HSM audit log reference - AWS CloudHSM

HSM audit log reference

AWS CloudHSM records HSM management commands in audit log events. Each event has an operation code (Opcode) value that identifies the action that occurred and its response. You can use the Opcode values to search, sort, and filter the logs.

The following table defines the Opcode values in an AWS CloudHSM audit log.

Operation Code (Opcode)         Description

User Login: these events include the user name and user type
CN_LOGIN (0xd)                  User login
CN_LOGOUT (0xe)                 User logout
CN_APP_FINALIZE                 The connection with the HSM was closed. Any session keys or quorum tokens from this connection were deleted.
CN_CLOSE_SESSION                The session with the HSM was closed. Any session keys or quorum tokens from this session were deleted.

User Management: these events include the user name and user type
CN_CREATE_USER (0x3)            Create a crypto user (CU)
CN_CREATE_CO                    Create a crypto officer (CO)
CN_DELETE_USER                  Delete a user
CN_CHANGE_PSWD                  Change a user password
CN_SET_M_VALUE                  Set quorum authentication (M of N) for a user action
CN_APPROVE_TOKEN                Approve a quorum authentication token for a user action
CN_DELETE_TOKEN                 Delete one or more quorum tokens
CN_GET_TOKEN                    Request a signing token to initiate a quorum operation

Key Management: these events include the key handle
CN_GENERATE_KEY                 Generate a symmetric key
CN_GENERATE_KEY_PAIR (0x19)     Generate an asymmetric key pair
CN_CREATE_OBJECT                Import a public key (without wrapping)
CN_MODIFY_OBJECT                Set a key attribute
CN_DESTROY_OBJECT (0x11)        Delete a session key
CN_TOMBSTONE_OBJECT             Delete a token key
CN_SHARE_OBJECT                 Share or unshare a key
CN_WRAP_KEY                     Export an encrypted copy of a key (wrapKey)
CN_UNWRAP_KEY                   Import an encrypted copy of a key (unwrapKey)
CN_DERIVE_KEY                   Derive a symmetric key from an existing key
CN_NIST_AES_WRAP                Encrypt or decrypt a key with an AES key
CN_INSERT_MASKED_OBJECT_USER    Insert an encrypted key, with its attributes, received from another HSM in the cluster
CN_EXTRACT_MASKED_OBJECT_USER   Wrap (encrypt) a key, with its attributes, for transfer to another HSM in the cluster

Back up HSMs
CN_BACKUP_BEGIN                 Begin the backup process
CN_BACKUP_END                   Complete the backup process
CN_RESTORE_BEGIN                Begin restoring from a backup
CN_RESTORE_END                  Complete restoring from a backup

Certificate-Based Authentication
CN_CERT_AUTH_STORE_CERT         Store the cluster certificate

HSM Instance Commands
CN_INIT_TOKEN (0x1)             Start the HSM initialization process
CN_INIT_DONE                    The HSM initialization process has finished
CN_GEN_KEY_ENC_KEY              Generate a key encryption key (KEK)
CN_GEN_PSWD_ENC_KEY (0x1d)      Generate a password encryption key (PEK)

HSM crypto commands
CN_FIPS_RAND                    Generate a FIPS-compliant random number
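The following script is an added example, not part of the AWS documentation, showing how the Opcode values above can drive searching, sorting and filtering of audit events. It groups each opcode into the families the table defines, parses a small set of constructed sample records, and reports failed commands plus a reviewer-chosen set of high-interest operations (user creation, key export, restore, and so on). The "Field : Value" record layout and the field names (Time, Sequence No, Opcode, Response, User Name, Key Handle) are assumptions made for this example; adapt the regular expressions to the exact layout of your exported log lines.

```python
import re
from collections import Counter

# Opcode families, taken from the table on this page.
OPCODE_GROUPS = {
    "user_login": {"CN_LOGIN", "CN_LOGOUT", "CN_APP_FINALIZE", "CN_CLOSE_SESSION"},
    "user_management": {
        "CN_CREATE_USER", "CN_CREATE_CO", "CN_DELETE_USER", "CN_CHANGE_PSWD",
        "CN_SET_M_VALUE", "CN_APPROVE_TOKEN", "CN_DELETE_TOKEN", "CN_GET_TOKEN",
    },
    "key_management": {
        "CN_GENERATE_KEY", "CN_GENERATE_KEY_PAIR", "CN_CREATE_OBJECT", "CN_MODIFY_OBJECT",
        "CN_DESTROY_OBJECT", "CN_TOMBSTONE_OBJECT", "CN_SHARE_OBJECT", "CN_WRAP_KEY",
        "CN_UNWRAP_KEY", "CN_DERIVE_KEY", "CN_NIST_AES_WRAP",
        "CN_INSERT_MASKED_OBJECT_USER", "CN_EXTRACT_MASKED_OBJECT_USER",
    },
    "backup": {"CN_BACKUP_BEGIN", "CN_BACKUP_END", "CN_RESTORE_BEGIN", "CN_RESTORE_END"},
    "cert_auth": {"CN_CERT_AUTH_STORE_CERT"},
    "hsm_instance": {"CN_INIT_TOKEN", "CN_INIT_DONE", "CN_GEN_KEY_ENC_KEY", "CN_GEN_PSWD_ENC_KEY"},
    "crypto": {"CN_FIPS_RAND"},
}

# Reverse lookup: opcode name -> family name.
GROUP_OF = {op: grp for grp, ops in OPCODE_GROUPS.items() for op in ops}

# Opcodes this example chooses to surface for review (an editorial choice, not from the page):
# they change who can use the HSM, remove or export key material, or rewrite HSM state.
HIGH_INTEREST = {
    "CN_CREATE_USER", "CN_CREATE_CO", "CN_DELETE_USER", "CN_CHANGE_PSWD", "CN_SET_M_VALUE",
    "CN_TOMBSTONE_OBJECT", "CN_WRAP_KEY", "CN_EXTRACT_MASKED_OBJECT_USER",
    "CN_RESTORE_BEGIN", "CN_INIT_TOKEN",
}

# Constructed sample records (assumed "Field : Value" layout, blank line between records).
SAMPLE_LOG = """\
Time: 01/02/24 10:15:00.000001, usecs:1704190500000001
Sequence No : 0x10
Opcode : CN_LOGIN (0xd)
Response : 0:HSM Return: SUCCESS
User Name : app_cu

Time: 01/02/24 10:15:02.000001, usecs:1704190502000001
Sequence No : 0x11
Opcode : CN_GENERATE_KEY_PAIR (0x19)
Response : 0:HSM Return: SUCCESS
Key Handle : 0x12

Time: 01/02/24 10:16:40.000001, usecs:1704190600000001
Sequence No : 0x12
Opcode : CN_LOGIN (0xd)
Response : 1:HSM Error: (constructed) login failed
User Name : admin_co

Time: 01/02/24 10:16:55.000001, usecs:1704190615000001
Sequence No : 0x13
Opcode : CN_LOGIN (0xd)
Response : 0:HSM Return: SUCCESS
User Name : admin_co

Time: 01/02/24 10:17:05.000001, usecs:1704190625000001
Sequence No : 0x14
Opcode : CN_CREATE_USER (0x3)
Response : 0:HSM Return: SUCCESS
User Name : admin_co

Time: 01/02/24 10:17:30.000001, usecs:1704190650000001
Sequence No : 0x15
Opcode : CN_DESTROY_OBJECT (0x11)
Response : 0:HSM Return: SUCCESS
Key Handle : 0x12

Time: 01/02/24 10:17:40.000001, usecs:1704190660000001
Sequence No : 0x16
Opcode : CN_LOGOUT (0xe)
Response : 0:HSM Return: SUCCESS
User Name : admin_co
"""

FIELD_RE = re.compile(r"^\s*([A-Za-z ]+?)\s*:\s*(.*?)\s*$")
OPCODE_RE = re.compile(r"^(CN_[A-Z_]+)\s*\((0x[0-9a-fA-F]+)\)$")


def parse_events(text):
    """Split the log into records and extract the fields used for filtering."""
    events = []
    for block in re.split(r"\n\s*\n", text.strip()):
        fields = {}
        for line in block.splitlines():
            m = FIELD_RE.match(line)
            if m:
                fields[m.group(1)] = m.group(2)
        m = OPCODE_RE.match(fields.get("Opcode", ""))
        if not m:
            continue  # not an HSM command record; skip it
        opcode, code = m.group(1), int(m.group(2), 16)
        response = fields.get("Response", "")
        events.append({
            "seq": int(fields.get("Sequence No", "0x0"), 16),
            "opcode": opcode,
            "code": code,
            "group": GROUP_OF.get(opcode, "unknown"),
            "success": "SUCCESS" in response,
            "user": fields.get("User Name"),
            "key_handle": fields.get("Key Handle"),
        })
    return events


def filter_events(events, group=None, opcodes=None, failed_only=False):
    """Filter by opcode family, specific opcodes, or failure, then sort by sequence number."""
    out = events
    if group:
        out = [e for e in out if e["group"] == group]
    if opcodes:
        out = [e for e in out if e["opcode"] in opcodes]
    if failed_only:
        out = [e for e in out if not e["success"]]
    return sorted(out, key=lambda e: e["seq"])


def summarize(events):
    """Count events per opcode family."""
    return Counter(e["group"] for e in events)


def review_findings(events):
    """Lines a reviewer would want to see: failed commands and high-interest opcodes."""
    findings = []
    for e in sorted(events, key=lambda e: e["seq"]):
        if not e["success"]:
            findings.append(f"seq=0x{e['seq']:x} FAILED {e['opcode']} user={e['user']}")
        elif e["opcode"] in HIGH_INTEREST:
            findings.append(f"seq=0x{e['seq']:x} REVIEW {e['opcode']} user={e['user']} key={e['key_handle']}")
    return findings


if __name__ == "__main__":
    evs = parse_events(SAMPLE_LOG)
    print(dict(summarize(evs)))
    for line in review_findings(evs):
        print(line)
```

Matching on the opcode name rather than the hex value keeps the filter readable and lets the family lookup fall back to "unknown" for any opcode not in the table, which is itself worth surfacing rather than silently dropping.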