ActionTrail records the events that are related to Key Management Service (KMS). You can query the details of an event to obtain information such as the time when the event occurred, the region where the event occurred, and the key involved. This topic provides the logs of four sample KMS-related events and describes the key fields included in the event logs.

Query the details of a key in the KMS console by using an Alibaba Cloud account

The following sample event log indicates that an Alibaba Cloud account queried the details of a key by using the KMS console at 17:21:32 on August 05, 2021, UTC+8. The specified key is in the China (Hangzhou) region and its ID is 3a6a031d-87ad-4a84-9c17-aa22e0b0****.

{
  "eventId": "ab35a7a7-373a-4a36-a4f8-01fd6adcc6a0",
  "eventVersion": 1,
  "eventSource": "kms-intranet.cn-hangzhou.aliyuncs.com",
  "requestParameters": {
    "KeyId": "3a6a031d-87ad-4a84-9c17-aa22e0b0****"
  },
  "sourceIpAddress": "Internal",
  "userAgent": "AliyunConsole",
  "eventType": "ApiCall",
  "userIdentity": {
    "accountId": "506899367883****",
    "principalId": "506899367883****",
    "type": "root-account",
    "userName": "root"
  },
  "serviceName": "Kms",
  "apiVersion": "2016-01-20",
  "requestId": "ab35a7a7-373a-4a36-a4f8-01fd6adcc6a0",
  "eventTime": "2021-08-05T09:21:32Z",
  "isGlobal": false,
  "acsRegion": "cn-hangzhou",
  "eventName": "DescribeKey"
}

The sample event log contains the following key fields:

  • userIdentity.type: the identity type of the requester. The value in the example is root-account, which indicates an Alibaba Cloud account.
  • serviceName: the name of the Alibaba Cloud service related to the event. The value in the example is Kms, which indicates KMS.
  • eventName: the name of the event. The value in the example is DescribeKey, which indicates that the details of a key were queried.
  • requestParameters.KeyId: the ID of the key. The value in the example is 3a6a031d-87ad-4a84-9c17-aa22e0b0****.
  • acsRegion: the region in which the event occurred. The value in the example is cn-hangzhou, which indicates the China (Hangzhou) region.
  • eventTime: the time when the event occurred in UTC. The value in the example is 2021-08-05T09:21:32Z, which indicates 17:21:32 on August 05, 2021, UTC+8.

Query the details of a key in the KMS console as a RAM user

The following sample event log indicates that the RAM user whose username is Alice queried the details of a key by using the KMS console at 16:53:03 on August 05, 2021, UTC+8. The specified key is in the China (Hangzhou) region and its ID is e1ea5c30-04d3-41e4-b445-1eb5b656****.

{
  "eventId": "c8d094ca-64b8-49cf-bbf3-2a9b540abed9",
  "eventVersion": 1,
  "eventSource": "kms-intranet.cn-hangzhou.aliyuncs.com",
  "requestParameters": {
    "KeyId": "e1ea5c30-04d3-41e4-b445-1eb5b656****"
  },
  "sourceIpAddress": "192.168.XX.XX",
  "userAgent": "AliyunConsole",
  "eventType": "ApiCall",
  "userIdentity": {
    "accountId": "111737649404****",
    "principalId": "23899132441193****",
    "type": "ram-user",
    "userName": "Alice"
  },
  "serviceName": "Kms",
  "apiVersion": "2016-01-20",
  "requestId": "c8d094ca-64b8-49cf-bbf3-2a9b540abed9",
  "eventTime": "2021-08-05T08:53:03Z",
  "isGlobal": false,
  "acsRegion": "cn-hangzhou",
  "eventName": "DescribeKey"
}

The sample event log contains the following key fields:

  • userIdentity.type: the identity type of the requester. The value in the example is ram-user, which indicates a RAM user.
  • userIdentity.userName: the username of the RAM user.
  • serviceName: the name of the Alibaba Cloud service related to the event. The value in the example is Kms, which indicates KMS.
  • eventName: the name of the event. The value in the example is DescribeKey, which indicates that the details of a key were queried.
  • requestParameters.KeyId: the ID of the key. The value in the example is e1ea5c30-04d3-41e4-b445-1eb5b656****.
  • acsRegion: the region in which the event occurred. The value in the example is cn-hangzhou, which indicates the China (Hangzhou) region.
  • eventTime: the time when the event occurred in UTC. The value in the example is 2021-08-05T08:53:03Z, which indicates 16:53:03 on August 05, 2021, UTC+8.

Query the details of a key by calling the DescribeKey operation with an AccessKey pair

The following sample event log indicates that the RAM user whose username is kms-test queried the details of a key by calling the DescribeKey operation at 17:02:30 on August 05, 2021, UTC+8. The RAM user used the AccessKey pair whose ID is LTAI4GDYPA5jNycoezLH**** to initiate the API call. The specified key is in the China (Hangzhou) region and its ID is e1ea5c30-04d3-41e4-b445-1eb5b656****.

{
  "eventId": "da43d031-cf5a-44ec-aec8-4a13f468aa12",
  "eventVersion": 1,
  "eventSource": "kms.cn-hangzhou.aliyuncs.com",
  "requestParameters": {
    "KeyId": "e1ea5c30-04d3-41e4-b445-1eb5b656****"
  },
  "sourceIpAddress": "192.168.XX.XX",
  "userAgent": "AlibabaCloud (Linux; amd64) Java/1.8.0_212-b04 Core/4.5.1 HTTPClient/ApacheHttpClient",
  "eventType": "ApiCall",
  "userIdentity": {
    "accessKeyId": "LTAI4GDYPA5jNycoezLH****",
    "accountId": "164165083897****",
    "principalId": "21682348916186****",
    "type": "ram-user",
    "userName": "kms-test"
  },
  "serviceName": "Kms",
  "apiVersion": "2016-01-20",
  "requestId": "da43d031-cf5a-44ec-aec8-4a13f468aa12",
  "eventTime": "2021-08-05T09:02:30Z",
  "isGlobal": false,
  "acsRegion": "cn-hangzhou",
  "eventName": "DescribeKey"
}

The sample event log contains the following key fields:

  • userIdentity.accessKeyId: the AccessKey ID that is used to initiate the API call. The value in the example is LTAI4GDYPA5jNycoezLH****. This field is present only when the request is signed with an AccessKey pair or an STS token; console requests do not carry it.
  • userIdentity.principalId: the ID of the principal (here, the RAM user) to which the AccessKey pair belongs. The value in the example is 21682348916186****. Note that it differs from userIdentity.accountId (164165083897****), which is the ID of the Alibaba Cloud account that owns the RAM user.
  • userIdentity.type: the identity type of the requester. The value in the example is ram-user, which indicates a RAM user.
  • userIdentity.userName: the username of the RAM user.
  • serviceName: the name of the Alibaba Cloud service related to the event. The value in the example is Kms, which indicates KMS.
  • eventName: the name of the event. The value in the example is DescribeKey, which indicates that the details of a key were queried.
  • requestParameters.KeyId: the ID of the key. The value in the example is e1ea5c30-04d3-41e4-b445-1eb5b656****.
  • acsRegion: the region in which the event occurred. The value in the example is cn-hangzhou, which indicates the China (Hangzhou) region.
  • eventTime: the time when the event occurred in UTC. The value in the example is 2021-08-05T09:02:30Z, which indicates 17:02:30 on August 05, 2021, UTC+8.

Query the details of a key by assuming a RAM role as a RAM user

The following sample event log indicates that a RAM user of the Alibaba Cloud account whose ID is 132295042695**** queried the details of a key at 17:20:28 on August 05, 2021, UTC+8. The RAM user assumed the RAM role named aliyunedasdefaultrole, which belongs to a different Alibaba Cloud account whose ID is 119997133354****, and called the operation with the temporary STS token issued for that role. The specified key is in the China (Hangzhou) region and its ID is e1ea5c30-04d3-41e4-b445-1eb5b656****.

{
  "eventId": "4e059394-8b95-4788-84cf-efe7aa8f6935",
  "eventVersion": 1,
  "eventSource": "kms.cn-hangzhou.aliyuncs.com",
  "requestParameters": {
    "KeyId": "e1ea5c30-04d3-41e4-b445-1eb5b656****",
    "stsTokenPlayerUid": "132295042695****"
  },
  "sourceIpAddress": "192.168.XX.XX",
  "userAgent": "AlibabaCloud (Linux; amd64) Java/1.8.0_92-b18 Core/4.5.6 HTTPClient/ApacheHttpClient",
  "eventType": "ApiCall",
  "userIdentity": {
    "accessKeyId": "STS.NUCmmh2n5RQcqryWqxsuv****",
    "accountId": "119997133354****",
    "principalId": "34933955188809****:fb23c186-5930-498a-a630-0a****",
    "type": "assumed-role",
    "userName": "aliyunedasdefaultrole:fb23c186-5930-498a-a630-0a****"
  },
  "serviceName": "Kms",
  "apiVersion": "2016-01-20",
  "requestId": "4e059394-8b95-4788-84cf-efe7aa8f6935",
  "eventTime": "2021-08-05T09:20:28Z",
  "isGlobal": false,
  "acsRegion": "cn-hangzhou",
  "eventName": "DescribeKey"
}

The sample event log contains the following key fields:

  • userIdentity.type: the identity type of the requester. The value in the example is assumed-role, which indicates that the request was made with the temporary credentials of an assumed RAM role rather than with the credentials of a RAM user or an Alibaba Cloud account.
  • userIdentity.accessKeyId: the ID of the credential used for the request. The value in the example is STS.NUCmmh2n5RQcqryWqxsuv****. The STS. prefix identifies a temporary STS token, as opposed to a long-term AccessKey pair such as LTAI4GDYPA5jNycoezLH**** in the previous example.
  • userIdentity.accountId: the ID of the Alibaba Cloud account that owns the assumed RAM role. The value in the example is 119997133354****.
  • userIdentity.userName: the username of the requester. The value is in the format of {roleName}:{sessionName}. roleName indicates the name of the RAM role that was assumed. sessionName indicates the name that was specified when the RAM user assumed the RAM role. The value in the example is aliyunedasdefaultrole:fb23c186-5930-498a-a630-0a****, which indicates that the name of the RAM role that was assumed is aliyunedasdefaultrole, and the name that was specified when the RAM user assumed the RAM role is fb23c186-5930-498a-a630-0a****. The same session name appears in userIdentity.principalId after the role ID.
    Note By default, Enterprise Distributed Application Service (EDAS) assumes the aliyunedasdefaultrole role to access your resources in other cloud services.
  • requestParameters.stsTokenPlayerUid: the ID of the Alibaba Cloud account to which the RAM user that assumed the role belongs. The value in the example is 132295042695****. When this value differs from userIdentity.accountId, as it does here, the role was assumed across accounts.
  • serviceName: the name of the Alibaba Cloud service related to the event. The value in the example is Kms, which indicates KMS.
  • eventName: the name of the event. The value in the example is DescribeKey, which indicates that the details of a key were queried.
  • requestParameters.KeyId: the ID of the key. The value in the example is e1ea5c30-04d3-41e4-b445-1eb5b656****.
  • acsRegion: the region in which the event occurred. The value in the example is cn-hangzhou, which indicates the China (Hangzhou) region.
  • eventTime: the time when the event occurred in UTC. The value in the example is 2021-08-05T09:20:28Z, which indicates 17:20:28 on August 05, 2021, UTC+8.
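The four event shapes above (Alibaba Cloud account via console, RAM user via console, RAM user with an AccessKey pair, and assumed role with an STS token) differ mainly in the userIdentity fields. The following script is an added example, not code from the ActionTrail documentation: it parses events of those four shapes, classifies the credential type from accessKeyId and userAgent, splits the {roleName}:{sessionName} value of assumed roles, converts eventTime to the UTC+8 wall-clock time used on this page, and flags direct root-account use and cross-account role assumption. The four sample events are constructed to mirror the ones shown above (masked IDs kept as-is), and the flagging rules in findings() are this example's own assumptions about what a reviewer of key access would want highlighted, not an ActionTrail feature.

```python
"""Summarise ActionTrail KMS events by requester type.

Added example, not from the ActionTrail documentation. The sample events are
constructed to mirror the four shapes on this page; the rules in findings()
are assumptions about what an operator would want flagged.
"""
from datetime import datetime, timedelta, timezone

LOCAL_TZ = timezone(timedelta(hours=8))  # UTC+8, the offset used in the page's examples


def _event(identity, key_id, event_time, user_agent,
           source="kms.cn-hangzhou.aliyuncs.com", extra_params=None):
    """Build a minimal event carrying only the fields this example reads."""
    return {"eventSource": source,
            "requestParameters": {"KeyId": key_id, **(extra_params or {})},
            "userAgent": user_agent, "eventType": "ApiCall",
            "userIdentity": identity, "serviceName": "Kms",
            "eventTime": event_time, "acsRegion": "cn-hangzhou",
            "eventName": "DescribeKey"}


SAMPLE_EVENTS = [  # constructed, one per section of this page
    _event({"accountId": "506899367883****", "principalId": "506899367883****",
            "type": "root-account", "userName": "root"},
           "3a6a031d-87ad-4a84-9c17-aa22e0b0****", "2021-08-05T09:21:32Z",
           "AliyunConsole", source="kms-intranet.cn-hangzhou.aliyuncs.com"),
    _event({"accountId": "111737649404****", "principalId": "23899132441193****",
            "type": "ram-user", "userName": "Alice"},
           "e1ea5c30-04d3-41e4-b445-1eb5b656****", "2021-08-05T08:53:03Z",
           "AliyunConsole", source="kms-intranet.cn-hangzhou.aliyuncs.com"),
    _event({"accessKeyId": "LTAI4GDYPA5jNycoezLH****", "accountId": "164165083897****",
            "principalId": "21682348916186****", "type": "ram-user", "userName": "kms-test"},
           "e1ea5c30-04d3-41e4-b445-1eb5b656****", "2021-08-05T09:02:30Z",
           "AlibabaCloud (Linux; amd64) Java/1.8.0_212-b04 Core/4.5.1 HTTPClient/ApacheHttpClient"),
    _event({"accessKeyId": "STS.NUCmmh2n5RQcqryWqxsuv****", "accountId": "119997133354****",
            "principalId": "34933955188809****:fb23c186-5930-498a-a630-0a****",
            "type": "assumed-role",
            "userName": "aliyunedasdefaultrole:fb23c186-5930-498a-a630-0a****"},
           "e1ea5c30-04d3-41e4-b445-1eb5b656****", "2021-08-05T09:20:28Z",
           "AlibabaCloud (Linux; amd64) Java/1.8.0_92-b18 Core/4.5.6 HTTPClient/ApacheHttpClient",
           extra_params={"stsTokenPlayerUid": "132295042695****"}),
]


def to_local(event_time):
    """Convert the UTC eventTime string to the UTC+8 wall-clock time shown on this page."""
    utc = datetime.strptime(event_time, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    return utc.astimezone(LOCAL_TZ).strftime("%Y-%m-%d %H:%M:%S UTC+8")


def describe_requester(event):
    """Work out who made the call and with what kind of credential."""
    ident = event["userIdentity"]
    ak = ident.get("accessKeyId", "")
    if ak.startswith("STS."):
        credential = "STS token"            # temporary credentials from AssumeRole
    elif ak:
        credential = "long-term AccessKey"  # durable AccessKey pair of a RAM user
    elif event.get("userAgent") == "AliyunConsole":
        credential = "console session"      # no accessKeyId is recorded for console calls
    else:
        credential = "unknown"
    info = {"kind": ident["type"], "account_id": ident["accountId"],
            "principal_id": ident["principalId"], "credential": credential,
            "access_key_id": ak or None}
    if ident["type"] == "assumed-role":
        # userName is {roleName}:{sessionName} for assumed roles
        role, _, session = ident["userName"].partition(":")
        info.update(role_name=role, session_name=session,
                    caller_account_id=event["requestParameters"].get("stsTokenPlayerUid"))
    else:
        info["user_name"] = ident["userName"]
    return info


def findings(event):
    """Return review notes for one event (rules are this example's assumptions)."""
    who = describe_requester(event)
    notes = []
    if who["kind"] == "root-account":
        notes.append("root account used directly; prefer RAM users or roles")
    caller = who.get("caller_account_id")
    if caller and caller != who["account_id"]:
        notes.append("cross-account role assumption: account %s assumed role %s in account %s"
                     % (caller, who["role_name"], who["account_id"]))
    if event["acsRegion"] not in event["eventSource"]:
        notes.append("acsRegion does not match the eventSource endpoint")
    return notes


def summarize(events):
    """One row per event: when (UTC+8), which key, who, and any findings."""
    return [{"time": to_local(e["eventTime"]), "event": e["eventName"],
             "key_id": e["requestParameters"]["KeyId"],
             "requester": describe_requester(e), "findings": findings(e)}
            for e in events]


if __name__ == "__main__":
    for row in summarize(SAMPLE_EVENTS):
        who = row["requester"]
        name = who.get("user_name") or "%s (session %s)" % (who["role_name"], who["session_name"])
        print(row["time"], row["event"], row["key_id"], who["kind"], name, who["credential"])
        for note in row["findings"]:
            print("   !", note)
```

Feeding real ActionTrail output into summarize() only requires loading the JSON events into a list; the field names used here are exactly the ones in the four sample logs above.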