
Key Management Service: Audit events of KMS

Last Updated: Nov 29, 2023

Key Management Service (KMS) is integrated with ActionTrail. In the ActionTrail console, you can query the management events that are generated when you manage KMS resources. KMS can deliver management events to Logstores in Simple Log Service or Object Storage Service (OSS) buckets. This way, you can audit the events in real time and locate the causes of issues.

KMS generates management events when you manage cloud resources by using APIs or the Alibaba Cloud Management Console. The following table describes the management events of KMS that you can query in the ActionTrail console.

| Event name | Description |
| --- | --- |
| AsymmetricDecrypt | Decrypts data by using an asymmetric key. |
| AsymmetricEncrypt | Encrypts data by using an asymmetric key. |
| AsymmetricSign | Generates a signature by using an asymmetric key. |
| AsymmetricVerify | Verifies a signature by using an asymmetric key. |
| CancelKeyDeletion | Cancels the deletion of a key. |
| CertificatePrivateKeyDecrypt | Decrypts data by using a certificate. |
| CertificatePrivateKeySign | Generates a digital signature by using a certificate. |
| CertificatePublicKeyEncrypt | Encrypts data by using a certificate. |
| CertificatePublicKeyVerify | Verifies a digital signature by using a certificate. |
| CheckServiceLinkedRoleForDeleting | Checks whether a service-linked role can be deleted. |
| ConnectKeyStore | Enables a KMS instance. |
| ConnectKmsInstance | Enables a KMS instance. |
| CreateAlias | Creates an alias for a key. |
| CreateApplicationAccessPoint | Creates an application access point (AAP). |
| CreateCertificate | Creates a certificate. |
| CreateCertificateAuthority | Creates a certificate authority (CA). |
| CreateClientKey | Creates a client key for an AAP. |
| CreateKey | Creates a key. |
| CreateKeyVersion | Creates a version for a key. |
| CreateNetworkRule | Creates a network access rule. |
| CreatePolicy | Creates an access control policy for an AAP. |
| CreateSecret | Creates a secret and stores the secret value in the initial version. |
| Decrypt | Decrypts ciphertext. |
| DeleteAlias | Deletes an alias. |
| DeleteApplicationAccessPoint | Deletes an AAP. |
| DeleteCertificate | Deletes a certificate and the private key and certificate chain of the certificate. |
| DeleteCertificateAuthority | Deletes a CA. |
| DeleteClientKey | Deletes the client key of an AAP. |
| DeleteKeyMaterial | Deletes imported key material. |
| DeleteNetworkRule | Deletes a network access rule of an AAP. |
| DeletePolicy | Deletes an access control policy of an AAP. |
| DeleteSecret | Deletes a secret. |
| DescribeAccessPoint | Queries the information about an AAP. |
| DescribeAccountKmsStatus | Queries the status of KMS within the current Alibaba Cloud account. |
| DescribeApplicationAccessPoint | Queries the details of an AAP. |
| DescribeCertificate | Queries the information about a certificate. |
| DescribeCertificateAuthority | Queries the CA information. |
| DescribeClusters | Queries the information about a cluster. |
| DescribeDBInstanceNetInfo | Queries the network information about an instance. |
| DescribeKey | Queries the details of a key. |
| DescribeKeyStores | Queries the details of a KMS instance. |
| DescribeKeyVersion | Queries the information about a key version. |
| DescribeNetworkRule | Queries the details of a network access rule of an AAP. |
| DescribePolicy | Queries the details of an access control policy of an AAP. |
| DescribeRegion | Queries available regions for the current account. |
| DescribeSecret | Queries the metadata of a secret. |
| DescribeService | Queries the key protection capabilities in a region. |
| DisableKey | Disables a key for encryption and decryption. |
| DisconnectKeyStore | Disables a KMS instance of the hardware key management type. |
| doCheckResource | Verifies the information about a tag. |
| doLogicalDeleteResource | Deletes a resource in a logical manner. |
| doPhysicalDeleteResource | Deletes a resource in a physical manner. |
| EnableKey | Enables a key for encryption and decryption. |
| Encrypt | Encrypts plaintext into ciphertext by using a symmetric key. |
| ExportCertificate | Exports a certificate and the private key of the certificate. |
| ExportDataKey | Encrypts a data key by using a public key and exports the data key. |
| GenerateAndExportDataKey | Generates a random data key, encrypts the data key by using a key and a public key, and then returns the key-encrypted data key ciphertext and the public key-encrypted data key ciphertext. |
| GenerateDataKey | Generates a random data key that is used to locally encrypt data. |
| GenerateDataKeyWithoutPlaintext | Generates a random data key that is used to locally encrypt data. The plaintext of the data key is not returned. |
| GetCertificate | Queries a certificate that is managed by Certificates Manager. |
| GetCertificateAuthorityCertificate | Queries the CAs of certificates that are managed by Certificates Manager. |
| GetCertificateAuthorityCsr | Queries the certificate signing request (CSR) files for certificates that are managed by Certificates Manager. |
| GetClientKey | Queries the information about a client key. |
| GetIssuedCertificate | Queries the certificate that is issued by a CA. |
| GetParametersForImport | Queries the parameters that are used for importing key material. |
| GetPublicKey | Queries the public key of an asymmetric key. |
| GetRandomPassword | Queries a random password string. |
| GetSecretValue | Queries a secret value. |
| GetConsumerTag | Queries a user tag. |
| GetDKMSMigratingDiagnosis | Checks whether a key can be migrated to KMS 3.0. |
| GetKmsInstance | Queries the details of a KMS instance. |
| ImportCertificate | Imports a certificate. |
| ImportCertificateAuthorityCertificate | Imports the certificate of a CA. |
| ImportEncryptionCertificate | Imports an encryption certificate. |
| ImportKeyMaterial | Imports key material. |
| IssueCertificate | Issues a certificate. |
| ListAccessPoints | Queries a list of AAPs. |
| ListAlias | Queries a list of aliases. |
| ListAliases | Queries all aliases of the current user in the current region. |
| ListAliasesByKeyId | Queries all aliases that are associated with a key. |
| ListApplicationAccessPoints | Queries a list of AAPs. |
| ListCertificateAuthorities | Queries a list of CAs. |
| ListCertificates | Queries a list of certificates. |
| ListClientKeys | Queries a list of the client keys of an AAP. |
| ListKeys | Queries all key IDs of the caller in the current region. |
| ListKeyVersions | Queries all versions of a key. |
| ListKmsInstances | Queries a list of KMS instances. |
| ListNetworkRules | Queries a list of the network access rules of an AAP. |
| ListPolicies | Queries a list of the access control policies of an AAP. |
| ListResourceTags | Queries the tags of a key. |
| ListSecrets | Queries all secrets of the current user in the current region. |
| ListSecretVersionIds | Queries all versions of a secret. |
| ListTagResources | Queries the tags of a key or a secret. |
| OpenKmsService | Activates KMS for the current Alibaba Cloud account. |
| OpenService | Activates KMS. |
| PutSecretValue | Stores the secret value of a new version into a secret. |
| ReEncrypt | Re-encrypts ciphertext. |
| RefreshAccessPointTokens | Updates the tokens for an AAP. |
| RestoreSecret | Restores a deleted secret. |
| RevokeIssuedCertificate | Revokes an issued certificate. |
| RotateSecret | Rotates a dynamic secret in a proactive manner. |
| ScheduleKeyDeletion | Schedules the deletion of a key. |
| SetDeletionProtection | Enables or disables deletion protection. |
| SetKeyStoreAuditConfig | Configures KMS audit logs. |
| TagResource | Adds tags to a key or secret. |
| TagResources | Adds tags to keys or secrets. |
| UntagResource | Removes a tag from a key or secret. |
| UntagResources | Removes tags from keys or secrets. |
| UpdateAlias | Updates the ID of the key that is associated with an alias. |
| UpdateApplicationAccessPoint | Updates information about an AAP. |
| UpdateCertificateAuthority | Updates the CA configuration. |
| UpdateCertificateStatus | Updates the status of a certificate. |
| UpdateKeyDescription | Updates the description of a key. |
| UpdateKeyStore | Updates the information about a KMS instance. |
| UpdateKmsInstanceBindVpc | Updates the virtual private cloud (VPC) that is associated with a KMS instance. |
| UpdateNetworkRule | Updates a network access rule of an AAP. |
| UpdatePolicy | Updates an access control policy of an AAP. |
| UpdateRotationPolicy | Updates a key rotation policy. |
| UpdateSecret | Updates the metadata of a secret. |
| UpdateSecretRotationPolicy | Updates the rotation policy for a dynamic secret. |
| UpdateSecretVersionStage | Updates the stage label that marks a secret version. |
| UploadCertificate | Imports a certificate and a certificate chain issued by a CA into Certificates Manager. |
| ConnectDKMSInstance | Enables a KMS instance. |
| CreateBackup | Creates a backup instance. |
| CreateCheckAssociateResourceTask | Creates a task to check the cloud service resources that are associated with a key. |
| DeleteBackup | Deletes a backup instance. |
| DescribeBackups | Queries the details of a backup instance. |
| DescribeDKMSInstances | Queries a list of KMS instances. |
| DescribeIssuedCertificate | Queries a CA certificate of a KMS instance. |
| DescribeKMSInstances | Queries a list of KMS instances. |
| DescribeVpcs | Queries a list of VPCs. |
| DescribeZones | Queries the zones supported by a KMS instance. |
| DescribNetworkRule | Queries the details of a network access rule. |
| DisconnectDKMSInstance | Disables a KMS instance. |
| DownloadBackupData | Downloads backup data. |
| EnableBackup | Enables a backup instance. |
| GenerateKMSDataKey | Creates a data key. |
| GetCheckAssociateResourceTaskResults | Queries the result of a key association check task. |
| GetCrl | Queries a certificate. |
| GetKmsInstanceQuotaInfos | Queries the quotas of a KMS instance. |
| GetKmsInstanceSharedAccounts | Queries the quota occupied by a shared KMS instance. |
| GetSecreValue | Retrieves a secret. |
| GetUploadBackupDataInfo | Uploads data backup information. |
| ListBackups | Queries a list of backup instances. |
| ListMetaData | Queries the metadata of backup instance resources. |
| ListSpecifyRegionKmsInstances | Queries KMS instances in a region. |
| RecoverData | Restores backup data. |
| RecoverMigrationKeys | |
| ResetBackup | Resets a backup instance. |
| UpdateDKMSInstance | Changes the name of a KMS instance. |
| UpdateDKMSInstanceConfig | Updates the configurations of a KMS instance. |