Decrypt
These examples show AWS CloudTrail log entries for the Decrypt operation.
The CloudTrail log entry for a Decrypt
operation always includes the
encryptionAlgorithm
in the requestParameters
even if the
encryption algorithm wasn't specified in the request. The ciphertext in the request and the
plaintext in the response are omitted.
Topics
Decrypt with a standard symmetric encryption key
The following is an example CloudTrail log entry for a Decrypt
operation with a
standard symmetric encryption key.
{ "eventVersion": "1.05", "userIdentity": { "type": "IAMUser", "principalId": "EX_PRINCIPAL_ID", "arn": "arn:aws:iam::111122223333:user/Alice", "accountId": "111122223333", "accessKeyId": "EXAMPLE_KEY_ID", "userName": "Alice" }, "eventTime": "2020-07-27T22:58:24Z", "eventSource": "kms.amazonaws.com", "eventName": "Decrypt", "awsRegion": "us-west-2", "sourceIPAddress": "192.0.2.0", "userAgent": "AWS Internal", "requestParameters": { "encryptionAlgorithm": "SYMMETRIC_DEFAULT", "keyId": "arn:aws:kms:us-west-2:111122223333:key/1234abcd-12ab-34cd-56ef-1234567890ab", "encryptionContext": { "Department": "Engineering", "Project": "Alpha" } }, "responseElements": null, "requestID": "12345126-30d5-4b28-98b9-9153da559963", "eventID": "abcde202-ba1a-467c-b4ba-f729d45ae521", "readOnly": true, "resources": [ { "accountId": "111122223333", "type": "AWS::KMS::Key", "ARN": "arn:aws:kms:us-west-2:111122223333:key/1234abcd-12ab-34cd-56ef-1234567890ab" } ], "eventType": "AwsApiCall", "recipientAccountId": "111122223333" }
Decrypt failure with a standard symmetric encryption key
The following example CloudTrail log entry records a failed Decrypt
operation
with a standard symmetric encryption KMS key. The exception (errorCode
)
and error message (errorMessage
) are included help you to resolve the
error.
In this case, the symmetric encryption KMS key specified in the Decrypt
request was not the symmetric encryption KMS key that was used to encrypt the
data.
{ "eventVersion": "1.08", "userIdentity": { "type": "IAMUser", "principalId": "EX_PRINCIPAL_ID", "arn": "arn:aws:iam::111122223333:user/Alice", "accountId": "111122223333", "accessKeyId": "EXAMPLE_KEY_ID", "userName": "Alice" }, "eventTime": "2022-11-24T18:57:43Z", "eventSource": "kms.amazonaws.com", "eventName": "Decrypt", "awsRegion": "us-west-2", "sourceIPAddress": "192.0.2.0", "userAgent": "AWS Internal", "errorCode": "IncorrectKeyException" "errorMessage": "The key ID in the request does not identify a CMK that can perform this operation.", "requestParameters": { "encryptionAlgorithm": "SYMMETRIC_DEFAULT", "keyId": "arn:aws:kms:us-west-2:111122223333:key/1234abcd-12ab-34cd-56ef-1234567890ab", "encryptionContext": { "Department": "Engineering", "Project": "Alpha" } }, "responseElements": null, "requestID": "22345126-30d5-4b28-98b9-9153da559963", "eventID": "abcde202-ba1a-467c-b4ba-f729d45ae521", "readOnly": true, "resources": [ { "accountId": "111122223333", "type": "AWS::KMS::Key", "ARN": "arn:aws:kms:us-west-2:111122223333:key/1234abcd-12ab-34cd-56ef-1234567890ab" } ], "eventType": "AwsApiCall", "recipientAccountId": "111122223333" }
Decrypt with a KMS key in an AWS CloudHSM key store
The following example CloudTrail log entry records a Decrypt
operation with a
KMS key in an AWS CloudHSM key store. All log
entries for cryptographic operations with a KMS key in a custom key store include an
additionalEventData
field with the customKeyStoreId
and
backingKeyId
. The value returned in the backingKeyId
field
is the CloudHSM key id
attribute. The additionalEventData
isn't
specified in the request.
{ "eventVersion": "1.08", "userIdentity": { "type": "IAMUser", "principalId": "EX_PRINCIPAL_ID", "arn": "arn:aws:iam::111122223333:user/Alice", "accountId": "111122223333", "accessKeyId": "EXAMPLE_KEY_ID", "userName": "Alice" }, "eventTime": "2021-10-26T23:41:27Z", "eventSource": "kms.amazonaws.com", "eventName": "Decrypt", "awsRegion": "us-west-2", "sourceIPAddress": "192.0.2.0", "requestParameters": { "encryptionAlgorithm": "SYMMETRIC_DEFAULT", "keyId": "arn:aws:kms:us-west-2:111122223333:key/1234abcd-12ab-34cd-56ef-1234567890ab", "encryptionContext": { "Department": "Development", "Purpose": "Test" } }, "responseElements": null, "additionalEventData": { "customKeyStoreId": "cks-1234567890abcdef0" }, "requestID": "e1b881f8-2048-41f8-b6cc-382b7857ec61", "eventID": "a79603d5-4cde-46fc-819c-a7cf547b9df4", "readOnly": true, "resources": [ { "accountId": "111122223333", "type": "AWS::KMS::Key", "ARN": "arn:aws:kms:us-west-2:111122223333:key/1234abcd-12ab-34cd-56ef-1234567890ab" } ], "eventType": "AwsApiCall", "managementEvent": true, "recipientAccountId": "111122223333", "eventCategory": "Management" }
Decrypt with a KMS key in an external key store
The following example CloudTrail log entry records a Decrypt
operation with a
KMS key in an external key store. In addition
to the customKeyStoreId
, the additionalEventData
field
includes the external key ID
(XksKeyId
). The additionalEventData
isn't specified in the
request.
{ "eventVersion": "1.08", "userIdentity": { "type": "IAMUser", "principalId": "EX_PRINCIPAL_ID", "arn": "arn:aws:iam::111122223333:user/Alice", "accountId": "111122223333", "accessKeyId": "EXAMPLE_KEY_ID", "userName": "Alice" }, "eventTime": "2022-11-24T00:26:58Z", "eventSource": "kms.amazonaws.com", "eventName": "Decrypt", "awsRegion": "us-west-2", "sourceIPAddress": "AWS Internal", "requestParameters": { "encryptionAlgorithm": "SYMMETRIC_DEFAULT", "keyId": "arn:aws:kms:us-west-2:111122223333:key/0987dcba-09fe-87dc-65ba-ab0987654321", "encryptionContext": { "Department": "Engineering", "Purpose": "Test" } }, "responseElements": null, "additionalEventData": { "customKeyStoreId": "cks-9876543210fedcba9", "xksKeyId": "abc01234567890fe" }, "requestID": "f1b881f8-2048-41f8-b6cc-382b7857ec61", "eventID": "b79603d5-4cde-46fc-819c-a7cf547b9df4", "readOnly": true, "resources": [ { "accountId": "111122223333", "type": "AWS::KMS::Key", "ARN": "arn:aws:kms:us-west-2:111122223333:key/0987dcba-09fe-87dc-65ba-ab0987654321" } ], "eventType": "AwsApiCall", "managementEvent": true, "recipientAccountId": "111122223333", "eventCategory": "Management" }
Decrypt failure with a KMS key in an external key store
The following example CloudTrail log entry records a failed request for a
Decrypt
operation with a KMS key in an external key store. CloudWatch logs requests that fail,
in addition to successful requests. When recording a failure, the CloudTrail log entry
includes the exception (errorCode) and the accompanying error message
(errorMessage).
If the failed request reached your external key store proxy, as in this example, you
can use the requestId
value to associate the failed request with a
corresponding request your external key store proxy logs, if your proxy provides
them.
For help with Decrypt
requests in external key stores, see Decryption errors.
{ "eventVersion": "1.08", "userIdentity": { "type": "IAMUser", "principalId": "EX_PRINCIPAL_ID", "arn": "arn:aws:iam::111122223333:user/Alice", "accountId": "111122223333", "accessKeyId": "EXAMPLE_KEY_ID", "userName": "Alice" }, "eventTime": "2022-11-24T00:26:58Z", "eventSource": "kms.amazonaws.com", "eventName": "Decrypt", "awsRegion": "us-west-2", "sourceIPAddress": "AWS Internal", "userAgent": "AWS Internal", "errorCode": "KMSInvalidStateException", "errorMessage": "The external key store proxy rejected the request because the specified ciphertext or additional authenticated data is corrupted, missing, or otherwise invalid.", "requestParameters": { "encryptionAlgorithm": "SYMMETRIC_DEFAULT", "keyId": "arn:aws:kms:us-west-2:111122223333:key/0987dcba-09fe-87dc-65ba-ab0987654321", "encryptionContext": { "Department": "Engineering", "Purpose": "Test" } }, "responseElements": null, "additionalEventData": { "customKeyStoreId": "cks-9876543210fedcba9", "xksKeyId": "abc01234567890fe" }, "requestID": "f1b881f8-2048-41f8-b6cc-382b7857ec61", "eventID": "b79603d5-4cde-46fc-819c-a7cf547b9df4", "readOnly": true, "resources": [ { "accountId": "111122223333", "type": "AWS::KMS::Key", "ARN": "arn:aws:kms:us-west-2:111122223333:key/0987dcba-09fe-87dc-65ba-ab0987654321" } ], "eventType": "AwsApiCall", "managementEvent": true, "recipientAccountId": "111122223333", "eventCategory": "Management" }