
Key Management Service: Enable security audit

Last Updated: Apr 22, 2025

After you purchase Cloud Hardware Security Module (HSM), you can enable security audit to automatically and persistently store the running data of your HSMs in Object Storage Service (OSS) buckets as audit logs. The audit logs record actions such as registering administrators, adding keys, and exporting keys, which helps you meet compliance and audit requirements. This topic describes how to enable the feature.

Prerequisites

  • An HSM is purchased and enabled.

  • OSS is enabled, and a bucket is created. For more information, see Get started by using the OSS console.

    Important
    • The region of the bucket must be the same as the one where you want to enable the security audit feature.

    • After you enable the security audit feature, do not delete the OSS bucket. Otherwise, the audit files cannot be delivered.

Limits

  • You cannot enable the security audit feature across regions. For example, to enable it for the HSMs in both Region A and Region B, you must enable it separately in each region.

  • The security audit feature is currently in beta and is available only for general virtual security modules (GVSMs) and electronic virtual security modules (EVSMs).

  • The regions that support the security audit feature are China (Hangzhou), China (Shanghai), China (Beijing), China (Shenzhen), and China (Chengdu).

Procedure

  1. Log on to the Cloud Hardware Security Module console and click Security Audit Beta in the navigation pane on the left.

  2. On the Security Audit page, click Enable Security Audit, then click Authorize.


    After the authorization is complete, HSM automatically creates a service-linked role named AliyunServiceRoleForHSMLogDelivery. The role has the read and write permissions on your OSS bucket. For more information, see Service-linked role for HSM.

  3. In the OSS Bucket drop-down list, select the bucket where you want to store the HSM audit logs and click OK.


    When the switch turns green and Enabled is displayed, the security audit feature is enabled, and the audit logs of all HSM instances in the current region are delivered to the bucket shown in the Audit Log Delivery Rule section.

Disable the security audit feature

On the Security Audit page, click the switch next to Enabled. In the Disable Security Audit dialog box, click Close.