Create CloudWatch alarms for external key stores
You can create Amazon CloudWatch alarms based on external key store metrics to notify you when a metric value crosses a threshold that you specify. The alarm can send the message to an Amazon Simple Notification Service (Amazon SNS) topic or an Amazon EC2 Auto Scaling policy. For detailed information about CloudWatch alarms, see Using Amazon CloudWatch alarms in the Amazon CloudWatch User Guide.
Before creating an Amazon CloudWatch alarm, you need an Amazon SNS topic. For details, see Creating an Amazon SNS topic in the Amazon CloudWatch User Guide.
Create an alarm for certificate expiration
This alarm uses the XksProxyCertificateDaysToExpire metric that AWS KMS publishes to CloudWatch to record the anticipated expiration of the TLS certificate associated with your external key store proxy endpoint. You cannot create a single alarm for all external key stores in your account or an alarm for external key stores that you might create in the future.
We recommend setting the alarm to alert you 10 days before your certificate is set to expire, but you should set the threshold that best fits your needs.
Create the alarm
Follow the instructions in Create a CloudWatch alarm based on a static threshold using the following required values. For other fields, accept the default values and provide names as requested.
Field | Value |
---|---|
Select metric | Choose KMS, then choose XKS Proxy Certificate Metrics. Select the check box next to the Then choose Select metric. |
Statistic | Minimum |
Period | 5 minutes |
Threshold type | Static |
Whenever ... | Whenever XksProxyCertificateDaysToExpire is Lower than 10. |
Create an alarm for response timeout
This alarm uses the XksProxyLatency metric that AWS KMS publishes to CloudWatch to record the number of milliseconds it takes for an external key store proxy to respond to an AWS KMS request. You cannot create a single alarm for all external key stores in your account or an alarm for external key stores that you might create in the future.
AWS KMS expects the external key store proxy to respond to each request within 250 milliseconds. We recommend setting an alarm to alert you when your external key store proxy takes longer than 200 milliseconds to respond, but you should set the threshold that best fits your needs.
Create the alarm
Follow the instructions in Create a CloudWatch alarm based on a static threshold using the following required values. For other fields, accept the default values and provide names as requested.
Field | Value |
---|---|
Select metric | Choose KMS, then choose XKS Proxy Latency Metrics. Select the check box next to the Then choose Select metric. |
Statistic | Average |
Period | 5 minutes |
Threshold type | Static |
Whenever ... | Whenever XksProxyLatency is Greater than 200. |
Create an alarm for retryable errors
This alarm uses the XksProxyErrors metric that AWS KMS publishes to CloudWatch to record the number of exceptions related to AWS KMS requests to your external key store proxy. You cannot create a single alarm for all external key stores in your account or an alarm for external key stores that you might create in the future.
Retryable errors lower your reliability percentage and can indicate networking errors. We recommend setting an alarm to alert you when more than five retryable errors are recorded in a one-minute period, but you should set the threshold that best fits your needs.
Follow the instructions in Create a CloudWatch alarm based on a static threshold using the following required values. For other fields, accept the default values and provide names as requested.
Field | Value |
---|---|
Select metric | Choose the Query tab. Choose Enter Enter Choose Run. Then choose Select metric. |
Label | Retryable errors |
Period | 1 minute |
Threshold type | Static |
Whenever ... | Whenever q1 is Greater than 5. |
Create an alarm for non-retryable errors
This alarm uses the XksProxyErrors metric that AWS KMS publishes to CloudWatch to record the number of exceptions related to AWS KMS requests to your external key store proxy. You cannot create a single alarm for all external key stores in your account or an alarm for external key stores that you might create in the future.
Non-retryable errors can indicate a problem with the configuration of your external key store. We recommend setting an alarm to alert you when more than five non-retryable errors are recorded in a one-minute period, but you should set the threshold that best fits your needs.
Follow the instructions in Create a CloudWatch alarm based on a static threshold using the following required values. For other fields, accept the default values and provide names as requested.
Field | Value |
---|---|
Select metric | Choose the Query tab. Choose Enter Enter Choose Run. Then choose Select metric. |
Label | Non-retryable errors |
Period | 1 minute |
Threshold type | Static |
Whenever ... | Whenever q1 is Greater than 5. |
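The four alarms described on this page (certificate expiration, response timeout, retryable errors and non-retryable errors), written as code instead of console clicks so they can be reviewed and reapplied per key store. This is an added example, not part of the AWS documentation; it assumes a boto3 CloudWatch client, that the per-store metric dimension is named CustomKeyStoreId, and that XksProxyErrorType carries the values 'Retryable' and 'Non-retryable' (verify both against the KMS external key store metrics reference before relying on them).

```python
NAMESPACE = "AWS/KMS"


def build_xks_alarms(key_store_id: str, sns_topic_arn: str) -> list[dict]:
    """Return put_metric_alarm keyword arguments for the four alarms on one store.

    Thresholds, statistics and periods are the values recommended on this page.
    Assumptions: the per-store dimension is CustomKeyStoreId and the
    XksProxyErrorType dimension takes the values 'Retryable' / 'Non-retryable'.
    """
    dims = [{"Name": "CustomKeyStoreId", "Value": key_store_id}]
    # EvaluationPeriods=1 mirrors the console default the page tells you to accept.
    common = {"AlarmActions": [sns_topic_arn], "EvaluationPeriods": 1}

    def error_alarm(error_type: str, label: str) -> dict:
        # Metrics Insights query in place of the console's Query tab; the id q1
        # and the 1-minute period match the page's table.
        query = (f'SELECT SUM(XksProxyErrors) FROM "{NAMESPACE}" '
                 f"WHERE CustomKeyStoreId = '{key_store_id}' "
                 f"AND XksProxyErrorType = '{error_type}'")
        return {**common,
                "AlarmName": f"xks-{key_store_id}-{error_type.lower()}-errors",
                "Metrics": [{"Id": "q1", "Label": label, "Expression": query, "Period": 60}],
                "ComparisonOperator": "GreaterThanThreshold", "Threshold": 5,
                # A quiet proxy emits no datapoints; treat that as OK, not INSUFFICIENT_DATA.
                "TreatMissingData": "notBreaching"}

    return [
        {**common, "AlarmName": f"xks-{key_store_id}-certificate-expiry",
         "Namespace": NAMESPACE, "MetricName": "XksProxyCertificateDaysToExpire",
         "Dimensions": dims, "Statistic": "Minimum", "Period": 300,
         "ComparisonOperator": "LessThanThreshold", "Threshold": 10},
        {**common, "AlarmName": f"xks-{key_store_id}-latency",
         "Namespace": NAMESPACE, "MetricName": "XksProxyLatency",
         "Dimensions": dims, "Statistic": "Average", "Period": 300,
         "ComparisonOperator": "GreaterThanThreshold", "Threshold": 200},
        error_alarm("Retryable", "Retryable errors"),
        error_alarm("Non-retryable", "Non-retryable errors"),
    ]


def create_xks_alarms(cloudwatch, key_store_id: str, sns_topic_arn: str) -> list[str]:
    """Create the alarms with a boto3 CloudWatch client (boto3.client("cloudwatch"))."""
    names = []
    for kwargs in build_xks_alarms(key_store_id, sns_topic_arn):
        cloudwatch.put_metric_alarm(**kwargs)
        names.append(kwargs["AlarmName"])
    return names
```

The SNS topic passed as `sns_topic_arn` is the one the page says you need before creating any alarm.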