AWS CloudHSM
User Guide

Audit Log Reference

AWS CloudHSM records HSM management commands as audit log events. Each event carries an operation code (Opcode) value that identifies the action that occurred, alongside the HSM's response to that action. You can use the Opcode values to search, sort, and filter the logs.

The following table defines the Opcode values in an AWS CloudHSM audit log.

Operation Code (Opcode)            Description

User Login: These events include the user name and user type.
CN_LOGIN (0xd)                     User login (excludes the appliance user [AU])
CN_LOGOUT (0xe)                    User logout (excludes the appliance user [AU])
CN_APP_FINALIZE                    App finalize (logged only when the user did not explicitly log out)
CN_CLOSE_SESSION                   Close session (logged only when the user did not explicitly log out)

User Management: These events include the user name and user type.
CN_CREATE_USER (0x3)               Create a crypto user (CU)
CN_CREATE_CO                       Create a crypto officer (CO)
CN_CREATE_APPLIANCE_USER           Create an appliance user (AU)
CN_DELETE_USER                     Delete a user
CN_CHANGE_PSWD                     Change a user password
CN_SET_M_VALUE                     Set quorum authentication (M of N) for a user action
CN_APPROVE_TOKEN                   Approve a quorum authentication token for a user action

Key Management: These events include the key handle.
CN_GENERATE_KEY                    Generate a symmetric key
CN_GENERATE_KEY_PAIR (0x19)        Generate a key pair (DSA, ECC, or RSA)
CN_CREATE_OBJECT                   Import a public key (without wrapping)
CN_MODIFY_OBJECT                   Set a key attribute in key_mgmt_util or cloudhsm_mgmt_util
CN_DESTROY_OBJECT (0x11)           Delete a key
CN_TOMBSTONE_OBJECT                Mark a key for deletion without removing it
CN_SHARE_OBJECT                    Share or unshare a key
CN_WRAP_KEY                        Export an encrypted copy of a key (wrapKey)
CN_UNWRAP_KEY                      Import an encrypted copy of a key (unwrapKey)
CN_NIST_AES_WRAP                   Encrypt or decrypt a file (aesWrapUnwrap)
CN_INSERT_MASKED_OBJECT_USER       Receive a key (as a masked object) from another HSM in the cluster; logged when a client action synchronizes the key
CN_EXTRACT_MASKED_OBJECT_USER      Send a key (as a masked object) to the other HSMs in the cluster; logged when a client action synchronizes the key

Clone HSMs
CN_CLONE_SOURCE_INIT               Clone source start
CN_CLONE_SOURCE_STAGE1             Clone source end
CN_CLONE_TARGET_INIT               Clone target start
CN_CLONE_TARGET_STAGE1             Clone target end

Certificate-Based Authentication
CN_CERT_AUTH_STORE_CERT            Store a certificate
CN_CERT_AUTH_VALIDATE_PEER_CERTS   Validate a certificate
CN_CERT_AUTH_SOURCE_KEY_EXCHANGE   Source key exchange
CN_CERT_AUTH_TARGET_KEY_EXCHANGE   Target key exchange

HSM Instance Commands
CN_INIT_TOKEN (0x1)                Initialize the HSM: start
CN_INIT_DONE                       Initialize the HSM: complete
CN_GEN_KEY_ENC_KEY                 Generate a key encryption key (KEK)
CN_GEN_PSWD_ENC_KEY (0x1d)         Generate a password encryption key (PEK)
CN_CLOSE_PARTITION_SESSIONS        Close a session on the HSM
CN_STORE_KBK_SHARE                 Store the key backup key (KBK)
CN_SET_NODEID                      Set the node ID of the HSM in the cluster
CN_ZEROIZE                         Zeroize the HSM