Logging AWS KMS API calls with AWS CloudTrail - AWS Key Management Service


AWS KMS is integrated with AWS CloudTrail, a service that records all calls to AWS KMS by users, roles, and other AWS services. CloudTrail captures all API calls to AWS KMS as events, including calls from the AWS KMS console, AWS KMS APIs, the AWS Command Line Interface (AWS CLI), and AWS Tools for PowerShell.

CloudTrail logs all AWS KMS operations, including read-only operations, such as ListAliases and GetKeyRotationStatus, operations that manage KMS keys, such as CreateKey and PutKeyPolicy, and cryptographic operations, such as GenerateDataKey and Decrypt.

CloudTrail logs successful operations and attempted calls that failed, such as when the caller is denied access to a resource. Operations on KMS keys in other accounts are logged in both the caller account and the KMS key owner account.

For security reasons, some fields are omitted from AWS KMS log entries, such as the Plaintext parameter of an Encrypt request, and the response to GetKeyPolicy or any cryptographic operation.

Although, by default, all AWS KMS actions are logged as CloudTrail events, you can exclude AWS KMS actions from a CloudTrail trail. For details, see Excluding AWS KMS events from a trail.

Logging events in CloudTrail

CloudTrail is enabled on your AWS account when you create the account. When activity occurs in AWS KMS, that activity is recorded in a CloudTrail event along with other AWS service events in Event history. You can view, search, and download recent events in your AWS account. For more information, see Viewing Events with CloudTrail Event History.

For an ongoing record of events in your AWS account, including events for AWS KMS, create a trail. A trail enables CloudTrail to deliver log files to an Amazon S3 bucket. By default, when you create a trail in the console, the trail applies to all regions. The trail logs events from all regions in the AWS partition and delivers the log files to the Amazon S3 bucket that you specify. Additionally, you can configure other AWS services to further analyze and act upon the event data collected in CloudTrail logs. For more information, see:

To learn more about CloudTrail, see the AWS CloudTrail User Guide. To learn about other ways to monitor the use of your KMS keys, see Monitoring AWS KMS keys.

Every event or log entry contains information about who generated the request. The identity information helps you determine the following:

  • Whether the request was made with root or IAM user credentials.

  • Whether the request was made with temporary security credentials for a role or federated user.

  • Whether the request was made by another AWS service.

For more information, see the CloudTrail userIdentity Element.

Excluding AWS KMS events from a trail

Most AWS KMS users rely on the events in a CloudTrail trail to provide a record of the use and management of their AWS KMS resources. The trail can be a valuable source of data for auditing critical events, such as creating, disabling, and deleting AWS KMS keys, changing key policies, and the use of your KMS keys by AWS services on your behalf. In some cases, the metadata in a CloudTrail log entry, such as the encryption context in an encryption operation, can help you to avoid or resolve errors.

However, because AWS KMS can generate a large number of events, AWS CloudTrail lets you exclude AWS KMS events from a trail. This per-trail setting excludes all AWS KMS events; you cannot exclude particular AWS KMS events.

Warning

Excluding AWS KMS events from a CloudTrail Log can obscure actions that use your KMS keys. Be cautious when giving principals the cloudtrail:PutEventSelectors permission that is required to perform this operation.

To exclude AWS KMS events from a trail:

You can disable this exclusion at any time by changing the console setting or the event selectors for a trail. The trail will then start recording AWS KMS events. However, it cannot recover AWS KMS events that occurred while the exclusion was effective.

When you exclude AWS KMS events by using the console or API, the resulting CloudTrail PutEventSelectors API operation is also logged in your CloudTrail Logs. If AWS KMS events don't appear in your CloudTrail Logs, look for a PutEventSelectors event with the ExcludeManagementEventSources attribute set to kms.amazonaws.com.
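The following is an added example, not code from the AWS documentation or from AWS KMS itself. It reads a CloudTrail log file (the `{"Records": [...]}` shape CloudTrail delivers to Amazon S3), classifies the caller of each AWS KMS event from the userIdentity element as the three questions above describe (root or IAM user credentials, temporary credentials for a role or federated user, or another AWS service), notes failed calls by their errorCode, and flags any PutEventSelectors call whose event selectors exclude kms.amazonaws.com. The records are constructed sample data; the assumptions are that log records use the camelCase field names shown (the code also accepts the PascalCase API spelling ExcludeManagementEventSources) and that the trail name appears in requestParameters as trailName.

```python
"""Scan CloudTrail records for AWS KMS activity and for trails that exclude KMS events.

Added example. SAMPLE_LOG is constructed data shaped like a CloudTrail log file;
none of it is real account output.
"""
import json

# Constructed sample CloudTrail log file: three KMS events and one PutEventSelectors
# call that excludes kms.amazonaws.com from the trail "management-events".
SAMPLE_LOG = json.dumps({"Records": [
    {
        "eventSource": "kms.amazonaws.com",
        "eventName": "Decrypt",
        "userIdentity": {"type": "AssumedRole",
                         "arn": "arn:aws:sts::111122223333:assumed-role/AppRole/session1"},
        "requestParameters": {"encryptionContext": {"app": "orders"}},
    },
    {
        "eventSource": "kms.amazonaws.com",
        "eventName": "GenerateDataKey",
        # A service calling KMS on the user's behalf carries an invokedBy field.
        "userIdentity": {"type": "AWSService", "invokedBy": "s3.amazonaws.com"},
    },
    {
        "eventSource": "kms.amazonaws.com",
        "eventName": "PutKeyPolicy",
        "userIdentity": {"type": "Root", "arn": "arn:aws:iam::111122223333:root"},
        "errorCode": "AccessDenied",   # failed attempts are logged too
    },
    {
        "eventSource": "cloudtrail.amazonaws.com",
        "eventName": "PutEventSelectors",
        "userIdentity": {"type": "IAMUser", "userName": "alice"},
        "requestParameters": {
            "trailName": "management-events",
            "eventSelectors": [{
                "readWriteType": "All",
                "includeManagementEvents": True,
                "excludeManagementEventSources": ["kms.amazonaws.com"],
            }],
        },
    },
]})


def _get_ci(mapping, key, default=None):
    """Case-insensitive dict lookup: log records use camelCase, the API uses PascalCase (assumption)."""
    for k, v in (mapping or {}).items():
        if k.lower() == key.lower():
            return v
    return default


def classify_identity(identity):
    """Answer the userIdentity questions: root/IAM user, temporary credentials, or another service."""
    kind = identity.get("type")
    if kind == "AWSService" or "invokedBy" in identity:
        return "another AWS service"
    if kind == "Root":
        return "root credentials"
    if kind == "IAMUser":
        return "IAM user credentials"
    if kind in ("AssumedRole", "FederatedUser"):
        return "temporary security credentials"
    return "unknown"


def caller_name(identity):
    """Best available principal label for a record."""
    return identity.get("arn") or identity.get("userName") or identity.get("invokedBy") or "unknown"


def excludes_kms(record):
    """True if the record is a PutEventSelectors call that excludes kms.amazonaws.com."""
    if record.get("eventSource") != "cloudtrail.amazonaws.com":
        return False
    if record.get("eventName") != "PutEventSelectors":
        return False
    params = record.get("requestParameters", {})
    for selector in _get_ci(params, "eventSelectors", []):
        if "kms.amazonaws.com" in _get_ci(selector, "excludeManagementEventSources", []):
            return True
    return False


def summarize(log_text):
    """Return (kms_events, exclusions) for one CloudTrail log file's contents."""
    kms_events, exclusions = [], []
    for rec in json.loads(log_text)["Records"]:
        identity = rec.get("userIdentity", {})
        if rec.get("eventSource") == "kms.amazonaws.com":
            kms_events.append({
                "eventName": rec.get("eventName"),
                "caller": classify_identity(identity),
                "failed": "errorCode" in rec,
            })
        if excludes_kms(rec):
            trail = _get_ci(rec.get("requestParameters", {}), "trailName", "unknown")
            exclusions.append((trail, caller_name(identity)))
    return kms_events, exclusions


if __name__ == "__main__":
    events, excluded = summarize(SAMPLE_LOG)
    for e in events:
        print(f"{e['eventName']:<16} {e['caller']:<32} {'FAILED' if e['failed'] else 'ok'}")
    for trail, who in excluded:
        print(f"WARNING: trail {trail!r} excludes KMS events (changed by {who})")
```

Running the script prints one line per KMS event with its caller class and outcome, then a warning for the trail whose event selectors exclude kms.amazonaws.com. In a real deployment you would feed it the decompressed log objects CloudTrail delivers to your S3 bucket, or move the same checks into an EventBridge rule on PutEventSelectors so the change is noticed as it happens rather than when KMS events go missing.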