Monitoring attested requests
You can use your AWS CloudTrail logs to monitor Decrypt, DeriveSharedSecret, GenerateDataKey, GenerateDataKeyPair, and GenerateRandom operations that use attestation. In these log entries, the additionalEventData field has a recipient field with information from the attestation document in the request. These fields are included only when the Recipient parameter in the request specifies a signed attestation document.
The specific information included in the CloudTrail log depends on the attestation method used.
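The following is an added example (not AWS documentation code) of how a defender might scan a CloudTrail log file for the attested KMS operations described above; the sample records, the ARNs and the placeholder contents of the recipient field are constructed, since the real contents depend on the attestation method.

```python
import json

# KMS operations that accept a Recipient (attestation document) parameter,
# as listed in the text above.
ATTESTABLE_OPS = {"Decrypt", "DeriveSharedSecret", "GenerateDataKey",
                  "GenerateDataKeyPair", "GenerateRandom"}

# Constructed sample CloudTrail log file ("Records" array). The content of
# "recipient" is a placeholder, not a real attestation document; only its
# presence under additionalEventData matters for this check.
ENCLAVE = "arn:aws:sts::111122223333:assumed-role/EnclaveRole/i-0example"
USER = "arn:aws:iam::111122223333:user/alice"
SAMPLE_TRAIL = json.dumps({"Records": [
    {"eventSource": "kms.amazonaws.com", "eventName": "Decrypt",
     "userIdentity": {"arn": ENCLAVE},
     "additionalEventData": {"recipient": {"placeholder": "<constructed>"}}},
    {"eventSource": "kms.amazonaws.com", "eventName": "Decrypt",
     "userIdentity": {"arn": USER}},
    {"eventSource": "kms.amazonaws.com", "eventName": "GenerateRandom",
     "userIdentity": {"arn": ENCLAVE},
     "additionalEventData": {"recipient": {"placeholder": "<constructed>"}}},
    {"eventSource": "kms.amazonaws.com", "eventName": "DescribeKey",
     "userIdentity": {"arn": USER}},
]})


def attested_kms_events(trail_json):
    """Return (eventName, caller ARN, recipient) for every KMS event whose
    request carried a signed attestation document."""
    hits = []
    for rec in json.loads(trail_json).get("Records", []):
        if rec.get("eventSource") != "kms.amazonaws.com":
            continue
        if rec.get("eventName") not in ATTESTABLE_OPS:
            continue
        # recipient is present only when the request's Recipient parameter
        # specified a signed attestation document; plain requests lack it.
        recipient = (rec.get("additionalEventData") or {}).get("recipient")
        if recipient is None:
            continue
        arn = rec.get("userIdentity", {}).get("arn", "<unknown>")
        hits.append((rec["eventName"], arn, recipient))
    return hits


if __name__ == "__main__":
    for name, arn, recipient in attested_kms_events(SAMPLE_TRAIL):
        print(f"{name:<18} {arn}  recipient keys={sorted(recipient)}")
```

The same filter can be applied to each file under the CloudTrail S3 prefix, or expressed as a CloudWatch Logs query on additionalEventData.recipient, to distinguish attested calls from ordinary ones made with the same credentials.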