
Excluding AWS KMS events from a trail

In document AWS Key Management Service (pages 90-127)

Most AWS KMS users rely on the events in a CloudTrail trail to provide a record of the use and management of their AWS KMS resources. The trail can be a valuable source of data for auditing critical events, such as creating, disabling, and deleting AWS KMS keys, changing key policy, and the use of your KMS keys by AWS services on your behalf. In some cases, the metadata in a CloudTrail log entry, such as the encryption context (p. 18) in an encryption operation, can help you to avoid or resolve errors.

However, because AWS KMS can generate a large number of events, AWS CloudTrail lets you exclude AWS KMS events from a trail. This per-trail setting excludes all AWS KMS events; you cannot exclude particular AWS KMS events.

Warning

Excluding AWS KMS events from a CloudTrail Log can obscure actions that use your KMS keys.

Be cautious when giving principals the cloudtrail:PutEventSelectors permission that is required to perform this operation.

To exclude AWS KMS events from a trail:

• In the CloudTrail console, use the Log Key Management Service events setting when you create a trail or update a trail. For instructions, see Logging Management Events with the AWS Management Console in the AWS CloudTrail User Guide.

• In the CloudTrail API, use the PutEventSelectors operation. Add the ExcludeManagementEventSources attribute to your event selectors with a value of kms.amazonaws.com. For an example, see Example: A trail that does not log AWS Key Management Service events in the AWS CloudTrail User Guide.

You can disable this exclusion at any time by changing the console setting or the event selectors for a trail. The trail will then start recording AWS KMS events. However, it cannot recover AWS KMS events that occurred while the exclusion was effective.

When you exclude AWS KMS events by using the console or API, the resulting CloudTrail PutEventSelectors API operation is also logged in your CloudTrail Logs. If AWS KMS events don't appear in your CloudTrail Logs, look for a PutEventSelectors event with the ExcludeManagementEventSources attribute set to kms.amazonaws.com.
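As an added example (not from the guide), the following Python scans a CloudTrail log file for the PutEventSelectors signature described above. The sample records are constructed, and the camelCase field names inside requestParameters (eventSelectors, excludeManagementEventSources) are an assumption about how CloudTrail renders the API parameters; the PascalCase API spelling is accepted as well.

```python
"""Find CloudTrail trails that have been told to stop logging AWS KMS events.

Added example, not from the AWS KMS Developer Guide. It looks for the
signature the guide describes: a PutEventSelectors call whose event
selectors list kms.amazonaws.com under ExcludeManagementEventSources.
Sample records are constructed; the camelCase layout of requestParameters
is assumed, and the PascalCase API spelling is accepted as well.
"""
import json

KMS_SOURCE = "kms.amazonaws.com"


def _excluded_sources(selector):
    """Excluded management event sources of one event selector, any spelling."""
    for key in ("excludeManagementEventSources", "ExcludeManagementEventSources"):
        if key in selector:
            return selector[key] or []
    return []


def kms_exclusions(records):
    """One finding per PutEventSelectors record that excludes KMS events."""
    findings = []
    for rec in records:
        if rec.get("eventSource") != "cloudtrail.amazonaws.com":
            continue
        if rec.get("eventName") != "PutEventSelectors":
            continue
        params = rec.get("requestParameters") or {}
        selectors = params.get("eventSelectors") or params.get("EventSelectors") or []
        if not any(KMS_SOURCE in _excluded_sources(s) for s in selectors):
            continue
        findings.append({
            "eventTime": rec.get("eventTime"),
            "trailName": params.get("trailName") or params.get("TrailName"),
            "actor": (rec.get("userIdentity") or {}).get("arn"),
            "sourceIPAddress": rec.get("sourceIPAddress"),
            "eventID": rec.get("eventID"),
        })
    return findings


def load_records(text):
    """CloudTrail delivers log files as {"Records": [...]}; unwrap that."""
    return json.loads(text).get("Records", [])


# Constructed sample log file: one selector change that excludes KMS events,
# one that keeps them, and an ordinary KMS Decrypt call that is ignored.
SAMPLE_LOG = json.dumps({"Records": [
    {
        "userIdentity": {"type": "IAMUser",
                         "arn": "arn:aws:iam::111122223333:user/Alice"},
        "eventTime": "2021-11-02T10:15:00Z",
        "eventSource": "cloudtrail.amazonaws.com",
        "eventName": "PutEventSelectors",
        "sourceIPAddress": "192.0.2.0",
        "requestParameters": {
            "trailName": "management-trail",
            "eventSelectors": [{
                "readWriteType": "All",
                "includeManagementEvents": True,
                "excludeManagementEventSources": [KMS_SOURCE],
            }],
        },
        "eventID": "EXAMPLE-EVENT-ID-1",
    },
    {
        "userIdentity": {"type": "IAMUser",
                         "arn": "arn:aws:iam::111122223333:user/Bob"},
        "eventTime": "2021-11-02T10:20:00Z",
        "eventSource": "cloudtrail.amazonaws.com",
        "eventName": "PutEventSelectors",
        "sourceIPAddress": "192.0.2.0",
        "requestParameters": {
            "trailName": "data-trail",
            "eventSelectors": [{"readWriteType": "All",
                                "includeManagementEvents": True}],
        },
        "eventID": "EXAMPLE-EVENT-ID-2",
    },
    {"eventSource": "kms.amazonaws.com", "eventName": "Decrypt",
     "eventTime": "2021-11-02T10:25:00Z", "eventID": "EXAMPLE-EVENT-ID-3"},
]})


if __name__ == "__main__":
    for f in kms_exclusions(load_records(SAMPLE_LOG)):
        print(f"{f['eventTime']} {f['trailName']} by {f['actor']} "
              f"from {f['sourceIPAddress']} ({f['eventID']})")
```

Point it at the gunzipped log files CloudTrail delivers to S3 and a non-empty result explains why KMS events stopped appearing in the trail from that time on.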

Examples of AWS KMS log entries

AWS KMS writes entries to your CloudTrail log when you call an AWS KMS operation and when an AWS service calls an operation on your behalf. AWS KMS also writes an entry when it calls an operation for you. For example, it writes an entry when it deletes a KMS key (p. 94) that you scheduled for deletion.

Logging with AWS CloudTrail

The following topics display examples of CloudTrail log entries for AWS KMS operations.

Topics

• CancelKeyDeletion (p. 84)

• ConnectCustomKeyStore (p. 84)

• CreateAlias (p. 85)

• CreateCustomKeyStore (p. 86)

• CreateGrant (p. 86)

• CreateKey (p. 87)

• Decrypt (p. 89)

• Decrypt (from an enclave) (p. 91)

• DeleteAlias (p. 92)

• DeleteCustomKeyStore (p. 93)

• DeleteExpiredKeyMaterial (p. 93)

• DeleteKey (p. 94)

• DescribeCustomKeyStores (p. 95)

• DescribeKey (p. 96)

• DisableKey (p. 97)

• DisconnectCustomKeyStore (p. 98)

• EnableKey (p. 98)

• EnableKeyRotation (p. 99)

• Encrypt (p. 100)

• GenerateDataKey (p. 100)

• GenerateDataKey (from an enclave) (p. 101)

• GenerateDataKeyPair (p. 102)

• GenerateDataKeyPairWithoutPlaintext (p. 103)

• GenerateDataKeyWithoutPlaintext (p. 103)

• GenerateRandom (p. 104)

• GenerateRandom (from an enclave) (p. 105)

• GetKeyPolicy (p. 106)

• GetParametersForImport (p. 106)

• ImportKeyMaterial (p. 107)

• ListAliases (p. 108)

• ListGrants (p. 108)

• ReEncrypt (p. 109)

• ReplicateKey (p. 110)

• RotateKey (p. 111)

• ScheduleKeyDeletion (p. 112)

• SynchronizeMultiRegionKey (p. 114)

• TagResource (p. 115)

• UntagResource (p. 116)

• UpdateAlias (p. 117)

• UpdateCustomKeyStore (p. 117)

• UpdatePrimaryRegion (p. 118)

• Amazon EC2 example one (p. 119)

• Amazon EC2 example two (p. 121)


CancelKeyDeletion

The following example shows an AWS CloudTrail log entry generated by calling the CancelKeyDeletion operation. For information about deleting AWS KMS keys, see Deleting AWS KMS keys (p. 132).

{
  "eventVersion": "1.05",
  "userIdentity": {
  "eventTime": "2020-07-27T21:53:17Z",
  "eventSource": "kms.amazonaws.com",
  "eventName": "CancelKeyDeletion",
  "awsRegion": "us-west-2",
  "sourceIPAddress": "192.0.2.0",
  "userAgent": "AWS Internal",
  "requestParameters": {
    "keyId": "1234abcd-12ab-34cd-56ef-1234567890ab"
  },
  "responseElements": {
    "keyId": "arn:aws:kms:us-west-2:111122223333:key/1234abcd-12ab-34cd-56ef-1234567890ab"
  },
  "requestID": "e3452e68-d4b0-4ec7-a768-7ae96c23764f",
  "eventID": "d818bf03-6655-48e9-8b26-f279a07075fd",
  "readOnly": false,
  "eventType": "AwsApiCall",
  "recipientAccountId": "111122223333"
}

ConnectCustomKeyStore

The following example shows an AWS CloudTrail log entry generated by calling the ConnectCustomKeyStore operation. For information about connecting a custom key store, see Connecting and disconnecting a custom key store (p. 381).

{
  "eventVersion": "1.08",
  "userIdentity": {
    "type": "IAMUser",
    "principalId": "EX_PRINCIPAL_ID",
    "arn": "arn:aws:iam::111122223333:user/Alice",
    "accountId": "111122223333",
    "accessKeyId": "EXAMPLE_KEY_ID",
    "userName": "Alice"
  },
  "eventTime": "2021-10-21T20:17:32Z",
  "eventSource": "kms.amazonaws.com",
  "eventName": "ConnectCustomKeyStore",
  "awsRegion": "us-east-1",
  "sourceIPAddress": "192.0.2.0",
  "userAgent": "AWS Internal",
  "requestParameters": {
    "customKeyStoreId": "cks-1234567890abcdef0"
  },
  "responseElements": null,
  "additionalEventData": {
    "customKeyStoreName": "ExampleKeyStore",
    "clusterId": "cluster-1a23b4cdefg"
  },
  "requestID": "abcde9e1-f1a3-4460-a423-577fb6e695c9",
  "eventID": "114b61b9-0ea6-47f5-a9d2-4f2bdd0017d5",
  "readOnly": false,
  "eventType": "AwsApiCall",
  "managementEvent": true,
  "recipientAccountId": "111122223333"
}

CreateAlias

The following example shows an AWS CloudTrail log entry for the CreateAlias operation. The resources element includes fields for the alias and KMS key resources. For information about creating aliases in AWS KMS, see Creating an alias (p. 29).

{
  "Records": [
  "eventTime": "2014-11-04T00:52:27Z",
  "eventSource": "kms.amazonaws.com",
  "eventName": "CreateAlias",
  "requestID": "d9472f40-63bc-11e4-bc2b-4198b6150d5c",
  "eventID": "f72d3993-864f-48d6-8f16-e26e1ae8dff0",
  "readOnly": false,
    "ARN": "arn:aws:kms:us-east-1:123456789012:alias/my_alias",
    "accountId": "111122223333"
  }],
  "eventType": "AwsApiCall",
  "recipientAccountId": "111122223333"
  } ] }

CreateCustomKeyStore

The following example shows an AWS CloudTrail log entry generated by calling the CreateCustomKeyStore operation. For information about creating custom key stores, see Creating a custom key store (p. 374).

{
  "eventVersion": "1.08",
  "userIdentity": {
    "type": "IAMUser",
    "principalId": "EX_PRINCIPAL_ID",
    "arn": "arn:aws:iam::111122223333:user/Alice",
    "accountId": "111122223333",
    "accessKeyId": "EXAMPLE_KEY_ID",
    "userName": "Alice"
  },
  "eventTime": "2021-10-21T20:17:32Z",
  "eventSource": "kms.amazonaws.com",
  "eventName": "CreateCustomKeyStore",
  "awsRegion": "us-east-1",
  "sourceIPAddress": "192.0.2.0",
  "userAgent": "AWS Internal",
  "requestParameters": {
    "customKeyStoreName": "ExampleKeyStore",
    "clusterId": "cluster-1a23b4cdefg"
  },
  "responseElements": {
    "customKeyStoreId": "cks-1234567890abcdef0"
  },
  "requestID": "abcde9e1-f1a3-4460-a423-577fb6e695c9",
  "eventID": "114b61b9-0ea6-47f5-a9d2-4f2bdd0017d5",
  "readOnly": false,
  "eventType": "AwsApiCall",
  "managementEvent": true,
  "recipientAccountId": "111122223333"
}

CreateGrant

The following example shows an AWS CloudTrail log entry for the CreateGrant operation. For information about creating grants in AWS KMS, see Grants in AWS KMS (p. 180).

{
  "Records": [
  "eventTime": "2014-11-04T00:53:12Z",
  "eventSource": "kms.amazonaws.com",
  "eventName": "CreateGrant",
    "grantId": "f020fe75197b93991dc8491d6f19dd3cebb24ee62277a05914386724f3d48758"
  },
  "requestID": "f3c08808-63bc-11e4-bc2b-4198b6150d5c",
  "eventID": "5d529779-2d27-42b5-92da-91aaea1fc4b5",
  "readOnly": false,
  "recipientAccountId": "111122223333"
  } ]}

CreateKey

These examples show AWS CloudTrail log entries for the CreateKey operation.

A CreateKey log entry can result from a CreateKey request or the CreateKey operation for a ReplicateKey request.

The following example shows a CloudTrail log entry for a CreateKey operation that creates a symmetric KMS key (p. 5). For information about creating KMS keys, see Creating keys (p. 22).

{
  "Records": [
  "eventTime": "2020-06-30T02:34:07Z",
  "eventSource": "kms.amazonaws.com",
  "eventName": "CreateKey",
  "awsRegion": "us-west-2",
  "sourceIPAddress": "192.0.2.0",
  "userAgent": "AWS Internal",
  "requestParameters": {
    "policy": "{\n \"Version\":\"2012-10-17\",\n \"Statement\":[{\n \"Effect\":\"Allow\",\n \"Principal\":{\"AWS\":\"arn:aws:iam::123456789012:user/Alice\"},\n \"Action\":\"kms:*\",\n \"Resource\":\"*\"\n }, {\n \"Effect\":\"Allow\",\n \"Principal\":{\"AWS\":\"arn:aws:iam::012345678901:user/Bob\"},\n \"Action\":\"kms:CreateGrant\",\n \"Resource\":\"*\"\n }, {\n \"Effect\":\"Allow\",\n \"Principal\":{\"AWS\":\"arn:aws:iam::012345678901:user/Charlie\"},\n \"Action\":\"kms:Encrypt\",\n \"Resource\":\"*\"\n}]\n}",
    "description": "",
    "keyUsage": "ENCRYPT_DECRYPT",
    "customerMasterKeySpec": "SYMMETRIC_DEFAULT",
    "origin": "AWS_KMS",
    "keyId": "1234abcd-12ab-34cd-56ef-1234567890ab",
    "arn":
    "customerMasterKeySpec": "SYMMETRIC_DEFAULT",
    "encryptionAlgorithms": [
      "SYMMETRIC_DEFAULT"
    ],
    "multiRegion": false
  },
  "requestID": "ebe8ee68-63bc-11e4-bc2b-4198b6150d5c",
  "eventID": "ba116326-1792-4784-87dd-a688d1cb42ec",
  "readOnly": false,
  "recipientAccountId": "111122223333"
  } ]}

The following example shows the CloudTrail log of a CreateKey operation that creates a symmetric KMS key in an AWS CloudHSM custom key store (p. 367).

{
  "eventVersion": "1.08",
  "userIdentity": {
  "eventTime": "2021-10-14T17:39:50Z",
  "eventSource": "kms.amazonaws.com",
  "eventName": "CreateKey",
  "awsRegion": "us-west-2",
  "sourceIPAddress": "192.0.2.0",
  "userAgent": "AWS Internal",
  "requestParameters": {
    "keyUsage": "ENCRYPT_DECRYPT",
    "bypassPolicyLockoutSafetyCheck": false,
    "origin": "AWS_CLOUDHSM",
    "keySpec": "SYMMETRIC_DEFAULT",
    "customerMasterKeySpec": "SYMMETRIC_DEFAULT",
    "customKeyStoreId": "cks-1234567890abcdef0",
    "description": ""
  },
  "responseElements": {
    "keyMetadata": {
      "aWSAccountId": "111122223333",
      "keyId": "0987dcba-09fe-87dc-65ba-ab0987654321",
      "arn": "arn:aws:kms:us-west-2:111122223333:key/0987dcba-09fe-87dc-65ba-ab0987654321",
      "customKeyStoreId": "cks-1234567890abcdef0",
      "cloudHsmClusterId": "cluster-1a23b4cdefg",
      "keyManager": "CUSTOMER",
      "customerMasterKeySpec": "SYMMETRIC_DEFAULT",
      "keySpec": "SYMMETRIC_DEFAULT",
  "additionalEventData": {
    "backingKey": "{\"keyHandle\":\"19\",\"backingKeyId\":\"backing-key-id\"}"
  },
  "requestID": "4f0b185c-588c-4767-9e90-c618f7e13cad",
  "eventID": "c73964b8-703d-49e4-bd9e-f773d0ee1e65",
  "readOnly": false,
  "resources": [
    {
      "accountId": "111122223333",
      "type": "AWS::KMS::Key",
      "ARN": "arn:aws:kms:us-west-2:111122223333:key/0987dcba-09fe-87dc-65ba-ab0987654321"
    }
  ],
  "eventType": "AwsApiCall",
  "managementEvent": true,
  "recipientAccountId": "111122223333",
  "eventCategory": "Management"
}

Decrypt

These examples show AWS CloudTrail log entries for the Decrypt operation.

The CloudTrail log entry for a Decrypt operation always includes the encryptionAlgorithm in the requestParameters even if the encryption algorithm wasn't specified in the request. The ciphertext in the request and the plaintext in the response are omitted.

{
  "eventVersion": "1.05",
  "userIdentity": {
    "type": "IAMUser",
    "principalId": "EX_PRINCIPAL_ID",
    "arn": "arn:aws:iam::111122223333:user/Alice",
    "accountId": "111122223333",
    "accessKeyId": "EXAMPLE_KEY_ID",
    "userName": "Alice"
  },
  "eventTime": "2020-07-27T22:58:24Z",
  "eventSource": "kms.amazonaws.com",
  "eventName": "Decrypt",
  "awsRegion": "us-west-2",
  "sourceIPAddress": "192.0.2.0",
  "userAgent": "AWS Internal",
  "requestParameters": {
    "encryptionAlgorithm": "SYMMETRIC_DEFAULT",
    "keyId":
  "responseElements": null,
  "requestID": "12345126-30d5-4b28-98b9-9153da559963",
  "eventID": "abcde202-ba1a-467c-b4ba-f729d45ae521",
  "readOnly": true,
  "eventType": "AwsApiCall",
  "recipientAccountId": "111122223333"
}

The following example CloudTrail log entry records a Decrypt operation with a KMS key in an AWS CloudHSM custom key store (p. 367). All log entries for cryptographic operations with a KMS key in a custom key store include an additionalEventData field with the customKeyStoreId. This value isn't specified in the request.

{
  "eventVersion": "1.08",
  "userIdentity": {
    "type": "IAMUser",
    "principalId": "EX_PRINCIPAL_ID",
    "arn": "arn:aws:iam::111122223333:user/Alice",
    "accountId": "111122223333",
    "accessKeyId": "EXAMPLE_KEY_ID",
    "userName": "Alice"
  },
  "eventTime": "2021-10-26T23:41:27Z",
  "eventSource": "kms.amazonaws.com",
  "eventName": "Decrypt",
  "awsRegion": "us-east-1",
  "sourceIPAddress": "192.0.2.0",
  "requestParameters": {
    "encryptionAlgorithm": "SYMMETRIC_DEFAULT",
    "keyId": "arn:aws:kms:us-west-2:111122223333:key/1234abcd-12ab-34cd-56ef-1234567890ab",
    "encryptionContext": {
      "Department": "Development",
      "Purpose": "Test"
    }
  },
  "responseElements": null,
  "additionalEventData": {
    "customKeyStoreId": "cks-1234567890abcdef0"
  },
  "requestID": "e1b881f8-2048-41f8-b6cc-382b7857ec61",
  "eventID": "a79603d5-4cde-46fc-819c-a7cf547b9df4",
  "readOnly": true,
  "eventType": "AwsApiCall",
  "managementEvent": true,
  "recipientAccountId": "111122223333",
  "eventCategory": "Management"
}

Decrypt (from an enclave)

The following example shows an AWS CloudTrail log entry for a kms-decrypt operation in the Nitro Enclaves SDK. The kms-decrypt API calls the AWS KMS Decrypt operation with a parameter that includes a signed attestation document from the enclave.

AWS Nitro Enclaves is an Amazon EC2 capability that lets you create isolated compute environments called enclaves to protect and process highly sensitive data. For more information about AWS Nitro Enclaves and its integration with AWS KMS, see Nitro Enclaves in the Amazon EC2 User Guide for Linux Instances.

When the call originates in an enclave, the CloudTrail log includes recipient data that represents the measurements of the enclave.

{
  "eventVersion": "1.05",
  "userIdentity": {
    "type": "IAMUser",
    "principalId": "EX_PRINCIPAL_ID",
    "arn": "arn:aws:iam::111122223333:user/Alice",
    "accountId": "111122223333",
    "accessKeyId": "EXAMPLE_KEY_ID",
    "userName": "Alice"
  },
  "eventTime": "2020-07-27T22:58:24Z",
  "eventSource": "kms.amazonaws.com",
  "eventName": "Decrypt",
  "awsRegion": "us-west-2",
  "sourceIPAddress": "192.0.2.0",
  "userAgent": "AWS Internal",
  "requestParameters": {
    "encryptionAlgorithm": "SYMMETRIC_DEFAULT",
    "keyId": "arn:aws:kms:us-west-2:111122223333:key/1234abcd-12ab-34cd-56ef-1234567890ab"
  },
  "responseElements": null,
  "additionalEventData": {
    "recipient": {
      "attestationDocumentModuleId": "i-123456789abcde123-enc123456789abcde12",
      "attestationDocumentEnclaveImageDigest": "ee0d451a2ff9aaaa9bccd07700b9cab123a0ac2386ef7e88ad5ea6c72ebabea840957328e2ec890b408c9b06cb8ebe6a",
    }
  },
  "requestID": "b4a65126-30d5-4b28-98b9-9153da559963",
  "eventID": "e5a2f202-ba1a-467c-b4ba-f729d45ae521",
  "readOnly": true,
  "eventType": "AwsApiCall",
  "recipientAccountId": "111122223333"
}
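The Decrypt entries above, and the service-initiated DeleteKey and DeleteExpiredKeyMaterial entries later in this section, differ in a handful of fields a reviewer keys on: where the key identifier appears, whether AWS KMS itself made the call, and whether additionalEventData carries a custom key store ID or enclave attestation data. The following added example (not from the guide) triages KMS records by exactly those fields. Its sample records are constructed to mirror the shapes shown here; the shortened enclave digest is a placeholder, and treating serviceEventDetails.keyId as the key for service events follows the DeleteExpiredKeyMaterial entry.

```python
"""Triage AWS KMS CloudTrail records using the fields this guide describes.

Added example, not from the AWS KMS Developer Guide. For each KMS record it
reports the key involved (resources ARN, requestParameters.keyId or
serviceEventDetails.keyId), whether the call was read-only, whether AWS KMS
made the call itself (eventType AwsServiceEvent, invokedBy "AWS Internal"),
whether a custom key store was used (additionalEventData.customKeyStoreId)
and whether the caller was a Nitro enclave (additionalEventData.recipient).
The sample records are constructed to mirror the shapes shown in the guide.
"""

# Operations that remove or reduce the availability of keys or key material.
DESTRUCTIVE = {
    "ScheduleKeyDeletion", "DeleteKey", "DeleteExpiredKeyMaterial",
    "DisableKey", "DeleteAlias", "DeleteCustomKeyStore",
}


def key_identifier(rec):
    """Prefer the key ARN from resources, else the keyId from the request."""
    for res in rec.get("resources") or []:
        arn = res.get("ARN", "")
        if ":key/" in arn:
            return arn
    params = rec.get("requestParameters") or {}
    details = rec.get("serviceEventDetails") or {}
    return params.get("keyId") or details.get("keyId")


def triage(rec):
    """Reduce one KMS record to the fields worth reviewing."""
    extra = rec.get("additionalEventData") or {}
    ident = rec.get("userIdentity") or {}
    recipient = extra.get("recipient") or {}
    service = (rec.get("eventType") == "AwsServiceEvent"
               or ident.get("invokedBy") == "AWS Internal")
    return {
        "eventName": rec.get("eventName"),
        "key": key_identifier(rec),
        "actor": "AWS KMS" if service else ident.get("arn"),
        "readOnly": bool(rec.get("readOnly")),
        "serviceInitiated": service,
        "customKeyStoreId": extra.get("customKeyStoreId"),
        "enclaveImageDigest": recipient.get("attestationDocumentEnclaveImageDigest"),
        "destructive": rec.get("eventName") in DESTRUCTIVE,
    }


def summarize(records):
    """Triage every record that AWS KMS wrote; ignore other services."""
    return [triage(r) for r in records
            if r.get("eventSource") == "kms.amazonaws.com"]


def alerts(records):
    """Destructive KMS operations, the ones an auditor reviews first."""
    return [t for t in summarize(records) if t["destructive"]]


KEY_ARN = ("arn:aws:kms:us-west-2:111122223333:key/"
           "1234abcd-12ab-34cd-56ef-1234567890ab")
ALICE = {"type": "IAMUser", "arn": "arn:aws:iam::111122223333:user/Alice",
         "accountId": "111122223333"}

# Constructed records shaped like the guide's DeleteExpiredKeyMaterial,
# Decrypt (from an enclave), Decrypt (custom key store) and
# ScheduleKeyDeletion entries, plus one non-KMS record that is ignored.
# The enclave digest is shortened; a real one is a 96-hex-digit SHA-384.
SAMPLE_RECORDS = [
    {"eventSource": "kms.amazonaws.com", "eventName": "DeleteExpiredKeyMaterial",
     "userIdentity": {"accountId": "111122223333", "invokedBy": "AWS Internal"},
     "eventType": "AwsServiceEvent", "readOnly": False,
     "requestParameters": None, "responseElements": None,
     "serviceEventDetails": {"keyId": "1234abcd-12ab-34cd-56ef-1234567890ab"}},
    {"eventSource": "kms.amazonaws.com", "eventName": "Decrypt",
     "userIdentity": ALICE, "eventType": "AwsApiCall", "readOnly": True,
     "requestParameters": {"encryptionAlgorithm": "SYMMETRIC_DEFAULT",
                           "keyId": KEY_ARN},
     "additionalEventData": {"recipient": {
         "attestationDocumentModuleId": "i-123456789abcde123-enc123456789abcde12",
         "attestationDocumentEnclaveImageDigest": "ee0d451a2ff9aaaa9bccd07700b9cab1"}}},
    {"eventSource": "kms.amazonaws.com", "eventName": "Decrypt",
     "userIdentity": ALICE, "eventType": "AwsApiCall", "readOnly": True,
     "requestParameters": {"encryptionAlgorithm": "SYMMETRIC_DEFAULT",
                           "keyId": KEY_ARN},
     "additionalEventData": {"customKeyStoreId": "cks-1234567890abcdef0"}},
    {"eventSource": "kms.amazonaws.com", "eventName": "ScheduleKeyDeletion",
     "userIdentity": ALICE, "eventType": "AwsApiCall", "readOnly": False,
     "requestParameters": {"keyId": "1234abcd-12ab-34cd-56ef-1234567890ab",
                           "pendingWindowInDays": 7},
     "resources": [{"accountId": "111122223333", "ARN": KEY_ARN}]},
    {"eventSource": "s3.amazonaws.com", "eventName": "GetObject", "readOnly": True},
]

if __name__ == "__main__":
    for t in alerts(SAMPLE_RECORDS):
        print(f"{t['eventName']} on {t['key']} by {t['actor']}")
```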

DeleteAlias

The following example shows an AWS CloudTrail log entry for the DeleteAlias operation. For information about deleting aliases, see Deleting an alias (p. 35).

{
  "Records": [
  "eventTime": "2014-11-04T00:52:27Z",
  "eventSource": "kms.amazonaws.com",
  "eventName": "DeleteAlias",
  "requestID": "d9542792-63bc-11e4-bc2b-4198b6150d5c",
  "eventID": "12f48554-bb04-4991-9cfc-e7e85f68eda0",
  "readOnly": false,
  "resources": [{
    "ARN": "arn:aws:kms:us-east-1:111122223333:alias/my_alias",
    "accountId": "111122223333"
  }],
  "eventType": "AwsApiCall",
  "recipientAccountId": "111122223333"
  } ]}

DeleteCustomKeyStore

The following example shows an AWS CloudTrail log entry generated by calling the DeleteCustomKeyStore operation. For information about deleting custom key stores, see Deleting a custom key store (p. 385).

{
  "eventVersion": "1.08",
  "userIdentity": {
    "type": "IAMUser",
    "principalId": "EX_PRINCIPAL_ID",
    "arn": "arn:aws:iam::111122223333:user/Alice",
    "accountId": "111122223333",
    "accessKeyId": "EXAMPLE_KEY_ID",
    "userName": "Alice"
  },
  "eventTime": "2021-10-21T20:17:32Z",
  "eventSource": "kms.amazonaws.com",
  "eventName": "DeleteCustomKeyStore",
  "awsRegion": "us-east-1",
  "sourceIPAddress": "192.0.2.0",
  "userAgent": "AWS Internal",
  "requestParameters": {
    "customKeyStoreId": "cks-1234567890abcdef0"
  },
  "responseElements": null,
  "additionalEventData": {
    "customKeyStoreName": "ExampleKeyStore",
    "clusterId": "cluster-1a23b4cdefg"
  },
  "requestID": "abcde9e1-f1a3-4460-a423-577fb6e695c9",
  "eventID": "114b61b9-0ea6-47f5-a9d2-4f2bdd0017d5",
  "readOnly": false,
  "eventType": "AwsApiCall",
  "managementEvent": true,
  "recipientAccountId": "111122223333"
}

DeleteExpiredKeyMaterial

When you import key material into an AWS KMS key (KMS key), you can set an expiration date and time for that key material. AWS KMS records an entry in your CloudTrail log when you import the key material (p. 107) (with the expiration settings) and when AWS KMS deletes the expired key material.

For information about creating a KMS key with imported key material, see Importing key material in AWS KMS keys (p. 353).

The following example shows an AWS CloudTrail log entry generated when AWS KMS deletes the expired key material.

{
  "eventVersion": "1.05",
  "userIdentity": {
    "accountId": "111122223333",
    "invokedBy": "AWS Internal"
  },
  "eventTime": "2021-01-01T16:00:00Z",
  "eventSource": "kms.amazonaws.com",
  "eventName": "DeleteExpiredKeyMaterial",
  "awsRegion": "us-east-1",
  "sourceIPAddress": "AWS Internal",
  "userAgent": "AWS Internal",
  "requestParameters": null,
  "responseElements": null,
  "eventID": "cfa932fd-0d3a-4a76-a8b8-616863a2b547",
  "readOnly": false,
  "eventType": "AwsServiceEvent",
  "recipientAccountId": "111122223333",
  "serviceEventDetails": {
    "keyId": "1234abcd-12ab-34cd-56ef-1234567890ab"
  }
}

DeleteKey

These examples show the AWS CloudTrail log entry that is generated when a KMS key is deleted. To delete a KMS key, you use the ScheduleKeyDeletion operation. After the specified waiting period expires, AWS KMS deletes the key. AWS KMS records an entry like the following one in your CloudTrail log to record that event.

For an example of the CloudTrail log entry for the ScheduleKeyDeletion operation, see ScheduleKeyDeletion (p. 112). For information about deleting KMS keys, see Deleting AWS KMS keys (p. 132).

The following example CloudTrail log entry records a DeleteKey operation of a KMS key with key material in AWS KMS.

{
  "eventVersion": "1.08",
  "userIdentity": {
    "accountId": "111122223333",
    "invokedBy": "AWS Internal"
  },
  "eventTime": "2020-07-31T00:07:00Z",
  "eventSource": "kms.amazonaws.com",
  "eventName": "DeleteKey",
  "awsRegion": "us-east-1",
  "sourceIPAddress": "AWS Internal",
  "userAgent": "AWS Internal",
  "requestParameters": null,
  "responseElements": null,
  "eventID": "b25f9cda-74e1-4458-847b-4972a0bf9668",
  "readOnly": false,
  "eventType": "AwsServiceEvent",
  "recipientAccountId": "111122223333",
  "managementEvent": true,
  "eventCategory": "Management"
}

The following CloudTrail log entry records a DeleteKey operation of a KMS key in an AWS CloudHSM custom key store (p. 367).

{
  "eventVersion": "1.08",
  "userIdentity": {
    "accountId": "111122223333",
    "invokedBy": "AWS Internal"
  },
  "eventTime": "2021-10-26T23:41:27Z",
  "eventSource": "kms.amazonaws.com",
  "eventName": "DeleteKey",
  "awsRegion": "us-east-1",
  "sourceIPAddress": "AWS Internal",
  "userAgent": "AWS Internal",
  "requestParameters": null,
  "responseElements": null,
  "additionalEventData": {
    "customKeyStoreId": "cks-1234567890abcdef0",
    "clusterId": "cluster-1a23b4cdefg",
    "backingKeys": "[{\"keyHandle\":\"01\",\"backingKeyId\":\"backing-key-id\"}]",
    "backingKeysDeletionStatus": "[{\"keyHandle\":\"01\",\"backingKeyId\":\"backing-key-id\",\"deletionStatus\":\"SUCCESS\"}]"
  },
  "eventID": "1234585c-4b0c-4340-ab11-662414b79239",
  "readOnly": false,
  "eventType": "AwsServiceEvent",
  "recipientAccountId": "111122223333",
  "managementEvent": true,
  "eventCategory": "Management"
}

DescribeCustomKeyStores

The following example shows an AWS CloudTrail log entry generated by calling the DescribeCustomKeyStores operation. For information about viewing custom key stores, see Viewing a custom key store (p. 377).

{
  "eventVersion": "1.08",
  "userIdentity": {
    "type": "IAMUser",
    "principalId": "EX_PRINCIPAL_ID",
    "arn": "arn:aws:iam::111122223333:user/Alice",
    "accountId": "111122223333",
    "accessKeyId": "EXAMPLE_KEY_ID",
    "userName": "Alice"
  },
  "eventTime": "2021-10-21T20:17:32Z",
  "eventSource": "kms.amazonaws.com",
  "eventName": "DescribeCustomKeyStores",
  "awsRegion": "us-east-1",
  "sourceIPAddress": "192.0.2.0",
  "userAgent": "AWS Internal",
  "requestParameters": {
    "customKeyStoreId": "cks-1234567890abcdef0"
  },
  "responseElements": null,
  "requestID": "abcde9e1-f1a3-4460-a423-577fb6e695c9",
  "eventID": "2ea1735f-628d-43e3-b2ee-486d02913a78",
  "readOnly": true,
  "eventType": "AwsApiCall",
  "managementEvent": true,
  "recipientAccountId": "111122223333"
}

DescribeKey

The following example shows a log file that records multiple calls to the DescribeKey operation. AWS KMS records an entry like the following one when you call the DescribeKey operation or view KMS keys (p. 44) in the AWS KMS console. These calls were the result of viewing keys (p. 44) in the AWS KMS management console.

    "principalId": "EX_PRINCIPAL_ID",
    "arn": "arn:aws:iam::111122223333:user/Alice",
    "accountId": "111122223333",
    "accessKeyId": "EXAMPLE_KEY_ID",
    "userName": "Alice",
    "invokedBy": "signin.amazonaws.com"
  },
  "eventTime": "2014-11-05T20:51:34Z",
  "eventSource": "kms.amazonaws.com",
  "eventName": "DescribeKey",
  "awsRegion": "us-east-1",
  "sourceIPAddress": "192.0.2.0",
  "userAgent": "signin.amazonaws.com",
  "requestParameters": {
    "keyId": "1234abcd-12ab-34cd-56ef-1234567890ab"
  },
  "responseElements": null,
  "requestID": "874d4823-652d-11e4-9a87-01af2a1ddecb",
  "eventID": "f715da9b-c52c-4824-99ae-88aa1bb58ae4",
  "readOnly": true,
  "eventType": "AwsApiCall",
  "recipientAccountId": "111122223333"
    "principalId": "EX_PRINCIPAL_ID",
    "arn": "arn:aws:iam::111122223333:user/Alice",
    "accountId": "111122223333",
    "accessKeyId": "EXAMPLE_KEY_ID",
    "userName": "Alice",
    "invokedBy": "signin.amazonaws.com"
  },
  "eventTime": "2014-11-05T20:51:55Z",
  "eventSource": "kms.amazonaws.com",
  "eventName": "DescribeKey",
  "awsRegion": "us-east-1",
  "sourceIPAddress": "192.0.2.0",
  "userAgent": "signin.amazonaws.com",
  "requestParameters": {
    "keyId": "0987dcba-09fe-87dc-65ba-ab0987654321"
  },
  "responseElements": null,
  "requestID": "9400c720-652d-11e4-9a87-01af2a1ddecb",
  "eventID": "939fcefb-dc14-4a52-b918-73045fe97af3",
  "readOnly": true,
  "resources": [
    {
      "ARN": "arn:aws:kms:us-west-2:111122223333:key/0987dcba-09fe-87dc-65ba-ab0987654321",
      "accountId": "111122223333"
    }
  ],
  "eventType": "AwsApiCall",
  "recipientAccountId": "111122223333"
  } ]}

DisableKey

The following example shows an AWS CloudTrail log entry for the DisableKey operation. For information about enabling and disabling AWS KMS keys in AWS KMS, see Enabling and disabling keys (p. 72).

{
  "Records": [
  "eventTime": "2014-11-04T00:52:43Z",
  "eventSource": "kms.amazonaws.com",
  "eventName": "DisableKey",
  "awsRegion": "us-east-1",
  "sourceIPAddress": "192.0.2.0",
  "userAgent": "AWS Internal",
  "requestParameters": {
    "keyId": "1234abcd-12ab-34cd-56ef-1234567890ab"
  },
  "responseElements": null,
  "requestID": "e26552bc-63bc-11e4-bc2b-4198b6150d5c",
  "eventID": "995c4653-3c53-4a06-a0f0-f5531997b741",
  "readOnly": false,
  "recipientAccountId": "111122223333"
  } ] }

DisconnectCustomKeyStore

The following example shows an AWS CloudTrail log entry generated by calling the DisconnectCustomKeyStore operation. For information about disconnecting a custom key store, see Connecting and disconnecting a custom key store (p. 381).

{
  "eventVersion": "1.08",
  "userIdentity": {
    "type": "IAMUser",
    "principalId": "EX_PRINCIPAL_ID",
    "arn": "arn:aws:iam::111122223333:user/Alice",
    "accountId": "111122223333",
    "accessKeyId": "EXAMPLE_KEY_ID",
    "userName": "Alice"
  },
  "eventTime": "2021-10-21T20:17:32Z",
  "eventSource": "kms.amazonaws.com",
  "eventName": "DisconnectCustomKeyStore",
  "awsRegion": "us-east-1",
  "sourceIPAddress": "192.0.2.0",
  "userAgent": "AWS Internal",
  "requestParameters": {
    "customKeyStoreId": "cks-1234567890abcdef0"
  },
  "responseElements": null,
  "additionalEventData": {
    "customKeyStoreName": "ExampleKeyStore",
    "clusterId": "cluster-1a23b4cdefg"
  },
  "requestID": "abcde9e1-f1a3-4460-a423-577fb6e695c9",
  "eventID": "114b61b9-0ea6-47f5-a9d2-4f2bdd0017d5",
  "readOnly": false,
  "eventType": "AwsApiCall",
  "managementEvent": true,
  "recipientAccountId": "111122223333"
}

EnableKey

The following example shows an AWS CloudTrail log entry for the EnableKey operation. For information about enabling and disabling AWS KMS keys in AWS KMS, see Enabling and disabling keys (p. 72).

Logging with AWS CloudTrail

  "eventTime": "2014-11-04T00:52:20Z",
  "eventSource": "kms.amazonaws.com",
  "eventName": "EnableKey",
  "awsRegion": "us-east-1",
  "sourceIPAddress": "192.0.2.0",
  "userAgent": "AWS Internal",
  "requestParameters": {
    "keyId": "1234abcd-12ab-34cd-56ef-1234567890ab"
  },
  "responseElements": null,
  "requestID": "d528a6fb-63bc-11e4-bc2b-4198b6150d5c",
  "eventID": "be393928-3629-4370-9634-567f9274d52e",
  "readOnly": false,
  "recipientAccountId": "111122223333"
  } ] }

EnableKeyRotation

The following example shows an AWS CloudTrail log entry of a call to the EnableKeyRotation operation. For an example of the CloudTrail log entry that is written when the key is rotated, see RotateKey (p. 111). For information about rotating AWS KMS keys, see Rotating AWS KMS keys (p. 74).

{
  "eventVersion": "1.05",
  "userIdentity": {
    "type": "IAMUser",
    "principalId": "EX_PRINCIPAL_ID",
    "arn": "arn:aws:iam::111122223333:user/Alice",
    "accountId": "111122223333",
    "accessKeyId": "EXAMPLE_KEY_ID",
    "userName": "Alice"
  },
  "eventTime": "2020-07-25T23:41:56Z",
  "eventSource": "kms.amazonaws.com",
  "eventName": "EnableKeyRotation",
  "awsRegion": "us-west-2",
  "sourceIPAddress": "192.0.2.0",
  "userAgent": "AWS Internal",
  "requestParameters": {
    "keyId": "1234abcd-12ab-34cd-56ef-1234567890ab"
  },
  "responseElements": null,
  "requestID": "81f5b794-452b-4d6a-932b-68c188165273",
  "eventID": "fefc43a7-8e06-419f-bcab-b3bf18d6a401",
  "readOnly": false,
  "eventType": "AwsApiCall",
  "recipientAccountId": "111122223333"
}

Encrypt

The following example shows an AWS CloudTrail log entry for the Encrypt operation.

{
  "Records": [
  "eventTime": "2014-11-04T00:53:11Z",
  "eventSource": "kms.amazonaws.com",
  "eventName": "Encrypt",
    "encryptionAlgorithm": "SYMMETRIC_DEFAULT",
  },
  "responseElements": null,
  "requestID": "f3423043-63bc-11e4-bc2b-4198b6150d5c",
  "eventID": "91235988-eb87-476a-ac2c-0cdc244e6dca",
  "readOnly": true,
  "eventType": "AwsServiceEvent",
  "recipientAccountId": "111122223333"
  } ] }

GenerateDataKey

The following example shows an AWS CloudTrail log entry for the GenerateDataKey operation.

Logging with AWS CloudTrail

  "eventTime": "2014-11-04T00:52:40Z",
  "eventSource": "kms.amazonaws.com",
  "eventName": "GenerateDataKey",
  "awsRegion": "us-east-1",
  "sourceIPAddress": "192.0.2.0",
  "userAgent": "AWS Internal",
  "requestParameters": {
    "keyId": "1234abcd-12ab-34cd-56ef-1234567890ab",
    "keySpec": "AES_256",
  "requestID": "e0eb83e3-63bc-11e4-bc2b-4198b6150d5c",
  "eventID": "a9dea4f9-8395-46c0-942c-f509c02c2b71",
  "readOnly": true,
  "recipientAccountId": "111122223333"
  } ] }

GenerateDataKey (from an enclave)

The following example shows an AWS CloudTrail log entry for a kms-generate-data-key operation in the Nitro Enclaves SDK. The kms-generate-data-key API calls the AWS KMS GenerateDataKey operation with a parameter that includes a signed attestation document from the enclave.

AWS Nitro Enclaves is an Amazon EC2 capability that lets you create isolated compute environments called enclaves to protect and process highly sensitive data. For more information about AWS Nitro Enclaves and its integration with AWS KMS, see Nitro Enclaves in the Amazon EC2 User Guide for Linux Instances.

When the call originates in an enclave, the CloudTrail log includes recipient data that represents the measurements of the enclave.

{
  "eventVersion": "1.02",
  "userIdentity": {
    "type": "IAMUser",
    "principalId": "EX_PRINCIPAL_ID",
    "arn": "arn:aws:iam::111122223333:user/Alice",
    "accountId": "111122223333",
    "accessKeyId": "EXAMPLE_KEY_ID",
    "userName": "Alice"
  },
  "eventTime": "2014-11-04T00:52:40Z",
  "eventSource": "kms.amazonaws.com",
  "eventName": "GenerateDataKey",
  "awsRegion": "us-east-1",
  "sourceIPAddress": "192.0.2.0",
  "userAgent": "AWS Internal",
  "requestParameters": {
    "keyId": "1234abcd-12ab-34cd-56ef-1234567890ab",
    "numberOfBytes": 32
  },
  "responseElements": null,
  "additionalEventData": {
    "recipient": {
      "attestationDocumentModuleId": "i-123456789abcde123-enc123456789abcde12",
      "attestationDocumentEnclaveImageDigest": "ee0d451a2ff9aaaa9bccd07700b9cab123a0ac2386ef7e88ad5ea6c72ebabea840957328e2ec890b408c9b06cb8ebe6a"
    }
  },
  "requestID": "e0eb83e3-63bc-11e4-bc2b-4198b6150d5c",
  "eventID": "a9dea4f9-8395-46c0-942c-f509c02c2b71",
  "readOnly": true,
  "eventType": "AwsApiCall",
  "recipientAccountId": "111122223333"
}

GenerateDataKeyPair

The following example shows an AWS CloudTrail log entry for the GenerateDataKeyPair operation. This example records an operation that generates an RSA key pair encrypted under a symmetric AWS KMS key.

{
  "eventVersion": "1.05",
  "userIdentity": {
  "eventTime": "2020-07-27T18:57:57Z",
  "eventSource": "kms.amazonaws.com",
  "eventName": "GenerateDataKeyPair",
  "awsRegion": "us-west-2",
  "sourceIPAddress": "192.0.2.0",
  "userAgent": "AWS Internal",
  "requestParameters": {
    "keyPairSpec": "RSA_3072",
    "encryptionContext": {
      "Project": "Alpha"
    },
    "keyId": "1234abcd-12ab-34cd-56ef-1234567890ab"
  },
  "responseElements": null,
  "requestID": "52fb127b-0fe5-42bb-8e5e-f560febde6b0",
  "eventID": "9b6bd6d2-529d-4890-a949-593b13800ad7",
  "readOnly": true,
  "eventType": "AwsApiCall",
  "recipientAccountId": "111122223333"
}

GenerateDataKeyPairWithoutPlaintext

The following example shows an AWS CloudTrail log entry for the GenerateDataKeyPairWithoutPlaintext operation. This example records an operation that generates an RSA key pair that is encrypted under a symmetric AWS KMS key.

{
  "eventVersion": "1.05",


