Monitoring AWS KMS
Monitoring is an important part of understanding the availability, state, and usage of your customer master keys (CMKs) in AWS KMS and maintaining the reliability and performance of your AWS solutions. As a baseline, in AWS KMS you may want to monitor:
- Activity related to cryptographic operations, such as Encrypt or Decrypt.
- Activity related to management operations on the CMKs, such as EnableKey or ImportKeyMaterial.
- Activity on other events and metrics, such as key expiration, key rotation, or the time remaining until imported key material expires.
To monitor that activity we will use AWS CloudTrail and Amazon CloudWatch, in particular its logs, events and alarms.
AWS KMS and AWS CloudTrail
- AWS KMS is integrated with AWS CloudTrail. AWS CloudTrail is a service that provides a record of the actions performed in AWS KMS by a user, a role, or another AWS service.
- CloudTrail captures all API calls to AWS KMS as events, including calls made from the AWS KMS console and programmatic calls to the AWS KMS APIs.
To see how CloudTrail logs this information, take the following steps:
1. Run the command below to generate a new data key:
aws kms generate-data-key --key-id alias/ImportedCMK --key-spec AES_256 --encryption-context project=workshop
2. Check that the action was recorded in AWS CloudTrail:
- Go to AWS CloudTrail Console.
- Click Roles.
- Click Event history.
- In the Filter section, select Event name.
- Type GenerateDataKey into the search bar and press Enter.
To set up the filter, go to the filter area, select “Event name”, and enter “GenerateDataKey” as the name. Press “Enter” while the cursor is still in the “Enter Event Name” field, leaving “Select time range” unchanged. Alternatively, you can select a time range if you wish.
AWS KMS real-time notifications with AWS CloudTrail, Amazon EventBridge and Amazon SNS
- Go to AWS SNS Console.
- Click Topics.
- Click Create topic.
- In the Details section
- In the Type section, Select Standard
- In the Name section, type snsworkshop
- Scroll down and click Create topic.
- Save the topic ARN; you will need it when creating the subscription.
- Go to AWS SNS Console.
- Click Subscriptions.
- Click Create subscription.
- In the Create subscription page
- In the Topic ARN section, enter the topic ARN you saved in step 4 above.
- In the Protocol section, Select Email
- In the Endpoint section, Type your email
- Click Create subscription.
- After a few minutes you will receive an email asking you to confirm the subscription.
- Click Confirm subscription.
- Go to AWS EventBridge Console.
- Click Rules.
- Click Create rule.
- In the Rule detail page
- In the Name section, type kmsworkshop-rule
- Click Next
- In the Event pattern section
- In the AWS service section, Select CloudTrail
- In the Event type section, Select AWS API Call via CloudTrail
- Click Specific operation(s)
- Type GenerateDataKey
- Scroll down and click Next.
- In the Select target(s) page
- In the Select a target section, Select SNS Topic
- In the Topic section, Select snsworkshop
- Click Next
- In the Configure tags page
- Click Next
- In the Configure tags page
- Scroll down and click Create rule.
After creating this rule, every time a data key is generated you will be notified at the email address you provided.
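As an added example that is not part of the workshop, the event pattern the console builds from the choices above (source aws.kms, event type AWS API Call via CloudTrail, operation GenerateDataKey) together with a small matcher that runs it over constructed CloudTrail events offline, so you can see exactly which records the rule forwards to the SNS topic and what they contain; the account id, principal and key ARNs are placeholders.

```python
# Event pattern equivalent to the console choices above: service CloudTrail,
# event type "AWS API Call via CloudTrail", specific operation GenerateDataKey.
KMS_DATA_KEY_PATTERN = {
    "source": ["aws.kms"],
    "detail-type": ["AWS API Call via CloudTrail"],
    "detail": {"eventSource": ["kms.amazonaws.com"], "eventName": ["GenerateDataKey"]},
}

def matches(pattern, event):
    """Minimal EventBridge-style matcher: every pattern key must be present;
    a list means 'equals one of these', a nested dict recurses into the event."""
    for key, expected in pattern.items():
        if key not in event:
            return False
        if isinstance(expected, dict):
            if not (isinstance(event[key], dict) and matches(expected, event[key])):
                return False
        elif event[key] not in expected:
            return False
    return True

def summarize(event):
    """Fields a responder wants in the notification: who, which CMK, which context."""
    d = event["detail"]
    return {
        "time": event["time"],
        "principal": d.get("userIdentity", {}).get("arn"),
        "key": (d.get("resources") or [{}])[0].get("ARN"),
        "encryptionContext": d.get("requestParameters", {}).get("encryptionContext"),
    }

def find_data_key_events(events, pattern=KMS_DATA_KEY_PATTERN):
    """Return a summary for every event the rule would forward to the SNS topic."""
    return [summarize(e) for e in events if matches(pattern, e)]

# Constructed sample events in the shape CloudTrail hands to EventBridge
# (placeholder account id, key id and ARNs; not real data).
SAMPLE_EVENTS = [
    {"source": "aws.kms", "detail-type": "AWS API Call via CloudTrail", "time": "2024-01-01T10:00:00Z",
     "detail": {"eventSource": "kms.amazonaws.com", "eventName": "GenerateDataKey",
                "userIdentity": {"arn": "arn:aws:iam::111122223333:user/alice"},
                "requestParameters": {"keyId": "alias/ImportedCMK", "keySpec": "AES_256",
                                      "encryptionContext": {"project": "workshop"}},
                "resources": [{"ARN": "arn:aws:kms:us-east-1:111122223333:key/EXAMPLE-KEY-ID"}]}},
    {"source": "aws.kms", "detail-type": "AWS API Call via CloudTrail", "time": "2024-01-01T10:01:00Z",
     "detail": {"eventSource": "kms.amazonaws.com", "eventName": "Decrypt",
                "userIdentity": {"arn": "arn:aws:iam::111122223333:user/alice"},
                "requestParameters": {"encryptionContext": {"project": "workshop"}}}},
]
```

Calling find_data_key_events(SAMPLE_EVENTS) returns only the GenerateDataKey record, with the principal, key ARN and the project=workshop encryption context from the command run earlier; the Decrypt call is left alone, which is what the rule above does in EventBridge.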
AWS KMS and CloudWatch Metrics
In Amazon CloudWatch you also have metrics available about the AWS KMS service and your CMKs.
When you import key material into a CMK and set it to expire, AWS KMS sends metrics and dimensions to CloudWatch.
- To check the metrics and dimensions:
- Click Per-Key Metrics.
- You will find the metric SecondsUntilKeyMaterialExpiration for your CMK built with imported key material.
With this metric you can build a CloudWatch alarm that warns you before the key material expires.