ActionTrail records the events that are related to Key Management Service (KMS). You can query the details of an event to obtain information such as the time when the event occurred, the region where the event occurred, and the key involved. This topic provides the logs of four sample KMS-related events and describes the key fields included in the event logs.
Query the details of a key in the KMS console by using an Alibaba Cloud account
The following sample event log indicates that an Alibaba Cloud account queried the
details of a key by using the KMS console at 17:21:32 on August 05, 2021, UTC+8. The
specified key is in the China (Hangzhou) region and its ID is 3a6a031d-87ad-4a84-9c17-aa22e0b0****
.
{
"eventId": "ab35a7a7-373a-4a36-a4f8-01fd6adcc6a0",
"eventVersion": 1,
"eventSource": "kms-intranet.cn-hangzhou.aliyuncs.com",
"requestParameters": {
"KeyId": "3a6a031d-87ad-4a84-9c17-aa22e0b0****"
},
"sourceIpAddress": "Internal",
"userAgent": "AliyunConsole",
"eventType": "ApiCall",
"userIdentity": {
"accountId": "506899367883****",
"principalId": "506899367883****",
"type": "root-account",
"userName": "root"
},
"serviceName": "Kms",
"apiVersion": "2016-01-20",
"requestId": "ab35a7a7-373a-4a36-a4f8-01fd6adcc6a0",
"eventTime": "2021-08-05T09:21:32Z",
"isGlobal": false,
"acsRegion": "cn-hangzhou",
"eventName": "DescribeKey"
}
The sample event log contains the following key fields:
userIdentity.type
: the identity type of the requester. The value in the example isroot-account
, which indicates an Alibaba Cloud account.serviceName
: the name of the Alibaba Cloud service related to the event. The value in the example isKms
, which indicates KMS.eventName
: the name of the event. The value in the example isDescribeKey
, which indicates that the details of a key were queried.requestParameters.KeyId
: the ID of the key. The value in the example is3a6a031d-87ad-4a84-9c17-aa22e0b0****
.acsRegion
: the region in which the event occurred. The value in the example iscn-hangzhou
, which indicates the China (Hangzhou) region.eventTime
: the time when the event occurred in UTC. The value in the example is2021-08-05T09:21:32Z
, which indicates 17:21:32 on August 05, 2021, UTC+8.
Query the details of a key in the KMS console as a RAM user
The following sample event log indicates that the RAM user whose username is Alice
queried the details of a key by using the KMS console at 16:53:03 on August 05, 2021,
UTC+8. The specified key is in the China (Hangzhou) region and its ID is e1ea5c30-04d3-41e4-b445-1eb5b656****
.
{
"eventId": "c8d094ca-64b8-49cf-bbf3-2a9b540abed9",
"eventVersion": 1,
"eventSource": "kms-intranet.cn-hangzhou.aliyuncs.com",
"requestParameters": {
"KeyId": "e1ea5c30-04d3-41e4-b445-1eb5b656****"
},
"sourceIpAddress": "192.168.XX.XX",
"userAgent": "AliyunConsole",
"eventType": "ApiCall",
"userIdentity": {
"accountId": "111737649404****",
"principalId": "23899132441193****",
"type": "ram-user",
"userName": "Alice"
},
"serviceName": "Kms",
"apiVersion": "2016-01-20",
"requestId": "c8d094ca-64b8-49cf-bbf3-2a9b540abed9",
"eventTime": "2021-08-05T08:53:03Z",
"isGlobal": false,
"acsRegion": "cn-hangzhou",
"eventName": "DescribeKey"
}
The sample event log contains the following key fields:
userIdentity.type
: the identity type of the requester. The value in the example isram-user
, which indicates a RAM user.userIdentity.userName
: the username of the RAM user.serviceName
: the name of the Alibaba Cloud service related to the event. The value in the example isKms
, which indicates KMS.eventName
: the name of the event. The value in the example isDescribeKey
, which indicates that the details of a key were queried.requestParameters.KeyId
: the ID of the key. The value in the example ise1ea5c30-04d3-41e4-b445-1eb5b656****
.acsRegion
: the region in which the event occurred. The value in the example iscn-hangzhou
, which indicates the China (Hangzhou) region.eventTime
: the time when the event occurred in UTC. The value in the example is2021-08-05T08:53:03Z
, which indicates 16:53:03 on August 05, 2021, UTC+8.
Query the details of a key by calling the DescribeKey operation with an AccessKey pair used
The following sample event log indicates that the RAM user whose username is kms-test
queried the details of a key by calling the DescribeKey operation at 17:02:30 on
August 05, 2021, UTC+8. The RAM user used the AcccessKey pair whose ID is LTAI4GDYPA5jNycoezLH****
to initiate the API call. The specified key is in the China (Hangzhou) region and
its ID is e1ea5c30-04d3-41e4-b445-1eb5b656****
.
{
"eventId": "da43d031-cf5a-44ec-aec8-4a13f468aa12",
"eventVersion": 1,
"eventSource": "kms.cn-hangzhou.aliyuncs.com",
"requestParameters": {
"KeyId": "e1ea5c30-04d3-41e4-b445-1eb5b656****"
},
"sourceIpAddress": "192.168.XX.XX",
"userAgent": "AlibabaCloud (Linux; amd64) Java/1.8.0_212-b04 Core/4.5.1 HTTPClient/ApacheHttpClient",
"eventType": "ApiCall",
"userIdentity": {
"accessKeyId": "LTAI4GDYPA5jNycoezLH****",
"accountId": "164165083897****",
"principalId": "21682348916186****",
"type": "ram-user",
"userName": "kms-test"
},
"serviceName": "Kms",
"apiVersion": "2016-01-20",
"requestId": "da43d031-cf5a-44ec-aec8-4a13f468aa12",
"eventTime": "2021-08-05T09:02:30Z",
"isGlobal": false,
"acsRegion": "cn-hangzhou",
"eventName": "DescribeKey"
}
The sample event log contains the following key fields:
userIdentity.accessKeyId
: the AccessKey ID that is used to initiate the API call. The value in the example isLTAI4GDYPA5jNycoezLH****
.userIdentity.principalId
: the ID of the account to which the AccessKey pair belongs. The value in the example is21682348916186****
.userIdentity.type
: the identity type of the requester. The value in the example isram-user
, which indicates a RAM user.userIdentity.userName
: the username of the RAM user.serviceName
: the name of the Alibaba Cloud service related to the event. The value in the example isKms
, which indicates KMS.eventName
: the name of the event. The value in the example isDescribeKey
, which indicates that the details of a key were queried.requestParameters.KeyId
: the ID of the key. The value in the example ise1ea5c30-04d3-41e4-b445-1eb5b656****
.acsRegion
: the region in which the event occurred. The value in the example iscn-hangzhou
, which indicates the China (Hangzhou) region.eventTime
: the time when the event occurred in UTC. The value in the example is2021-08-05T09:02:30Z
, which indicates 17:02:30 on August 05, 2021, UTC+8.
Query the details of a key information by assuming a RAM role as a RAM user
The following sample event log indicates that a RAM user of the Alibaba Cloud account
whose ID is
queried the details of a key at 17:20:28 on August 05, 2021, UTC+8. The RAM user
assumed the RAM role whose name is 132295042695****
aliyunedasdefaultrole
of the Alibaba Cloud account whose ID is 119997133354****
. The specified key is in the China (Hangzhou) region and its ID is e1ea5c30-04d3-41e4-b445-1eb5b656****
.
{
"eventId": "4e059394-8b95-4788-84cf-efe7aa8f6935",
"eventVersion": 1,
"eventSource": "kms.cn-hangzhou.aliyuncs.com",
"requestParameters": {
"KeyId": "e1ea5c30-04d3-41e4-b445-1eb5b656****",
"stsTokenPlayerUid": "132295042695****"
},
"sourceIpAddress": "192.168.XX.XX",
"userAgent": "AlibabaCloud (Linux; amd64) Java/1.8.0_92-b18 Core/4.5.6 HTTPClient/ApacheHttpClient",
"eventType": "ApiCall",
"userIdentity": {
"accessKeyId": "STS.NUCmmh2n5RQcqryWqxsuv****",
"accountId": "119997133354****",
"principalId": "34933955188809****:fb23c186-5930-498a-a630-0a****",
"type": "assumed-role",
"userName": "aliyunedasdefaultrole:fb23c186-5930-498a-a630-0a****"
},
"serviceName": "Kms",
"apiVersion": "2016-01-20",
"requestId": "4e059394-8b95-4788-84cf-efe7aa8f6935",
"eventTime": "2021-08-05T09:20:28Z",
"isGlobal": false,
"acsRegion": "cn-hangzhou",
"eventName": "DescribeKey"
}
The sample event log contains the following key fields:
userIdentity.type
: the identity type of the requester. The value in the example isassumed-role
, which indicates a RAM role.userIdentity.userName
: the username of the requester. The value is in the format of{roleName}:{sessionName}
.roleName
indicates the name of the RAM role that was assumed.sessionName
indicates the name that was specified when the RAM user assumed the RAM role. The value in the example isaliyunedasdefaultrole:fb23c186-5930-498a-a630-0a****
, which indicates that the name of the RAM role that was assumed isaliyunedasdefaultrole
, and the name that was specified when the RAM user assumed the RAM role isfb23c186-5930-498a-a630-0a****
.Note By default, Enterprise Distributed Application Service (EDAS) assumes thealiyunedasdefaultrole
role to access your resources in other cloud services.requestParameters.stsTokenPlayerUid
: the ID of the Alibaba Cloud account to which the RAM user belongs. The value in the example is132295042695****
.serviceName
: the name of the Alibaba Cloud service related to the event. The value in the example isKms
, which indicates KMS.eventName
: the name of the event. The value in the example isDescribeKey
, which indicates that the details of a key were queried.requestParameters.KeyId
: the ID of the key. The value in the example ise1ea5c30-04d3-41e4-b445-1eb5b656****
.acsRegion
: the region in which the event occurred. The value in the example iscn-hangzhou
, which indicates the China (Hangzhou) region.eventTime
: the time when the event occurred in UTC. The value in the example is2021-08-05T09:20:28Z
, which indicates 17:20:28 on August 05, 2021, UTC+8.