
AWS Key Management Service Monitoring


AWS Key Management Service - Overview

Amazon Key Management Service (AWS KMS) is a fully managed encryption service that allows users to create, manage, and control cryptographic keys to secure data across AWS services and applications. Integrated with various AWS services, KMS provides centralized key management, fine-grained access control, automatic key rotation, and audit logging through AWS CloudTrail. It ensures compliance with major security standards, making it a reliable solution for encrypting sensitive data in the cloud.

Creating a new AWS Key Management Service monitor

To learn how to create a new AWS Key Management Service monitor, refer here.

Monitored Parameters

Go to the Monitors Category View by clicking the Monitors tab. Click the Key Management Service instance listed under Amazon in the Cloud Apps section. The Amazon Key Management Service bulk configuration view is divided into three tabs:

  • Availability tab gives the availability history for the past 24 hours or 30 days.
  • Performance tab gives the health status and events for the past 24 hours or 30 days.
  • List view tab enables you to perform bulk admin configurations.

By clicking a monitor from the list, you'll be taken to the AWS Key Management Service dashboard which includes the following tabs:

Performance Overview

Parameter | Description

SERVER INFORMATION
Key State | The current status of the KMS key. Possible values: Creating, Enabled, Disabled, PendingDeletion, PendingImport, PendingReplicaDeletion, Unavailable, Updating.
Key Rotation | Specifies whether automatic key rotation is enabled for the KMS key. Possible values: Enabled, Disabled.

KEY AGE
Key Age | The number of days since the key was created (in days).

DAYS TO NEXT ROTATION
Days to Next Rotation | The number of days remaining until AWS KMS automatically rotates the key material (in days).

DAYS UNTIL KEY MATERIAL EXPIRATION
Days Until Key Material Expiration | The number of days remaining, at the time of polling, until the imported key material in the KMS key expires (in days).

XKS PROXY CREDENTIAL AGE
XKS Proxy Credential Age | The number of days, at the time of polling, since the current external key store proxy authentication credential (XksProxyAuthenticationCredential) was associated with the external key store (in days).

PENDING DELETION WINDOW
Pending Deletion Window | The waiting period before the primary key of a multi-Region key is deleted. This waiting period begins when the last of its replica keys is deleted (in days).
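The derived metrics above (Key Age, Days to Next Rotation, Days Until Key Material Expiration, scheduled deletion) are computed from KMS key metadata and rotation status. The following is an added example, not Site24x7's collector code, showing how such values can be derived from a constructed record shaped like the output of the KMS DescribeKey and GetKeyRotationStatus APIs, together with the checks a defender would raise on them (disabled or deleting keys, rotation off, imported material about to expire). The field names, the sample key and the warning threshold are assumptions.

```python
from datetime import datetime, timezone

# Constructed sample, shaped like boto3 describe_key()["KeyMetadata"] merged
# with get_key_rotation_status(); the key ID is a placeholder, not a real key.
SAMPLE_KEY = {
    "KeyId": "00000000-0000-0000-0000-000000000000",
    "KeyState": "Enabled",
    "Origin": "EXTERNAL",                      # imported key material
    "ExpirationModel": "KEY_MATERIAL_EXPIRES",
    "CreationDate": datetime(2024, 1, 1, tzinfo=timezone.utc),
    "ValidTo": datetime(2024, 4, 10, tzinfo=timezone.utc),
    "KeyRotationEnabled": False,               # imported material cannot auto-rotate
    "NextRotationDate": None,
    "DeletionDate": None,
}
POLL_TIME = datetime(2024, 4, 1, tzinfo=timezone.utc)  # constructed polling instant

# Key states in which cryptographic operations on the key fail.
UNUSABLE_STATES = {"Disabled", "PendingDeletion", "PendingReplicaDeletion", "Unavailable"}


def days_until(when, now):
    """Whole days from now until a timestamp; None when no timestamp is set."""
    return None if when is None else (when - now).days


def derive_metrics(meta, now):
    """Compute the dashboard's day-based metrics from one key's metadata."""
    expires = meta.get("ExpirationModel") == "KEY_MATERIAL_EXPIRES"
    return {
        "key_age_days": (now - meta["CreationDate"]).days,
        "days_to_next_rotation": days_until(meta.get("NextRotationDate"), now),
        "days_until_material_expiration": days_until(meta.get("ValidTo"), now) if expires else None,
        "days_until_scheduled_deletion": days_until(meta.get("DeletionDate"), now),
    }


def findings(meta, metrics, expiry_warn_days=14):
    """Return the conditions an operator should be alerted on for this key."""
    out = []
    if meta["KeyState"] in UNUSABLE_STATES:
        out.append(f"key state {meta['KeyState']}: encrypt/decrypt calls will fail")
    # Automatic rotation only exists for KMS-generated material, so only flag it there.
    if meta.get("Origin") == "AWS_KMS" and not meta.get("KeyRotationEnabled"):
        out.append("automatic key rotation is disabled")
    exp = metrics["days_until_material_expiration"]
    if exp is not None and exp <= expiry_warn_days:
        out.append(f"imported key material expires in {exp} days")
    return out
```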

Grants

Parameter | Description

GRANT DETAILS
Grant ID | The unique identifier for the grant.
Grant Name | The user-readable name that identifies the grant.
Creation Date | The date and time when the grant was created.
Grantee Principal | The AWS principal (IAM user, role, or AWS service) to which the grant issues permissions.
Retiring Principal | The AWS principal that can retire the grant.
Operations | The list of operations permitted by the grant.

Note: Only the first 50 grants per KMS key will be shown.

Configuration

Parameter | Description

CONFIGURATION
Key ID | The globally unique identifier for the KMS key.
Creation Date | The date and time when the KMS key was created.
Description | The description of the KMS key.
Key Usage | The cryptographic operations for which you can use the KMS key. Possible values: SIGN_VERIFY, ENCRYPT_DECRYPT, GENERATE_VERIFY_MAC, KEY_AGREEMENT.
Key Spec | Defines the type of key material in the KMS key. Possible values: RSA_2048, RSA_3072, RSA_4096, ECC_NIST_P256, ECC_NIST_P384, ECC_NIST_P521, ECC_SECG_P256K1, SYMMETRIC_DEFAULT, HMAC_224, HMAC_256, HMAC_384, HMAC_512, SM2.
Key Manager | The manager of the KMS key. Possible values: AWS, CUSTOMER.
Regionality | Indicates whether the KMS key is a multi-Region or single-Region key. Possible values: Single Region, Multi Region.
Origin | The source of the key material for the KMS key. Possible values: AWS_KMS, EXTERNAL, AWS_CLOUDHSM, EXTERNAL_KEY_STORE.
Expiration Model | Specifies whether the KMS key's key material expires. Possible values: KEY_MATERIAL_EXPIRES, KEY_MATERIAL_DOES_NOT_EXPIRE.
Key Material Expiration Date | The date and time at which the imported key material expires.
Scheduled Deletion Date | The date and time at which AWS KMS will delete this key.

CUSTOM KEY STORE DETAILS
Custom Key Store ID | A unique identifier for the custom key store that contains the KMS key.
Custom Key Store Name | The user-specified name for the custom key store.
CloudHSM Cluster ID | The cluster ID of the AWS CloudHSM cluster that contains the key material for the KMS key.
Connection State | Indicates whether the custom key store is connected to its backing key store. Possible values: CONNECTED, CONNECTING, FAILED, DISCONNECTED, DISCONNECTING.
Creation Date | The date and time when the custom key store was created.
 
Note:
  • Up to 500 keys are monitored per region.
  • Aliases serve as display names for resources; if no alias is assigned, the Key ID will be displayed instead.
