ActionTrail: Audit events of KMS

Last Updated: Mar 31, 2023

Key Management Service (KMS) is integrated with ActionTrail. In the ActionTrail console, you can query the management events that are generated when you manage KMS resources. ActionTrail can deliver management events to Logstores in Log Service or Object Storage Service (OSS) buckets. This way, you can audit the events in real time and locate the causes of issues.

ActionTrail generates management events when you manage cloud resources by using APIs or the Alibaba Cloud Management Console. The following table describes the management events of KMS that you can query in the ActionTrail console.

| Event name | Description |
| --- | --- |
| AsymmetricDecrypt | Decrypts data by using an asymmetric customer master key (CMK). |
| AsymmetricEncrypt | Encrypts data by using an asymmetric CMK. |
| AsymmetricSign | Generates a signature by using an asymmetric CMK. |
| AsymmetricVerify | Verifies a signature by using an asymmetric CMK. |
| CancelKeyDeletion | Cancels the deletion of a CMK. |
| CertificatePrivateKeyDecrypt | Decrypts data by using a specified certificate. |
| CertificatePrivateKeySign | Generates a digital signature by using a specified certificate. |
| CertificatePublicKeyEncrypt | Encrypts data by using a specified certificate. |
| CertificatePublicKeyVerify | Verifies a digital signature by using a specified certificate. |
| CheckServiceLinkedRoleForDeleting | Checks whether the service-linked role can be deleted. |
| ConnectKeyStore | Enables a dedicated KMS instance. |
| CreateAlias | Creates an alias for a CMK. |
| CreateApplicationAccessPoint | Creates an application access point (AAP). |
| CreateCertificate | Creates a certificate. |
| CreateCertificateAuthority | Creates a certificate authority (CA). |
| CreateClientKey | Creates a client key for an AAP. |
| CreateKey | Creates a CMK. |
| CreateKeyVersion | Creates a version for a CMK. |
| CreateNetworkRule | Creates a network access rule. |
| CreatePolicy | Creates an access control policy for an AAP. |
| CreateSecret | Creates a secret and stores the secret value in the initial version. |
| Decrypt | Decrypts ciphertext. |
| DeleteAlias | Deletes an alias. |
| DeleteApplicationAccessPoint | Deletes an AAP. |
| DeleteCertificate | Deletes a certificate and the private key and certificate chain of the certificate. |
| DeleteCertificateAuthority | Deletes a CA. |
| DeleteClientKey | Deletes the client key of an AAP. |
| DeleteKeyMaterial | Deletes the imported key material. |
| DeleteNetworkRule | Deletes a network access rule of an AAP. |
| DeletePolicy | Deletes an access control policy of an AAP. |
| DeleteSecret | Deletes a secret. |
| DescribeAccessPoint | Queries the information about an AAP. |
| DescribeAccountKmsStatus | Queries the status of KMS for the current Alibaba Cloud account. |
| DescribeApplicationAccessPoint | Queries the details of an AAP. |
| DescribeCertificate | Queries the information about a certificate. |
| DescribeCertificateAuthority | Queries the CA information. |
| DescribeClusters | Queries the information about a cluster. |
| DescribeDBInstanceNetInfo | Queries the network information of an instance. |
| DescribeKey | Queries the details of a CMK. |
| DescribeKeyStores | Queries the details of a dedicated KMS instance. |
| DescribeKeyVersion | Queries the information about a specified CMK version. |
| DescribeNetworkRule | Queries the details of a network access rule of an AAP. |
| DescribePolicy | Queries the details of an access control policy of an AAP. |
| DescribeRegion | Queries available regions for the current account. |
| DescribeSecret | Queries the metadata of a secret. |
| DescribeService | Queries the key protection capabilities of a region. |
| DisableKey | Disables a specified CMK for encryption and decryption. |
| DisconnectKeyStore | Disconnects a dedicated KMS instance of the Standard edition from a hardware security module (HSM) cluster. |
| doCheckResource | Verifies tag information. |
| doLogicalDeleteResource | Logically deletes a resource. |
| doPhysicalDeleteResource | Physically deletes a resource. |
| EnableKey | Enables a specified CMK for encryption and decryption. |
| Encrypt | Encrypts plaintext by using a symmetric CMK. |
| ExportCertificate | Exports a certificate and the private key of the certificate. |
| ExportDataKey | Encrypts a data key by using a specified public key and exports the data key. |
| GenerateAndExportDataKey | Generates a random data key, encrypts the data key by using a specified CMK and public key, and returns the ciphertext generated by using the CMK and that generated by using the public key. |
| GenerateDataKey | Generates a random data key that is used to locally encrypt data. |
| GenerateDataKeyWithoutPlaintext | Generates a random data key that is used to locally encrypt data. The plaintext of the data key is not returned. |
| GetCertificate | Queries a certificate that is managed by Certificates Manager. |
| GetCertificateAuthorityCertificate | Queries the CAs of certificates that are managed by Certificates Manager. |
| GetCertificateAuthorityCsr | Queries the certificate signing request (CSR) files for certificates that are managed by Certificates Manager. |
| GetIssuedCertificate | Queries the certificate that is issued by a CA. |
| GetParametersForImport | Queries the parameters that are used to import key material for a CMK. |
| GetPublicKey | Queries the public key of an asymmetric CMK. |
| GetRandomPassword | Queries a random password string. |
| GetSecretValue | Queries a secret value. |
| GetConsumerTag | Queries a user tag. |
| ImportCertificate | Imports a certificate. |
| ImportCertificateAuthorityCertificate | Imports the certificate of a CA. |
| ImportEncryptionCertificate | Imports an encryption certificate. |
| ImportKeyMaterial | Imports key material. |
| IssueCertificate | Issues a certificate. |
| ListAccessPoints | Queries AAPs. |
| ListAlias | Queries aliases. |
| ListAliases | Queries all aliases of the current user in the current region. |
| ListAliasesByKeyId | Queries all aliases that are bound to a specified CMK. |
| ListApplicationAccessPoints | Queries AAPs. |
| ListCertificateAuthorities | Queries CAs. |
| ListCertificates | Queries certificates. |
| ListClientKeys | Queries the client keys of a specified AAP. |
| ListKeys | Queries the IDs of all CMKs of the current Alibaba Cloud account in the current region. |
| ListKeyVersions | Queries all key versions of a CMK. |
| ListNetworkRules | Queries the network access rules of an AAP. |
| ListPolicies | Queries the access control policies of an AAP. |
| ListResourceTags | Queries the tags of a CMK. |
| ListSecrets | Queries all secrets of the current user in the current region. |
| ListSecretVersionIds | Queries all versions of a secret. |
| OpenKmsService | Activates KMS for the current Alibaba Cloud account. |
| OpenService | Activates KMS. |
| PutSecretValue | Stores the secret value of a new version into a secret. |
| ReEncrypt | Re-encrypts ciphertext. |
| RefreshAccessPointTokens | Updates the tokens for an AAP. |
| RestoreSecret | Restores a deleted secret. |
| RevokeIssuedCertificate | Revokes an issued certificate. |
| RotateSecret | Proactively rotates a dynamic secret. |
| ScheduleKeyDeletion | Schedules the deletion of a specified CMK. |
| SetDeletionProtection | Enables or disables deletion protection. |
| SetKeyStoreAuditConfig | Configures audit log settings for Dedicated KMS. |
| TagResource | Configures tags for a CMK or secret. |
| UntagResource | Removes a specified tag from a CMK or secret. |
| UpdateAlias | Binds an existing alias to a different CMK ID. |
| UpdateApplicationAccessPoint | Updates the AAP information. |
| UpdateCertificateAuthority | Updates the CA configuration. |
| UpdateCertificateStatus | Updates the status of a certificate. |
| UpdateKeyDescription | Updates the description of a CMK. |
| UpdateKeyStore | Updates the information about a dedicated KMS instance. |
| UpdateNetworkRule | Updates a network access rule of an AAP. |
| UpdatePolicy | Updates an access control policy of an AAP. |
| UpdateRotationPolicy | Updates a key rotation policy. |
| UpdateSecret | Updates the metadata of a secret. |
| UpdateSecretRotationPolicy | Updates the rotation policy for a dynamic secret. |
| UpdateSecretVersionStage | Updates the stage label that marks a secret version. |
| UploadCertificate | Imports a certificate and a certificate chain issued by a CA into Certificates Manager. |
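
One way to triage delivered KMS events by name, as an added example that is not Alibaba Cloud code: it groups event names from the table into review tiers and shows why a `Get`/`List`/`Describe` prefix filter alone would hide `GetSecretValue`. The tier grouping is this example's own choice, the record fields (`eventName`, `serviceName`, `eventTime`, `userIdentity.principalId`) and the `Kms` service value are assumptions to check against your delivered records, and the sample records are constructed.

```python
import json
from collections import defaultdict

# Review tiers: this example's own grouping of event names from the table above.
# Explicit sets are checked before the read-only prefixes, so GetSecretValue
# (which returns secret material) is not filed as a harmless read.
TIERS = {
    "destructive": {"ScheduleKeyDeletion", "DeleteKeyMaterial", "DisableKey", "DeleteSecret",
                    "DeleteCertificate", "DeleteCertificateAuthority", "DisconnectKeyStore",
                    "SetDeletionProtection"},
    "access_change": {"CreateClientKey", "CreatePolicy", "UpdatePolicy", "DeletePolicy",
                      "CreateNetworkRule", "UpdateNetworkRule", "DeleteNetworkRule",
                      "UpdateAlias", "SetKeyStoreAuditConfig"},
    "material_out": {"GetSecretValue", "ExportCertificate", "ExportDataKey",
                     "GenerateAndExportDataKey"},
}
READ_PREFIXES = ("Describe", "List", "Get")

def classify(event_name):
    """Map one KMS event name to a review tier."""
    for tier, names in TIERS.items():
        if event_name in names:
            return tier
    return "read" if event_name.startswith(READ_PREFIXES) else "other"

def triage(lines):
    """Group non-read KMS events by tier; count lines that cannot be parsed."""
    findings, skipped = defaultdict(list), 0
    for line in lines:
        try:
            ev = json.loads(line)
            name = ev["eventName"]          # assumed field name
        except (ValueError, KeyError, TypeError):
            skipped += 1                    # surface malformed lines, do not drop silently
            continue
        if str(ev.get("serviceName", "")).lower() != "kms":  # assumed field and value
            continue
        tier = classify(name)
        if tier != "read":
            who = (ev.get("userIdentity") or {}).get("principalId", "unknown")
            findings[tier].append((ev.get("eventTime"), who, name))
    return dict(findings), skipped

# Constructed sample records, one JSON object per line (not real log data).
SAMPLE = [
    '{"eventTime":"2023-03-31T02:10:00Z","serviceName":"Kms","eventName":"DescribeKey","userIdentity":{"principalId":"ops-a"}}',
    '{"eventTime":"2023-03-31T02:11:00Z","serviceName":"Kms","eventName":"GetSecretValue","userIdentity":{"principalId":"ops-a"}}',
    '{"eventTime":"2023-03-31T02:12:00Z","serviceName":"Kms","eventName":"SetDeletionProtection","userIdentity":{"principalId":"ops-b"}}',
    '{"eventTime":"2023-03-31T02:13:00Z","serviceName":"Kms","eventName":"ScheduleKeyDeletion","userIdentity":{"principalId":"ops-b"}}',
    '{"eventTime":"2023-03-31T02:14:00Z","serviceName":"Ecs","eventName":"StopInstance","userIdentity":{"principalId":"ops-b"}}',
    "not-json",
]
```

Event names that fall into `other` include cryptographic operations such as `Encrypt`, and would also include any name added to KMS after this table was last updated.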