
Key Management Service: Enable security audit

Last Updated: Mar 31, 2026

Security audit stores the running data of your Cloud Hardware Security Module (HSM) instances as audit logs in an Object Storage Service (OSS) bucket, helping you meet compliance and audit requirements. Once enabled, all HSM instances in the current region deliver their logs to the OSS bucket you select.

Important

The OSS bucket must be in the same region as the HSMs you want to audit. Do not delete the bucket after enabling security audit — deleting it interrupts log delivery.

Limitations

  • Security audit is a beta feature, available only for general virtual security modules (GVSMs) and electronic virtual security modules (EVSMs).

  • Supported regions: China (Hangzhou), China (Shanghai), China (Beijing), China (Shenzhen), and China (Chengdu).

  • Security audit is region-scoped. To audit HSMs in multiple regions, enable it separately in each region.
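The constraints above (same-region bucket, supported regions and module types, per-region enablement, and a bucket that still exists) can be checked against an inventory to find HSMs whose operations are not reaching the audit trail. This is an added example, not code from the product documentation: the function name, data structures and sample inventory are hypothetical and constructed, and the region IDs are the standard Alibaba Cloud IDs for the five regions listed.

```python
from dataclasses import dataclass

# Region IDs for the five supported regions listed on this page.
SUPPORTED_REGIONS = {"cn-hangzhou", "cn-shanghai", "cn-beijing", "cn-shenzhen", "cn-chengdu"}
SUPPORTED_TYPES = {"GVSM", "EVSM"}  # module types the page says the beta covers

@dataclass(frozen=True)
class Hsm:
    instance_id: str   # constructed identifier, not a real instance ID format
    region: str
    module_type: str

def audit_gaps(hsms, audit_bucket_by_region, bucket_region):
    """Return sorted (instance_id, reason) pairs for HSMs whose logs are not delivered.
    audit_bucket_by_region maps region -> bucket chosen at enablement;
    bucket_region maps bucket name -> region for buckets that still exist."""
    gaps = []
    for h in hsms:
        if h.module_type not in SUPPORTED_TYPES:
            reason = "module type not covered by security audit"
        elif h.region not in SUPPORTED_REGIONS:
            reason = "region not supported"
        elif h.region not in audit_bucket_by_region:
            reason = "security audit not enabled in this region"
        else:
            bucket = audit_bucket_by_region[h.region]
            if bucket not in bucket_region:
                reason = "delivery bucket no longer exists"
            elif bucket_region[bucket] != h.region:
                reason = "bucket is in a different region"
            else:
                continue  # logs for this HSM are being delivered
        gaps.append((h.instance_id, reason))
    return sorted(gaps)

# Constructed sample inventory (hypothetical instance and bucket names).
SAMPLE_HSMS = [
    Hsm("hsm-a", "cn-hangzhou", "GVSM"),
    Hsm("hsm-b", "cn-shanghai", "EVSM"),
    Hsm("hsm-c", "cn-beijing", "GVSM"),
    Hsm("hsm-d", "cn-shenzhen", "EVSM"),
]
SAMPLE_AUDIT = {"cn-hangzhou": "audit-hz", "cn-beijing": "audit-bj", "cn-shenzhen": "audit-shared"}
SAMPLE_BUCKETS = {"audit-hz": "cn-hangzhou", "audit-shared": "cn-hangzhou"}

if __name__ == "__main__":
    for instance_id, reason in audit_gaps(SAMPLE_HSMS, SAMPLE_AUDIT, SAMPLE_BUCKETS):
        print(f"{instance_id}: {reason}")
```
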

What the audit logs cover

The audit logs record key operations performed on your HSMs, including:

  • Registering administrators

  • Adding keys and exporting keys

Logs are stored as files in your OSS bucket and can be used to meet compliance and audit requirements.

Prerequisites

Before you begin, make sure you have:

Enable security audit

  1. Log on to the Cloud Hardware Security Module console and click Security Audit Beta in the left navigation pane.

  2. On the Security Audit page, click Enable Security Audit, then click Authorize. After authorization, HSM automatically creates a service-linked role named AliyunServiceRoleForHSMLogDelivery with read and write permissions on your OSS bucket. For details, see Service-linked role for HSM.

    Security Audit page after clicking Enable and Authorize

  3. In the OSS Bucket drop-down list, select the bucket where you want to store HSM audit logs, then click OK. When the switch turns green and Enabled is displayed, security audit is active. Audit logs for all HSM instances in the current region are delivered to the bucket shown in the Audit Log Delivery Rule section.

    Security Audit Service page with OSS Bucket selector

    Successful activation — green switch and Enabled status

Disable security audit

On the Security Audit page, click the switch next to Enabled. In the Disable Security Audit dialog box, click Close.