": true,
    "recipientAccountId": "111122223333"    
}
```

# CreateGrant
<a name="ct-creategrant"></a>

The following example shows an AWS CloudTrail log entry for the [CreateGrant](https://docs.aws.amazon.com/kms/latest/APIReference/API_CreateGrant.html) operation. For information about creating grants in AWS KMS, see [Grants in AWS KMS](grants.md).

CloudTrail log entries for this operation recorded on or after December 2022 include the key ARN of the affected KMS key in the `responseElements.keyId` value, even though this operation does not return the key ARN.

```
{
  "eventVersion": "1.02",
  "userIdentity": {
      "type": "IAMUser",
      "principalId": "EX_PRINCIPAL_ID",
      "arn": "arn:aws:iam::111122223333:user/Alice",
      "accountId": "111122223333",
      "accessKeyId": "EXAMPLE_KEY_ID",
      "userName": "Alice"
  },
  "eventTime": "2014-11-04T00:53:12Z",
  "eventSource": "kms.amazonaws.com",
  "eventName": "CreateGrant",
  "awsRegion": "us-east-1",
  "sourceIPAddress": "192.0.2.0",
  "userAgent": "AWS Internal",
  "requestParameters": {
      "keyId": "arn:aws:kms:us-west-2:111122223333:key/1234abcd-12ab-34cd-56ef-1234567890ab",
      "constraints": {
          "encryptionContextSubset": {
              "ContextKey1": "Value1"
          }
      },
      "operations": ["Encrypt", "RetireGrant"],
      "granteePrincipal": "EX_PRINCIPAL_ID"
  },
  "responseElements": {
      "grantId": "f020fe75197b93991dc8491d6f19dd3cebb24ee62277a05914386724f3d48758",
      "keyId":"arn:aws:kms:us-west-2:111122223333:key/1234abcd-12ab-34cd-56ef-1234567890ab"
  },
  "requestID": "f3c08808-63bc-11e4-bc2b-4198b6150d5c",
  "eventID": "5d529779-2d27-42b5-92da-91aaea1fc4b5",
  "readOnly": false,
  "resources": [{
      "ARN": "arn:aws:kms:us-west-2:111122223333:key/1234abcd-12ab-34cd-56ef-1234567890ab",
      "accountId": "111122223333"
  }],
  "eventType": "AwsApiCall",
  "recipientAccountId": "111122223333"
}
```

# CreateKey
<a name="ct-createkey"></a>

These examples show AWS CloudTrail log entries for the [CreateKey](https://docs.aws.amazon.com/kms/latest/APIReference/API_CreateKey.html) operation.

A `CreateKey` log entry can result from a `CreateKey` request or the `CreateKey` operation for a [ReplicateKey](https://docs.aws.amazon.com/kms/latest/APIReference/API_ReplicateKey.html) request.

The following example shows a CloudTrail log entry for a [CreateKey](https://docs.aws.amazon.com/kms/latest/APIReference/API_CreateKey.html) operation that creates a [symmetric encryption KMS key](symm-asymm-choose-key-spec.md#symmetric-cmks). For information about creating KMS keys, see [Create a KMS key](create-keys.md).

```
{
    "eventVersion": "1.08",
    "userIdentity": {
        "type": "IAMUser",
        "principalId": "EX_PRINCIPAL_ID",
        "arn": "arn:aws:iam::111122223333:user/Alice",
        "accountId": "111122223333",
        "accessKeyId": "EXAMPLE_KEY_ID",
        "userName": "Alice"
    },
    "eventTime": "2022-08-10T22:38:27Z",
    "eventSource": "kms.amazonaws.com",
    "eventName": "CreateKey",
    "awsRegion": "us-west-2",
    "sourceIPAddress": "192.0.2.0",
    "userAgent": "AWS Internal",
    "requestParameters": {
        "description": "",
        "origin": "EXTERNAL",
        "bypassPolicyLockoutSafetyCheck": false,
        "customerMasterKeySpec": "SYMMETRIC_DEFAULT",
        "keySpec": "SYMMETRIC_DEFAULT",
        "keyUsage": "ENCRYPT_DECRYPT"
    },
    "responseElements": {
        "keyMetadata": {
            "AWSAccountId": "111122223333",
            "keyId": "1234abcd-12ab-34cd-56ef-1234567890ab",
            "arn": "arn:aws:kms:us-west-2:111122223333:key/1234abcd-12ab-34cd-56ef-1234567890ab",
            "creationDate": "Aug 10, 2022, 10:38:27 PM",
            "enabled": false,
            "description": "",
            "keyUsage": "ENCRYPT_DECRYPT",
            "keyState": "PendingImport",
            "origin": "EXTERNAL",
            "keyManager": "CUSTOMER",
            "customerMasterKeySpec": "SYMMETRIC_DEFAULT",
            "keySpec": "SYMMETRIC_DEFAULT",
            "encryptionAlgorithms": [
                "SYMMETRIC_DEFAULT"
            ],
            "multiRegion": false
        }
    },
    "requestID": "1aef6713-0223-4ff7-9a6d-781360521930",
    "eventID": "36327b37-f4f6-40a9-92ab-48064ec905a2",
    "readOnly": false,
    "resources": [
        {
            "accountId": "111122223333",
            "type": "AWS::KMS::Key",
            "ARN": "arn:aws:kms:us-west-2:111122223333:key/1234abcd-12ab-34cd-56ef-1234567890ab"
        }
    ],
    "eventType": "AwsApiCall",
    "managementEvent": true,
    "recipientAccountId": "111122223333",
    "eventCategory": "Management"
}
```

The following example shows the CloudTrail log of a `CreateKey` operation that creates a symmetric encryption KMS key in an [AWS CloudHSM key store](keystore-cloudhsm.md).

```
{
    "eventVersion": "1.08",
    "userIdentity": {
        "type": "IAMUser",
        "principalId": "EX_PRINCIPAL_ID",
        "arn": "arn:aws:iam::111122223333:user/Alice",
        "accountId": "111122223333",
        "accessKeyId": "EXAMPLE_KEY_ID",
        "userName": "Alice"
    },
    "eventTime": "2021-10-14T17:39:50Z",
    "eventSource": "kms.amazonaws.com",
    "eventName": "CreateKey",
    "awsRegion": "us-west-2",
    "sourceIPAddress": "192.0.2.0",
    "userAgent": "AWS Internal",
    "requestParameters": {
        "keyUsage": "ENCRYPT_DECRYPT",
        "bypassPolicyLockoutSafetyCheck": false,
        "origin": "AWS_CLOUDHSM",
        "keySpec": "SYMMETRIC_DEFAULT",
        "customerMasterKeySpec": "SYMMETRIC_DEFAULT",
        "customKeyStoreId": "cks-1234567890abcdef0",
        "description": ""
    },
    "responseElements": {
        "keyMetadata": {
            "aWSAccountId": "111122223333",
            "keyId": "0987dcba-09fe-87dc-65ba-ab0987654321",
            "arn": "arn:aws:kms:us-west-2:111122223333:key/0987dcba-09fe-87dc-65ba-ab0987654321",
            "creationDate": "Oct 14, 2021, 5:39:50 PM",
            "enabled": true,
            "description": "",
            "keyUsage": "ENCRYPT_DECRYPT",
            "keyState": "Enabled",
            "origin": "AWS_CLOUDHSM",
            "customKeyStoreId": "cks-1234567890abcdef0",
            "cloudHsmClusterId": "cluster-1a23b4cdefg",
            "keyManager": "CUSTOMER",
            "customerMasterKeySpec": "SYMMETRIC_DEFAULT",
            "keySpec": "SYMMETRIC_DEFAULT",
            "encryptionAlgorithms": [
                "SYMMETRIC_DEFAULT"
            ],
            "multiRegion": false
        }
    },
    "additionalEventData": {
        "backingKey": "{\"backingKeyId\":\"backing-key-id\"}"
    },
    "requestID": "4f0b185c-588c-4767-9e90-c618f7e13cad",
    "eventID": "c73964b8-703d-49e4-bd9e-f773d0ee1e65",
    "readOnly": false,
    "resources": [
        {
            "accountId": "111122223333",
            "type": "AWS::KMS::Key",
            "ARN": "arn:aws:kms:us-west-2:111122223333:key/0987dcba-09fe-87dc-65ba-ab0987654321"
        }
    ],
    "eventType": "AwsApiCall",
    "managementEvent": true,
    "recipientAccountId": "111122223333",
    "eventCategory": "Management"
}
```

The following example shows the CloudTrail log of a `CreateKey` operation that creates a symmetric encryption KMS key in an [external key store](keystore-external.md).

```
{
    "eventVersion": "1.08",
    "userIdentity": {
        "type": "IAMUser",
            "principalId": "EX_PRINCIPAL_ID",
            "arn": "arn:aws:iam::111122223333:user/Alice",
            "accountId": "111122223333",
            "accessKeyId": "EXAMPLE_KEY_ID",
            "userName": "Alice"
    },
    "eventTime": "2022-09-07T22:37:45Z",
    "eventSource": "kms.amazonaws.com",
    "eventName": "CreateKey",
    "awsRegion": "us-east-1",
    "sourceIPAddress": "192.0.2.0",
    "userAgent": "AWS Internal",
    "requestParameters": {
        "tags": [],
        "keyUsage": "ENCRYPT_DECRYPT",
        "description": "",
        "origin": "EXTERNAL_KEY_STORE",        
        "multiRegion": false,
        "keySpec": "SYMMETRIC_DEFAULT",
        "customerMasterKeySpec": "SYMMETRIC_DEFAULT",
        "bypassPolicyLockoutSafetyCheck": false,
        "customKeyStoreId": "cks-1234567890abcdef0",
        "xksKeyId": "bb8562717f809024"
    },
    "responseElements": {
        "keyMetadata": {
            "aWSAccountId": "111122223333",
            "keyId": "1234abcd-12ab-34cd-56ef-1234567890ab",
            "arn": "arn:aws:kms:us-east-1:111122223333:key/1234abcd-12ab-34cd-56ef-1234567890ab",
            "creationDate": "Sep 7, 2022, 10:37:45 PM",
            "enabled": true,
            "description": "",
            "keyUsage": "ENCRYPT_DECRYPT",
            "keyState": "Enabled",
            "origin": "EXTERNAL_KEY_STORE",
            "customKeyStoreId": "cks-1234567890abcdef0",
            "keyManager": "CUSTOMER",
            "customerMasterKeySpec": "SYMMETRIC_DEFAULT",
            "keySpec": "SYMMETRIC_DEFAULT",
            "encryptionAlgorithms": [
                "SYMMETRIC_DEFAULT"
            ],
            "multiRegion": false,
            "xksKeyConfiguration": {                
                "id": "bb8562717f809024"
            }
        }
    },
    "requestID": "ba197c82-3ac7-487a-8ff4-7736bbeb1316",
    "eventID": "838ad5f4-5fdd-4044-afd7-4dbd88c6af56",
    "readOnly": false,
    "resources": [
        {
            "accountId": "111122223333",
            "type": "AWS::KMS::Key",
            "ARN": "arn:aws:kms:us-east-1:111122223333:key/1234abcd-12ab-34cd-56ef-1234567890ab"
        }
    ],
    "eventType": "AwsApiCall",
    "managementEvent": true,
    "recipientAccountId": "111122223333",
    "eventCategory": "Management"
}
```

# Decrypt
<a name="ct-decrypt"></a>

These examples show AWS CloudTrail log entries for the [Decrypt](https://docs.aws.amazon.com/kms/latest/APIReference/API_Decrypt.html) operation.

The CloudTrail log entry for a `Decrypt` operation always includes the `encryptionAlgorithm` in the `requestParameters`, even if the request did not specify an encryption algorithm. The ciphertext from the request and the plaintext from the response are never recorded.

**Topics**
+ [Decrypt with a standard symmetric encryption key](#ct-decrypt-default)
+ [Decrypt failure with a standard symmetric encryption key](#ct-decrypt-fail)
+ [Decrypt with a KMS key in an AWS CloudHSM key store](#ct-decrypt-hsm)
+ [Decrypt with a KMS key in an external key store](#ct-decrypt-xks)
+ [Decrypt failure with a KMS key in an external key store](#ct-decrypt-xks-fail)
+ [Decrypt with a standard symmetric encryption key over a post-quantum TLS connection](#ct-decrypt-default-pqtls)

## Decrypt with a standard symmetric encryption key
<a name="ct-decrypt-default"></a>

The following is an example CloudTrail log entry for a `Decrypt` operation with a standard symmetric encryption key. 

```
{
    "eventVersion": "1.11",
    "userIdentity": {
        "type": "IAMUser",
        "principalId": "EX_PRINCIPAL_ID",
        "arn": "arn:aws:iam::111122223333:user/Alice",
        "accountId": "111122223333",
        "accessKeyId": "EXAMPLE_KEY_ID",
        "userName": "Alice"
    },
    "eventTime": "2025-05-20T20:45:00Z",
    "eventSource": "kms.amazonaws.com",
    "eventName": "Decrypt",
    "awsRegion": "us-west-2",
    "sourceIPAddress": "192.0.2.0",
    "userAgent": "AWS Internal",
    "requestParameters": {
        "encryptionAlgorithm": "SYMMETRIC_DEFAULT",
        "keyId": "arn:aws:kms:us-west-2:111122223333:key/1234abcd-12ab-34cd-56ef-1234567890ab",
        "encryptionContext": {
            "Department": "Engineering",
            "Project": "Alpha"
        }        
    },
    "responseElements": null,
    "additionalEventData": {
        "keyMaterialId": "123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef0"
    },
    "requestID": "12345126-30d5-4b28-98b9-9153da559963",
    "eventID": "abcde202-ba1a-467c-b4ba-f729d45ae521",
    "readOnly": true,
    "resources": [
        {
            "accountId": "111122223333",
            "type": "AWS::KMS::Key",
            "ARN": "arn:aws:kms:us-west-2:111122223333:key/1234abcd-12ab-34cd-56ef-1234567890ab"
        }
    ],
    "eventType": "AwsApiCall",
    "managementEvent": true,
    "recipientAccountId": "111122223333",
    "eventCategory": "Management",
    "tlsDetails": {
        "tlsVersion": "TLSv1.2",
        "cipherSuite": "ECDHE-RSA-AES256-GCM-SHA384",
        "clientProvidedHostHeader": "kms.us-west-2.amazonaws.com"
    }
}
```

## Decrypt failure with a standard symmetric encryption key
<a name="ct-decrypt-fail"></a>

The following example CloudTrail log entry records a failed `Decrypt` operation with a standard symmetric encryption KMS key. The exception (`errorCode`) and error message (`errorMessage`) are included to help you resolve the error.

In this case, the symmetric encryption KMS key specified in the `Decrypt` request was not the symmetric encryption KMS key that was used to encrypt the data.

```
{
    "eventVersion": "1.08",
    "userIdentity": {
        "type": "IAMUser",
        "principalId": "EX_PRINCIPAL_ID",
        "arn": "arn:aws:iam::111122223333:user/Alice",
        "accountId": "111122223333",
        "accessKeyId": "EXAMPLE_KEY_ID",
        "userName": "Alice"
    },
    "eventTime": "2022-11-24T18:57:43Z",
    "eventSource": "kms.amazonaws.com",
    "eventName": "Decrypt",
    "awsRegion": "us-west-2",
    "sourceIPAddress": "192.0.2.0",
    "userAgent": "AWS Internal",
    "errorCode": "IncorrectKeyException",
    "errorMessage": "The key ID in the request does not identify a CMK that can perform this operation.",
    "requestParameters": {
        "encryptionAlgorithm": "SYMMETRIC_DEFAULT",
        "keyId": "arn:aws:kms:us-west-2:111122223333:key/1234abcd-12ab-34cd-56ef-1234567890ab",
        "encryptionContext": {
            "Department": "Engineering",
            "Project": "Alpha"
        }        
    },
    "responseElements": null,
    "requestID": "22345126-30d5-4b28-98b9-9153da559963",
    "eventID": "abcde202-ba1a-467c-b4ba-f729d45ae521",
    "readOnly": true,
    "resources": [
        {
            "accountId": "111122223333",
            "type": "AWS::KMS::Key",
            "ARN": "arn:aws:kms:us-west-2:111122223333:key/1234abcd-12ab-34cd-56ef-1234567890ab"
        }
    ],
    "eventType": "AwsApiCall",
    "recipientAccountId": "111122223333"
}
```

## Decrypt with a KMS key in an AWS CloudHSM key store
<a name="ct-decrypt-hsm"></a>

The following example CloudTrail log entry records a `Decrypt` operation with a KMS key in an [AWS CloudHSM key store](keystore-cloudhsm.md). All log entries for cryptographic operations with a KMS key in a custom key store include an `additionalEventData` field with the `customKeyStoreId` and `backingKeyId`. The value of the `backingKeyId` field is the CloudHSM key `id` attribute. AWS KMS adds the `additionalEventData` values; they are not parameters of the request.

```
{
    "eventVersion": "1.08",
    "userIdentity": {
        "type": "IAMUser",
        "principalId": "EX_PRINCIPAL_ID",
        "arn": "arn:aws:iam::111122223333:user/Alice",
        "accountId": "111122223333",
        "accessKeyId": "EXAMPLE_KEY_ID",
        "userName": "Alice"
    },
    "eventTime": "2021-10-26T23:41:27Z",
    "eventSource": "kms.amazonaws.com",
    "eventName": "Decrypt",
    "awsRegion": "us-west-2",
    "sourceIPAddress": "192.0.2.0",
    "requestParameters": {
        "encryptionAlgorithm": "SYMMETRIC_DEFAULT",
        "keyId": "arn:aws:kms:us-west-2:111122223333:key/1234abcd-12ab-34cd-56ef-1234567890ab",
        "encryptionContext": {
            "Department": "Development",
            "Purpose": "Test"
        }
    },
    "responseElements": null,
    "additionalEventData": {
        "customKeyStoreId": "cks-1234567890abcdef0"
    },
    "requestID": "e1b881f8-2048-41f8-b6cc-382b7857ec61",
    "eventID": "a79603d5-4cde-46fc-819c-a7cf547b9df4",
    "readOnly": true,
    "resources": [
        {
            "accountId": "111122223333",
            "type": "AWS::KMS::Key",
            "ARN": "arn:aws:kms:us-west-2:111122223333:key/1234abcd-12ab-34cd-56ef-1234567890ab"
        }
    ],
    "eventType": "AwsApiCall",
    "managementEvent": true,
    "recipientAccountId": "111122223333",
    "eventCategory": "Management"    
}
```

## Decrypt with a KMS key in an external key store
<a name="ct-decrypt-xks"></a>

The following example CloudTrail log entry records a `Decrypt` operation with a KMS key in an [external key store](keystore-external.md). In addition to the `customKeyStoreId`, the `additionalEventData` field includes the [external key ID](keystore-external.md#concept-external-key) (`xksKeyId`). AWS KMS adds the `additionalEventData` values; they are not parameters of the request.

```
{
    "eventVersion": "1.08",
    "userIdentity": {
        "type": "IAMUser",
        "principalId": "EX_PRINCIPAL_ID",
        "arn": "arn:aws:iam::111122223333:user/Alice",
        "accountId": "111122223333",
        "accessKeyId": "EXAMPLE_KEY_ID",
        "userName": "Alice"
    },
    "eventTime": "2022-11-24T00:26:58Z",
    "eventSource": "kms.amazonaws.com",
    "eventName": "Decrypt",
    "awsRegion": "us-west-2",
    "sourceIPAddress": "AWS Internal",
    "requestParameters": {
        "encryptionAlgorithm": "SYMMETRIC_DEFAULT",
        "keyId": "arn:aws:kms:us-west-2:111122223333:key/0987dcba-09fe-87dc-65ba-ab0987654321",
        "encryptionContext": {
            "Department": "Engineering",
            "Purpose": "Test"
        }
    },
    "responseElements": null,
    "additionalEventData": {
        "customKeyStoreId": "cks-9876543210fedcba9",
        "xksKeyId": "abc01234567890fe"
    },
    "requestID": "f1b881f8-2048-41f8-b6cc-382b7857ec61",
    "eventID": "b79603d5-4cde-46fc-819c-a7cf547b9df4",
    "readOnly": true,
    "resources": [
        {
            "accountId": "111122223333",
            "type": "AWS::KMS::Key",
            "ARN": "arn:aws:kms:us-west-2:111122223333:key/0987dcba-09fe-87dc-65ba-ab0987654321"
        }
    ],
    "eventType": "AwsApiCall",
    "managementEvent": true,
    "recipientAccountId": "111122223333",
    "eventCategory": "Management"
}
```

## Decrypt failure with a KMS key in an external key store
<a name="ct-decrypt-xks-fail"></a>

The following example CloudTrail log entry records a failed request for a `Decrypt` operation with a KMS key in an [external key store](keystore-external.md). CloudTrail logs failed requests as well as successful ones. When recording a failure, the log entry includes the exception (`errorCode`) and the accompanying error message (`errorMessage`).

If the failed request reached your external key store proxy, as in this example, you can use the `requestID` value to match the failed request with the corresponding entry in your external key store proxy's logs, if your proxy records it.

For help with `Decrypt` requests in external key stores, see [Decryption errors](xks-troubleshooting.md#fix-xks-decrypt).

```
{
    "eventVersion": "1.08",
    "userIdentity": {
        "type": "IAMUser",
        "principalId": "EX_PRINCIPAL_ID",
        "arn": "arn:aws:iam::111122223333:user/Alice",
        "accountId": "111122223333",
        "accessKeyId": "EXAMPLE_KEY_ID",
        "userName": "Alice"
    },
    "eventTime": "2022-11-24T00:26:58Z",
    "eventSource": "kms.amazonaws.com",
    "eventName": "Decrypt",
    "awsRegion": "us-west-2",
    "sourceIPAddress": "AWS Internal",
    "userAgent": "AWS Internal",
    "errorCode": "KMSInvalidStateException",
    "errorMessage": "The external key store proxy rejected the request because the specified ciphertext or additional authenticated data is corrupted, missing, or otherwise invalid.",
    "requestParameters": {
        "encryptionAlgorithm": "SYMMETRIC_DEFAULT",
        "keyId": "arn:aws:kms:us-west-2:111122223333:key/0987dcba-09fe-87dc-65ba-ab0987654321",
        "encryptionContext": {
            "Department": "Engineering",
            "Purpose": "Test"
        }
    },
    "responseElements": null,
    "additionalEventData": {
        "customKeyStoreId": "cks-9876543210fedcba9",
        "xksKeyId": "abc01234567890fe"
    },
    "requestID": "f1b881f8-2048-41f8-b6cc-382b7857ec61",
    "eventID": "b79603d5-4cde-46fc-819c-a7cf547b9df4",
    "readOnly": true,
    "resources": [
        {
            "accountId": "111122223333",
            "type": "AWS::KMS::Key",
            "ARN": "arn:aws:kms:us-west-2:111122223333:key/0987dcba-09fe-87dc-65ba-ab0987654321"
        }
    ],
    "eventType": "AwsApiCall",
    "managementEvent": true,
    "recipientAccountId": "111122223333",
    "eventCategory": "Management"
}
```

## Decrypt with a standard symmetric encryption key over a post-quantum TLS connection
<a name="ct-decrypt-default-pqtls"></a>

The following is an example CloudTrail log entry for a `Decrypt` operation with a standard symmetric encryption key over a post-quantum TLS connection. The `keyExchange` field in the `tlsDetails` section shows `X25519MLKEM768`. This is a *hybrid* key agreement that combines [Elliptic Curve Diffie-Hellman](https://en.wikipedia.org/wiki/Elliptic-curve_Diffie%E2%80%93Hellman) (ECDH) over [Curve25519](https://en.wikipedia.org/wiki/Curve25519), a classical key exchange algorithm widely used in TLS today, with the [Module-Lattice-Based Key-Encapsulation Mechanism](https://csrc.nist.gov/pubs/fips/203/final) (ML-KEM), the key-establishment algorithm that the National Institute of Standards and Technology (NIST) standardized in FIPS 203 as its first post-quantum key-agreement standard. Because the TLS session secret is derived from both components, the session stays protected as long as either algorithm remains unbroken.

```
{
    "eventVersion": "1.11",
    "userIdentity": {
        "type": "IAMUser",
        "principalId": "EX_PRINCIPAL_ID",
        "arn": "arn:aws:iam::111122223333:user/Alice",
        "accountId": "111122223333",
        "accessKeyId": "EXAMPLE_KEY_ID",
        "userName": "Alice"
    },
    "eventTime": "2025-11-12T15:16:26Z",
    "eventSource": "kms.amazonaws.com",
    "eventName": "Decrypt",
    "awsRegion": "us-west-2",
    "sourceIPAddress": "192.0.2.0",
    "userAgent": "aws-sdk-java/2.30.22 md/io#async md/http#AwsCommonRuntime ...",
    "requestParameters": {
        "encryptionAlgorithm": "SYMMETRIC_DEFAULT",
        "keyId": "arn:aws:kms:us-west-2:111122223333:key/1234abcd-12ab-34cd-56ef-1234567890ab",
        "encryptionContext": {
            "Department": "Engineering",
            "Project": "Alpha"
        }
    },
    "responseElements": null,
    "additionalEventData": {
        "keyMaterialId": "123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef0"
    },
    "requestID": "12345126-30d5-4b28-98b9-9153da559963",
    "eventID": "abcde202-ba1a-467c-b4ba-f729d45ae521",
    "readOnly": true,
    "resources": [
        {
            "accountId": "111122223333",
            "type": "AWS::KMS::Key",
            "ARN": "arn:aws:kms:us-west-2:111122223333:key/1234abcd-12ab-34cd-56ef-1234567890ab"
        }
    ],
    "eventType": "AwsApiCall",
    "managementEvent": true,
    "recipientAccountId": "111122223333",
    "eventCategory": "Management",
    "tlsDetails": {
        "tlsVersion": "TLSv1.3",
        "cipherSuite": "TLS_AES_256_GCM_SHA384",
        "clientProvidedHostHeader": "kms.us-west-2.amazonaws.com",
        "keyExchange": "X25519MLKEM768"
    }
}
```
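The `Decrypt` entries above give a detection rule its inputs: `encryptionAlgorithm` is always present, a failure carries `errorCode` and `errorMessage`, an external key store failure carries the `requestID` to match against the proxy's own logs, and `tlsDetails.keyExchange` shows whether the hybrid post-quantum group was negotiated. The following Python triage is an added example, not code from AWS or this guide. It assumes constructed sample records that mirror the shapes shown on this page, and it treats `X25519MLKEM768` as the only post-quantum key exchange group.

```python
"""Triage of AWS KMS Decrypt records from CloudTrail (added example, not AWS code).
Sample records at the bottom are constructed to mirror the fields shown on this page;
X25519MLKEM768 is the only post-quantum key exchange assumed here.
"""
from __future__ import annotations

from dataclasses import dataclass, field

KEY = "arn:aws:kms:us-west-2:111122223333:key/1234abcd-12ab-34cd-56ef-1234567890ab"
PQ_KEY_EXCHANGES = {"X25519MLKEM768"}   # assumption: extend as more hybrid groups appear


@dataclass
class DecryptFinding:
    event_id: str
    key_arn: str
    outcome: str                  # "success" or "failure"
    error_code: str | None
    custom_key_store_id: str | None
    xks_key_id: str | None
    request_id: str | None        # join key for the external key store proxy's own logs
    pq_tls: bool
    notes: list[str] = field(default_factory=list)


def key_arn_of(event: dict) -> str:
    """Key ARN from requestParameters.keyId, or from resources[] when keyId is a bare ID."""
    key_id = (event.get("requestParameters") or {}).get("keyId", "")
    if key_id.startswith("arn:"):
        return key_id
    for res in event.get("resources") or []:
        if ":key/" in res.get("ARN", ""):
            return res["ARN"]
    return key_id


def triage_decrypt(event: dict) -> DecryptFinding | None:
    """Return a finding for a kms.amazonaws.com Decrypt record; None for any other record."""
    if event.get("eventSource") != "kms.amazonaws.com" or event.get("eventName") != "Decrypt":
        return None
    params = event.get("requestParameters") or {}
    extra = event.get("additionalEventData") or {}
    tls = event.get("tlsDetails") or {}
    error_code = event.get("errorCode")
    f = DecryptFinding(
        event_id=event["eventID"],
        key_arn=key_arn_of(event),
        outcome="failure" if error_code else "success",
        error_code=error_code,
        custom_key_store_id=extra.get("customKeyStoreId"),
        xks_key_id=extra.get("xksKeyId"),
        request_id=event.get("requestID"),
        pq_tls=tls.get("keyExchange") in PQ_KEY_EXCHANGES,
    )
    if "encryptionAlgorithm" not in params:      # CloudTrail always records it for Decrypt
        f.notes.append("encryptionAlgorithm missing from requestParameters")
    if error_code == "IncorrectKeyException":
        f.notes.append("ciphertext was not encrypted under the requested key")
    if error_code and f.xks_key_id:
        f.notes.append(f"correlate requestID {f.request_id} with the external key store proxy's logs")
    if tls and not f.pq_tls:
        f.notes.append("classical TLS key exchange")
    return f


def summarize(events: list[dict]) -> dict:
    """Counts a detection rule can threshold on (for example, XKS failures per key per minute)."""
    findings = [f for f in map(triage_decrypt, events) if f is not None]
    return {
        "decrypt_total": len(findings),
        "failures": sum(f.outcome == "failure" for f in findings),
        "xks_failures": sum(f.outcome == "failure" and f.xks_key_id is not None for f in findings),
        "pq_tls": sum(f.pq_tls for f in findings),
    }


def _record(event_id: str, **overrides) -> dict:
    """Constructed Decrypt record with the fields this page shows; overrides add or replace fields."""
    rec = {
        "eventSource": "kms.amazonaws.com", "eventName": "Decrypt", "eventID": event_id,
        "requestID": "12345126-30d5-4b28-98b9-9153da559963",
        "requestParameters": {"encryptionAlgorithm": "SYMMETRIC_DEFAULT", "keyId": KEY},
        "responseElements": None,
        "resources": [{"type": "AWS::KMS::Key", "ARN": KEY}],
    }
    rec.update(overrides)
    return rec


SAMPLE_EVENTS = [   # constructed, not captured from a real account
    _record("e1", tlsDetails={"tlsVersion": "TLSv1.2", "cipherSuite": "ECDHE-RSA-AES256-GCM-SHA384"}),
    _record("e2", errorCode="IncorrectKeyException"),
    _record("e3", errorCode="KMSInvalidStateException", requestID="f1b881f8-2048-41f8-b6cc-382b7857ec61",
            additionalEventData={"customKeyStoreId": "cks-9876543210fedcba9", "xksKeyId": "abc01234567890fe"}),
    _record("e4", tlsDetails={"tlsVersion": "TLSv1.3", "cipherSuite": "TLS_AES_256_GCM_SHA384",
                              "keyExchange": "X25519MLKEM768"}),
    {"eventSource": "kms.amazonaws.com", "eventName": "DescribeKey", "eventID": "e5"},   # not a Decrypt
]

if __name__ == "__main__":
    for ev in SAMPLE_EVENTS:
        if (finding := triage_decrypt(ev)) is not None:
            print(finding.event_id, finding.outcome, finding.error_code, finding.notes)
    print(summarize(SAMPLE_EVENTS))
```

`summarize` is the part you would wire to a threshold: a burst of `xks_failures` for one key usually means the proxy or the external key manager is unhealthy, whereas a burst of `IncorrectKeyException` against one key is more often a client sending ciphertext to the wrong key, or someone probing which key a ciphertext belongs to.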

# DeleteAlias
<a name="ct-deletealias"></a>

The following example shows an AWS CloudTrail log entry for the [DeleteAlias](https://docs.aws.amazon.com/kms/latest/APIReference/API_DeleteAlias.html) operation. For information about deleting aliases, see [Delete an alias](alias-delete.md).

CloudTrail log entries for this operation recorded on or after December 2022 include the key ARN of the affected KMS key in the `responseElements.keyId` value, even though this operation does not return the key ARN.

```
{
    "eventVersion": "1.02",
    "userIdentity": {
        "type": "IAMUser",
        "principalId": "EX_PRINCIPAL_ID",
        "arn": "arn:aws:iam::111122223333:user/Alice",
        "accountId": "111122223333",
        "accessKeyId": "EXAMPLE_KEY_ID",
        "userName": "Alice",
        "sessionContext": {
            "attributes": {
                "mfaAuthenticated": "false",
                "creationDate": "2014-11-04T00:52:27Z"
            }
        }
    },
    "eventTime": "2014-11-04T00:52:27Z",
    "eventSource": "kms.amazonaws.com",
    "eventName": "DeleteAlias",
    "awsRegion": "us-east-1",
    "sourceIPAddress": "192.0.2.0",
    "userAgent": "AWS Internal",
    "requestParameters": {
        "aliasName": "alias/my_alias"
    },
    "responseElements": {
        "keyId":"arn:aws:kms:us-west-2:111122223333:key/1234abcd-12ab-34cd-56ef-1234567890ab"
    },
    "requestID": "d9542792-63bc-11e4-bc2b-4198b6150d5c",
    "eventID": "12f48554-bb04-4991-9cfc-e7e85f68eda0",
    "readOnly": false,
    "resources": [{
        "ARN": "arn:aws:kms:us-east-1:111122223333:alias/my_alias",
        "accountId": "111122223333"
    },
    {
        "ARN": "arn:aws:kms:us-west-2:111122223333:key/1234abcd-12ab-34cd-56ef-1234567890ab",
        "accountId": "111122223333"
    }],
    "eventType": "AwsApiCall",
    "recipientAccountId": "111122223333"
}
```

# DeleteCustomKeyStore
<a name="ct-delete-keystore"></a>

The following example shows an AWS CloudTrail log entry generated by calling the [DeleteCustomKeyStore](https://docs.aws.amazon.com/kms/latest/APIReference/API_DeleteCustomKeyStore.html) operation. For information about deleting custom key stores, see [Delete an AWS CloudHSM key store](delete-keystore.md).

```
{
    "eventVersion": "1.08",
    "userIdentity": {
        "type": "IAMUser",
        "principalId": "EX_PRINCIPAL_ID",
        "arn": "arn:aws:iam::111122223333:user/Alice",
        "accountId": "111122223333",
        "accessKeyId": "EXAMPLE_KEY_ID",
        "userName": "Alice"
    },
    "eventTime": "2021-10-21T20:17:32Z",
    "eventSource": "kms.amazonaws.com",
    "eventName": "DeleteCustomKeyStore",
    "awsRegion": "us-east-1",
    "sourceIPAddress": "192.0.2.0",
    "userAgent": "AWS Internal",
    "requestParameters": {
        "customKeyStoreId": "cks-1234567890abcdef0"
    },
    "responseElements": null,
    "additionalEventData": {
        "customKeyStoreName": "ExampleKeyStore",
        "clusterId": "cluster-1a23b4cdefg"
    },
    "requestID": "abcde9e1-f1a3-4460-a423-577fb6e695c9",
    "eventID": "114b61b9-0ea6-47f5-a9d2-4f2bdd0017d5",
    "readOnly": false,
    "eventType": "AwsApiCall",
    "managementEvent": true,
    "recipientAccountId": "111122223333"    
}
```

# DeleteExpiredKeyMaterial
<a name="ct-deleteexpiredkeymaterial"></a>

When you import key material into an AWS KMS key (KMS key), you can set an expiration date and time for that key material. AWS KMS records an entry in your CloudTrail log when you [import the key material](ct-importkeymaterial.md) (with the expiration settings) and when AWS KMS deletes the expired key material. For information about creating a KMS key with imported key material, see [Importing key material for AWS KMS keys](importing-keys.md).

The following example shows an AWS CloudTrail log entry generated when AWS KMS deletes the expired key material.

```
{
    "eventVersion": "1.11",
    "userIdentity": {
        "accountId": "111122223333",
        "invokedBy": "AWS Internal"
    },
    "eventTime": "2025-05-22T19:55:11Z",
    "eventSource": "kms.amazonaws.com",
    "eventName": "DeleteExpiredKeyMaterial",
    "awsRegion": "us-east-1",
    "sourceIPAddress": "AWS Internal",
    "userAgent": "AWS Internal",
    "requestParameters": null,
    "responseElements": null,
    "eventID": "cfa932fd-0d3a-4a76-a8b8-616863a2b547",
    "readOnly": false,
    "resources": [
        {
            "accountId": "111122223333",
            "type": "AWS::KMS::Key",
            "ARN": "arn:aws:kms:us-west-2:111122223333:key/1234abcd-12ab-34cd-56ef-1234567890ab"
        }
    ],
    "eventType": "AwsServiceEvent",
    "recipientAccountId": "111122223333",
    "serviceEventDetails": {
        "keyId": "1234abcd-12ab-34cd-56ef-1234567890ab",
        "keyMaterialId": "123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef0"
    },
    "eventCategory": "Management"
}
```

# DeleteImportedKeyMaterial
<a name="ct-deleteimportedkeymaterial"></a>

If you import key material into a KMS key, you can delete the imported key material at any time by using the [DeleteImportedKeyMaterial](https://docs.aws.amazon.com/kms/latest/APIReference/API_DeleteImportedKeyMaterial.html) operation. When you delete imported key material from a KMS key, the key state of the KMS key changes to `PendingImport` and the KMS key cannot be used in any cryptographic operations. For details, see [Delete imported key material](importing-keys-delete-key-material.md).

The following example shows an AWS CloudTrail log entry generated for the `DeleteImportedKeyMaterial` operation.

```
{
    "eventVersion": "1.11",
    "userIdentity": {
        "type": "IAMUser",
        "principalId": "EX_PRINCIPAL_ID",
        "arn": "arn:aws:iam::111122223333:user/Alice",
        "accountId": "111122223333",
        "accessKeyId": "EXAMPLE_KEY_ID",
        "userName": "Alice"
    },
    "eventTime": "2025-05-20T20:45:08Z",
    "eventSource": "kms.amazonaws.com",
    "eventName": "DeleteImportedKeyMaterial",
    "awsRegion": "us-west-2",
    "sourceIPAddress": "192.0.2.0",
    "userAgent": "AWS Internal",
    "requestParameters": {
        "keyId": "1234abcd-12ab-34cd-56ef-1234567890ab",
        "keyMaterialId": "123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef0"
    },
    "responseElements": {
        "keyId": "arn:aws:kms:us-west-2:111122223333:key/1234abcd-12ab-34cd-56ef-1234567890ab",
        "keyMaterialId": "123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef0"
    },
    "requestID": "dcf0e82f-dad0-4622-a378-a5b964ad42c1",
    "eventID": "2afbb991-c668-4641-8a00-67d62e1fecbd",
    "readOnly": false,
    "resources": [
        {
            "accountId": "111122223333",
            "type": "AWS::KMS::Key",
            "ARN": "arn:aws:kms:us-west-2:111122223333:key/1234abcd-12ab-34cd-56ef-1234567890ab"
        }
    ],
    "eventType": "AwsApiCall",
    "managementEvent": true,
    "recipientAccountId": "111122223333",
    "eventCategory": "Management",
    "tlsDetails": {
        "tlsVersion": "TLSv1.2",
        "cipherSuite": "ECDHE-RSA-AES256-GCM-SHA384",
        "clientProvidedHostHeader": "kms.us-west-2.amazonaws.com"
    }
}
```

# DeleteKey
<a name="ct-delete-key"></a>

These examples show the AWS CloudTrail log entry that is generated when a KMS key is deleted. To delete a KMS key, you use the [ScheduleKeyDeletion](https://docs.aws.amazon.com/kms/latest/APIReference/API_ScheduleKeyDeletion.html) operation. After the specified waiting period expires, AWS KMS deletes the KMS key and records an entry like the following ones in your CloudTrail log.

CloudTrail log entries for this operation recorded on or after December 2022 include the key ARN of the affected KMS key in the `responseElements.keyId` value, even though this operation does not return the key ARN.

For an example of the CloudTrail log entry for the `ScheduleKeyDeletion` operation, see [ScheduleKeyDeletion](ct-schedule-key-deletion.md). For information about deleting KMS keys, see [Delete an AWS KMS key](deleting-keys.md).

The following example CloudTrail log entry records a `DeleteKey` operation of a KMS key with key material in AWS KMS. 

```
{
    "eventVersion": "1.08",
    "userIdentity": {
        "accountId": "111122223333",
        "invokedBy": "AWS Internal"
    },
    "eventTime": "2020-07-31T00:07:00Z",
    "eventSource": "kms.amazonaws.com",
    "eventName": "DeleteKey",
    "awsRegion": "us-east-1",
    "sourceIPAddress": "AWS Internal",
    "userAgent": "AWS Internal",
    "requestParameters": null,
    "responseElements": null,
    "eventID": "b25f9cda-74e1-4458-847b-4972a0bf9668",
    "readOnly": false,
    "resources": [
        {
            "accountId": "111122223333",
            "type": "AWS::KMS::Key",
            "ARN": "arn:aws:kms:us-west-2:111122223333:key/1234abcd-12ab-34cd-56ef-1234567890ab"
        }
    ],
    "eventType": "AwsServiceEvent",
    "recipientAccountId": "111122223333",
    "managementEvent": true,
    "eventCategory": "Management"
}
```

The following CloudTrail log entry records a `DeleteKey` operation of a KMS key in an AWS CloudHSM [custom key store](key-store-overview.md#custom-key-store-overview).

```
{
    "eventVersion": "1.08",
    "userIdentity": {
        "accountId": "111122223333",
        "invokedBy": "AWS Internal"
    },
    "eventTime": "2021-10-26T23:41:27Z",
    "eventSource": "kms.amazonaws.com",
    "eventName": "DeleteKey",
    "awsRegion": "us-east-1",
    "sourceIPAddress": "AWS Internal",
    "userAgent": "AWS Internal",
    "requestParameters": null,
    "responseElements": {
        "keyId":"arn:aws:kms:us-west-2:111122223333:key/1234abcd-12ab-34cd-56ef-1234567890ab"
    },
    "additionalEventData": {
        "customKeyStoreId": "cks-1234567890abcdef0",
        "clusterId": "cluster-1a23b4cdefg",
        "backingKeys": "[{\"backingKeyId\":\"backing-key-id\"}]",
        "backingKeysDeletionStatus": "[{\"backingKeyId\":\"backing-key-id\",\"deletionStatus\":\"SUCCESS\"}]"
    },
    "eventID": "1234585c-4b0c-4340-ab11-662414b79239",
    "readOnly": false,
    "resources": [
        {
            "accountId": "111122223333",
            "type": "AWS::KMS::Key",
            "ARN": "arn:aws:kms:us-west-2:111122223333:key/1234abcd-12ab-34cd-56ef-1234567890ab"
        }
    ],
    "eventType": "AwsServiceEvent",
    "recipientAccountId": "111122223333",
    "managementEvent": true,
    "eventCategory": "Management"
}
```

# DescribeCustomKeyStores
<a name="ct-describe-keystores"></a>

The following example shows an AWS CloudTrail log entry generated by calling the [DescribeCustomKeyStores](https://docs.aws.amazon.com/kms/latest/APIReference/API_DescribeCustomKeyStores.html) operation. For information about viewing custom key stores, see [View an AWS CloudHSM key store](view-keystore.md).

```
{
    "eventVersion": "1.08",
    "userIdentity": {
        "type": "IAMUser",
        "principalId": "EX_PRINCIPAL_ID",
        "arn": "arn:aws:iam::111122223333:user/Alice",
        "accountId": "111122223333",
        "accessKeyId": "EXAMPLE_KEY_ID",
        "userName": "Alice"
    },
    "eventTime": "2021-10-21T20:17:32Z",
    "eventSource": "kms.amazonaws.com",
    "eventName": "DescribeCustomKeyStores",
    "awsRegion": "us-east-1",
    "sourceIPAddress": "192.0.2.0",
    "userAgent": "AWS Internal",
    "requestParameters": {
        "customKeyStoreId": "cks-1234567890abcdef0"
    },
    "responseElements": null,
    "requestID": "abcde9e1-f1a3-4460-a423-577fb6e695c9",
    "eventID": "2ea1735f-628d-43e3-b2ee-486d02913a78",
    "readOnly": true,
    "eventType": "AwsApiCall",
    "managementEvent": true,
    "recipientAccountId": "111122223333"    
}
```

# DescribeKey
<a name="ct-describekey"></a>

The following example shows an AWS CloudTrail log entry for the [DescribeKey](https://docs.aws.amazon.com/kms/latest/APIReference/API_DescribeKey.html) operation. AWS KMS records an entry like this one when you call `DescribeKey` directly or [view KMS keys](viewing-keys.md) in the AWS KMS console; this particular entry was generated by viewing a key in the console.

```
{
    "eventVersion": "1.08",
    "userIdentity": {
        "type": "IAMUser",
        "principalId": "EX_PRINCIPAL_ID",
        "arn": "arn:aws:iam::111122223333:user/Alice",
        "accountId": "111122223333",
        "accessKeyId": "EXAMPLE_KEY_ID",
        "userName": "Alice"
    },
    "eventTime": "2022-09-26T18:01:36Z",
    "eventSource": "kms.amazonaws.com",
    "eventName": "DescribeKey",
    "awsRegion": "us-west-2",
    "sourceIPAddress": "192.0.2.0",
    "userAgent": "AWS Internal",
    "requestParameters": {
        "keyId": "1234abcd-12ab-34cd-56ef-1234567890ab"
    },
    "responseElements": null,
    "requestID": "12345126-30d5-4b28-98b9-9153da559963",
    "eventID": "abcde202-ba1a-467c-b4ba-f729d45ae521",
    "readOnly": true,
    "resources": [
        {
            "accountId": "111122223333",
            "type": "AWS::KMS::Key",
            "ARN": "arn:aws:kms:us-west-2:111122223333:key/1234abcd-12ab-34cd-56ef-1234567890ab"
        }
    ],
    "eventType": "AwsApiCall",
    "recipientAccountId": "111122223333"
}
```

# DisableKey
<a name="ct-disablekey"></a>

The following example shows an AWS CloudTrail log entry for the [DisableKey](https://docs.aws.amazon.com/kms/latest/APIReference/API_DisableKey.html) operation. For information about enabling and disabling AWS KMS keys in AWS KMS, see [Enable and disable keys](enabling-keys.md).

CloudTrail log entries for this operation recorded on or after December 2022 include the key ARN of the affected KMS key in the `responseElements.keyId` value, even though this operation does not return the key ARN.

```
{
    "eventVersion": "1.02",
    "userIdentity": {
        "type": "IAMUser",
        "principalId": "EX_PRINCIPAL_ID",
        "arn": "arn:aws:iam::111122223333:user/Alice",
        "accountId": "111122223333",
        "accessKeyId": "EXAMPLE_KEY_ID",
        "userName": "Alice"
    },
    "eventTime": "2014-11-04T00:52:43Z",
    "eventSource": "kms.amazonaws.com",
    "eventName": "DisableKey",
    "awsRegion": "us-east-1",
    "sourceIPAddress": "192.0.2.0",
    "userAgent": "AWS Internal",
    "requestParameters": {
        "keyId": "1234abcd-12ab-34cd-56ef-1234567890ab"
    },
    "responseElements": {
        "keyId":"arn:aws:kms:us-west-2:111122223333:key/1234abcd-12ab-34cd-56ef-1234567890ab"
    },
    "requestID": "12345126-30d5-4b28-98b9-9153da559963",
    "eventID": "abcde202-ba1a-467c-b4ba-f729d45ae521",
    "readOnly": false,
    "resources": [{
        "ARN": "arn:aws:kms:us-west-2:111122223333:key/1234abcd-12ab-34cd-56ef-1234567890ab",
        "accountId": "111122223333"
    }],
    "eventType": "AwsApiCall",
    "recipientAccountId": "111122223333"
}
```

# DisableKeyRotation
<a name="ct-disable-key-rotation"></a>

The following example shows an AWS CloudTrail log entry generated by calling the [DisableKeyRotation](https://docs.aws.amazon.com/kms/latest/APIReference/API_DisableKeyRotation.html) operation. For information about automatic key rotation, see [Rotate AWS KMS keys](rotate-keys.md).

```
{
    "eventVersion": "1.08",
    "userIdentity": {
        "type": "IAMUser",
        "principalId": "EX_PRINCIPAL_ID",
        "arn": "arn:aws:iam::111122223333:user/Alice",
        "accountId": "111122223333",
        "accessKeyId": "EXAMPLE_KEY_ID",
        "userName": "Alice"
    },
    "eventTime": "2022-09-01T19:31:39Z",
    "eventSource": "kms.amazonaws.com",
    "eventName": "DisableKeyRotation",
    "awsRegion": "us-west-2",
    "sourceIPAddress": "192.0.2.0",
    "userAgent": "AWS Internal",
    "requestParameters": {
        "keyId": "arn:aws:kms:us-west-2:111122223333:key/1234abcd-12ab-34cd-56ef-1234567890ab"
    },
    "responseElements": null,
    "requestID": "d6a9351a-ed6e-4581-88d1-2a9a8a538497",
    "eventID": "6313164c-83aa-4cc3-9e1a-b7c426f7a5b1",
    "readOnly": false,
    "resources": [
        {
            "accountId": "111122223333",
            "type": "AWS::KMS::Key",
            "ARN": "arn:aws:kms:us-west-2:111122223333:key/1234abcd-12ab-34cd-56ef-1234567890ab"
        }
    ],
    "eventType": "AwsApiCall",
    "managementEvent": true,
    "recipientAccountId": "111122223333",
    "eventCategory": "Management"
}
```

# DisconnectCustomKeyStore
<a name="ct-disconnect-keystore"></a>

The following example shows an AWS CloudTrail log entry generated by calling the [DisconnectCustomKeyStore](https://docs.aws.amazon.com/kms/latest/APIReference/API_DisconnectCustomKeyStore.html) operation. For information about disconnecting a custom key store, see [Disconnect an AWS CloudHSM key store](disconnect-keystore.md).

```
{
    "eventVersion": "1.08",
    "userIdentity": {
        "type": "IAMUser",
        "principalId": "EX_PRINCIPAL_ID",
        "arn": "arn:aws:iam::111122223333:user/Alice",
        "accountId": "111122223333",
        "accessKeyId": "EXAMPLE_KEY_ID",
        "userName": "Alice"
    },
    "eventTime": "2021-10-21T20:17:32Z",
    "eventSource": "kms.amazonaws.com",
    "eventName": "DisconnectCustomKeyStore",
    "awsRegion": "us-east-1",
    "sourceIPAddress": "192.0.2.0",
    "userAgent": "AWS Internal",
    "requestParameters": {
        "customKeyStoreId": "cks-1234567890abcdef0"
    },
    "responseElements": null,
    "additionalEventData": {
        "customKeyStoreName": "ExampleKeyStore",
        "clusterId": "cluster-1a23b4cdefg"
    },
    "requestID": "abcde9e1-f1a3-4460-a423-577fb6e695c9",
    "eventID": "114b61b9-0ea6-47f5-a9d2-4f2bdd0017d5",
    "readOnly": false,
    "eventType": "AwsApiCall",
    "managementEvent": true,
    "recipientAccountId": "111122223333"    
}
```

# EnableKey
<a name="ct-enablekey"></a>

The following example shows an AWS CloudTrail log entry for the [EnableKey](https://docs.aws.amazon.com/kms/latest/APIReference/API_EnableKey.html) operation. For information about enabling and disabling AWS KMS keys in AWS KMS, see [Enable and disable keys](enabling-keys.md).

CloudTrail log entries for this operation recorded on or after December 2022 include the key ARN of the affected KMS key in the `responseElements.keyId` value, even though this operation does not return the key ARN.

```
{
    "eventVersion": "1.02",
    "userIdentity": {
        "type": "IAMUser",
        "principalId": "EX_PRINCIPAL_ID",
        "arn": "arn:aws:iam::111122223333:user/Alice",
        "accountId": "111122223333",
        "accessKeyId": "EXAMPLE_KEY_ID",
        "userName": "Alice"
    },
    "eventTime": "2014-11-04T00:52:20Z",
    "eventSource": "kms.amazonaws.com",
    "eventName": "EnableKey",
    "awsRegion": "us-east-1",
    "sourceIPAddress": "192.0.2.0",
    "userAgent": "AWS Internal",
    "requestParameters": {
        "keyId": "1234abcd-12ab-34cd-56ef-1234567890ab"
    },
    "responseElements": {
        "keyId":"arn:aws:kms:us-west-2:111122223333:key/1234abcd-12ab-34cd-56ef-1234567890ab"
    },
    "requestID": "d528a6fb-63bc-11e4-bc2b-4198b6150d5c",
    "eventID": "be393928-3629-4370-9634-567f9274d52e",
    "readOnly": false,
    "resources": [{
        "ARN": "arn:aws:kms:us-west-2:111122223333:key/1234abcd-12ab-34cd-56ef-1234567890ab",
        "accountId": "111122223333"
    }],
    "eventType": "AwsApiCall",
    "recipientAccountId": "111122223333"
}
```

# EnableKeyRotation
<a name="ct-enablekeyrotation"></a>

The following example shows an AWS CloudTrail log entry of a call to the [EnableKeyRotation](https://docs.aws.amazon.com/kms/latest/APIReference/API_EnableKeyRotation.html) operation. For an example of the CloudTrail log entry that is written when the key is rotated, see [RotateKey](ct-rotatekey.md). For information about rotating AWS KMS keys, see [Rotate AWS KMS keys](rotate-keys.md).

**Note**  
The [rotation-period](rotate-keys.md#rotation-period) is an optional request parameter. If you do not specify a rotation period when you enable automatic key rotation, the default value is 365 days.

CloudTrail log entries for this operation recorded on or after December 2022 include the key ARN of the affected KMS key in the `responseElements.keyId` value, even though this operation does not return the key ARN.

```
{
    "eventVersion": "1.05",
    "userIdentity": {
        "type": "IAMUser",
        "principalId": "EX_PRINCIPAL_ID",
        "arn": "arn:aws:iam::111122223333:user/Alice",
        "accountId": "111122223333",
        "accessKeyId": "EXAMPLE_KEY_ID",
        "userName": "Alice"
    },
    "eventTime": "2020-07-25T23:41:56Z",
    "eventSource": "kms.amazonaws.com",
    "eventName": "EnableKeyRotation",
    "awsRegion": "us-west-2",
    "sourceIPAddress": "192.0.2.0",
    "userAgent": "AWS Internal",
    "requestParameters": {
        "keyId": "1234abcd-12ab-34cd-56ef-1234567890ab",
        "rotationPeriodInDays": 180
    },
    "responseElements": {
        "keyId":"arn:aws:kms:us-west-2:111122223333:key/1234abcd-12ab-34cd-56ef-1234567890ab"
    },
    "requestID": "81f5b794-452b-4d6a-932b-68c188165273",
    "eventID": "fefc43a7-8e06-419f-bcab-b3bf18d6a401",
    "readOnly": false,
    "resources": [
        {
            "accountId": "111122223333",
            "type": "AWS::KMS::Key",
            "ARN": "arn:aws:kms:us-west-2:111122223333:key/1234abcd-12ab-34cd-56ef-1234567890ab"
        }
    ],
    "eventType": "AwsApiCall",
    "recipientAccountId": "111122223333"
}
```

# Encrypt
<a name="ct-encrypt"></a>

The following example shows an AWS CloudTrail log entry for the [Encrypt](https://docs.aws.amazon.com/kms/latest/APIReference/API_Encrypt.html) operation.

```
{
    "eventVersion": "1.11",
    "userIdentity": {
        "type": "IAMUser",
        "principalId": "EX_PRINCIPAL_ID",
        "arn": "arn:aws:iam::111122223333:user/Alice",
        "accountId": "111122223333",
        "accessKeyId": "EXAMPLE_KEY_ID",
        "userName": "Alice"
    },
    "eventTime": "2025-05-20T20:46:16Z",
    "eventSource": "kms.amazonaws.com",
    "eventName": "Encrypt",
    "awsRegion": "us-east-1",
    "sourceIPAddress": "192.0.2.0",
    "userAgent": "AWS Internal",
    "requestParameters": {
        "encryptionContext": {
            "Department": "Engineering"
        },
        "keyId": "arn:aws:kms:us-west-2:111122223333:key/1234abcd-12ab-34cd-56ef-1234567890ab",
        "encryptionAlgorithm": "SYMMETRIC_DEFAULT"
    },
    "responseElements": null,
    "additionalEventData": {
        "keyMaterialId": "123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef0"
    },
    "requestID": "f3423043-63bc-11e4-bc2b-4198b6150d5c",
    "eventID": "91235988-eb87-476a-ac2c-0cdc244e6dca",
    "readOnly": true,
    "resources": [{
        "ARN": "arn:aws:kms:us-west-2:111122223333:key/1234abcd-12ab-34cd-56ef-1234567890ab",
        "accountId": "111122223333"
    }],
    "eventType": "AwsApiCall",
    "managementEvent": true,
    "recipientAccountId": "111122223333",
    "eventCategory": "Management",
    "tlsDetails": {
        "tlsVersion": "TLSv1.3",
        "cipherSuite": "TLS_AES_256_GCM_SHA384",
        "clientProvidedHostHeader": "kms.us-east-1.amazonaws.com"
    }
}
```

# GenerateDataKey
<a name="ct-generatedatakey"></a>

The following example shows an AWS CloudTrail log entry for the [GenerateDataKey](https://docs.aws.amazon.com/kms/latest/APIReference/API_GenerateDataKey.html) operation.

```
{
    "eventVersion": "1.11",
    "userIdentity": {
        "type": "IAMUser",
        "principalId": "EX_PRINCIPAL_ID",
        "arn": "arn:aws:iam::111122223333:user/Alice",
        "accountId": "111122223333",
        "accessKeyId": "EXAMPLE_KEY_ID",
        "userName": "Alice"
    },
    "eventTime": "2025-05-20T20:46:16Z",
    "eventSource": "kms.amazonaws.com",
    "eventName": "GenerateDataKey",
    "awsRegion": "us-east-1",
    "sourceIPAddress": "192.0.2.0",
    "userAgent": "AWS Internal",
    "requestParameters": {
        "keyId": "1234abcd-12ab-34cd-56ef-1234567890ab",
        "keySpec": "AES_256",
        "encryptionContext": {
            "Department": "Engineering",
            "Project": "Alpha"
        }
    },
    "responseElements": null,
    "additionalEventData": {
        "keyMaterialId": "123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef0"
    },
    "requestID": "e0eb83e3-63bc-11e4-bc2b-4198b6150d5c",
    "eventID": "a9dea4f9-8395-46c0-942c-f509c02c2b71",
    "readOnly": true,
    "resources": [{
        "ARN": "arn:aws:kms:us-west-2:111122223333:key/1234abcd-12ab-34cd-56ef-1234567890ab",
        "accountId": "111122223333"
    }],
    "eventType": "AwsApiCall",
    "managementEvent": true,
    "recipientAccountId": "111122223333",
    "eventCategory": "Management",
    "tlsDetails": {
        "tlsVersion": "TLSv1.3",
        "cipherSuite": "TLS_AES_256_GCM_SHA384",
        "clientProvidedHostHeader": "kms.us-east-1.amazonaws.com"
    }
}
```

# GenerateDataKeyPair
<a name="ct-generatedatakeypair"></a>

The following example shows an AWS CloudTrail log entry for the [GenerateDataKeyPair](https://docs.aws.amazon.com/kms/latest/APIReference/API_GenerateDataKeyPair.html) operation. This example records an operation that generates an RSA key pair encrypted under a symmetric encryption AWS KMS key.

```
{
    "eventVersion": "1.11",
    "userIdentity": {
            "type": "IAMUser",
            "principalId": "EX_PRINCIPAL_ID",
            "arn": "arn:aws:iam::111122223333:user/Alice",
            "accountId": "111122223333",
            "accessKeyId": "EXAMPLE_KEY_ID",
            "userName": "Alice"
    },
    "eventTime": "2025-05-20T20:46:16Z",
    "eventSource": "kms.amazonaws.com",
    "eventName": "GenerateDataKeyPair",
    "awsRegion": "us-west-2",
    "sourceIPAddress": "192.0.2.0",
    "userAgent": "AWS Internal",
    "requestParameters": {
        "keyPairSpec": "RSA_3072",
        "encryptionContext": {
            "Project": "Alpha"
        },
        "keyId": "1234abcd-12ab-34cd-56ef-1234567890ab"
    },
    "responseElements": null,
    "additionalEventData": {
        "keyMaterialId": "123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef0"
    },
    "requestID": "52fb127b-0fe5-42bb-8e5e-f560febde6b0",
    "eventID": "9b6bd6d2-529d-4890-a949-593b13800ad7",
    "readOnly": true,
    "resources": [
        {
            "accountId": "111122223333",
            "type": "AWS::KMS::Key",
            "ARN": "arn:aws:kms:us-west-2:111122223333:key/1234abcd-12ab-34cd-56ef-1234567890ab"
        }
    ],
    "eventType": "AwsApiCall",
    "managementEvent": true,
    "recipientAccountId": "111122223333",
    "eventCategory": "Management",
    "tlsDetails": {
        "tlsVersion": "TLSv1.3",
        "cipherSuite": "TLS_AES_256_GCM_SHA384",
        "clientProvidedHostHeader": "kms.us-west-2.amazonaws.com"
    }
}
```

# GenerateDataKeyPairWithoutPlaintext
<a name="ct-generatedatakeypairwithoutplaintext"></a>

The following example shows an AWS CloudTrail log entry for the [GenerateDataKeyPairWithoutPlaintext](https://docs.aws.amazon.com/kms/latest/APIReference/API_GenerateDataKeyPairWithoutPlaintext.html) operation. This example records an operation that generates an RSA key pair that is encrypted under a symmetric encryption AWS KMS key.

```
{
    "eventVersion": "1.11",
    "userIdentity": {
            "type": "IAMUser",
            "principalId": "EX_PRINCIPAL_ID",
            "arn": "arn:aws:iam::111122223333:user/Alice",
            "accountId": "111122223333",
            "accessKeyId": "EXAMPLE_KEY_ID",
            "userName": "Alice"
    },
    "eventTime": "2025-05-20T20:46:16Z",
    "eventSource": "kms.amazonaws.com",
    "eventName": "GenerateDataKeyPairWithoutPlaintext",
    "awsRegion": "us-west-2",
    "sourceIPAddress": "192.0.2.0",
    "userAgent": "AWS Internal",
    "requestParameters": {
        "keyPairSpec": "RSA_4096",
        "encryptionContext": {
            "Index": "5"
        },
        "keyId": "1234abcd-12ab-34cd-56ef-1234567890ab"
    },
    "responseElements": null,
    "additionalEventData": {
        "keyMaterialId": "123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef0"
    },
    "requestID": "52fb127b-0fe5-42bb-8e5e-f560febde6b0",
    "eventID": "9b6bd6d2-529d-4890-a949-593b13800ad7",
    "readOnly": true,
    "resources": [
        {
            "accountId": "111122223333",
            "type": "AWS::KMS::Key",
            "ARN": "arn:aws:kms:us-west-2:111122223333:key/1234abcd-12ab-34cd-56ef-1234567890ab"
        }
    ],
    "eventType": "AwsApiCall",
    "managementEvent": true,
    "recipientAccountId": "111122223333",
    "eventCategory": "Management",
    "tlsDetails": {
        "tlsVersion": "TLSv1.3",
        "cipherSuite": "TLS_AES_256_GCM_SHA384",
        "clientProvidedHostHeader": "kms.us-west-2.amazonaws.com"
    }
}
```

# GenerateDataKeyWithoutPlaintext
<a name="ct-generatedatakeyplaintext"></a>

The following example shows an AWS CloudTrail log entry for the [GenerateDataKeyWithoutPlaintext](https://docs.aws.amazon.com/kms/latest/APIReference/API_GenerateDataKeyWithoutPlaintext.html) operation.

```
{
    "eventVersion": "1.11",
    "userIdentity": {
        "type": "IAMUser",
        "principalId": "EX_PRINCIPAL_ID",
        "arn": "arn:aws:iam::111122223333:user/Alice",
        "accountId": "111122223333",
        "accessKeyId": "EXAMPLE_KEY_ID",
        "userName": "Alice"
    },
    "eventTime": "2025-05-20T20:46:16Z",
    "eventSource": "kms.amazonaws.com",
    "eventName": "GenerateDataKeyWithoutPlaintext",
    "awsRegion": "us-east-1",
    "sourceIPAddress": "192.0.2.0",
    "userAgent": "AWS Internal",
    "requestParameters": {
        "keyId": "1234abcd-12ab-34cd-56ef-1234567890ab",
        "keySpec": "AES_256",
        "encryptionContext": {
            "Project": "Alpha"
        }
    },
    "responseElements": null,
    "additionalEventData": {
        "keyMaterialId": "123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef0"
    },
    "requestID": "d6b8e411-63bc-11e4-bc2b-4198b6150d5c",
    "eventID": "f7734272-9ec5-4c80-9f36-528ebbe35e4a",
    "readOnly": true,
    "resources": [{
        "ARN": "arn:aws:kms:us-west-2:111122223333:key/1234abcd-12ab-34cd-56ef-1234567890ab",
        "accountId": "111122223333"
    }],
    "eventType": "AwsApiCall",
    "managementEvent": true,
    "recipientAccountId": "111122223333",
    "eventCategory": "Management",
    "tlsDetails": {
        "tlsVersion": "TLSv1.3",
        "cipherSuite": "TLS_AES_256_GCM_SHA384",
        "clientProvidedHostHeader": "kms.us-east-1.amazonaws.com"
    }
}
```
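The Encrypt, GenerateDataKey, GenerateDataKeyPair, GenerateDataKeyPairWithoutPlaintext and GenerateDataKeyWithoutPlaintext entries above are the data-plane events you baseline before you can spot unusual key use. The following script is an added example, not AWS code: it builds a baseline of (principal, key ARN, operation) triples from a known-good set of records and then flags, in a later set, any principal that has never used a key before and any call whose encryption context lacks a field that key is expected to carry. Two details of the log shape matter and are handled here: `requestParameters.keyId` may be a bare key ID, an alias or an ARN, so the key is taken from `resources[].ARN`, which CloudTrail normalizes; and a ReEncrypt entry lists the source key and then the destination key in `resources`, each with its own encryption context. The `REQUIRED_CONTEXT` map and all sample records are constructed for the example.

```python
"""Baseline and anomaly check for AWS KMS data-plane (cryptographic) events in CloudTrail.

Added example, not AWS code. Record shapes follow the Encrypt, GenerateDataKey* and
ReEncrypt entries on this page; the sample records below are constructed for illustration.
"""
from collections import Counter

KEY_A = "arn:aws:kms:us-west-2:111122223333:key/1234abcd-12ab-34cd-56ef-1234567890ab"
KEY_B = "arn:aws:kms:us-west-2:111122223333:key/0987dcba-09fe-87dc-65ba-ab0987654321"

# Cryptographic operations that use a KMS key. The page names Encrypt, Decrypt, ReEncrypt
# and GenerateDataKey; the others are the remaining KMS cryptographic operations.
DATA_PLANE_OPS = {
    "Encrypt", "Decrypt", "ReEncrypt", "GenerateDataKey", "GenerateDataKeyWithoutPlaintext",
    "GenerateDataKeyPair", "GenerateDataKeyPairWithoutPlaintext", "GenerateMac", "VerifyMac",
    "Sign", "Verify",
}

# Assumption for this example: encryption-context fields each KMS key must be used with.
REQUIRED_CONTEXT = {KEY_A: {"Department"}, KEY_B: {"Level"}}


def is_data_plane(rec):
    return rec.get("eventSource") == "kms.amazonaws.com" and rec.get("eventName") in DATA_PLANE_OPS


def principal(rec):
    return (rec.get("userIdentity") or {}).get("arn", "<unknown>")


def key_arns(rec):
    """Key ARNs from 'resources': CloudTrail normalizes them to ARNs even when the caller
    passed a bare key ID or an alias in requestParameters.keyId (both forms appear on this page)."""
    return [r["ARN"] for r in rec.get("resources") or [] if "ARN" in r]


def contexts_by_key(rec):
    """Pair each key ARN with the encryption context that applies to it. For ReEncrypt the
    resources list holds the source key and then the destination key, in that order."""
    params = rec.get("requestParameters") or {}
    arns = key_arns(rec)
    if rec["eventName"] == "ReEncrypt" and len(arns) == 2:
        return [(arns[0], params.get("sourceEncryptionContext") or {}),
                (arns[1], params.get("destinationEncryptionContext") or {})]
    return [(arn, params.get("encryptionContext") or {}) for arn in arns]


def build_baseline(records):
    """Count (principal, key ARN, operation) triples over a known-good period."""
    baseline = Counter()
    for rec in filter(is_data_plane, records):
        for arn in key_arns(rec):
            baseline[(principal(rec), arn, rec["eventName"])] += 1
    return baseline


def find_anomalies(records, baseline):
    """Flag a (principal, key) pair never seen in the baseline, and any use of a key whose
    encryption context lacks a required field."""
    known = {(p, k) for (p, k, _) in baseline}
    findings = []
    for rec in filter(is_data_plane, records):
        who = principal(rec)
        for arn, ctx in contexts_by_key(rec):
            if (who, arn) not in known:
                findings.append(("new-principal-for-key", rec["eventName"], who, arn))
            missing = REQUIRED_CONTEXT.get(arn, set()) - set(ctx)
            if missing:
                findings.append(("missing-encryption-context", rec["eventName"], who, arn, sorted(missing)))
    return findings


def _rec(name, user, arns, **params):
    """Constructed, abbreviated CloudTrail record in the shape shown on this page."""
    return {"eventSource": "kms.amazonaws.com", "eventName": name, "readOnly": True,
            "userIdentity": {"type": "IAMUser", "arn": f"arn:aws:iam::111122223333:user/{user}"},
            "requestParameters": params,
            "resources": [{"accountId": "111122223333", "type": "AWS::KMS::Key", "ARN": a} for a in arns]}


BASELINE_RECORDS = [  # constructed known-good period
    _rec("Encrypt", "Alice", [KEY_A], keyId=KEY_A, encryptionContext={"Department": "Engineering"}),
    _rec("GenerateDataKey", "Alice", [KEY_A], keyId="1234abcd-12ab-34cd-56ef-1234567890ab",
         keySpec="AES_256", encryptionContext={"Department": "Engineering", "Project": "Alpha"}),
    _rec("ReEncrypt", "Alice", [KEY_A, KEY_B], destinationKeyId=KEY_B,
         sourceEncryptionContext={"Department": "Engineering"}, destinationEncryptionContext={"Level": "3A"}),
]

CURRENT_RECORDS = [  # constructed period under review
    # alias in requestParameters.keyId; the ARN in 'resources' still matches the baseline
    _rec("Encrypt", "Alice", [KEY_A], keyId="alias/ExampleAlias", encryptionContext={"Department": "Engineering"}),
    # a principal that has never used KEY_A before
    _rec("Decrypt", "Mallory", [KEY_A], encryptionContext={"Department": "Engineering"}),
    # known principal, but the required context field is missing
    _rec("GenerateDataKeyWithoutPlaintext", "Alice", [KEY_A], keyId=KEY_A, keySpec="AES_256",
         encryptionContext={"Project": "Alpha"}),
    # control-plane read, ignored by this check
    {"eventSource": "kms.amazonaws.com", "eventName": "DescribeKey", "readOnly": True,
     "userIdentity": {"arn": "arn:aws:iam::111122223333:user/Alice"},
     "requestParameters": {"keyId": KEY_A}, "resources": [{"ARN": KEY_A}]},
]


def run_example():
    return find_anomalies(CURRENT_RECORDS, build_baseline(BASELINE_RECORDS))


if __name__ == "__main__":
    for finding in run_example():
        print(finding)
```

Note that every entry above carries `"readOnly": true`: these cryptographic operations are recorded as read events, so a trail configured to log only write management events will not contain them at all, and the baseline would be empty. Check the trail's read/write setting before trusting an absence of data-plane activity.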

# GenerateMac
<a name="ct-generatemac"></a>

The following example shows an AWS CloudTrail log entry for the [GenerateMac](https://docs.aws.amazon.com/kms/latest/APIReference/API_GenerateMac.html) operation.

```
{
    "eventVersion": "1.08",
    "userIdentity": {
        "type": "IAMUser",
        "principalId": "EX_PRINCIPAL_ID",
        "arn": "arn:aws:iam::111122223333:user/Alice",
        "accountId": "111122223333",
        "accessKeyId": "EXAMPLE_KEY_ID",
        "userName": "Alice"
     },
    "eventTime": "2022-12-23T19:26:54Z",
    "eventSource": "kms.amazonaws.com",
    "eventName": "GenerateMac",
    "awsRegion": "us-east-1",
    "sourceIPAddress": "192.0.2.0",
    "userAgent": "AWS Internal",
    "requestParameters": {
        "macAlgorithm": "HMAC_SHA_512",
        "keyId": "1234abcd-12ab-34cd-56ef-1234567890ab"
    },
    "responseElements": null,
    "requestID": "e0eb83e3-63bc-11e4-bc2b-4198b6150d5c",
    "eventID": "a9dea4f9-8395-46c0-942c-f509c02c2b71",
    "readOnly": true,
    "resources": [
        {
            "accountId": "111122223333",
            "ARN": "arn:aws:kms:us-west-2:111122223333:key/1234abcd-12ab-34cd-56ef-1234567890ab"
        }
    ],
    "eventType": "AwsApiCall",
    "recipientAccountId": "111122223333",
    "eventCategory": "Management"
}
```

# GenerateRandom
<a name="ct-generaterandom"></a>

The following example shows an AWS CloudTrail log entry for the [GenerateRandom](https://docs.aws.amazon.com/kms/latest/APIReference/API_GenerateRandom.html) operation. Because this operation doesn't use an AWS KMS key, the `resources` field is empty.

```
{
    "eventVersion": "1.02",
    "userIdentity": {
        "type": "IAMUser",
        "principalId": "EX_PRINCIPAL_ID",
        "arn": "arn:aws:iam::111122223333:user/Alice",
        "accountId": "111122223333",
        "accessKeyId": "EXAMPLE_KEY_ID",
        "userName": "Alice"
    },
    "eventTime": "2014-11-04T00:52:37Z",
    "eventSource": "kms.amazonaws.com",
    "eventName": "GenerateRandom",
    "awsRegion": "us-east-1",
    "sourceIPAddress": "192.0.2.0",
    "userAgent": "AWS Internal",
    "requestParameters": null,
    "responseElements": null,
    "requestID": "df1e3de6-63bc-11e4-bc2b-4198b6150d5c",
    "eventID": "239cb9f7-ae05-4c94-9221-6ea30eef0442",
    "readOnly": true,
    "resources": [],
    "eventType": "AwsApiCall",
    "recipientAccountId": "111122223333"
}
```

# GetKeyPolicy
<a name="ct-getkeypolicy"></a>

The following example shows an AWS CloudTrail log entry for the [GetKeyPolicy](https://docs.aws.amazon.com/kms/latest/APIReference/API_GetKeyPolicy.html) operation. For information about viewing the key policy for a KMS key, see [View a key policy](key-policy-viewing.md).

```
{
    "eventVersion": "1.02",
    "userIdentity": {
        "type": "IAMUser",
        "principalId": "EX_PRINCIPAL_ID",
        "arn": "arn:aws:iam::111122223333:user/Alice",
        "accountId": "111122223333",
        "accessKeyId": "EXAMPLE_KEY_ID",
        "userName": "Alice"
    },
    "eventTime": "2014-11-04T00:50:30Z",
    "eventSource": "kms.amazonaws.com",
    "eventName": "GetKeyPolicy",
    "awsRegion": "us-east-1",
    "sourceIPAddress": "192.0.2.0",
    "userAgent": "AWS Internal",
    "requestParameters": {
        "keyId": "1234abcd-12ab-34cd-56ef-1234567890ab",
        "policyName": "default"
    },
    "responseElements": null,
    "requestID": "93746dd6-63bc-11e4-bc2b-4198b6150d5c",
    "eventID": "4aa7e4d5-d047-452a-a5a6-2cce282a7e82",
    "readOnly": true,
    "resources": [{
        "ARN": "arn:aws:kms:us-west-2:111122223333:key/1234abcd-12ab-34cd-56ef-1234567890ab",
        "accountId": "111122223333"
    }],
    "eventType": "AwsApiCall",
    "recipientAccountId": "111122223333"
}
```

# GetKeyRotationStatus
<a name="ct-getkeyrotationstatus"></a>

The following example shows an AWS CloudTrail log entry for the [GetKeyRotationStatus](https://docs.aws.amazon.com/kms/latest/APIReference/API_GetKeyRotationStatus.html) operation. For information about automatic and on-demand rotation of key material for a KMS key, see [Rotate AWS KMS keys](rotate-keys.md).

```
{
    "eventVersion": "1.08",
    "userIdentity": {
        "type": "IAMUser",
        "principalId": "EX_PRINCIPAL_ID",
        "arn": "arn:aws:iam::111122223333:user/Alice",
        "accountId": "111122223333",
        "accessKeyId": "EXAMPLE_KEY_ID",
        "userName": "Alice"
    },
    "eventTime": "2024-02-20T19:16:45Z",
    "eventSource": "kms.amazonaws.com",
    "eventName": "GetKeyRotationStatus",
    "awsRegion": "us-east-1",
    "sourceIPAddress": "192.0.2.0",
    "userAgent": "AWS Internal",
    "requestParameters": {
        "keyId": "1234abcd-12ab-34cd-56ef-1234567890ab"
    },
    "responseElements": null,
    "requestID": "12f9b7e8-49b9-4c1c-a7e3-34ac0cdf0467",
    "eventID": "3d082126-9e7d-4167-8372-a6cfcbed4be6",
    "readOnly": true,
    "resources": [
        {
            "accountId": "111122223333",
            "type": "AWS::KMS::Key",
            "ARN": "arn:aws:kms:us-west-2:111122223333:key/1234abcd-12ab-34cd-56ef-1234567890ab"
        }
    ],
    "eventType": "AwsApiCall",
    "managementEvent": true,
    "recipientAccountId": "111122223333",
    "eventCategory": "Management",
    "tlsDetails": {
        "tlsVersion": "TLSv1.2",
        "cipherSuite": "ECDHE-RSA-AES256-GCM-SHA384",
        "clientProvidedHostHeader": "kms.us-east-1.amazonaws.com"
    }
}
```

# GetParametersForImport
<a name="ct-getparametersforimport"></a>

The following example shows an AWS CloudTrail log entry generated when you use the [GetParametersForImport](https://docs.aws.amazon.com/kms/latest/APIReference/API_GetParametersForImport.html) operation. This operation returns the public key and import token that you use when importing key material into a KMS key. The same CloudTrail entry is recorded when you use the `GetParametersForImport` operation or use the AWS KMS console to [download the public key and import token](importing-keys-get-public-key-and-token.md).

```
{
    "eventVersion": "1.05",
    "userIdentity": {
            "type": "IAMUser",
            "principalId": "EX_PRINCIPAL_ID",
            "arn": "arn:aws:iam::111122223333:user/Alice",
            "accountId": "111122223333",
            "accessKeyId": "EXAMPLE_KEY_ID",
            "userName": "Alice"
    },
    "eventTime": "2020-07-25T23:58:23Z",
    "eventSource": "kms.amazonaws.com",
    "eventName": "GetParametersForImport",
    "awsRegion": "us-west-2",
    "sourceIPAddress": "192.0.2.0",
    "userAgent": "AWS Internal",
    "requestParameters": {
        "keyId": "1234abcd-12ab-34cd-56ef-1234567890ab",
        "wrappingAlgorithm": "RSAES_OAEP_SHA_256",
        "wrappingKeySpec": "RSA_2048"
    },
    "responseElements": null,
    "requestID": "b5786406-e3c7-43d6-8d3c-6d5ef96e2278",
    "eventID": "4023e622-0c3e-4324-bdef-7f58193bba87",
    "readOnly": true,
    "resources": [
        {
            "accountId": "111122223333",
            "type": "AWS::KMS::Key",
            "ARN": "arn:aws:kms:us-west-2:111122223333:key/1234abcd-12ab-34cd-56ef-1234567890ab"
        }
    ],
    "eventType": "AwsApiCall",
    "recipientAccountId": "111122223333"
}
```

# ImportKeyMaterial
<a name="ct-importkeymaterial"></a>

The following example shows an AWS CloudTrail log entry generated when you use the [ImportKeyMaterial](https://docs.aws.amazon.com/kms/latest/APIReference/API_ImportKeyMaterial.html) operation. The same CloudTrail entry is recorded when you use the `ImportKeyMaterial` operation or use the AWS KMS console to [import key material](importing-keys-import-key-material.md) into an AWS KMS key.

CloudTrail log entries for this operation recorded on or after December 2022 include the key ARN of the affected KMS key in the `responseElements.keyId` value, even though this operation does not return the key ARN.

```
{
    "eventVersion": "1.11",
    "userIdentity": {
            "type": "IAMUser",
            "principalId": "EX_PRINCIPAL_ID",
            "arn": "arn:aws:iam::111122223333:user/Alice",
            "accountId": "111122223333",
            "accessKeyId": "EXAMPLE_KEY_ID",
            "userName": "Alice"
    },
    "eventTime": "2025-05-21T05:42:31Z",
    "eventSource": "kms.amazonaws.com",
    "eventName": "ImportKeyMaterial",
    "awsRegion": "us-west-2",
    "sourceIPAddress": "192.0.2.0",
    "userAgent": "AWS Internal",
    "requestParameters": {
        "keyId": "1234abcd-12ab-34cd-56ef-1234567890ab",
        "validTo": "May 21, 2025, 5:47:45 AM",
        "expirationModel": "KEY_MATERIAL_EXPIRES",
        "importType": "NEW_KEY_MATERIAL",
        "keyMaterialDescription": "ExampleKeyMaterialA"
    },
    "responseElements": {
        "keyId":"arn:aws:kms:us-west-2:111122223333:key/1234abcd-12ab-34cd-56ef-1234567890ab",
        "keyMaterialId": "123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef0"
    },
    "requestID": "89e10ee7-a612-414d-95a2-a128346969fd",
    "eventID": "c7abd205-a5a2-4430-bbfa-fc10f3e2d79f",
    "readOnly": false,
    "resources": [
        {
            "accountId": "111122223333",
            "type": "AWS::KMS::Key",
            "ARN": "arn:aws:kms:us-west-2:111122223333:key/1234abcd-12ab-34cd-56ef-1234567890ab"
        }
    ],
    "eventType": "AwsApiCall",
    "managementEvent": true,
    "recipientAccountId": "111122223333",
    "eventCategory": "Management",
    "tlsDetails": {
        "tlsVersion": "TLSv1.3",
        "cipherSuite": "TLS_AES_256_GCM_SHA384",
        "clientProvidedHostHeader": "kms.us-west-2.amazonaws.com"
    }
}
```

# ListAliases
<a name="ct-listaliases"></a>

The following example shows an AWS CloudTrail log entry for the [ListAliases](https://docs.aws.amazon.com/kms/latest/APIReference/API_ListAliases.html) operation. Because this operation doesn't use any particular alias or AWS KMS key, the `resources` field is empty. For information about viewing aliases in AWS KMS, see [Find the alias name and alias ARN for a KMS key](alias-view.md).

```
{
    "eventVersion": "1.02",
    "userIdentity": {
        "type": "IAMUser",
        "principalId": "EX_PRINCIPAL_ID",
        "arn": "arn:aws:iam::111122223333:user/Alice",
        "accountId": "111122223333",
        "accessKeyId": "EXAMPLE_KEY_ID",
        "userName": "Alice"
    },
    "eventTime": "2014-11-04T00:51:45Z",
    "eventSource": "kms.amazonaws.com",
    "eventName": "ListAliases",
    "awsRegion": "us-east-1",
    "sourceIPAddress": "192.0.2.0",
    "userAgent": "AWS Internal",
    "requestParameters": {
        "limit": 5,
        "marker": "eyJiIjoiYWxpYXMvZTU0Y2MxOTMtYTMwNC00YzEwLTliZWItYTJjZjA3NjA2OTJhIiwiYSI6ImFsaWFzL2U1NGNjMTkzLWEzMDQtNGMxMC05YmViLWEyY2YwNzYwNjkyYSJ9"
    },
    "responseElements": null,
    "requestID": "bfe6c190-63bc-11e4-bc2b-4198b6150d5c",
    "eventID": "a27dda7b-76f1-4ac3-8b40-42dfba77bcd6",
    "readOnly": true,
    "resources": [],
    "eventType": "AwsApiCall",
    "recipientAccountId": "111122223333"
}
```

# ListGrants
<a name="ct-listgrants"></a>

The following example shows an AWS CloudTrail log entry for the [ListGrants](https://docs.aws.amazon.com/kms/latest/APIReference/API_ListGrants.html) operation. For information about grants in AWS KMS, see [Grants in AWS KMS](grants.md).

```
{
    "eventVersion": "1.02",
    "userIdentity": {
        "type": "IAMUser",
        "principalId": "EX_PRINCIPAL_ID",
        "arn": "arn:aws:iam::111122223333:user/Alice",
        "accountId": "111122223333",
        "accessKeyId": "EXAMPLE_KEY_ID",
        "userName": "Alice"
    },
    "eventTime": "2014-11-04T00:52:49Z",
    "eventSource": "kms.amazonaws.com",
    "eventName": "ListGrants",
    "awsRegion": "us-east-1",
    "sourceIPAddress": "192.0.2.0",
    "userAgent": "AWS Internal",
    "requestParameters": {
        "keyId": "1234abcd-12ab-34cd-56ef-1234567890ab",
        "marker": "eyJncmFudElkIjoiMWY4M2U2ZmM0YTY2NDgxYjQ2Yzc4MTdhM2Y4YmQwMDFkZDNiYmQ1MGVlYTMyY2RmOWFiNWY1Nzc1NDNjYmNmMyIsImtleUFybiI6ImFybjphd3M6dHJlbnQtc2FuZGJveDp1cy1lYXN0LTE6NTc4Nzg3Njk2NTMwOmtleS9lYTIyYTc1MS1lNzA3LTQwZDAtOTJhYy0xM2EyOGZhOWViMTEifQ\u003d\u003d",
        "limit": 10
    },
    "responseElements": null,
    "requestID": "e5c23960-63bc-11e4-bc2b-4198b6150d5c",
    "eventID": "d24380f5-1b20-4253-8e92-dd0492b3bd3d",
    "readOnly": true,
    "resources": [{
        "ARN": "arn:aws:kms:us-west-2:111122223333:key/1234abcd-12ab-34cd-56ef-1234567890ab",
        "accountId": "111122223333"
    }],
    "eventType": "AwsApiCall",
    "recipientAccountId": "111122223333"
}
```

# ListKeyRotations
<a name="ct-listkeyrotations"></a>

The following example shows an AWS CloudTrail log entry for the [ListKeyRotations](https://docs.aws.amazon.com/kms/latest/APIReference/API_ListKeyRotations.html) operation. For information about automatic and on-demand rotation of key material for a KMS key, see [Rotate AWS KMS keys](rotate-keys.md).

```
{
    "eventVersion": "1.11",
    "userIdentity": {
        "type": "IAMUser",
        "principalId": "EX_PRINCIPAL_ID",
        "arn": "arn:aws:iam::111122223333:user/Alice",
        "accountId": "111122223333",
        "accessKeyId": "EXAMPLE_KEY_ID",
        "userName": "Alice"
    },
    "eventTime": "2025-05-21T05:42:35Z",
    "eventSource": "kms.amazonaws.com",
    "eventName": "ListKeyRotations",
    "awsRegion": "us-east-1",
    "sourceIPAddress": "192.0.2.0",
    "userAgent": "AWS Internal",
    "requestParameters": {
        "keyId": "1234abcd-12ab-34cd-56ef-1234567890ab",
        "includeKeyMaterial": "ALL_KEY_MATERIAL"
    },
    "responseElements": null,
    "requestID": "99c88d32-f2db-455e-8a9a-23855258a452",
    "eventID": "8ce0e74b-b9c7-45a2-96ef-83136d38068e",
    "readOnly": true,
    "resources": [
        {
            "accountId": "111122223333",
            "type": "AWS::KMS::Key",
            "ARN": "arn:aws:kms:us-west-2:111122223333:key/1234abcd-12ab-34cd-56ef-1234567890ab"
        }
    ],
    "eventType": "AwsApiCall",
    "managementEvent": true,
    "recipientAccountId": "111122223333",
    "eventCategory": "Management",
    "tlsDetails": {
        "tlsVersion": "TLSv1.2",
        "cipherSuite": "ECDHE-RSA-AES256-GCM-SHA384",
        "clientProvidedHostHeader": "kms.us-east-1.amazonaws.com"
    }
}
```

# PutKeyPolicy
<a name="ct-put-key-policy"></a>

The following example shows an AWS CloudTrail log entry generated by calling the [PutKeyPolicy](https://docs.aws.amazon.com/kms/latest/APIReference/API_PutKeyPolicy.html) operation. For information about updating a key policy, see [Change a key policy](key-policy-modifying.md).

```
{
    "eventVersion": "1.08",
    "userIdentity": {
        "type": "IAMUser",
        "principalId": "EX_PRINCIPAL_ID",
        "arn": "arn:aws:iam::111122223333:user/Alice",
        "accountId": "111122223333",
        "accessKeyId": "EXAMPLE_KEY_ID",
        "userName": "Alice"
    },
    "eventTime": "2022-09-01T20:06:16Z",
    "eventSource": "kms.amazonaws.com",
    "eventName": "PutKeyPolicy",
    "awsRegion": "us-west-2",
    "sourceIPAddress": "192.0.2.0",
    "userAgent": "AWS Internal",
    "requestParameters": {
        "keyId": "1234abcd-12ab-34cd-56ef-1234567890ab",
        "policyName": "default",
        "policy": "{\n  \"Version\" : \"2012-10-17\",\n  \"Id\" : \"key-default-1\",\n  \"Statement\" : [ {\n    \"Sid\" : \"Enable IAM User Permissions\",\n    \"Effect\" : \"Allow\",\n    \"Principal\" : {\n      \"AWS\" : \"arn:aws:iam::111122223333:root\"\n    },\n    \"Action\" : \"kms:*\",\n    \"Resource\" : \"*\"\n  } ]\n}",
        "bypassPolicyLockoutSafetyCheck": false
    },
    "responseElements": null,
    "requestID": "7bb906fa-dc21-4350-b65c-808ff0f72f55",
    "eventID": "c217db1f-903f-4a2f-8f88-9580182d6313",
    "readOnly": false,
    "resources": [
        {
            "accountId": "111122223333",
            "type": "AWS::KMS::Key",
            "ARN": "arn:aws:kms:us-west-2:111122223333:key/1234abcd-12ab-34cd-56ef-1234567890ab"
        }
    ],
    "eventType": "AwsApiCall",
    "managementEvent": true,
    "recipientAccountId": "111122223333",
    "eventCategory": "Management"
}
```

# ReEncrypt
<a name="ct-reencrypt"></a>

The following example shows an AWS CloudTrail log entry for the [ReEncrypt](https://docs.aws.amazon.com/kms/latest/APIReference/API_ReEncrypt.html) operation. The `resources` field in this log entry specifies two AWS KMS keys, the source KMS key and the destination KMS key, in that order.

```
{
    "eventVersion": "1.11",
    "userIdentity": {
        "type": "IAMUser",
        "principalId": "EX_PRINCIPAL_ID",
        "arn": "arn:aws:iam::111122223333:user/Alice",
        "accountId": "111122223333",
        "accessKeyId": "EXAMPLE_KEY_ID",
        "userName": "Alice"
    },
    "eventTime": "2025-05-22T19:34:55Z",
    "eventSource": "kms.amazonaws.com",
    "eventName": "ReEncrypt",
    "awsRegion": "us-west-2",
    "sourceIPAddress": "192.0.2.0",
    "userAgent": "AWS Internal",
    "requestParameters": {
        "sourceEncryptionAlgorithm": "SYMMETRIC_DEFAULT",
        "sourceEncryptionContext": {
            "Project": "Alpha",
            "Department": "Engineering"
        },
        "destinationKeyId": "0987dcba-09fe-87dc-65ba-ab0987654321",
        "destinationEncryptionAlgorithm": "SYMMETRIC_DEFAULT",
        "destinationEncryptionContext": {
            "Level": "3A"
        }
    },
    "responseElements": null,
    "additionalEventData": {
        "destinationKeyMaterialId": "96083e4fb6dbc41d77578a213a6b6669c044dd4c143e96755396d2bf11fd6068",
        "sourceKeyMaterialId": "123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef0"
    },
    "requestID": "03769fd4-acf9-4b33-adf3-2ab8ca73aadf",
    "eventID": "542d9e04-0e8d-4e05-bf4b-4bdeb032e6ec",
    "readOnly": true,
    "resources": [
        {
            "accountId": "111122223333",
            "type": "AWS::KMS::Key",
            "ARN": "arn:aws:kms:us-west-2:111122223333:key/1234abcd-12ab-34cd-56ef-1234567890ab"
        },
        {
            "accountId": "111122223333",
            "type": "AWS::KMS::Key",
            "ARN": "arn:aws:kms:us-west-2:111122223333:key/0987dcba-09fe-87dc-65ba-ab0987654321"
        }
    ],
    "eventType": "AwsApiCall",
    "managementEvent": true,
    "recipientAccountId": "111122223333",
    "eventCategory": "Management",
    "tlsDetails": {
        "tlsVersion": "TLSv1.3",
        "cipherSuite": "TLS_AES_256_GCM_SHA384",
        "clientProvidedHostHeader": "kms.us-west-2.amazonaws.com"
    }
}
```

# ReplicateKey
<a name="ct-replicate-key"></a>

The following example shows an AWS CloudTrail log entry generated by calling the [ReplicateKey](https://docs.aws.amazon.com/kms/latest/APIReference/API_ReplicateKey.html) operation. A `ReplicateKey` request results in a `ReplicateKey` operation and a [CreateKey](https://docs.aws.amazon.com/kms/latest/APIReference/API_CreateKey.html) operation.

For information about replicating multi-Region keys, see [Create multi-Region replica keys](multi-region-keys-replicate.md).

```
{
    "eventVersion": "1.08",
    "userIdentity": {
        "type": "IAMUser",
        "principalId": "EX_PRINCIPAL_ID",
        "arn": "arn:aws:iam::111122223333:user/Alice",
        "accountId": "111122223333",
        "accessKeyId": "EXAMPLE_KEY_ID",
        "userName": "Alice"
    },
    "eventTime": "2020-11-18T01:29:18Z",
    "eventSource": "kms.amazonaws.com",
    "eventName": "ReplicateKey",
    "awsRegion": "us-east-1",
    "sourceIPAddress": "192.0.2.0",
    "userAgent": "AWS Internal",
    "requestParameters": {
        "keyId": "1234abcd-12ab-34cd-56ef-1234567890ab",
        "replicaRegion": "us-west-2",
        "bypassPolicyLockoutSafetyCheck": false,
        "description": ""
    },
    "responseElements": {
        "replicaKeyMetadata": {
            "aWSAccountId": "111122223333",
            "keyId": "1234abcd-12ab-34cd-56ef-1234567890ab",
            "arn": "arn:aws:kms:us-west-2:111122223333:key/1234abcd-12ab-34cd-56ef-1234567890ab",
            "creationDate": "Nov 18, 2020, 1:29:18 AM",
            "enabled": false,
            "description": "",
            "keyUsage": "ENCRYPT_DECRYPT",
            "keyState": "Creating",
            "origin": "AWS_KMS",
            "keyManager": "CUSTOMER",
            "keySpec": "SYMMETRIC_DEFAULT",
            "customerMasterKeySpec": "SYMMETRIC_DEFAULT",
            "encryptionAlgorithms": [
                "SYMMETRIC_DEFAULT"
            ],
            "multiRegion": true,
            "multiRegionConfiguration": {
                "multiRegionKeyType": "REPLICA",
                "primaryKey": {
                    "arn": "arn:aws:kms:us-east-1:111122223333:key/1234abcd-12ab-34cd-56ef-1234567890ab",
                    "region": "us-east-1"
                },
                "replicaKeys": [
                    {
                        "arn": "arn:aws:kms:us-west-2:111122223333:key/1234abcd-12ab-34cd-56ef-1234567890ab",
                        "region": "us-west-2"
                    }
                ]
            }
        },
        "replicaPolicy": "{\n  \"Version\":\"2012-10-17\",\n  \"Statement\":[{\n    \"Effect\":\"Allow\",\n    \"Principal\":{\"AWS\":\"arn:aws:iam::123456789012:user/Alice\"},\n    \"Action\":\"kms:*\",\n    \"Resource\":\"*\"\n  }, {\n    \"Effect\":\"Allow\",\n    \"Principal\":{\"AWS\":\"arn:aws:iam::012345678901:user/Bob\"},\n    \"Action\":\"kms:CreateGrant\",\n    \"Resource\":\"*\"\n  }, {\n    \"Effect\":\"Allow\",\n    \"Principal\":{\"AWS\":\"arn:aws:iam::012345678901:user/Charlie\"},\n    \"Action\":\"kms:Encrypt\",\n    \"Resource\":\"*\"\n}]\n}",
    },
    "requestID": "abcdef68-63bc-11e4-bc2b-4198b6150d5c",
    "eventID": "fedcba44-6773-4f96-8763-1993aec9ae6a",
    "readOnly": false,
    "resources": [
        {
            "accountId": "111122223333",
            "type": "AWS::KMS::Key",
            "ARN": "arn:aws:kms:us-east-1:111122223333:key/1234abcd-12ab-34cd-56ef-1234567890ab"
        }
    ],
    "eventType": "AwsApiCall",
    "managementEvent": true,
    "recipientAccountId": "111122223333",
    "eventCategory": "Management"
}
```

# RetireGrant
<a name="ct-retire-grant"></a>

The following example shows an AWS CloudTrail log entry generated by calling the [RetireGrant](https://docs.aws.amazon.com/kms/latest/APIReference/API_RetireGrant.html) operation. For information about retiring grants, see [Retiring and revoking grants](grant-delete.md).

```
{
    "eventVersion": "1.08",
    "userIdentity": {
        "type": "IAMUser",
        "principalId": "EX_PRINCIPAL_ID",
        "arn": "arn:aws:iam::111122223333:user/Alice",
        "accountId": "111122223333",
        "accessKeyId": "EXAMPLE_KEY_ID",
        "userName": "Alice"
    },
    "eventTime": "2022-09-01T19:39:33Z",
    "eventSource": "kms.amazonaws.com",
    "eventName": "RetireGrant",
    "awsRegion": "us-west-2",
    "sourceIPAddress": "192.0.2.0",
    "userAgent": "AWS Internal",
    "requestParameters": null,
    "responseElements": null,
    "additionalEventData": {
        "grantId": "abcde1237f76e4ba7987489ac329fbfba6ad343d6f7075dbd1ef191f0120514a"
    },
    "requestID": "1d274d57-5697-462c-a004-f25fcc29fa26",
    "eventID": "0771bcfb-3e24-4332-9ac8-e1c06563eecf",
    "readOnly": false,
    "resources": [
        {
            "accountId": "111122223333",
            "type": "AWS::KMS::Key",
            "ARN": "arn:aws:kms:us-west-2:111122223333:key/1234abcd-12ab-34cd-56ef-1234567890ab"
        }
    ],
    "eventType": "AwsApiCall",
    "managementEvent": true,
    "recipientAccountId": "111122223333",
    "eventCategory": "Management"
}
```

# RevokeGrant
<a name="ct-revoke-grant"></a>

The following example shows an AWS CloudTrail log entry generated by calling the [RevokeGrant](https://docs.aws.amazon.com/kms/latest/APIReference/API_RevokeGrant.html) operation. For information about revoking grants, see [Retiring and revoking grants](grant-delete.md).

```
{
    "eventVersion": "1.08",
    "userIdentity": {
        "type": "IAMUser",
        "principalId": "EX_PRINCIPAL_ID",
        "arn": "arn:aws:iam::111122223333:user/Alice",
        "accountId": "111122223333",
        "accessKeyId": "EXAMPLE_KEY_ID",
        "userName": "Alice"
    },
    "eventTime": "2022-09-01T19:35:17Z",
    "eventSource": "kms.amazonaws.com",
    "eventName": "RevokeGrant",
    "awsRegion": "us-west-2",
    "sourceIPAddress": "192.0.2.0",
    "userAgent": "AWS Internal",
    "requestParameters": {
        "keyId": "1234abcd-12ab-34cd-56ef-1234567890ab",
        "grantId": "abcde1237f76e4ba7987489ac329fbfba6ad343d6f7075dbd1ef191f0120514a"
    },
    "responseElements": null,
    "requestID": "59d94c03-c5b7-428d-ae6e-f2c4b47d2917",
    "eventID": "07a23a39-6526-4ae2-b31e-d35fbe9e24ee",
    "readOnly": false,
    "resources": [
        {
            "accountId": "111122223333",
            "type": "AWS::KMS::Key",
            "ARN": "arn:aws:kms:us-west-2:111122223333:key/1234abcd-12ab-34cd-56ef-1234567890ab"
        }
    ],
    "eventType": "AwsApiCall",
    "managementEvent": true,
    "recipientAccountId": "111122223333",
    "eventCategory": "Management"
}
```

# RotateKey
<a name="ct-rotatekey"></a>

These examples show the AWS CloudTrail log entries for the operations that rotate AWS KMS keys. For information about rotating KMS keys, see [Rotate AWS KMS keys](rotate-keys.md).

The following example shows a CloudTrail log entry for the operation that rotates a symmetric encryption KMS key on which automatic key rotation is enabled. For information about enabling automatic rotation, see [Rotate AWS KMS keys](rotate-keys.md).

For an example of the CloudTrail log entry that records the `EnableKeyRotation` operation, see [EnableKeyRotation](ct-enablekeyrotation.md). 

```
{
    "eventVersion": "1.11",
    "userIdentity": {
        "accountId": "111122223333",
        "invokedBy": "AWS Internal"
    },
    "eventTime": "2025-05-20T20:44:37Z",
    "eventSource": "kms.amazonaws.com",
    "eventName": "RotateKey",
    "awsRegion": "us-west-2",
    "sourceIPAddress": "AWS Internal",
    "userAgent": "AWS Internal",
    "requestParameters": null,
    "responseElements": null,
    "eventID": "a24b3967-ddad-417f-9b22-2332b918db06",
    "readOnly": false,
    "resources": [
        {
            "accountId": "111122223333",
            "type": "AWS::KMS::Key",
            "ARN": "arn:aws:kms:us-west-2:111122223333:key/1234abcd-12ab-34cd-56ef-1234567890ab"
        }
    ],
    "eventType": "AwsServiceEvent",
    "managementEvent": true,
    "recipientAccountId": "111122223333",
    "serviceEventDetails": {
        "rotationType": "AUTOMATIC",
        "keyOrigin": "AWS_KMS",
        "previousKeyMaterialId": "123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef0",
        "currentKeyMaterialId": "96083e4fb6dbc41d77578a213a6b6669c044dd4c143e96755396d2bf11fd6068",
        "keyId": "1234abcd-12ab-34cd-56ef-1234567890ab"
    },
    "eventCategory": "Management"
}
```

The following example shows a CloudTrail log entry for an on-demand rotation initiated by the [RotateKeyOnDemand](https://docs.aws.amazon.com/kms/latest/APIReference/API_RotateKeyOnDemand.html) operation. For information about rotating symmetric encryption KMS keys on demand, see [Perform on-demand key rotation](rotating-keys-on-demand.md).

For an example of the CloudTrail log entry that records the `RotateKeyOnDemand` operation, see [RotateKeyOnDemand](ct-rotatekeyondemand.md). 

```
{
    "eventVersion": "1.11",
    "userIdentity": {
        "accountId": "111122223333",
        "invokedBy": "AWS Internal"
    },
    "eventTime": "2025-05-20T20:44:37Z",
    "eventSource": "kms.amazonaws.com",
    "eventName": "RotateKey",
    "awsRegion": "us-west-2",
    "sourceIPAddress": "AWS Internal",
    "userAgent": "AWS Internal",
    "requestParameters": null,
    "responseElements": null,
    "eventID": "a24b3967-ddad-417f-9b22-2332b918db06",
    "readOnly": false,
    "resources": [
        {
            "accountId": "111122223333",
            "type": "AWS::KMS::Key",
            "ARN": "arn:aws:kms:us-west-2:111122223333:key/1234abcd-12ab-34cd-56ef-1234567890ab"
        }
    ],
    "eventType": "AwsServiceEvent",
    "managementEvent": true,
    "recipientAccountId": "111122223333",
    "serviceEventDetails": {
        "rotationType": "ON_DEMAND",
        "keyOrigin": "EXTERNAL",
        "previousKeyMaterialId": "123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef0",
        "currentKeyMaterialId": "96083e4fb6dbc41d77578a213a6b6669c044dd4c143e96755396d2bf11fd6068",
        "keyId": "1234abcd-12ab-34cd-56ef-1234567890ab"
    },
    "eventCategory": "Management"
}
```

# RotateKeyOnDemand
<a name="ct-rotatekeyondemand"></a>

The following example shows an AWS CloudTrail log entry for the [RotateKeyOnDemand](https://docs.aws.amazon.com/kms/latest/APIReference/API_RotateKeyOnDemand.html) operation. For an example of the CloudTrail log entry that is written when the key is rotated, see [RotateKey](ct-rotatekey.md). For more information about on-demand rotation of key material for a KMS key, see [Perform on-demand key rotation](rotating-keys-on-demand.md).

```
{
    "eventVersion": "1.08",
    "userIdentity": {
        "type": "IAMUser",
        "principalId": "EX_PRINCIPAL_ID",
        "arn": "arn:aws:iam::111122223333:user/Alice",
        "accountId": "111122223333",
        "accessKeyId": "EXAMPLE_KEY_ID",
        "userName": "Alice"
    },
    "eventTime": "2024-02-20T17:41:57Z",
    "eventSource": "kms.amazonaws.com",
    "eventName": "RotateKeyOnDemand",
    "awsRegion": "us-east-1",
    "sourceIPAddress": "192.0.2.0",
    "userAgent": "AWS Internal",
    "requestParameters": {
        "keyId": "1234abcd-12ab-34cd-56ef-1234567890ab"
    },
    "responseElements": {
        "keyId": "1234abcd-12ab-34cd-56ef-1234567890ab"
    },
    "requestID": "9e1dee86-eb84-42fd-8f25-e3fc7dbb32c8",
    "eventID": "00a09fbc-20d6-4a58-9b92-7da85984ab77",
    "readOnly": false,
    "resources": [
        {
            "accountId": "111122223333",
            "type": "AWS::KMS::Key",
            "ARN": "arn:aws:kms:us-west-2:111122223333:key/1234abcd-12ab-34cd-56ef-1234567890ab"
        }
    ],
    "eventType": "AwsApiCall",
    "managementEvent": true,
    "recipientAccountId": "111122223333",
    "eventCategory": "Management",
    "tlsDetails": {
        "tlsVersion": "TLSv1.2",
        "cipherSuite": "ECDHE-RSA-AES256-GCM-SHA384",
        "clientProvidedHostHeader": "kms.us-east-1.amazonaws.com"
    }
}
```

# ScheduleKeyDeletion
<a name="ct-schedule-key-deletion"></a>

These examples show AWS CloudTrail log entries for the [ScheduleKeyDeletion](https://docs.aws.amazon.com/kms/latest/APIReference/API_ScheduleKeyDeletion.html) operation. 

For an example of the CloudTrail log entry that is written when the key is deleted, see [DeleteKey](ct-delete-key.md). For information about deleting AWS KMS keys, see [Delete an AWS KMS key](deleting-keys.md).

The following example records a `ScheduleKeyDeletion` request for a single-Region KMS key.

```
{
    "eventVersion": "1.08",
    "userIdentity": {
        "type": "IAMUser",
        "principalId": "EX_PRINCIPAL_ID",
        "arn": "arn:aws:iam::111122223333:user/Alice",
        "accountId": "111122223333",
        "accessKeyId": "EXAMPLE_KEY_ID",
        "userName": "Alice"
    },
    "eventTime": "2021-03-23T18:58:30Z",
    "eventSource": "kms.amazonaws.com",
    "eventName": "ScheduleKeyDeletion",
    "awsRegion": "us-east-1",
    "sourceIPAddress": "192.0.2.0",
    "userAgent": "AWS Internal",
    "requestParameters": {
        "pendingWindowInDays": 20,
        "keyId": "1234abcd-12ab-34cd-56ef-1234567890ab"
    },
    "responseElements": {
        "keyId": "arn:aws:kms:us-west-2:111122223333:key/1234abcd-12ab-34cd-56ef-1234567890ab",
        "keyState": "PendingDeletion",
        "deletionDate": "Apr 12, 2021 18:58:30 PM"
    },
    "requestID": "ee408f36-ea01-422b-ac14-b0f147c68334",
    "eventID": "3c4226b0-1e81-48a8-a333-7fa5f3cbd118",
    "readOnly": false,
    "resources": [
        {
            "accountId": "111122223333",
            "type": "AWS::KMS::Key",
            "ARN": "arn:aws:kms:us-west-2:111122223333:key/1234abcd-12ab-34cd-56ef-1234567890ab"
        }
    ],
    "eventType": "AwsApiCall",
    "recipientAccountId": "111122223333"
}
```

The following example records a `ScheduleKeyDeletion` request for a multi-Region KMS key with replica keys. 

Because AWS KMS won't delete a multi-Region key until all of its replica keys are deleted, in the `responseElements` field, the `keyState` is `PendingReplicaDeletion` and the `deletionDate` field is omitted.

```
{
    "eventVersion": "1.08",
    "userIdentity": {
        "type": "IAMUser",
        "principalId": "EX_PRINCIPAL_ID",
        "arn": "arn:aws:iam::111122223333:user/Alice",
        "accountId": "111122223333",
        "accessKeyId": "EXAMPLE_KEY_ID",
        "userName": "Alice"
    },
    "eventTime": "2021-10-28T17:59:05Z",
    "eventSource": "kms.amazonaws.com",
    "eventName": "ScheduleKeyDeletion",
    "awsRegion": "us-west-2",
    "sourceIPAddress": "192.0.2.0",
    "userAgent": "AWS Internal",
    "requestParameters": {
        "pendingWindowInDays": 30,
        "keyId": "mrk-1234abcd12ab34cd56ef1234567890ab"
    },
    "responseElements": {
        "keyId": "arn:aws:kms:us-west-2:111122223333:key/mrk-1234abcd12ab34cd56ef1234567890ab",
        "keyState": "PendingReplicaDeletion",
        "pendingWindowInDays": 30
    },
    "requestID": "12341411-d846-42a6-a476-b1cbe3011f89",
    "eventID": "abcda5f-396d-494c-9380-0c47860df5f1",
    "readOnly": false,
    "resources": [
        {
            "accountId": "111122223333",
            "type": "AWS::KMS::Key",
            "ARN": "arn:aws:kms:us-west-2:111122223333:key/mrk-1234abcd12ab34cd56ef1234567890ab"
        }
    ],
    "eventType": "AwsApiCall",
    "managementEvent": true,
    "recipientAccountId": "111122223333",
    "eventCategory": "Management"
}
```

The following example records a `ScheduleKeyDeletion` request for a KMS key in an AWS CloudHSM [custom key store](key-store-overview.md#custom-key-store-overview).

```
{
    "eventVersion": "1.08",
    "userIdentity": {
        "type": "IAMUser",
        "principalId": "EX_PRINCIPAL_ID",
        "arn": "arn:aws:iam::111122223333:user/Alice",
        "accountId": "111122223333",
        "accessKeyId": "EXAMPLE_KEY_ID",
        "userName": "Alice"
    },
    "eventTime": "2021-10-26T23:25:25Z",
    "eventSource": "kms.amazonaws.com",
    "eventName": "ScheduleKeyDeletion",
    "awsRegion": "us-west-2",
    "sourceIPAddress": "192.0.2.0",
    "userAgent": "AWS Internal",
    "requestParameters": {
        "keyId": "arn:aws:kms:us-west-2:111122223333:key/0987dcba-09fe-87dc-65ba-ab0987654321",
        "pendingWindowInDays": 30
    },
    "responseElements": {
        "keyId": "arn:aws:kms:us-west-2:111122223333:key/0987dcba-09fe-87dc-65ba-ab0987654321",
        "deletionDate": "Nov 2, 2021, 11:25:25 PM",
        "keyState": "PendingDeletion",
        "pendingWindowInDays": 30
    },
    "additionalEventData": {
        "customKeyStoreId": "cks-1234567890abcdef0",
        "clusterId": "cluster-1a23b4cdefg",
        "backingKeys": "[{\"backingKeyId\":\"backing-key-id\"}]"
    },
    "requestID": "abcd9f60-2c9c-4a0b-a456-d5d998f7f321",
    "eventID": "ca01996a-01b0-4edd-bbbb-25d7b6d1a6fa",
    "readOnly": false,
    "resources": [
        {
            "accountId": "111122223333",
            "type": "AWS::KMS::Key",
            "ARN": "arn:aws:kms:us-west-2:111122223333:key/0987dcba-09fe-87dc-65ba-ab0987654321"
        }
    ],
    "eventType": "AwsApiCall",
    "managementEvent": true,
    "recipientAccountId": "111122223333",
    "eventCategory": "Management"
}
```
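A triage pass over records like these, as an added example that is not part of the AWS documentation: it reads the fields the PutKeyPolicy, ReEncrypt and ScheduleKeyDeletion entries above carry (`bypassPolicyLockoutSafetyCheck` and the logged policy document, the source-then-destination order of `resources`, `keyState` and `deletionDate`) and ranks the control-plane events the monitoring overview recommends watching. The sample records are constructed, abbreviated copies of this page's entries, and the severity levels are the example's own assumption.

```python
"""Triage of AWS KMS control-plane events in CloudTrail records.
Added example, not part of the AWS documentation: the sample records are constructed,
abbreviated copies of entries on this page, and the severity ranking is this example's
own assumption rather than an AWS recommendation."""
import json

# Operations that change a KMS key's availability (the monitoring overview's list).
AVAILABILITY_EVENTS = {"ScheduleKeyDeletion", "CancelKeyDeletion", "DisableKey",
                       "EnableKey", "ImportKeyMaterial", "DeleteImportedKeyMaterial"}

def key_arns(record):
    """Key ARNs from `resources` in CloudTrail's order (ReEncrypt: source, then destination)."""
    return [r["ARN"] for r in record.get("resources") or []
            if r.get("type") == "AWS::KMS::Key" and ":key/" in r.get("ARN", "")]

def wildcard_principals(policy_json):
    """Principals an Allow statement grants kms:* (the policy is logged as a JSON string)."""
    found = []
    for stmt in json.loads(policy_json).get("Statement", []):
        actions = stmt.get("Action", [])
        actions = [actions] if isinstance(actions, str) else actions
        if stmt.get("Effect") == "Allow" and "kms:*" in actions:
            principal = stmt.get("Principal", {})
            aws = principal.get("AWS", []) if isinstance(principal, dict) else principal
            found.extend([aws] if isinstance(aws, str) else aws)
    return found

def triage(record):
    """Return a finding (severity info/medium/high) for a KMS record, or None if not KMS."""
    if record.get("eventSource") != "kms.amazonaws.com":
        return None
    name = record.get("eventName")
    identity = record.get("userIdentity") or {}
    params = record.get("requestParameters") or {}
    resp = record.get("responseElements") or {}
    finding = {"event": name, "time": record.get("eventTime"),
               "actor": identity.get("arn") or identity.get("invokedBy"),
               "keys": key_arns(record), "severity": "info", "notes": []}
    notes = finding["notes"]
    if name == "ScheduleKeyDeletion":
        finding["severity"] = "high"
        notes.append(f"pending window: {params.get('pendingWindowInDays')} days")
        if resp.get("keyState") == "PendingReplicaDeletion":
            notes.append("multi-Region key: deletion waits for replicas, no deletionDate")
        elif "deletionDate" in resp:
            notes.append(f"deletion date: {resp['deletionDate']}")
    elif name == "PutKeyPolicy":
        finding["severity"] = "high"
        if params.get("bypassPolicyLockoutSafetyCheck"):
            notes.append("policy lockout safety check bypassed")
        notes.extend(f"kms:* granted to {p}" for p in wildcard_principals(params.get("policy", "{}")))
    elif name in {"RevokeGrant", "RetireGrant"}:  # RetireGrant logs grantId in additionalEventData
        finding["severity"] = "medium"
        extra = record.get("additionalEventData") or {}
        notes.append(f"grant: {params.get('grantId') or extra.get('grantId')}")
    elif name == "ReEncrypt" and len(finding["keys"]) >= 2:
        src, dst = finding["keys"][0], finding["keys"][-1]
        if src != dst:  # ciphertext moved to a different KMS key
            finding["severity"] = "medium"
            notes.append(f"re-encrypted from {src.rsplit('/', 1)[1]} to {dst.rsplit('/', 1)[1]}")
    elif name in AVAILABILITY_EVENTS:
        finding["severity"] = "high"
    return finding

def findings(records, min_severity="medium"):
    """Findings at or above min_severity, highest severity first (stable for ties)."""
    rank = {"info": 0, "medium": 1, "high": 2}
    hits = [f for f in map(triage, records) if f and rank[f["severity"]] >= rank[min_severity]]
    return sorted(hits, key=lambda f: -rank[f["severity"]])

# Constructed sample records (abbreviated; IDs are the documentation's placeholders).
ACCT = "111122223333"
KEY_A = f"arn:aws:kms:us-west-2:{ACCT}:key/1234abcd-12ab-34cd-56ef-1234567890ab"
KEY_B = f"arn:aws:kms:us-west-2:{ACCT}:key/0987dcba-09fe-87dc-65ba-ab0987654321"
KEY_MRK = f"arn:aws:kms:us-west-2:{ACCT}:key/mrk-1234abcd12ab34cd56ef1234567890ab"
ALICE = {"type": "IAMUser", "arn": f"arn:aws:iam::{ACCT}:user/Alice"}
POLICY = json.dumps({"Version": "2012-10-17", "Statement": [{
    "Sid": "Enable IAM User Permissions", "Effect": "Allow", "Action": "kms:*",
    "Principal": {"AWS": f"arn:aws:iam::{ACCT}:root"}, "Resource": "*"}]})

def _res(*arns):
    return [{"accountId": ACCT, "type": "AWS::KMS::Key", "ARN": a} for a in arns]

SAMPLE_RECORDS = [
    {"eventSource": "kms.amazonaws.com", "eventName": "PutKeyPolicy", "userIdentity": ALICE,
     "eventTime": "2022-09-01T20:06:16Z", "responseElements": None, "resources": _res(KEY_A),
     "requestParameters": {"keyId": "1234abcd-12ab-34cd-56ef-1234567890ab", "policyName": "default",
                           "policy": POLICY, "bypassPolicyLockoutSafetyCheck": False}},
    {"eventSource": "kms.amazonaws.com", "eventName": "ReEncrypt", "userIdentity": ALICE,
     "eventTime": "2025-05-22T19:34:55Z", "responseElements": None, "resources": _res(KEY_A, KEY_B),
     "requestParameters": {"destinationKeyId": "0987dcba-09fe-87dc-65ba-ab0987654321"}},
    {"eventSource": "kms.amazonaws.com", "eventName": "ScheduleKeyDeletion", "userIdentity": ALICE,
     "eventTime": "2021-10-28T17:59:05Z", "resources": _res(KEY_MRK),
     "requestParameters": {"pendingWindowInDays": 30, "keyId": "mrk-1234abcd12ab34cd56ef1234567890ab"},
     "responseElements": {"keyId": KEY_MRK, "keyState": "PendingReplicaDeletion", "pendingWindowInDays": 30}},
    {"eventSource": "kms.amazonaws.com", "eventName": "Sign", "userIdentity": ALICE, "resources": _res(KEY_B),
     "eventTime": "2022-03-07T22:36:44Z", "responseElements": None, "requestParameters": {"messageType": "RAW"}},
]
```

`findings(SAMPLE_RECORDS)` returns the PutKeyPolicy and multi-Region ScheduleKeyDeletion records first, then the cross-key ReEncrypt; the Sign entry stays at info level and is filtered out.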

# Sign
<a name="ct-sign"></a>

These examples show AWS CloudTrail log entries for the [Sign](https://docs.aws.amazon.com/kms/latest/APIReference/API_Sign.html) operation.

The following example shows a CloudTrail log entry for a [Sign](https://docs.aws.amazon.com/kms/latest/APIReference/API_Sign.html) operation that uses an asymmetric RSA KMS key to generate a digital signature for a file.

```
{
    "eventVersion": "1.08",
    "userIdentity": {
        "type": "IAMUser",
        "principalId": "EX_PRINCIPAL_ID",
        "arn": "arn:aws:iam::111122223333:user/Alice",
        "accountId": "111122223333",
        "accessKeyId": "EXAMPLE_KEY_ID",
        "userName": "Alice"
    },
    "eventTime": "2022-03-07T22:36:44Z",
    "eventSource": "kms.amazonaws.com",
    "eventName": "Sign",
    "awsRegion": "us-west-2",
    "sourceIPAddress": "192.0.2.0",
    "userAgent": "AWS Internal",
    "requestParameters": {
        "messageType": "RAW",
        "keyId": "0987dcba-09fe-87dc-65ba-ab0987654321",
        "signingAlgorithm": "RSASSA_PKCS1_V1_5_SHA_256"
    },
    "responseElements": null,
    "requestID": "8d0b35e0-46cf-48b9-be99-bf2ebc9ab9fb",
    "eventID": "107b3cac-b125-4556-9702-12a2b9afcff7",
    "readOnly": true,
    "resources": [
        {
            "accountId": "111122223333",
            "type": "AWS::KMS::Key",
            "ARN": "arn:aws:kms:us-west-2:111122223333:key/0987dcba-09fe-87dc-65ba-ab0987654321"
        }
    ],
    "eventType": "AwsApiCall",
    "managementEvent": true,
    "recipientAccountId": "111122223333",
    "eventCategory": "Management"
}
```

# SynchronizeMultiRegionKey
<a name="ct-synchronize-multi-region-key"></a>

The following example shows an AWS CloudTrail log entry generated when AWS KMS synchronizes a [multi-Region key](multi-region-keys-overview.md). Synchronizing involves cross-Region calls to copy the [shared properties](multi-region-keys-overview.md#mrk-sync-properties) of a multi-Region primary key to its replica keys. AWS KMS synchronizes multi-Region keys periodically to ensure that all related multi-Region keys have the same key material.

The `resources` element of the CloudTrail log entry includes the key ARN of the multi-Region primary key, including its AWS Region. The related multi-Region replica keys and their Regions are not listed in this log entry.

CloudTrail log entries for this operation recorded on or after December 2022 include the key ARN of the affected KMS key in the `responseElements.keyId` value, even though this operation does not return the key ARN.

```
{
    "eventVersion": "1.08",
    "userIdentity": {
        "accountId": "111122223333",
        "invokedBy": "AWS Internal"
    },
    "eventTime": "2020-11-18T02:04:37Z",
    "eventSource": "kms.amazonaws.com",
    "eventName": "SynchronizeMultiRegionKey",
    "awsRegion": "us-west-2",
    "sourceIPAddress": "AWS Internal",
    "userAgent": "AWS Internal",
    "requestParameters": null,
    "responseElements": {
        "keyId":"arn:aws:kms:us-west-2:111122223333:key/1234abcd-12ab-34cd-56ef-1234567890ab"
    },
    "requestID": "12345681-de97-42e9-bed0-b02ae1abd8dc",
    "eventID": "abcdec99-2b5c-4670-9521-ddb8f031e146",
    "readOnly": false,
    "resources": [
        {
            "accountId": "111122223333",
            "type": "AWS::KMS::Key",
            "ARN": "arn:aws:kms:us-west-2:111122223333:key/1234abcd-12ab-34cd-56ef-1234567890ab"
        }
    ],
    "eventType": "AwsApiCall",
    "managementEvent": true,
    "recipientAccountId": "111122223333",
    "eventCategory": "Management"
}
```

# TagResource
<a name="ct-tagresource"></a>

The following example shows an AWS CloudTrail log entry of a call to the [TagResource](https://docs.aws.amazon.com/kms/latest/APIReference/API_TagResource.html) operation to add a tag with a tag key of `Department` and a tag value of `IT`.

For an example of an `UntagResource` CloudTrail log entry, see [UntagResource](ct-untagresource.md). For information about tagging AWS KMS keys, see [Tags in AWS KMS](tagging-keys.md).

```
{
    "eventVersion": "1.05",
    "userIdentity": {
        "type": "IAMUser",
        "principalId": "EX_PRINCIPAL_ID",
        "arn": "arn:aws:iam::111122223333:user/Alice",
        "accountId": "111122223333",
        "accessKeyId": "EXAMPLE_KEY_ID",
        "userName": "Alice"
    },
    "eventTime": "2020-07-01T21:19:25Z",
    "eventSource": "kms.amazonaws.com",
    "eventName": "TagResource",
    "awsRegion": "us-west-2",
    "sourceIPAddress": "192.0.2.0",
    "userAgent": "AWS Internal",
    "requestParameters": {
        "keyId": "arn:aws:kms:us-west-2:111122223333:key/1234abcd-12ab-34cd-56ef-1234567890ab",
        "tags": [
            {
                "tagKey": "Department",
                "tagValue": "IT"
            }
        ]
    },
    "responseElements": null,
    "requestID": "b942584a-f77d-4787-9feb-b9c5be6e746d",
    "eventID": "0a091b9b-0df5-4cf9-b667-6f2879532b8f",
    "readOnly": false,
    "resources": [
        {
            "accountId": "111122223333",
            "type": "AWS::KMS::Key",
            "ARN": "arn:aws:kms:us-west-2:111122223333:key/1234abcd-12ab-34cd-56ef-1234567890ab"
        }
    ],
    "eventType": "AwsApiCall",
    "recipientAccountId": "111122223333"
}
```

# UntagResource
<a name="ct-untagresource"></a>

The following example shows an AWS CloudTrail log entry of a call to the [UntagResource](https://docs.aws.amazon.com/kms/latest/APIReference/API_UntagResource.html) operation to delete a tag with a tag key of `Dept`.

CloudTrail log entries for this operation recorded on or after December 2022 include the key ARN of the affected KMS key in the `responseElements.keyId` value, even though this operation does not return the key ARN.

For an example of a `TagResource` CloudTrail log entry, see [TagResource](ct-tagresource.md). For information about tagging AWS KMS keys, see [Tags in AWS KMS](tagging-keys.md).

```
{
    "eventVersion": "1.05",
    "userIdentity": {
        "type": "IAMUser",
        "principalId": "EX_PRINCIPAL_ID",
        "arn": "arn:aws:iam::111122223333:user/Alice",
        "accountId": "111122223333",
        "accessKeyId": "EXAMPLE_KEY_ID",
        "userName": "Alice"
    },
    "eventTime": "2020-07-01T21:19:19Z",
    "eventSource": "kms.amazonaws.com",
    "eventName": "UntagResource",
    "awsRegion": "us-west-2",
    "sourceIPAddress": "192.0.2.0",
    "userAgent": "AWS Internal",
    "requestParameters": {
        "keyId": "arn:aws:kms:us-west-2:111122223333:key/1234abcd-12ab-34cd-56ef-1234567890ab",
        "tagKeys": [
            "Dept"
        ]
    },
    "responseElements": {
        "keyId":"arn:aws:kms:us-west-2:111122223333:key/1234abcd-12ab-34cd-56ef-1234567890ab"
    },
    "requestID": "cb1d507b-6015-47f4-812b-179713af8068",
    "eventID": "0b00f4b0-036e-411d-aa75-87eb4a35a4b3",
    "readOnly": false,
    "resources": [
        {
            "accountId": "111122223333",
            "type": "AWS::KMS::Key",
            "ARN": "arn:aws:kms:us-west-2:111122223333:key/1234abcd-12ab-34cd-56ef-1234567890ab"
        }
    ],
    "eventType": "AwsApiCall",
    "recipientAccountId": "111122223333"
}
```

# UpdateAlias
<a name="ct-updatealias"></a>

The following example shows an AWS CloudTrail log entry for the [UpdateAlias](https://docs.aws.amazon.com/kms/latest/APIReference/API_UpdateAlias.html) operation. The `resources` element includes fields for the alias and KMS key resources. For information about creating aliases in AWS KMS, see [Create aliases](alias-create.md).

CloudTrail log entries for this operation recorded on or after December 2022 include the key ARN of the affected KMS key in the `responseElements.keyId` value, even though this operation does not return the key ARN.

```
{
    "eventVersion": "1.05",
    "userIdentity": {
        "type": "IAMUser",
        "principalId": "EX_PRINCIPAL_ID",
        "arn": "arn:aws:iam::111122223333:user/Alice",
        "accountId": "111122223333",
        "accessKeyId": "EXAMPLE_KEY_ID",
        "userName": "Alice"
    },
    "eventTime": "2020-11-13T23:18:15Z",
    "eventSource": "kms.amazonaws.com",
    "eventName": "UpdateAlias",
    "awsRegion": "us-west-2",
    "sourceIPAddress": "192.0.2.0",
    "userAgent": "AWS Internal",
    "requestParameters": {
        "aliasName": "alias/my_alias",
        "targetKeyId": "1234abcd-12ab-34cd-56ef-1234567890ab"
    },
    "responseElements": {
        "keyId":"arn:aws:kms:us-west-2:111122223333:key/1234abcd-12ab-34cd-56ef-1234567890ab"
    },
    "requestID": "d9472f40-63bc-11e4-bc2b-4198b6150d5c",
    "eventID": "f72d3993-864f-48d6-8f16-e26e1ae8dff0",
    "readOnly": false,
    "resources": [
        {
            "accountId": "111122223333",
            "type": "AWS::KMS::Key",
            "ARN": "arn:aws:kms:us-west-2:111122223333:alias/my_alias"
        },
        {
            "accountId": "111122223333",
            "type": "AWS::KMS::Key",
            "ARN": "arn:aws:kms:us-west-2:111122223333:key/1234abcd-12ab-34cd-56ef-1234567890ab"
        }
    ],
    "eventType": "AwsApiCall",
    "recipientAccountId": "111122223333"
}
```

# UpdateCustomKeyStore
<a name="ct-update-keystore"></a>

The following example shows an AWS CloudTrail log entry generated by calling the [UpdateCustomKeyStore](https://docs.aws.amazon.com/kms/latest/APIReference/API_UpdateCustomKeyStore.html) operation to update the cluster ID for a custom key store. For information about editing custom key stores, see [Edit AWS CloudHSM key store settings](update-keystore.md).

```
{
    "eventVersion": "1.08",
    "userIdentity": {
        "type": "IAMUser",
        "principalId": "EX_PRINCIPAL_ID",
        "arn": "arn:aws:iam::111122223333:user/Alice",
        "accountId": "111122223333",
        "accessKeyId": "EXAMPLE_KEY_ID",
        "userName": "Alice"
    },
    "eventTime": "2021-10-21T20:17:32Z",
    "eventSource": "kms.amazonaws.com",
    "eventName": "UpdateCustomKeyStore",
    "awsRegion": "us-east-1",
    "sourceIPAddress": "192.0.2.0",
    "userAgent": "AWS Internal",
    "requestParameters": {
        "customKeyStoreId": "cks-1234567890abcdef0",
        "clusterId": "cluster-1a23b4cdefg"
    },
    "responseElements": null,
    "additionalEventData": {
        "customKeyStoreName": "ExampleKeyStore",
        "clusterId": "cluster-1a23b4cdefg"
    },
    "requestID": "abcde9e1-f1a3-4460-a423-577fb6e695c9",
    "eventID": "114b61b9-0ea6-47f5-a9d2-4f2bdd0017d5",
    "readOnly": false,
    "eventType": "AwsApiCall",
    "managementEvent": true,
    "recipientAccountId": "111122223333"
}
```

# UpdateKeyDescription
<a name="ct-update-key-description"></a>

The following example shows an AWS CloudTrail log entry generated by calling the [UpdateKeyDescription](https://docs.aws.amazon.com/kms/latest/APIReference/API_UpdateKeyDescription.html) operation.

```
{
    "eventVersion": "1.08",
    "userIdentity": {
        "type": "IAMUser",
        "principalId": "EX_PRINCIPAL_ID",
        "arn": "arn:aws:iam::111122223333:user/Alice",
        "accountId": "111122223333",
        "accessKeyId": "EXAMPLE_KEY_ID",
        "userName": "Alice"
    },
    "eventTime": "2022-09-01T19:22:40Z",
    "eventSource": "kms.amazonaws.com",
    "eventName": "UpdateKeyDescription",
    "awsRegion": "us-west-2",
    "sourceIPAddress": "192.0.2.0",
    "userAgent": "AWS Internal",
    "requestParameters": {
        "keyId": "1234abcd-12ab-34cd-56ef-1234567890ab",
        "description": "New key description"
    },
    "responseElements": null,
    "requestID": "8c3c1f8b-336d-4896-b034-4eb9916bc9b3",
    "eventID": "f5f3d548-2e9e-4658-8427-9dcb5b1ea791",
    "readOnly": false,
    "resources": [
        {
            "accountId": "111122223333",
            "type": "AWS::KMS::Key",
            "ARN": "arn:aws:kms:us-west-2:111122223333:key/1234abcd-12ab-34cd-56ef-1234567890ab"
        }
    ],
    "eventType": "AwsApiCall",
    "managementEvent": true,
    "recipientAccountId": "111122223333",
    "eventCategory": "Management"
}
```

# UpdatePrimaryRegion
<a name="ct-update-primary-region"></a>

The following example shows the AWS CloudTrail log entries that are generated by calling the [UpdatePrimaryRegion](https://docs.aws.amazon.com/kms/latest/APIReference/API_UpdatePrimaryRegion.html) operation on a [multi-Region key](multi-region-keys-overview.md).

The `UpdatePrimaryRegion` operation writes two CloudTrail log entries: one in the Region with the multi-Region primary key that is converted to a replica key, and one in the Region with a multi-Region replica key that is converted to a primary key.

CloudTrail log entries for this operation recorded on or after December 2022 include the key ARN of the affected KMS key in the `responseElements.keyId` value, even though this operation does not return the key ARN.

The following example shows a CloudTrail log entry for `UpdatePrimaryRegion` in the Region where the multi-Region key changed from a primary key to a replica key (us-west-2). The `primaryRegion` field shows the Region that now hosts the primary key (ap-northeast-1).

```
{
    "eventVersion": "1.08",
    "userIdentity": {
        "type": "IAMUser",
        "principalId": "EX_PRINCIPAL_ID",
        "arn": "arn:aws:iam::111122223333:user/Alice",
        "accountId": "111122223333",
        "accessKeyId": "EXAMPLE_KEY_ID",
        "userName": "Alice"
    },
    "eventTime": "2021-03-10T20:23:37Z",
    "eventSource": "kms.amazonaws.com",
    "eventName": "UpdatePrimaryRegion",
    "awsRegion": "us-west-2",
    "sourceIPAddress": "192.0.2.0",
    "userAgent": "AWS Internal",
    "requestParameters": {
        "keyId": "mrk-1234abcd12ab34cd56ef1234567890ab",
        "primaryRegion": "ap-northeast-1"
    },
    "responseElements": {
        "keyId": "arn:aws:kms:us-west-2:111122223333:key/mrk-1234abcd12ab34cd56ef1234567890ab"
    },
    "requestID": "ee408f36-ea01-422b-ac14-b0f147c68334",
    "eventID": "3c4226b0-1e81-48a8-a333-7fa5f3cbd118",
    "readOnly": false,
    "resources": [
        {
            "accountId": "111122223333",
            "type": "AWS::KMS::Key",
            "ARN": "arn:aws:kms:us-west-2:111122223333:key/mrk-1234abcd12ab34cd56ef1234567890ab"
        }
    ],
    "eventType": "AwsApiCall",
    "managementEvent": true,
    "eventCategory": "Management",
    "recipientAccountId": "111122223333"
}
```

The following example represents the CloudTrail log entry for `UpdatePrimaryRegion` in the Region where the multi-Region key changed from a replica key to a primary key (ap-northeast-1). This log entry doesn't identify the previous primary Region.

```
{
    "eventVersion": "1.08",
    "userIdentity": {
        "type": "IAMUser",
        "principalId": "EX_PRINCIPAL_ID",
        "arn": "arn:aws:iam::111122223333:user/Alice",
        "accountId": "111122223333",
        "accessKeyId": "EXAMPLE_KEY_ID",
        "userName": "Alice",
        "invokedBy": "kms.amazonaws.com"
    },
    "eventTime": "2021-03-10T20:23:37Z",
    "eventSource": "kms.amazonaws.com",
    "eventName": "UpdatePrimaryRegion",
    "awsRegion": "ap-northeast-1",
    "sourceIPAddress": "192.0.2.0",
    "userAgent": "AWS Internal",
    "requestParameters": {
        "keyId": "arn:aws:kms:ap-northeast-1:111122223333:key/mrk-1234abcd12ab34cd56ef1234567890ab",
        "primaryRegion": "ap-northeast-1"
    },
    "responseElements": {
        "keyId": "arn:aws:kms:ap-northeast-1:111122223333:key/mrk-1234abcd12ab34cd56ef1234567890ab"
    },
    "requestID": "ee408f36-ea01-422b-ac14-b0f147c68334",
    "eventID": "091e6be5-737f-43c6-8431-e3679d6d0619",
    "readOnly": false,    
    "eventType": "AwsApiCall",
    "managementEvent": true,
    "eventCategory": "Management",
    "recipientAccountId": "111122223333"
}
```
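The two entries above share the same `requestID` (`ee408f36-ea01-422b-ac14-b0f147c68334`), and only the entry written in the old primary Region records that Region in `awsRegion`; the entry in the new primary Region is service-invoked (`invokedBy` is `kms.amazonaws.com`) and does not name it. The following added example, which is not part of the AWS documentation, joins the two entries on `requestID` to reconstruct each primary-Region move as key, old Region, new Region and caller. The records are a constructed, trimmed copy of the two entries above; a trail that only covers one Region will contain only the new-Region entry, in which case the old Region is reported as `None`.

```python
import json
from collections import defaultdict

# Constructed: the two UpdatePrimaryRegion entries above, trimmed to the fields used here.
SAMPLE_RECORDS = json.dumps([
    {"eventSource": "kms.amazonaws.com", "eventName": "UpdatePrimaryRegion",
     "eventTime": "2021-03-10T20:23:37Z", "awsRegion": "us-west-2",
     "requestID": "ee408f36-ea01-422b-ac14-b0f147c68334",
     "userIdentity": {"type": "IAMUser", "arn": "arn:aws:iam::111122223333:user/Alice"},
     "requestParameters": {"keyId": "mrk-1234abcd12ab34cd56ef1234567890ab",
                           "primaryRegion": "ap-northeast-1"}},
    {"eventSource": "kms.amazonaws.com", "eventName": "UpdatePrimaryRegion",
     "eventTime": "2021-03-10T20:23:37Z", "awsRegion": "ap-northeast-1",
     "requestID": "ee408f36-ea01-422b-ac14-b0f147c68334",
     "userIdentity": {"type": "IAMUser", "arn": "arn:aws:iam::111122223333:user/Alice",
                      "invokedBy": "kms.amazonaws.com"},
     "requestParameters": {"keyId": "arn:aws:kms:ap-northeast-1:111122223333:key/"
                                    "mrk-1234abcd12ab34cd56ef1234567890ab",
                           "primaryRegion": "ap-northeast-1"}},
])


def bare_key_id(value):
    """Reduce a key ID or key ARN to the bare key ID (mrk-... for multi-Region keys)."""
    return value.rsplit("/", 1)[-1]


def primary_region_moves(records_json):
    """Pair UpdatePrimaryRegion entries by requestID and report each move.

    The entry written in the new primary Region is service-invoked (invokedBy =
    kms.amazonaws.com) and does not name the old Region, so the old Region is read
    from the awsRegion of the other entry in the pair. If only the new-Region entry
    was collected, "from" is None.
    """
    groups = defaultdict(list)
    for rec in json.loads(records_json):
        if rec.get("eventSource") == "kms.amazonaws.com" \
                and rec.get("eventName") == "UpdatePrimaryRegion":
            groups[rec["requestID"]].append(rec)

    moves = []
    for request_id, entries in groups.items():
        new_region = entries[0]["requestParameters"]["primaryRegion"]
        old = [e["awsRegion"] for e in entries if e["awsRegion"] != new_region]
        # The caller's own entry is the one CloudTrail did not mark as service-invoked.
        caller = next((e["userIdentity"]["arn"] for e in entries
                       if "invokedBy" not in e["userIdentity"]), None)
        moves.append({
            "requestID": request_id,
            "keyId": bare_key_id(entries[0]["requestParameters"]["keyId"]),
            "from": old[0] if old else None,
            "to": new_region,
            "caller": caller,
            "eventTime": entries[0]["eventTime"],
        })
    return moves


if __name__ == "__main__":
    for move in primary_region_moves(SAMPLE_RECORDS):
        print(f'{move["eventTime"]} {move["keyId"]}: '
              f'{move["from"]} -> {move["to"]} by {move["caller"]}')
```

Because `UpdatePrimaryRegion` changes which Region can replicate and ultimately delete the multi-Region key, a move to a Region your organization does not use is worth alerting on; the `from`/`to` pair produced here is the value to compare against your allowed Regions.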

# VerifyMac
<a name="ct-verifymac"></a>

The following example shows an AWS CloudTrail log entry for the [VerifyMac](https://docs.aws.amazon.com/kms/latest/APIReference/API_VerifyMac.html) operation.

```
{
    "eventVersion": "1.08",
    "userIdentity": {
        "type": "IAMUser",
        "principalId": "EX_PRINCIPAL_ID",
        "arn": "arn:aws:iam::111122223333:user/Alice",
        "accountId": "111122223333",
        "accessKeyId": "EXAMPLE_KEY_ID",
        "userName": "Alice"
     },
    "eventTime": "2022-03-31T19:25:54Z",
    "eventSource": "kms.amazonaws.com",
    "eventName": "VerifyMac",
    "awsRegion": "us-west-2",
    "sourceIPAddress": "192.0.2.0",
    "userAgent": "AWS Internal",
    "requestParameters": {
        "macAlgorithm": "HMAC_SHA_384",
        "keyId": "arn:aws:kms:us-west-2:111122223333:key/1234abcd-12ab-34cd-56ef-1234567890ab"
    },
    "responseElements": null,
    "requestID": "f35da560-edff-4d6e-9b40-fb306fa9ef1e",
    "eventID": "6b464487-6dea-44cd-84ad-225d7450c975",
    "readOnly": true,
    "resources": [
        {
           "accountId": "111122223333",
            "ARN": "arn:aws:kms:us-west-2:111122223333:key/1234abcd-12ab-34cd-56ef-1234567890ab"
        }
    ],
    "eventType": "AwsApiCall",
    "recipientAccountId": "111122223333",
    "eventCategory": "Management"
}
```

# Verify
<a name="ct-verify"></a>

The following example shows a CloudTrail log entry for a [Verify](https://docs.aws.amazon.com/kms/latest/APIReference/API_Verify.html) operation that uses an asymmetric RSA KMS key to verify a digital signature. Like `VerifyMac`, this operation is recorded with `readOnly` set to `true`.

```
{
    "eventVersion": "1.08",
    "userIdentity": {
        "type": "IAMUser",
        "principalId": "EX_PRINCIPAL_ID",
        "arn": "arn:aws:iam::111122223333:user/Alice",
        "accountId": "111122223333",
        "accessKeyId": "EXAMPLE_KEY_ID",
        "userName": "Alice"
    },
    "eventTime": "2022-03-07T22:50:41Z",
    "eventSource": "kms.amazonaws.com",
    "eventName": "Verify",
    "awsRegion": "us-west-2",
    "sourceIPAddress": "192.0.2.0",
    "userAgent": "AWS Internal",
    "requestParameters": {
        "signingAlgorithm": "RSASSA_PKCS1_V1_5_SHA_256",
        "keyId": "0987dcba-09fe-87dc-65ba-ab0987654321",
        "messageType": "RAW"
    },
    "responseElements": null,
    "requestID": "c73ab82a-af82-4750-ae2c-b6bb790e9c28",
    "eventID": "3b4331cd-5b7b-4de5-bf5f-82ec22f0dac0",
    "readOnly": true,
    "resources": [
        {
            "accountId": "111122223333",
            "type": "AWS::KMS::Key",
            "ARN": "arn:aws:kms:us-west-2:111122223333:key/0987dcba-09fe-87dc-65ba-ab0987654321"
        }
    ],
    "eventType": "AwsApiCall",
    "managementEvent": true,
    "recipientAccountId": "111122223333",
    "eventCategory": "Management"
}
```

# Amazon EC2 example one
<a name="ct-ec2one"></a>

The following example shows a CloudTrail log entry in which user Alice creates an encrypted volume with the default volume key (the AWS managed key `aws/ebs`) in the Amazon EC2 management console. The EC2 record includes a `volumeId` field with a value of `"vol-13439757"`. The AWS KMS record contains an `encryptionContext` field with the value `"aws:ebs:id": "vol-13439757"`. Similarly, the `principalId` and `accountId` values in the two records match. Together, the records show that creating an encrypted volume generates a data key (`GenerateDataKeyWithoutPlaintext`) that is used to encrypt the volume contents.

```
{
  "Records": [
     {
      "eventVersion": "1.02",
      "userIdentity": {
            "type": "IAMUser",
            "principalId": "EX_PRINCIPAL_ID",
            "arn": "arn:aws:iam::111122223333:user/Alice",
            "accountId": "111122223333",
            "accessKeyId": "EXAMPLE_KEY_ID",
            "userName": "Alice"
        },
      "eventTime": "2014-11-05T20:50:18Z",
      "eventSource": "ec2.amazonaws.com",
      "eventName": "CreateVolume",
      "awsRegion": "us-east-1",
      "sourceIPAddress": "192.0.2.0",
      "userAgent": "AWS Internal",
      "requestParameters": {
        "size": "10",
        "zone": "us-east-1a",
        "volumeType": "gp2",
        "encrypted": true
      },
      "responseElements": {
        "volumeId": "vol-13439757",
        "size": "10",
        "zone": "us-east-1a",
        "status": "creating",
        "createTime": 1415220618876,
        "volumeType": "gp2",
        "iops": 30,
        "encrypted": true
      },
      "requestID": "1565210e-73d0-4912-854c-b15ed349e526",
      "eventID": "a3447186-135f-4b00-8424-bc41f1a93b4f",
      "eventType": "AwsApiCall",
      "recipientAccountId": "111122223333"
    },
    {
      "eventVersion": "1.02",
      "userIdentity": {
        "type": "IAMUser",
        "principalId": "EX_PRINCIPAL_ID",
        "arn": "arn:aws:iam::111122223333:user/Alice",
        "accountId": "111122223333",
        "accessKeyId": "EXAMPLE_KEY_ID",
        "userName": "Alice"
      },
      "eventTime": "2014-11-05T20:50:19Z",
      "eventSource": "kms.amazonaws.com",
      "eventName": "GenerateDataKeyWithoutPlaintext",
      "awsRegion": "us-east-1",
      "sourceIPAddress": "192.0.2.0",
      "userAgent": "AWS Internal",
      "requestParameters": {
        "encryptionContext": {
          "aws:ebs:id": "vol-13439757"
        },
        "numberOfBytes": 64,
        "keyId": "alias/aws/ebs"
      },
      "responseElements": null,
      "requestID": "create-123456789012-758241111-1415220618",
      "eventID": "4bd2a696-d833-48cc-b72c-05e61b608399",
      "readOnly": true,
      "resources": [
        {
          "ARN": "arn:aws:kms:us-east-1:111122223333:key/1234abcd-12ab-34cd-56ef-1234567890ab",
          "accountId": "111122223333"
        }
      ],
      "eventType": "AwsApiCall",
      "recipientAccountId": "111122223333"
    }
  ]
}
```

# Amazon EC2 example two
<a name="ct-ec2two"></a>

In the following example, an IAM principal running an Amazon EC2 instance creates and mounts a data volume that is encrypted under a KMS key. This action generates multiple CloudTrail log records. For more information on Amazon EBS and encryption, see [Requirements for Amazon EBS encryption](https://docs.aws.amazon.com/ebs/latest/userguide/ebs-encryption-requirements.html#ebs-encryption-instance-permissions).

When the volume is created, Amazon EC2, acting on behalf of the customer, gets an encrypted data key from AWS KMS (`GenerateDataKeyWithoutPlaintext`). Then it creates a grant (`CreateGrant`) that allows it to decrypt the data key. When the volume is mounted, Amazon EC2 calls AWS KMS to decrypt the data key (`Decrypt`).

The `instanceId` of the Amazon EC2 instance, `"i-81e2f56c"`, appears in the `RunInstances` event. The same instance ID qualifies the `granteePrincipal` of the grant that is created (`"111122223333:aws:ec2-infrastructure:i-81e2f56c"`) and the assumed role that is the principal in the `Decrypt` call (`"arn:aws:sts::111122223333:assumed-role/aws:ec2-infrastructure/i-81e2f56c"`). 

The [key ARN](concepts.md#key-id-key-ARN) of the KMS key that protects the data volume, `arn:aws:kms:us-west-2:111122223333:key/1234abcd-12ab-34cd-56ef-1234567890ab`, appears in all three AWS KMS calls (`CreateGrant`, `GenerateDataKeyWithoutPlaintext`, and `Decrypt`).

```
{
  "Records": [
    {
      "eventVersion": "1.02",
      "userIdentity": {
            "type": "IAMUser",
            "principalId": "EX_PRINCIPAL_ID",
            "arn": "arn:aws:iam::111122223333:user/Alice",
            "accountId": "111122223333",
            "accessKeyId": "EXAMPLE_KEY_ID",
            "userName": "Alice"
      },
      "eventTime": "2014-11-05T21:35:27Z",
      "eventSource": "ec2.amazonaws.com",
      "eventName": "RunInstances",
      "awsRegion": "us-west-2",
      "sourceIPAddress": "192.0.2.0",
      "userAgent": "AWS Internal",
      "requestParameters": {
        "instancesSet": {
          "items": [
            {
              "imageId": "ami-b66ed3de",
              "minCount": 1,
              "maxCount": 1
            }
          ]
        },
        "groupSet": {
          "items": [
            {
              "groupId": "sg-98b6e0f2"
            }
          ]
        },
        "instanceType": "m3.medium",
        "blockDeviceMapping": {
          "items": [
            {
              "deviceName": "/dev/xvda",
              "ebs": {
                "volumeSize": 8,
                "deleteOnTermination": true,
                "volumeType": "gp2"
              }
            },
            {
              "deviceName": "/dev/sdb",
              "ebs": {
                "volumeSize": 8,
                "deleteOnTermination": false,
                "volumeType": "gp2",
                "encrypted": true
              }
            }
          ]
        },
        "monitoring": {
          "enabled": false
        },
        "disableApiTermination": false,
        "instanceInitiatedShutdownBehavior": "stop",
        "clientToken": "XdKUT141516171819",
        "ebsOptimized": false
      },
      "responseElements": {
        "reservationId": "r-5ebc9f74",
        "ownerId": "111122223333",
        "groupSet": {
          "items": [
            {
              "groupId": "sg-98b6e0f2",
              "groupName": "launch-wizard-2"
            }
          ]
        },
        "instancesSet": {
          "items": [
            {
              "instanceId": "i-81e2f56c",
              "imageId": "ami-b66ed3de",
              "instanceState": {
                "code": 0,
                "name": "pending"
              },
              "amiLaunchIndex": 0,
              "productCodes": {
                
              },
              "instanceType": "m3.medium",
              "launchTime": 1415223328000,
              "placement": {
                "availabilityZone": "us-west-2a",
                "tenancy": "default"
              },
              "monitoring": {
                "state": "disabled"
              },
              "stateReason": {
                "code": "pending",
                "message": "pending"
              },
              "architecture": "x86_64",
              "rootDeviceType": "ebs",
              "rootDeviceName": "/dev/xvda",
              "blockDeviceMapping": {
                
              },
              "virtualizationType": "hvm",
              "hypervisor": "xen",
              "clientToken": "XdKUT1415223327917",
              "groupSet": {
                "items": [
                  {
                    "groupId": "sg-98b6e0f2",
                    "groupName": "launch-wizard-2"
                  }
                ]
              },
              "networkInterfaceSet": {
                
              },
              "ebsOptimized": false
            }
          ]
        }
      },
      "requestID": "41c4b4f7-8bce-4773-bf0e-5ae3bb5cbce2",
      "eventID": "cd75a605-2fee-4fda-b847-9c3d330ebaae",
      "eventType": "AwsApiCall",
      "recipientAccountId": "111122223333"
    },
    {
      "eventVersion": "1.02",
      "userIdentity": {
            "type": "IAMUser",
            "principalId": "EX_PRINCIPAL_ID",
            "arn": "arn:aws:iam::111122223333:user/Alice",
            "accountId": "111122223333",
            "accessKeyId": "EXAMPLE_KEY_ID",
            "userName": "Alice"
      },
      "eventTime": "2014-11-05T21:35:35Z",
      "eventSource": "kms.amazonaws.com",
      "eventName": "CreateGrant",
      "awsRegion": "us-west-2",
      "sourceIPAddress": "192.0.2.0",
      "userAgent": "AWS Internal",
      "requestParameters": {
        "constraints": {
          "encryptionContextSubset": {
            "aws:ebs:id": "vol-f67bafb2"
          }
        },
        "granteePrincipal": "111122223333:aws:ec2-infrastructure:i-81e2f56c",
        "keyId": "arn:aws:kms:us-west-2:111122223333:key/1234abcd-12ab-34cd-56ef-1234567890ab"
      },
      "responseElements": {
        "grantId": "abcde1237f76e4ba7987489ac329fbfba6ad343d6f7075dbd1ef191f0120514a"
      },
      "requestID": "41c4b4f7-8bce-4773-bf0e-5ae3bb5cbce2",
      "eventID": "c1ad79e3-0d3f-402a-b119-d5c31d7c6a6c",
      "readOnly": false,
      "resources": [
        {
          "ARN": "arn:aws:kms:us-west-2:111122223333:key/1234abcd-12ab-34cd-56ef-1234567890ab",
          "accountId": "111122223333"
        }
      ],
      "eventType": "AwsApiCall",
      "recipientAccountId": "111122223333"
    },
    {
      "eventVersion": "1.02",
      "userIdentity": {
          "type": "IAMUser",
          "principalId": "EX_PRINCIPAL_ID",
          "arn": "arn:aws:iam::111122223333:user/Alice",
          "accountId": "111122223333",
          "accessKeyId": "EXAMPLE_KEY_ID",
          "userName": "Alice"
      },
      "eventTime": "2014-11-05T21:35:32Z",
      "eventSource": "kms.amazonaws.com",
      "eventName": "GenerateDataKeyWithoutPlaintext",
      "awsRegion": "us-west-2",
      "sourceIPAddress": "192.0.2.0",
      "userAgent": "AWS Internal",
      "requestParameters": {
        "encryptionContext": {
          "aws:ebs:id": "vol-f67bafb2"
        },
        "numberOfBytes": 64,
        "keyId": "alias/aws/ebs"
      },
      "responseElements": null,
      "requestID": "create-111122223333-758247346-1415223332",
      "eventID": "ac3cab10-ce93-4953-9d62-0b6e5cba651d",
      "readOnly": true,
      "resources": [
        {
          "ARN": "arn:aws:kms:us-west-2:111122223333:key/1234abcd-12ab-34cd-56ef-1234567890ab",
          "accountId": "111122223333"
        }
      ],
      "eventType": "AwsApiCall",
      "recipientAccountId": "111122223333"
    },
    {
      "eventVersion": "1.02",
      "userIdentity": {
        "type": "AssumedRole",
        "principalId": "111122223333:aws:ec2-infrastructure:i-81e2f56c",
        "arn": "arn:aws:sts::111122223333:assumed-role/aws:ec2-infrastructure/i-81e2f56c",
        "accountId": "111122223333",
        "accessKeyId": "",
        "sessionContext": {
          "attributes": {
            "mfaAuthenticated": "false",
            "creationDate": "2014-11-05T21:35:38Z"
          },
          "sessionIssuer": {
            "type": "Role",
            "principalId": "111122223333:aws:ec2-infrastructure",
            "arn": "arn:aws:iam::111122223333:role/aws:ec2-infrastructure",
            "accountId": "111122223333",
            "userName": "aws:ec2-infrastructure"
          }
        }
      },
      "eventTime": "2014-11-05T21:35:47Z",
      "eventSource": "kms.amazonaws.com",
      "eventName": "Decrypt",
      "awsRegion": "us-west-2",
      "sourceIPAddress": "192.0.2.0",
      "requestParameters": {
        "encryptionContext": {
          "aws:ebs:id": "vol-f67bafb2"
        }
      },
      "responseElements": null,
      "requestID": "b4b27883-6533-11e4-b4d9-751f1761e9e5",
      "eventID": "edb65380-0a3e-4123-bbc8-3d1b7cff49b0",
      "readOnly": true,
      "resources": [
        {
          "ARN": "arn:aws:kms:us-west-2:111122223333:key/1234abcd-12ab-34cd-56ef-1234567890ab",
          "accountId": "111122223333"
        }
      ],
      "eventType": "AwsApiCall",
      "recipientAccountId": "111122223333"
    }
  ]
}
```
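The correlation described above (instance ID in `RunInstances`, in the grant's `granteePrincipal` and in the `Decrypt` caller's assumed-role ARN; volume ID in every KMS `encryptionContext`) can be automated. The following added example, which is not AWS code, runs that join over a constructed, trimmed copy of the records above plus one invented `Decrypt` record (instance `i-0feedbeef`, volume `vol-0000ffff`) for which no `CreateGrant` appears, to show how a `Decrypt` by the `aws:ec2-infrastructure` role with no matching grant in the same trail is surfaced.

```python
import json
import re
from collections import defaultdict

KEY_ARN = "arn:aws:kms:us-west-2:111122223333:key/1234abcd-12ab-34cd-56ef-1234567890ab"
ALICE = "arn:aws:iam::111122223333:user/Alice"
INSTANCE_RE = re.compile(r"\bi-[0-9a-f]{8,17}\b")

# Constructed: the fields that matter from the "Amazon EC2 example two" records,
# plus one invented Decrypt (i-0feedbeef / vol-0000ffff) that has no CreateGrant.
SAMPLE_TRAIL = json.dumps({"Records": [
    {"eventSource": "ec2.amazonaws.com", "eventName": "RunInstances",
     "userIdentity": {"type": "IAMUser", "arn": ALICE},
     "responseElements": {"instancesSet": {"items": [{"instanceId": "i-81e2f56c"}]}}},
    {"eventSource": "kms.amazonaws.com", "eventName": "CreateGrant",
     "userIdentity": {"type": "IAMUser", "arn": ALICE},
     "requestParameters": {
         "constraints": {"encryptionContextSubset": {"aws:ebs:id": "vol-f67bafb2"}},
         "granteePrincipal": "111122223333:aws:ec2-infrastructure:i-81e2f56c",
         "keyId": KEY_ARN},
     "responseElements": {"grantId": "abcde1237f76e4ba7987489ac329fbfba6ad343d6f7075dbd1ef191f0120514a"},
     "resources": [{"ARN": KEY_ARN}]},
    {"eventSource": "kms.amazonaws.com", "eventName": "GenerateDataKeyWithoutPlaintext",
     "userIdentity": {"type": "IAMUser", "arn": ALICE},
     "requestParameters": {"encryptionContext": {"aws:ebs:id": "vol-f67bafb2"},
                           "numberOfBytes": 64, "keyId": "alias/aws/ebs"},
     "resources": [{"ARN": KEY_ARN}]},
    {"eventSource": "kms.amazonaws.com", "eventName": "Decrypt",
     "userIdentity": {"type": "AssumedRole",
                      "arn": "arn:aws:sts::111122223333:assumed-role/aws:ec2-infrastructure/i-81e2f56c"},
     "requestParameters": {"encryptionContext": {"aws:ebs:id": "vol-f67bafb2"}},
     "resources": [{"ARN": KEY_ARN}]},
    {"eventSource": "kms.amazonaws.com", "eventName": "Decrypt",
     "userIdentity": {"type": "AssumedRole",
                      "arn": "arn:aws:sts::111122223333:assumed-role/aws:ec2-infrastructure/i-0feedbeef"},
     "requestParameters": {"encryptionContext": {"aws:ebs:id": "vol-0000ffff"}},
     "resources": [{"ARN": KEY_ARN}]},
]})


def volume_of(record):
    """EBS volume ID from the KMS encryption context (or a grant's context subset)."""
    params = record.get("requestParameters") or {}
    ctx = params.get("encryptionContext") \
        or (params.get("constraints") or {}).get("encryptionContextSubset") or {}
    return ctx.get("aws:ebs:id")


def instance_of(record):
    """EC2 instance ID embedded in the calling principal or the grantee principal."""
    haystack = " ".join([
        (record.get("userIdentity") or {}).get("arn", ""),
        (record.get("requestParameters") or {}).get("granteePrincipal", ""),
    ])
    m = INSTANCE_RE.search(haystack)
    return m.group(0) if m else None


def correlate(trail_json):
    """Join EC2 RunInstances, KMS CreateGrant and KMS Decrypt records on instance/volume IDs.

    Returns (by_instance, orphan_decrypts). orphan_decrypts lists Decrypt calls made by
    the aws:ec2-infrastructure role for a volume that has no CreateGrant in this trail.
    """
    by_instance = defaultdict(lambda: {"launched_by": None, "volumes": set(),
                                       "grants": [], "decrypts": 0})
    granted_volumes, decrypts = set(), []
    for rec in json.loads(trail_json)["Records"]:
        src, name = rec.get("eventSource"), rec.get("eventName")
        if src == "ec2.amazonaws.com" and name == "RunInstances":
            for item in rec["responseElements"]["instancesSet"]["items"]:
                by_instance[item["instanceId"]]["launched_by"] = rec["userIdentity"]["arn"]
            continue
        if src != "kms.amazonaws.com":
            continue
        inst, vol = instance_of(rec), volume_of(rec)
        if name == "CreateGrant" and inst and vol:
            by_instance[inst]["grants"].append(rec["responseElements"]["grantId"])
            by_instance[inst]["volumes"].add(vol)
            granted_volumes.add(vol)
        elif name == "Decrypt" and inst and vol \
                and "ec2-infrastructure" in rec["userIdentity"].get("arn", ""):
            by_instance[inst]["decrypts"] += 1
            by_instance[inst]["volumes"].add(vol)
            decrypts.append((inst, vol))
    orphans = [(i, v) for i, v in decrypts if v not in granted_volumes]
    return dict(by_instance), orphans


if __name__ == "__main__":
    summary, orphans = correlate(SAMPLE_TRAIL)
    for inst, info in summary.items():
        print(inst, info)
    print("Decrypt with no CreateGrant in this trail:", orphans)
```

A `Decrypt` without a grant in the window you analyzed usually means the grant was created earlier (grants persist until retired or revoked), so treat the orphan list as a prompt to look up the grant with `ListGrants`, not as proof of misuse.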

# Monitor KMS keys with Amazon CloudWatch
<a name="monitoring-cloudwatch"></a>

You can monitor your AWS KMS keys using [Amazon CloudWatch](https://docs.aws.amazon.com/AmazonCloudWatch/latest/monitoring/), an AWS service that collects and processes raw data from AWS KMS into readable, near real-time metrics. CloudWatch retains these metrics for 15 months (at progressively coarser resolution as data points age), so you can compare current usage against historical data and understand how the use of your KMS keys changes over time.

You can use Amazon CloudWatch to alert you to important events, such as the following ones.
+ The imported key material in a KMS key is nearing its expiration date.
+ A KMS key that is pending deletion is still being used. 
+ The key material in a KMS key was automatically rotated.
+ A KMS key was deleted.

You can also create an [Amazon CloudWatch](https://docs.aws.amazon.com/AmazonCloudWatch/latest/DeveloperGuide/) alarm that alerts you when your request rate reaches a certain percentage of a quota value. For details, see [Manage your AWS KMS API request rates using Service Quotas and Amazon CloudWatch](https://aws.amazon.com/blogs/security/manage-your-aws-kms-api-request-rates-using-service-quotas-and-amazon-cloudwatch/) in the *AWS Security Blog*.

## AWS KMS metrics and dimensions
<a name="kms-metrics"></a>

AWS KMS predefines Amazon CloudWatch metrics to make it easier for you to monitor critical data and create alarms.

This section lists each AWS KMS metric and its dimensions, and provides some basic guidance for creating CloudWatch alarms based on these metrics and dimensions.

**Note**  
**Dimension group name**:   
To view a metric in the Amazon CloudWatch console, in the **Metrics** section, select the dimension group name. Then you can filter by the **Metric name**. This topic includes the metric name and dimension group name for each AWS KMS metric.

You can view AWS KMS metrics using the AWS Management Console and the Amazon CloudWatch API. For more information, see [View available metrics](https://docs.aws.amazon.com/AmazonCloudWatch/latest/monitoring/viewing_metrics_with_cloudwatch.html) in the *Amazon CloudWatch User Guide*. 

**Topics**
+ [SuccessfulRequest](#key-level-api-usage-metric)
+ [SecondsUntilKeyMaterialExpiration](#key-material-expiration-metric)
+ [CloudHSMKeyStoreThrottle](#metric-throttling-cloudhsm)
+ [ExternalKeyStoreThrottle](#metric-throttling)
+ [XksProxyCertificateDaysToExpire](#metric-xks-proxy-certificate-days-to-expire)
+ [XksProxyCredentialAge](#metric-xks-proxy-credential-age)
+ [XksProxyErrors](#metric-xks-proxy-errors)
+ [XksExternalKeyManagerStates](#metric-xks-ekm-states)
+ [XksProxyLatency](#metric-xks-proxy-latency)

### SuccessfulRequest
<a name="key-level-api-usage-metric"></a>

The number of successful requests for cryptographic operations on a specific KMS key. By using the `SuccessfulRequest` metric, you can apply key-level filtering to AWS KMS API usage in CloudWatch. The `Sum` statistic for this metric defines the total number of successful requests during the period.

Use this metric to identify which KMS keys consume the largest portion of your request quota or contribute the most to API charges. You can also create a CloudWatch alarm based on the `SuccessfulRequest` metric to notify you of anomalous AWS KMS API usage patterns. Such alerts can help identify inefficient workflows that might unintentionally exceed your request quotas or incur unexpected charges.

**Dimensions for `SuccessfulRequest`**


| Dimension | Description | 
| --- | --- | 
| KeyArn | Value for each KMS key. | 
| Operation | Value for each AWS KMS API operation. This metric applies only to cryptographic operations. | 

For [ReEncrypt](https://docs.aws.amazon.com/kms/latest/APIReference/API_ReEncrypt.html) operations, the `SuccessfulRequest` metric includes dimensions for both the source and destination KMS keys.


| Dimension | Description | 
| --- | --- | 
| SourceKeyArn | Value for the KMS key that decrypted the ciphertext. | 
| DestinationKeyArn | Value for the KMS key that re-encrypted the data. | 
| Operation | Value for each AWS KMS API operation, in this case, ReEncrypt. | 

### SecondsUntilKeyMaterialExpiration
<a name="key-material-expiration-metric"></a>

The number of seconds remaining until the earliest-expiring [imported key material](importing-keys.md) in a KMS key. This metric is valid only for KMS keys with imported key material (a [key material origin](create-keys.md#key-origin) of `EXTERNAL`) and an expiration date.

Use this metric to track how much time is left before your earliest-expiring imported key material expires. When that time falls below a threshold that you define, you should reimport the key material with a new expiration date to keep the KMS key usable. The `SecondsUntilKeyMaterialExpiration` metric is specific to a KMS key. You cannot use this metric to monitor multiple KMS keys or KMS keys that you might create in the future. For help with creating a CloudWatch alarm to monitor this metric, see [Create a CloudWatch alarm for expiration of imported key material](imported-key-material-expiration-alarm.md).

The most useful statistic for this metric is `Minimum`, which tells you the smallest amount of time remaining for all data points in the specified statistical period. The only valid unit for this metric is `Seconds`.

**Dimension group name**: **Per-Key Metrics**


**Dimensions for `SecondsUntilKeyMaterialExpiration`**


| Dimension | Description | 
| --- | --- | 
| KeyId | Value for each KMS key. | 

When you [schedule deletion](deleting-keys.md) of a KMS key, AWS KMS enforces a waiting period before deleting the KMS key. You can use the waiting period to ensure that you don't need the KMS key now or in the future. You can also configure a CloudWatch alarm to warn you if a person or application attempts to use the KMS key in a [cryptographic operation](kms-cryptography.md#cryptographic-operations) during the waiting period. If you receive a notification from such an alarm, you might want to cancel deletion of the KMS key.

For instructions, see [Create an alarm that detects use of a KMS key pending deletion](deleting-keys-creating-cloudwatch-alarm.md).
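The following added example, which is not AWS code, shows how the two metrics above are queried and interpreted. It builds the `MetricDataQueries` list that the CloudWatch `GetMetricData` API accepts (`SuccessfulRequest` is dimensioned by `KeyArn` and `Operation`, `SecondsUntilKeyMaterialExpiration` by `KeyId`, which this example assumes takes the bare key ID) and then evaluates a constructed stand-in for the `MetricDataResults` the API would return: it ranks keys by successful cryptographic requests, flags any successful request on keys you list as pending deletion, and flags imported key material whose `Minimum` seconds-to-expiration has dropped below a threshold. The key ARNs and key ID are the example values used on this page; no AWS call is made. Checking `SuccessfulRequest` for keys pending deletion is this example's own approach and complements the procedure linked above.

```python
KMS_NAMESPACE = "AWS/KMS"


def build_queries(key_arns, operations, imported_key_ids, period=3600):
    """Return (MetricDataQueries, lookup) for cloudwatch.get_metric_data().

    SuccessfulRequest needs both KeyArn and Operation dimensions, so one query is
    emitted per (key, operation) pair. SecondsUntilKeyMaterialExpiration is
    dimensioned by KeyId (assumed: bare key ID). lookup maps each query Id back to
    what it measures, because results carry only the Id and a Label.
    """
    queries, lookup, n = [], {}, 0
    for arn in key_arns:
        for op in operations:
            qid = f"req{n}"  # Ids must match ^[a-z][a-zA-Z0-9_]*$ and be unique per request
            n += 1
            lookup[qid] = ("requests", arn, op)
            queries.append({"Id": qid, "MetricStat": {
                "Metric": {"Namespace": KMS_NAMESPACE, "MetricName": "SuccessfulRequest",
                           "Dimensions": [{"Name": "KeyArn", "Value": arn},
                                          {"Name": "Operation", "Value": op}]},
                "Period": period, "Stat": "Sum"}})
    for key_id in imported_key_ids:
        qid = f"exp{n}"
        n += 1
        lookup[qid] = ("expiry", key_id)
        queries.append({"Id": qid, "MetricStat": {
            "Metric": {"Namespace": KMS_NAMESPACE,
                       "MetricName": "SecondsUntilKeyMaterialExpiration",
                       "Dimensions": [{"Name": "KeyId", "Value": key_id}]},
            "Period": period, "Stat": "Minimum"}})
    return queries, lookup


def evaluate(results, lookup, pending_deletion=(), expiry_threshold=10 * 86400):
    """Turn MetricDataResults into findings plus a per-key request ranking.

    results: list of {"Id": ..., "Values": [...]} as returned by get_metric_data.
    pending_deletion: key ARNs whose KeyState is PendingDeletion; any successful
        cryptographic request on them is reported.
    expiry_threshold: seconds; imported key material below this is reported.
    """
    per_key, findings = {}, []
    for r in results:
        kind = lookup[r["Id"]]
        if kind[0] == "requests":
            _, arn, op = kind
            total = sum(r["Values"])  # an empty Values list means no data points
            per_key[arn] = per_key.get(arn, 0.0) + total
            if arn in pending_deletion and total > 0:
                findings.append({"type": "pending_deletion_key_in_use",
                                 "keyArn": arn, "operation": op, "count": total})
        else:
            _, key_id = kind
            if r["Values"] and min(r["Values"]) < expiry_threshold:
                findings.append({"type": "key_material_expiring",
                                 "keyId": key_id, "secondsLeft": min(r["Values"])})
    grand_total = sum(per_key.values()) or 1.0
    ranking = sorted(((arn, count, round(100 * count / grand_total, 1))
                      for arn, count in per_key.items()),
                     key=lambda t: t[1], reverse=True)
    return findings, ranking


# Example values from this page; KEY_B is treated as pending deletion.
KEY_A = "arn:aws:kms:us-west-2:111122223333:key/1234abcd-12ab-34cd-56ef-1234567890ab"
KEY_B = "arn:aws:kms:us-west-2:111122223333:key/0987dcba-09fe-87dc-65ba-ab0987654321"
IMPORTED_KEY_ID = "1234abcd-12ab-34cd-56ef-1234567890ab"

QUERIES, LOOKUP = build_queries([KEY_A, KEY_B], ["Decrypt", "GenerateDataKey"], [IMPORTED_KEY_ID])

# Constructed stand-in for get_metric_data(MetricDataQueries=QUERIES, ...)["MetricDataResults"].
SAMPLE_RESULTS = [
    {"Id": "req0", "Values": [1200.0, 1100.0]},      # KEY_A Decrypt
    {"Id": "req1", "Values": [300.0, 280.0]},        # KEY_A GenerateDataKey
    {"Id": "req2", "Values": [0.0, 5.0]},            # KEY_B Decrypt while pending deletion
    {"Id": "req3", "Values": []},                    # KEY_B GenerateDataKey: no data points
    {"Id": "exp4", "Values": [700000.0, 696400.0]},  # about 8 days of key material left
]


def run_sample():
    return evaluate(SAMPLE_RESULTS, LOOKUP, pending_deletion={KEY_B})


if __name__ == "__main__":
    findings, ranking = run_sample()
    for arn, count, pct in ranking:
        print(f"{pct:5.1f}% {count:8.0f} {arn}")
    for finding in findings:
        print(finding)
```

With real data, pass `QUERIES` to `get_metric_data` with a `StartTime`/`EndTime` window that covers at least one `Period`, and derive `pending_deletion` from `DescribeKey` (`KeyState` of `PendingDeletion`) rather than hard-coding it; a non-zero `SuccessfulRequest` sum for such a key is the signal that something still depends on it and that deletion should be cancelled.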

### CloudHSMKeyStoreThrottle
<a name="metric-throttling-cloudhsm"></a>

The number of requests for cryptographic operations on KMS keys in each AWS CloudHSM key store that AWS KMS throttles (responds with a `ThrottlingException`). This metric applies only to AWS CloudHSM key stores.

The `CloudHSMKeyStoreThrottle` metric counts only requests for [cryptographic operations](kms-cryptography.md#cryptographic-operations) on KMS keys in an AWS CloudHSM key store. AWS KMS [throttles these requests](throttling.md) when the request rate exceeds the [custom key store request quota](requests-per-second.md#rps-key-stores) for your AWS CloudHSM key store. The metric also includes requests throttled by the AWS CloudHSM cluster itself.

**Dimension group name**: **Keystore Throttle Metrics**


| Dimension | Description | 
| --- | --- | 
| CustomKeyStoreId | Value for each AWS CloudHSM key store. | 
| KmsOperation | Value for each AWS KMS API operation. This metric applies only to cryptographic operations on KMS keys in an AWS CloudHSM key store. | 
| KeySpec | Value for each type of KMS key. The only supported [key spec](create-keys.md#key-spec) for KMS keys in an AWS CloudHSM key store is SYMMETRIC\_DEFAULT. | 

### ExternalKeyStoreThrottle
<a name="metric-throttling"></a>

The number of requests for cryptographic operations on KMS keys in each external key store that AWS KMS throttles (responds with a `ThrottlingException`). This metric applies only to [external key stores](keystore-external.md). 

The `ExternalKeyStoreThrottle` metric counts only requests for [cryptographic operations](kms-cryptography.md#cryptographic-operations) on KMS keys in an external key store. AWS KMS [throttles these requests](throttling.md) when the request rate exceeds the [custom key store request quota](requests-per-second.md#rps-key-stores) for your external key store. It does not include throttling by your external key store proxy or external key manager; errors from those components appear in the `XksProxyErrors` metric instead. 

Use this metric to review and adjust the value of your custom key store request quota. If this metric indicates that AWS KMS is frequently throttling your requests for these KMS keys, you might consider requesting an increase in your custom key store request quota value. For help, see [Requesting a quota increase](https://docs.aws.amazon.com/servicequotas/latest/userguide/request-quota-increase.html) in the *Service Quotas User Guide*. 

If you are getting very frequent `KMSInvalidStateException` errors with a message that explains that the request was rejected "due to a very high request rate" or the request was rejected "because the external key store proxy did not respond in time," it might indicate that your external key manager or external key store proxy cannot keep pace with the current request rate. If possible, lower your request rate. You might also consider requesting a decrease in your custom key store request quota value. Decreasing this quota value might increase throttling (and the `ExternalKeyStoreThrottle` metric value), but it indicates that AWS KMS is rejecting excess requests quickly before they are sent to your external key store proxy or external key manager. To request a quota decrease, please visit the [AWS Support Center](https://console.aws.amazon.com/support/home) and create a case.

**Dimension group name**: **Keystore Throttle Metrics**


| Dimension | Description | 
| --- | --- | 
| CustomKeyStoreId | Value for each external key store. | 
| KmsOperation | Value for each AWS KMS API operation. This metric applies only to cryptographic operations on KMS keys in an external key store. | 
| KeySpec | Value for each type of KMS key. The only supported [key spec](create-keys.md#key-spec) for KMS keys in an external key store is SYMMETRIC\_DEFAULT. | 

### XksProxyCertificateDaysToExpire
<a name="metric-xks-proxy-certificate-days-to-expire"></a>

The number of days until the TLS certificate for your [external key store proxy endpoint](create-xks-keystore.md#require-endpoint) (`XksProxyUriEndpoint`) expires. This metric applies only to [external key stores](keystore-external.md).

Use this metric to create a CloudWatch alarm that notifies you about the upcoming expiration of your TLS certificate. When the certificate expires, AWS KMS cannot communicate with the external key store proxy. All data protected by KMS keys in your external key store becomes inaccessible until you renew the certificate. 

An alarm on this metric warns you before the certificate expires and locks you out of the resources encrypted under KMS keys in the external key store. Set the threshold to give your organization enough time to renew the certificate before it expires.

**Dimension group name**: **XKS Proxy Certificate Metrics**


| Dimension | Description | 
| --- | --- | 
| CustomKeyStoreId | Value for each external key store. | 
| CertificateName | Subject name (CN) in the TLS certificate. | 

You can create CloudWatch alarms based on the metrics for external key stores and KMS keys in external key stores. For instructions, see [Monitor external key stores](xks-monitoring.md).

### XksProxyCredentialAge
<a name="metric-xks-proxy-credential-age"></a>

The number of days since the current external key store [proxy authentication credential](keystore-external.md#concept-xks-credential) (`XksProxyAuthenticationCredential`) was associated with the external key store. This count begins when you enter the authentication credential as part of creating or updating your external key store. This metric applies only to [external key stores](keystore-external.md).

Use this value as a reminder of the age of your authentication credential. Because the count begins when you associate the credential with your external key store, not when you create it on your external key store proxy, it can understate the credential's actual age on the proxy.

Use this metric to create a CloudWatch alarm that reminds you to rotate your external key store proxy authentication credential.

**Dimension group name**: **Per-Keystore Metrics**


| Dimension | Description | 
| --- | --- | 
| CustomKeyStoreId | Value for each external key store. | 

You can create CloudWatch alarms based on the metrics for external key stores and KMS keys in external key stores. For instructions, see [Monitor external key stores](xks-monitoring.md).

### XksProxyErrors
<a name="metric-xks-proxy-errors"></a>

The number of exceptions related to AWS KMS requests to your [external key store proxy](keystore-external.md#concept-xks-proxy). This count includes exceptions that the external key store proxy returns to AWS KMS and timeout errors that occur when the external key store proxy does not respond to AWS KMS within the 250 millisecond timeout interval. This metric applies only to [external key stores](keystore-external.md).

Use this metric to track the error rate of KMS keys in your external key store. Its `KmsOperation`, `XksOperation`, and `ExceptionName` dimensions show which operations and exceptions occur most often, so you can prioritize your engineering effort. For example, KMS keys that are generating high rates of non-retryable errors might indicate a problem with the configuration of your external key store. To view your external key store configuration, see [View external key stores](view-xks-keystore.md). To edit your external key store settings, see [Edit external key store properties](update-xks-keystore.md).

**Dimension group name**: **XKS Proxy Error Metrics**


| Dimension | Description | 
| --- | --- | 
| CustomKeyStoreId | Value for each external key store. | 
| KmsOperation | Value for each AWS KMS API operation that generated a request to the XKS proxy. | 
| XksOperation | Value for each [external key store proxy API operation](keystore-external.md#concept-proxy-apis). | 
| KeySpec | Value for each type of KMS key. The only supported [key spec](create-keys.md#key-spec) for KMS keys in an external key store is `SYMMETRIC_DEFAULT`. | 
| ErrorType | Value for each error class: `Retryable` or `Non-retryable`. | 
| ExceptionName | Value for each exception name that the external key store proxy returned or that AWS KMS raised (such as a timeout). For the full list of values, see the [AWS KMS Developer Guide](http://docs.aws.amazon.com/kms/latest/developerguide/monitoring-cloudwatch.html). | 

You can create CloudWatch alarms based on the metrics for external key stores and KMS keys in external key stores. For instructions, see [Monitor external key stores](xks-monitoring.md).

### XksExternalKeyManagerStates
<a name="metric-xks-ekm-states"></a>

A count of the number of [external key manager instances](keystore-external.md#concept-ekm) in each of the following health states: `Active`, `Degraded`, and `Unavailable`. The information for this metric comes from the external key store proxy associated with each external key store. This metric applies only to [external key stores](keystore-external.md).

The following are the health states for the external key manager instances associated with an external key store. Each external key store proxy might use different indicators to measure the health states of your external key manager. For details, see the documentation for your external key store proxy.
+ `Active`: The external key manager is healthy.
+ `Degraded`: The external key manager is unhealthy, but can still serve traffic.
+ `Unavailable`: The external key manager cannot serve traffic.

Use this metric to create a CloudWatch alarm that alerts you to degraded and unavailable external key manager instances. To determine which external key manager instances are in each state, consult your external key store proxy logs.

**Dimension group name**: **XKS External Key Manager Metrics**


| Dimension | Description | 
| --- | --- | 
| CustomKeyStoreId | Value for each external key store. | 
| XksExternalKeyManagerState | Value for each health state. | 

You can create CloudWatch alarms based on the metrics for external key stores and KMS keys in external key stores. For instructions, see [Monitor external key stores](xks-monitoring.md).

### XksProxyLatency
<a name="metric-xks-proxy-latency"></a>

The number of milliseconds it takes for an external key store proxy to respond to an AWS KMS request. If the request timed out, the recorded value is the 250 millisecond timeout limit. This metric applies only to [external key stores](keystore-external.md).

Use this metric to evaluate the performance of your external key store proxy and external key manager. For example, if the proxy is frequently timing out on encryption and decryption operations, consult your external proxy administrator. 

Slow responses might also indicate that your external key manager cannot handle the current request traffic. AWS KMS recommends that your external key manager be able to handle up to 1800 requests for cryptographic operations per second. If your external key manager cannot handle the 1800 requests per second rate, consider requesting a decrease in your [request quota for KMS keys in a custom key store](requests-per-second.md#rps-key-stores). Requests for cryptographic operations using the KMS keys in your external key store will fail fast with a [throttling exception](throttling.md), rather than being processed and later rejected by your external key store proxy or external key manager.

**Dimension group name**: **XKS Proxy Latency Metrics**


| Dimension | Description | 
| --- | --- | 
| CustomKeyStoreId | Value for each external key store. | 
| KmsOperation | Value for each AWS KMS API operation that generated a request to the XKS proxy. | 
| XksOperation | Value for each [external key store proxy API operation](keystore-external.md#concept-proxy-apis). | 
| KeySpec | Value for each type of KMS key. The only supported [key spec](create-keys.md#key-spec) for KMS keys in an external key store is `SYMMETRIC_DEFAULT`. | 

You can create CloudWatch alarms based on the metrics for external key stores and KMS keys in external key stores. For instructions, see [Monitor external key stores](xks-monitoring.md).

# Create a CloudWatch alarm for expiration of imported key material
<a name="imported-key-material-expiration-alarm"></a>

You can create a CloudWatch alarm that notifies you when the imported key material in a KMS key is approaching its expiration time. For example, the alarm can notify you when the time to expire is less than 30 days away.

When you [import key material into a KMS key](importing-keys.md), you can optionally specify a date and time when the key material expires. When the key material expires, AWS KMS deletes the key material and the KMS key becomes unusable. To use the KMS key again, you must [reimport the key material](importing-keys-import-key-material.md#reimport-key-material). However, if you reimport the key material before it expires, you can avoid disrupting processes that use that KMS key.

This alarm uses the [`SecondsUntilKeyMaterialExpires` metric](monitoring-cloudwatch.md#key-material-expiration-metric) that AWS KMS publishes to CloudWatch for KMS keys with imported key material that expires. Each alarm uses this metric to monitor the imported key material for a particular KMS key. You cannot create a single alarm for all KMS keys with expiring key material or an alarm for KMS keys that you might create in the future.

**Requirements**

The following resources are required for a CloudWatch alarm that monitors the expiration of imported key material.
+ A KMS key with imported key material that expires. 
+ An Amazon SNS topic. For details, see [Creating an Amazon SNS topic](https://docs.aws.amazon.com/sns/latest/dg/sns-create-topic.html) in the *Amazon Simple Notification Service Developer Guide*.

**Create the alarm**

Follow the instructions in [Create a CloudWatch alarm based on a static threshold](https://docs.aws.amazon.com/AmazonCloudWatch/latest/monitoring/ConsoleAlarms.html) using the following required values. For other fields, accept the default values and provide names as requested.


| Field | Value | 
| --- | --- | 
| Select metric |  Choose **KMS**, then choose **Per-Key Metrics**. Choose the row with the KMS key and the `SecondsUntilKeyMaterialExpires` metric. Then choose **Select metric**. The **Metrics** list displays the `SecondsUntilKeyMaterialExpires` metric only for KMS keys with imported key material that expires. If you don't have KMS keys with these properties in the account and Region, this list is empty.  | 
| Statistic | Minimum | 
| Period | 1 minute | 
| Threshold type | Static | 
| Whenever ... | Whenever `SecondsUntilKeyMaterialExpires` is Lower than 2592000 (30 days expressed in seconds). Use a smaller value if you need less lead time, or a larger one if reimporting key material takes longer in your organization. | 
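Because each alarm covers a single KMS key, a practical approach is to enumerate the keys that actually publish `SecondsUntilKeyMaterialExpires` (imported key material with an expiration) and create one alarm per key with the settings from the table above. The following is an added example, not AWS's own code or part of this guide. It assumes boto3-style client objects (a stub stands in so it runs offline), a placeholder SNS topic ARN, a 30-day lead time, and `TreatMissingData="breaching"`, which is a design choice rather than a setting from the page.

```python
"""Create one CloudWatch alarm per KMS key whose imported key material expires.

Added example (not AWS's own code). The SNS topic ARN, the 30-day lead time,
TreatMissingData="breaching" and the fake clients used for the offline demo are
assumptions, not from the page.
"""

SECONDS_PER_DAY = 86400


def expiring_imported_keys(kms):
    """Return the IDs of KMS keys whose imported key material has an expiry.

    `kms` exposes the boto3 KMS client methods list_keys and describe_key
    (boto3.client("kms") in a real run; the stub below for the offline demo).
    """
    found = []
    marker = None
    while True:
        page = kms.list_keys(**({"Marker": marker} if marker else {}))
        for entry in page.get("Keys", []):
            meta = kms.describe_key(KeyId=entry["KeyId"])["KeyMetadata"]
            # Only keys with imported (Origin=EXTERNAL) material that expires
            # publish SecondsUntilKeyMaterialExpires.
            if (meta.get("Origin") == "EXTERNAL"
                    and meta.get("ExpirationModel") == "KEY_MATERIAL_EXPIRES"):
                found.append(meta["KeyId"])
        if not page.get("Truncated"):
            return found
        marker = page["NextMarker"]


def expiration_alarm_params(key_id, sns_topic_arn, lead_days=30):
    """PutMetricAlarm parameters matching the table above (Minimum statistic,
    1-minute period, static threshold), with the threshold in seconds."""
    return {
        "AlarmName": f"kms-imported-key-material-expiring-{key_id}",
        "AlarmDescription": f"Imported key material in {key_id} expires in under {lead_days} days",
        "Namespace": "AWS/KMS",
        "MetricName": "SecondsUntilKeyMaterialExpires",
        "Dimensions": [{"Name": "KeyId", "Value": key_id}],
        "Statistic": "Minimum",
        "Period": 60,
        "EvaluationPeriods": 1,
        "Threshold": lead_days * SECONDS_PER_DAY,
        "ComparisonOperator": "LessThanThreshold",
        # Assumption: once the material has expired, KMS stops publishing the
        # metric, so a missing datapoint should alarm rather than stay silent.
        "TreatMissingData": "breaching",
        "AlarmActions": [sns_topic_arn],
    }


def create_expiration_alarms(kms, cloudwatch, sns_topic_arn, lead_days=30):
    """Create (or update) one alarm per expiring key; returns the alarm names."""
    names = []
    for key_id in expiring_imported_keys(kms):
        params = expiration_alarm_params(key_id, sns_topic_arn, lead_days)
        cloudwatch.put_metric_alarm(**params)  # same AlarmName updates in place
        names.append(params["AlarmName"])
    return names


class FakeKms:
    """Constructed stand-in for boto3's KMS client; sample key IDs only."""

    KEYS = {
        "1234abcd-12ab-34cd-56ef-1234567890ab": {
            "Origin": "EXTERNAL", "ExpirationModel": "KEY_MATERIAL_EXPIRES"},
        "0987dcba-09fe-87dc-65ba-ba0987654321": {
            "Origin": "EXTERNAL", "ExpirationModel": "KEY_MATERIAL_DOES_NOT_EXPIRE"},
        "1a2b3c4d-5e6f-1a2b-3c4d-5e6f1a2b3c4d": {"Origin": "AWS_KMS"},
    }

    def list_keys(self, **kwargs):
        return {"Keys": [{"KeyId": k} for k in self.KEYS], "Truncated": False}

    def describe_key(self, KeyId):
        return {"KeyMetadata": {"KeyId": KeyId, **self.KEYS[KeyId]}}


class FakeCloudWatch:
    """Records PutMetricAlarm calls instead of sending them."""

    def __init__(self):
        self.calls = []

    def put_metric_alarm(self, **params):
        self.calls.append(params)


if __name__ == "__main__":
    # Real run: kms = boto3.client("kms"); cloudwatch = boto3.client("cloudwatch")
    cw = FakeCloudWatch()
    topic = "arn:aws:sns:us-west-2:111122223333:kms-alerts"  # placeholder
    for name in create_expiration_alarms(FakeKms(), cw, topic):
        print("created", name)
```

Run it periodically (for example from a scheduled Lambda function) so that keys created after the first run also get an alarm; `PutMetricAlarm` with an existing name updates rather than duplicates the alarm.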

# Create CloudWatch alarms for external key stores
<a name="xks-alarms"></a>

You can create Amazon CloudWatch alarms based on external key store metrics to notify you when a metric value exceeds a threshold you specified. The alarm can send the message to an [Amazon Simple Notification Service (Amazon SNS) topic](https://docs.aws.amazon.com/sns/latest/dg/sns-create-topic.html) or an [Amazon EC2 Auto Scaling policy](https://docs.aws.amazon.com/autoscaling/ec2/userguide/as-scale-based-on-demand.html#as-how-scaling-policies-work). For detailed information about CloudWatch alarms, see [Using Amazon CloudWatch alarms](https://docs.aws.amazon.com/AmazonCloudWatch/latest/monitoring/AlarmThatSendsEmail.html) in the *Amazon CloudWatch User Guide*.

Before creating an Amazon CloudWatch alarm, you need an Amazon SNS topic. For details, see [Creating an Amazon SNS topic](https://docs.aws.amazon.com/sns/latest/dg/sns-create-topic.html) in the *Amazon Simple Notification Service Developer Guide*.

**Topics**
+ [Create an alarm for certificate expiration](#cert-expire-alarm)
+ [Create an alarm for response timeout](#latency-alarm)
+ [Create an alarm for retryable errors](#retryable-errors-alarm)
+ [Create an alarm for non-retryable errors](#nonretryable-errors-alarm)

## Create an alarm for certificate expiration
<a name="cert-expire-alarm"></a>

This alarm uses the [XksProxyCertificateDaysToExpire](monitoring-cloudwatch.md#metric-xks-proxy-certificate-days-to-expire) metric that AWS KMS publishes to CloudWatch to record the anticipated expiration of the TLS certificate associated with your external key store proxy endpoint. You cannot create a single alarm for all external key stores in your account or an alarm for external key stores that you might create in the future.

We recommend setting the alarm to alert you 10 days before your certificate is set to expire, but you should set the threshold that best fits your needs.

**Create the alarm**

Follow the instructions in [Create a CloudWatch alarm based on a static threshold](https://docs.aws.amazon.com/AmazonCloudWatch/latest/monitoring/ConsoleAlarms.html) using the following required values. For other fields, accept the default values and provide names as requested.


| Field | Value | 
| --- | --- | 
| Select metric |  Choose **KMS**, then choose **XKS Proxy Certificate Metrics**. Select the check box next to the `XksProxyCertificateDaysToExpire` metric for the `CustomKeyStoreId` and `CertificateName` that you want to monitor. Then choose **Select metric**.  | 
| Statistic | Minimum | 
| Period | 5 minutes | 
| Threshold type | Static | 
| Whenever ... | Whenever XksProxyCertificateDaysToExpire is Lower than 10. | 

## Create an alarm for response timeout
<a name="latency-alarm"></a>

This alarm uses the [XksProxyLatency](monitoring-cloudwatch.md#metric-xks-proxy-latency) metric that AWS KMS publishes to CloudWatch to record the number of milliseconds it takes for an external key store proxy to respond to an AWS KMS request. You cannot create a single alarm for all external key stores in your account or an alarm for external key stores that you might create in the future.

AWS KMS expects the external key store proxy to respond to each request within 250 milliseconds. We recommend setting an alarm to alert you when your external key store proxy takes longer than 200 milliseconds to respond, but you should set the threshold that best fits your needs.

**Create the alarm**

Follow the instructions in [Create a CloudWatch alarm based on a static threshold](https://docs.aws.amazon.com/AmazonCloudWatch/latest/monitoring/ConsoleAlarms.html) using the following required values. For other fields, accept the default values and provide names as requested.


| Field | Value | 
| --- | --- | 
| Select metric |  Choose **KMS**, then choose **XKS Proxy Latency Metrics**. Select the check box next to the `KmsOperation` that you want to monitor.  Then choose **Select metric**.  | 
| Statistic | Average | 
| Period | 5 minutes | 
| Threshold type | Static | 
| Whenever ... | Whenever XksProxyLatency is Greater than 200. | 

## Create an alarm for retryable errors
<a name="retryable-errors-alarm"></a>

This alarm uses the [XksProxyErrors](monitoring-cloudwatch.md#metric-xks-proxy-errors) metric that AWS KMS publishes to CloudWatch to record the number of exceptions related to AWS KMS requests to your external key store proxy. You cannot create a single alarm for all external key stores in your account or an alarm for external key stores that you might create in the future.

Retryable errors will lower your reliability percentage and can indicate networking errors. We recommend setting an alarm to alert you when more than five retryable errors are recorded in a one minute period, but you should set the threshold that best fits your needs.

**Create the alarm**

Follow the instructions in [Create a CloudWatch alarm based on a static threshold](https://docs.aws.amazon.com/AmazonCloudWatch/latest/monitoring/ConsoleAlarms.html) using the following required values. For other fields, accept the default values and provide names as requested.


| Field | Value | 
| --- | --- | 
| Select metric |  Choose the **Query** tab. Choose `AWS/KMS` for **Namespace**. Enter `SUM(XksProxyErrors)` for **Metric name**. Enter `ErrorType = Retryable` for **Filter by**. Choose **Run**. Then choose **Select metric**.  | 
| Label | Retryable errors | 
| Period | 1 minute | 
| Threshold type | Static | 
| Whenever ... | Whenever q1 is Greater than 5. | 

## Create an alarm for non-retryable errors
<a name="nonretryable-errors-alarm"></a>

This alarm uses the [XksProxyErrors](monitoring-cloudwatch.md#metric-xks-proxy-errors) metric that AWS KMS publishes to CloudWatch to record the number of exceptions related to AWS KMS requests to your external key store proxy. You cannot create a single alarm for all external key stores in your account or an alarm for external key stores that you might create in the future.

Non-retryable errors can indicate a problem with the configuration of your external key store. We recommend setting an alarm to alert you when more than five non-retryable errors are recorded in a one minute period, but you should set the threshold that best fits your needs.

**Create the alarm**

Follow the instructions in [Create a CloudWatch alarm based on a static threshold](https://docs.aws.amazon.com/AmazonCloudWatch/latest/monitoring/ConsoleAlarms.html) using the following required values. For other fields, accept the default values and provide names as requested.


| Field | Value | 
| --- | --- | 
| Select metric |  Choose the **Query** tab. Choose `AWS/KMS` for **Namespace**. Enter `SUM(XksProxyErrors)` for **Metric name**. Enter `ErrorType = Non-retryable` for **Filter by**. Choose **Run**. Then choose **Select metric**.  | 
| Label | Non-retryable errors | 
| Period | 1 minute | 
| Threshold type | Static | 
| Whenever ... | Whenever q1 is Greater than 5. | 
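The same four alarms can be created with the `PutMetricAlarm` API instead of the console, which is what you want when you manage several external key stores. The following is an added example, not AWS's own code or part of this guide. It builds the parameter sets for the certificate expiration, response timeout, retryable error and non-retryable error alarms described above, and goes one step beyond the page by adding a fifth alarm on `XksExternalKeyManagerStates` for instances reported as `Unavailable`. The latency alarm differs from the console table in one respect: rather than picking a single `KmsOperation`, it uses a CloudWatch Metrics Insights query (the console's **Query** tab) so that one alarm covers every operation for the store. Alarm names, the SNS topic ARN, and the sample store ID and certificate name are placeholders.

```python
"""PutMetricAlarm parameter sets for one external key store.

Added example, not AWS's own code. Alarm names, the SNS topic ARN, the sample
CustomKeyStoreId and certificate name are placeholders. The latency and error
alarms use Metrics Insights queries so one alarm spans all KmsOperation /
XksOperation / KeySpec combinations for the store.
"""

NAMESPACE = "AWS/KMS"


def static_alarm(name, metric, dimensions, statistic, period, operator,
                 threshold, sns_topic_arn):
    """Alarm on a single metric/dimension set with a static threshold."""
    return {
        "AlarmName": name,
        "Namespace": NAMESPACE,
        "MetricName": metric,
        "Dimensions": [{"Name": k, "Value": v} for k, v in dimensions.items()],
        "Statistic": statistic,
        "Period": period,
        "EvaluationPeriods": 1,
        "Threshold": threshold,
        "ComparisonOperator": operator,
        "TreatMissingData": "notBreaching",
        "AlarmActions": [sns_topic_arn],
    }


def query_alarm(name, query, period, operator, threshold, sns_topic_arn):
    """Alarm on a Metrics Insights query; the query must return a single time
    series (no GROUP BY) for CloudWatch to evaluate it."""
    return {
        "AlarmName": name,
        "Metrics": [{"Id": "q1", "Expression": query, "Period": period,
                     "ReturnData": True}],
        "EvaluationPeriods": 1,
        "Threshold": threshold,
        "ComparisonOperator": operator,
        "TreatMissingData": "notBreaching",
        "AlarmActions": [sns_topic_arn],
    }


def xks_error_query(store_id, error_type):
    """SUM(XksProxyErrors) for one store, filtered by ErrorType."""
    return (f'SELECT SUM(XksProxyErrors) FROM "{NAMESPACE}" '
            f"WHERE CustomKeyStoreId = '{store_id}' AND ErrorType = '{error_type}'")


def xks_alarms(store_id, certificate_name, sns_topic_arn):
    """Return the PutMetricAlarm parameter sets for one external key store."""
    store = {"CustomKeyStoreId": store_id}
    return [
        # Certificate expiry: Minimum over 5 minutes lower than 10 days.
        static_alarm(f"xks-{store_id}-cert-expiring",
                     "XksProxyCertificateDaysToExpire",
                     {**store, "CertificateName": certificate_name},
                     "Minimum", 300, "LessThanThreshold", 10, sns_topic_arn),
        # Response time: Average over 5 minutes above 200 ms (KMS times out at 250 ms).
        query_alarm(f"xks-{store_id}-slow-proxy",
                    f'SELECT AVG(XksProxyLatency) FROM "{NAMESPACE}" '
                    f"WHERE CustomKeyStoreId = '{store_id}'",
                    300, "GreaterThanThreshold", 200, sns_topic_arn),
        # Retryable and non-retryable errors: more than five in one minute.
        query_alarm(f"xks-{store_id}-retryable-errors",
                    xks_error_query(store_id, "Retryable"),
                    60, "GreaterThanThreshold", 5, sns_topic_arn),
        query_alarm(f"xks-{store_id}-nonretryable-errors",
                    xks_error_query(store_id, "Non-retryable"),
                    60, "GreaterThanThreshold", 5, sns_topic_arn),
        # Any external key manager instance the proxy reports as Unavailable.
        static_alarm(f"xks-{store_id}-ekm-unavailable",
                     "XksExternalKeyManagerStates",
                     {**store, "XksExternalKeyManagerState": "Unavailable"},
                     "Maximum", 60, "GreaterThanThreshold", 0, sns_topic_arn),
    ]


def apply_alarms(cloudwatch, alarms):
    """Send each parameter set with PutMetricAlarm; returns the alarm names."""
    for params in alarms:
        cloudwatch.put_metric_alarm(**params)
    return [a["AlarmName"] for a in alarms]


if __name__ == "__main__":
    import json
    # Real run: apply_alarms(boto3.client("cloudwatch"), xks_alarms(...))
    for a in xks_alarms("cks-1234567890abcdef0", "xks.example.com",
                        "arn:aws:sns:us-west-2:111122223333:kms-alerts"):
        print(json.dumps(a, indent=2))
```

The error alarms use `TreatMissingData="notBreaching"` because a store with no traffic publishes no `XksProxyErrors` datapoints; the certificate alarm keeps the same setting only because the metric is published regardless of traffic.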

# Monitor KMS keys with Amazon EventBridge
<a name="kms-events"></a>

You can use Amazon EventBridge (formerly Amazon CloudWatch Events) to alert you to the following important events in the lifecycle of your KMS keys.
+ The key material in a KMS key was rotated automatically or on-demand.
+ The imported key material in a KMS key expired.
+ A KMS key that had been scheduled for deletion was deleted.

AWS KMS integrates with Amazon EventBridge to notify you of important events that affect your KMS keys. Each event is represented in [JSON (JavaScript Object Notation)](http://json.org) and includes the event name, the date and time when the event occurred, and the affected KMS key. You can collect these events and establish rules that route them to one or more *targets* such as AWS Lambda functions, Amazon SNS topics, Amazon SQS queues, streams in Amazon Kinesis Data Streams, or built-in targets.

For more information about using EventBridge with other kinds of events, including those emitted by AWS CloudTrail when it records a read/write API request, see the [Amazon EventBridge User Guide](https://docs.aws.amazon.com/eventbridge/latest/userguide/).

The following topics describe the EventBridge events that AWS KMS generates.

## KMS CMK Rotation
<a name="kms-events-rotation"></a>

AWS KMS supports [automatic and on-demand rotation](rotate-keys.md) of the key material in symmetric encryption KMS keys.

Whenever AWS KMS rotates key material, it sends a `KMS CMK Rotation` event to EventBridge. AWS KMS generates this event on a best-effort basis.

The following is an example of this event.

```
{
  "version": "0",
  "id": "6a7e8feb-b491-4cf7-a9f1-bf3703467718",
  "detail-type": "KMS CMK Rotation",
  "source": "aws.kms",
  "account": "111122223333",
  "time": "2025-05-23T03:11:54Z",
  "region": "us-west-2",
  "resources": [
    "arn:aws:kms:us-west-2:111122223333:key/1234abcd-12ab-34cd-56ef-1234567890ab"
  ],
  "detail": {
    "key-id": "1234abcd-12ab-34cd-56ef-1234567890ab",
    "key-origin": "AWS_KMS",
    "rotation-type": "ON_DEMAND",
    "previous-key-material-id": "123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef0",
    "current-key-material-id": "96083e4fb6dbc41d77578a213a6b6669c044dd4c143e96755396d2bf11fd6068"
  }
}
```

## KMS Imported Key Material Expiration
<a name="kms-events-expiration"></a>

When you [import key material into a KMS key](importing-keys.md), you can optionally specify a time at which the key material expires. When the key material expires, AWS KMS deletes the key material and sends a corresponding `KMS Imported Key Material Expiration` event to EventBridge. AWS KMS generates this event on a best-effort basis.

The following is an example of this event.

```
{
  "version": "0",
  "id": "9da9af57-9253-4406-87cb-7cc400e43465",
  "detail-type": "KMS Imported Key Material Expiration",
  "source": "aws.kms",
  "account": "111122223333",
  "time": "2025-05-23T03:11:54Z",
  "region": "us-west-2",
  "resources": [
    "arn:aws:kms:us-west-2:111122223333:key/1234abcd-12ab-34cd-56ef-1234567890ab"
  ],
  "detail": {
    "key-id": "1234abcd-12ab-34cd-56ef-1234567890ab",
    "key-material-id": "123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef0"
  }
}
```

## KMS CMK Deletion
<a name="kms-events-deletion"></a>

When you [schedule deletion](deleting-keys.md) of a KMS key, AWS KMS enforces a waiting period before deleting the KMS key. After the waiting period ends, AWS KMS deletes the KMS key and sends a `KMS CMK Deletion` event to EventBridge. AWS KMS guarantees this EventBridge event. Because of retries, it might send multiple events within a few seconds for the deletion of the same KMS key, so targets should treat the event as idempotent.

 The following is an example of this event.

```
{
  "version": "0",
  "id": "e9ce3425-7d22-412a-a699-e7a5fc3fbc9a",
  "detail-type": "KMS CMK Deletion",
  "source": "aws.kms",
  "account": "111122223333",
  "time": "2025-05-23T03:11:54Z",
  "region": "us-west-2",
  "resources": [
    "arn:aws:kms:us-west-2:111122223333:key/1234abcd-12ab-34cd-56ef-1234567890ab"
  ],
  "detail": {
    "key-id": "1234abcd-12ab-34cd-56ef-1234567890ab"
  }
}
```
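A target for these events needs to do two things the JSON alone does not show: match only the three KMS detail types, and tolerate the duplicate `KMS CMK Deletion` deliveries noted above. The following is an added example, not AWS's own code or part of this guide: an EventBridge rule pattern and a Lambda-style handler that dispatches on `detail-type` and de-duplicates deletions by key ID. The in-memory set used for de-duplication is a stand-in for a durable store (for example DynamoDB), and the sample events are this page's examples reproduced as test input; both are assumptions of the example.

```python
"""Consume the three KMS EventBridge events shown on this page.

Added example, not AWS's own code. Assumptions: a Lambda target, an in-memory
set for de-duplicating repeated deletion events (use a durable store in
production), and sample events copied from the page's own examples.
"""
import json

# EventBridge rule event pattern selecting exactly the three KMS events.
KMS_EVENT_PATTERN = {
    "source": ["aws.kms"],
    "detail-type": [
        "KMS CMK Rotation",
        "KMS Imported Key Material Expiration",
        "KMS CMK Deletion",
    ],
}


def matches(pattern, event):
    """Top-level EventBridge matching: each pattern field lists allowed values."""
    return all(event.get(field) in allowed for field, allowed in pattern.items())


class KmsEventProcessor:
    def __init__(self):
        self.deleted_keys = set()   # assumption: durable store in production
        self.notices = []           # what you would forward to a pager or SIEM

    def process(self, event):
        if not matches(KMS_EVENT_PATTERN, event):
            return "ignored"
        kind, detail = event["detail-type"], event["detail"]
        key_id, key_arn = detail["key-id"], event["resources"][0]

        if kind == "KMS CMK Deletion":
            # KMS guarantees delivery but may send duplicates within seconds:
            # make the handler idempotent on the key ID.
            if key_id in self.deleted_keys:
                return "duplicate"
            self.deleted_keys.add(key_id)
            self.notices.append(
                f"DELETED {key_arn}: ciphertext under this key is now unrecoverable")
            return "deletion"

        if kind == "KMS Imported Key Material Expiration":
            self.notices.append(
                f"EXPIRED {key_arn}: key material {detail['key-material-id'][:8]}... "
                "was deleted; reimport it to restore use of the key")
            return "expiration"

        # KMS CMK Rotation: an ON_DEMAND rotation nobody scheduled is worth a look.
        self.notices.append(
            f"ROTATED {key_arn} ({detail['rotation-type']}): "
            f"{detail['previous-key-material-id'][:8]}... -> "
            f"{detail['current-key-material-id'][:8]}...")
        return "rotation"


PROCESSOR = KmsEventProcessor()


def lambda_handler(event, context=None):
    """Lambda entry point for an EventBridge rule using KMS_EVENT_PATTERN."""
    return {"result": PROCESSOR.process(event)}


# Sample events: the page's examples, reproduced here as constructed test input.
SAMPLE_ROTATION = {
    "version": "0", "id": "6a7e8feb-b491-4cf7-a9f1-bf3703467718",
    "detail-type": "KMS CMK Rotation", "source": "aws.kms",
    "account": "111122223333", "time": "2025-05-23T03:11:54Z", "region": "us-west-2",
    "resources": ["arn:aws:kms:us-west-2:111122223333:key/1234abcd-12ab-34cd-56ef-1234567890ab"],
    "detail": {
        "key-id": "1234abcd-12ab-34cd-56ef-1234567890ab",
        "key-origin": "AWS_KMS",
        "rotation-type": "ON_DEMAND",
        "previous-key-material-id": "123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef0",
        "current-key-material-id": "96083e4fb6dbc41d77578a213a6b6669c044dd4c143e96755396d2bf11fd6068",
    },
}
SAMPLE_DELETION = {
    "version": "0", "id": "e9ce3425-7d22-412a-a699-e7a5fc3fbc9a",
    "detail-type": "KMS CMK Deletion", "source": "aws.kms",
    "account": "111122223333", "time": "2025-05-23T03:11:54Z", "region": "us-west-2",
    "resources": ["arn:aws:kms:us-west-2:111122223333:key/1234abcd-12ab-34cd-56ef-1234567890ab"],
    "detail": {"key-id": "1234abcd-12ab-34cd-56ef-1234567890ab"},
}

if __name__ == "__main__":
    print(json.dumps(KMS_EVENT_PATTERN))          # paste into the EventBridge rule
    for ev in (SAMPLE_ROTATION, SAMPLE_DELETION, SAMPLE_DELETION):
        print(lambda_handler(ev))                 # second deletion reports "duplicate"
    print(*PROCESSOR.notices, sep="\n")
```

If the target is an SQS queue or Kinesis stream instead of Lambda, the same de-duplication applies downstream; only the deletion event is guaranteed, so the rotation and expiration branches should be treated as advisory and backed by the CloudWatch alarms above.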