
ActionTrail: Monitor the usage of KMS keys in ActionTrail

Last Updated: Feb 01, 2024

You can use ActionTrail to monitor the usage of keys in Key Management Service (KMS) to detect abnormal activities, unauthorized operations, or potential security risks at the earliest opportunity. Effective monitoring and auditing can help you manage and protect KMS keys to ensure data security and compliance. This topic describes how to use the advanced event query feature of ActionTrail to query the management records and usage of KMS keys.

Prerequisites

  • Simple Log Service is activated. For more information, see Getting Started.

    Note

    You are not charged when you activate Simple Log Service. You are charged when you deliver audit events to Simple Log Service and query and analyze data in Simple Log Service. For more information, see Billing overview.

  • A trail that meets the following conditions is created:

    • The trail delivers events in all regions.

    • The trail delivers events of the management event type.

    • All is selected for the Management Event parameter.

    • The trail delivers events to Simple Log Service.

    Note

    If no trail is created within the current account or existing trails do not meet the conditions, create an eligible trail. For more information, see Create a single-account trail or Create a multi-account trail.

  • The advanced event query feature is enabled for an eligible trail. For more information, see Enable the advanced event query feature.

Scenario 1: Query the records of creating, deleting, enabling, and disabling KMS keys

  1. Log on to the ActionTrail console.

  2. In the left-side navigation pane, choose Events > Advanced Event Query.

  3. In the left-side Query Range pane, select the trail that you want to manage.

  4. On the Default tab, configure the following query conditions.

    • Set Service Name to Key Management Service (Kms).

    • Set Event Name to CreateKey, ScheduleKeyDeletion, EnableKey, and DisableKey.

  5. Specify a query time range and click Run.

  6. View the query results.

    • Raw Log

      On the Raw Log tab, view all records of creating, deleting, enabling, and disabling KMS keys within the specified time range. Find an event and click View Event Details in the Actions column to view the basic information and logs of the event.

    • Query Histogram

      On the Query Histogram tab, view the histogram of events.

  7. Optional. Execute an SQL statement to query the information about a specific operation, such as the operator, event, and key ID.

    1. Turn off Simple Mode in the upper-right corner and enter the following query statement:

      event.serviceName:Kms AND (event.eventName:CreateKey OR event.eventName:ScheduleKeyDeletion OR event.eventName:EnableKey OR event.eventName:DisableKey)
      | SELECT date_format(__time__, '%Y-%m-%d %H:%i:%s') as time,"event.eventName" as eventName,"event.userIdentity.userName" as user,"event.resourceName" as keyId

    2. Specify a query time range and click Run.

    3. View the query results.

      • Aggregation Analysis

        On the Aggregation Analysis tab, view information that is returned after filtering, such as the operation time, related event, operator, and key ID.

      • Raw Log

        On the Raw Log tab, find an event and click View Event Details in the Actions column to view the basic information and logs of the event.

      • Query Histogram

        On the Query Histogram tab, view the histograms of events.

Scenario 2: Query the usage of a KMS key

  1. Log on to the ActionTrail console.

  2. In the left-side navigation pane, choose Events > Advanced Event Query.

  3. In the left-side Query Range pane, select the trail that you want to manage.

  4. Turn off Simple Mode in the upper-right corner and enter the ID of the KMS key that you want to query.

  5. Specify a query time range and click Run.

  6. View the query results.

    • Raw Log

      On the Raw Log tab, view the events that are related to the key ID within the specified time range. Find the event that you want to view and click View Event Details in the Actions column to view the basic information and logs of the event.

    • Query Histogram

      On the Query Histogram tab, view the histograms of events.

  7. Optional. Execute an SQL statement to collect call statistics on a key, such as the event name and IP address.

    1. On the Default tab, enter the following query statement:

      "<YourKmsKeyId>" | SELECT DISTINCT "event.eventName" as eventName,"event.sourceIpAddress" as ip,count(*) as num GROUP BY eventName,ip ORDER BY count(*) DESC

      Note

      Replace <YourKmsKeyId> with the ID of your KMS key.

    2. Specify a query time range and click Run.

    3. View the query results.

      • Aggregation Analysis

        On the Aggregation Analysis tab, view the call statistics such as the related events, IP addresses, and number of calls.

      • Raw Log

        On the Raw Log tab, find the event that you want to view and click View Event Details in the Actions column to view the basic information and logs of the event.

      • Query Histogram

        On the Query Histogram tab, view the histograms of events.
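
The following Python sketch is an added example, not part of the original documentation: it applies the Scenario 1 and Scenario 2 queries to records exported for offline triage, and goes one step further by flagging call groups whose source IP is outside an expected set. The nested record shape, the key IDs, the user names and the IP addresses are constructed assumptions that mirror the event.* fields used in the queries above.

```python
import json
from collections import Counter
from datetime import datetime, timezone

LIFECYCLE = {"CreateKey", "ScheduleKeyDeletion", "EnableKey", "DisableKey"}

def _ev(ts, name, ip, key, user):
    """Build one constructed record; the shape is an assumed export format."""
    return {"__time__": ts, "event": {
        "serviceName": "Kms", "eventName": name, "sourceIpAddress": ip,
        "resourceName": key, "userIdentity": {"userName": user}}}

# Constructed sample data: documentation IP ranges, placeholder key IDs.
SAMPLE = [
    _ev(1706745600, "Decrypt", "192.0.2.10", "key-example-0001", "app-svc"),
    _ev(1706745660, "Decrypt", "192.0.2.10", "key-example-0001", "app-svc"),
    _ev(1706745720, "GenerateDataKey", "192.0.2.10", "key-example-0001", "app-svc"),
    _ev(1706749200, "Decrypt", "203.0.113.77", "key-example-0001", "app-svc"),
    _ev(1706752800, "DisableKey", "203.0.113.77", "key-example-0001", "ops-admin"),
    _ev(1706756400, "CreateKey", "192.0.2.10", "key-example-0002", "ops-admin"),
]

def lifecycle_changes(records):
    """Scenario 1: time, event, operator and key ID for key lifecycle events."""
    rows = []
    for r in records:
        e = r["event"]
        if e.get("serviceName") == "Kms" and e.get("eventName") in LIFECYCLE:
            t = datetime.fromtimestamp(r["__time__"], tz=timezone.utc)
            rows.append((t.strftime("%Y-%m-%d %H:%M:%S"), e["eventName"],
                         e["userIdentity"]["userName"], e["resourceName"]))
    return rows

def key_call_stats(records, key_id):
    """Scenario 2: calls per (eventName, source IP), full-text match on key_id."""
    hits = [r["event"] for r in records if key_id in json.dumps(r)]
    counts = Counter((e["eventName"], e["sourceIpAddress"]) for e in hits)
    return counts.most_common()

def unexpected_sources(records, key_id, known_ips):
    """Follow-up check: call groups whose source IP is outside the expected set."""
    return [(name, ip, n) for (name, ip), n in key_call_stats(records, key_id)
            if ip not in known_ips]

if __name__ == "__main__":
    for row in lifecycle_changes(SAMPLE):
        print(row)
    print(unexpected_sources(SAMPLE, "key-example-0001", {"192.0.2.10"}))
```

In the constructed data, the DisableKey call and one Decrypt call on the same key come from an address outside the expected set, which is the kind of pairing worth opening in View Event Details.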
