Key Management Service (KMS) integrates with ActionTrail to record management events generated when you manage KMS resources using APIs or the Alibaba Cloud Management Console. Use the ActionTrail console to query these events for real-time auditing and to locate the causes of issues.
How event delivery works
ActionTrail captures KMS management events and can deliver them to the following destinations:
Simple Log Service Logstores — stream events for real-time search and analysis
Object Storage Service (OSS) buckets — archive events for storage and compliance audits
KMS generates management events when you manage cloud resources by using APIs or the Alibaba Cloud Management Console.
KMS management events
The following table lists the KMS management events that you can query in ActionTrail.
| Event name | Description |
|---|---|
| AsymmetricDecrypt | Decrypts data by using an asymmetric key. |
| AsymmetricEncrypt | Encrypts data by using an asymmetric key. |
| AsymmetricSign | Generates a signature by using an asymmetric key. |
| AsymmetricVerify | Verifies a signature by using an asymmetric CMK. |
| CancelKeyDeletion | Cancels the deletion of a key. |
| CertificatePrivateKeyDecrypt | Decrypts data by using a certificate. |
| CertificatePrivateKeySign | Generates a digital signature by using a certificate. |
| CertificatePublicKeyEncrypt | Encrypts data by using a certificate. |
| CertificatePublicKeyVerify | Verifies a digital signature by using a certificate. |
| CheckServiceLinkedRoleForDeleting | Checks whether a service-linked role can be deleted. |
| ConnectKeyStore | Enables a KMS instance. |
| ConnectKmsInstance | Enables a KMS instance. |
| CreateAlias | Creates an alias for a key. |
| CreateApplicationAccessPoint | Creates an application access point (AAP). |
| CreateCertificate | Creates a certificate. |
| CreateCertificateAuthority | Create a certificate authority (CA). |
| CreateClientKey | Creates a client key for an AAP. |
| CreateKey | Creates a key. |
| CreateKeyVersion | Creates a version for a key. |
| CreateNetworkRule | Creates a network access rule. |
| CreatePolicy | Creates an access control policy for an AAP. |
| CreateSecret | Creates a secret and stores the secret value in the initial version. |
| CreateKmsInstanceImageUpgradeTask | Creates an image upgrade task for a KMS instance. |
| CancelKmsInstanceImageUpgradeTask | Cancels an image upgrade task for a KMS instance. |
| RollbackKmsInstanceImageUpgradeTask | Rolls back an image upgrade task of a KMS instance. |
| DescribeKmsInstanceImageUpgradeTask | Queries the details of an image upgrade task of a KMS instance. |
| Decrypt | Decrypts ciphertext. |
| DeleteAlias | Deletes an alias. |
| DeleteApplicationAccessPoint | Deletes an AAP. |
| DeleteCertificate | Deletes a certificate and the private key and certificate chain of the certificate. |
| DeleteCertificateAuthority | Deletes a CA. |
| DeleteClientKey | Deletes the client key of an AAP. |
| DeleteKeyMaterial | Deletes imported key material. |
| DeleteNetworkRule | Deletes a network access rule of an AAP. |
| DeletePolicy | Deletes an access control policy of an AAP. |
| DeleteSecret | Deletes a secret. |
| DescribeAccessPoint | Queries the information about an AAP. |
| DescribeAccountKmsStatus | Queries the status of KMS within the current Alibaba Cloud account. |
| DescribeApplicationAccessPoint | Queries the details of an AAP. |
| DescribeCertificate | Queries the information about a certificate. |
| DescribeCertificateAuthority | Queries the CA information. |
| DescribeClusters | Queries the information about a cluster. |
| DescribeDBInstanceNetInfo | Queries the network information about an instance. |
| DescribeKey | Queries the details of a key. |
| DescribeKeyStores | Queries the details of a KMS instance. |
| DescribeKeyVersion | Queries the information about a key version. |
| DescribeNetworkRule | Queries the details of a network access rule of an AAP. |
| DescribePolicy | Queries the details of an access control policy of an AAP. |
| DescribeRegion | Queries available regions for the current account. |
| DescribeSecret | Queries the metadata of a secret. |
| DescribeService | Queries the key protection capabilities in a region. |
| DisableKey | Disables a key for encryption and decryption. |
| DisconnectKeyStore | Disables a KMS instance of the hardware key management type. |
| doCheckResource | Verifies the information about a tag. |
| doLogicalDeleteResource | Deletes a resource in a logical manner. |
| doPhysicalDeleteResource | Deletes a resource in a physical manner. |
| EnableKey | Enables a key for encryption and decryption. |
| Encrypt | Encrypts plaintext into ciphertext by using a symmetric key. |
| ExportCertificate | Exports a certificate and the private key of the certificate. |
| ExportDataKey | Encrypts a data key by using a public key and exports the data key. |
| GenerateAndExportDataKey | Generates a random data key, encrypts the data key by using a key and a public key, and then returns the key-encrypted data key ciphertext and the public key-encrypted data key ciphertext. |
| GenerateDataKey | Generates a random data key that is used to locally encrypt data. |
| GenerateDataKeyWithoutPlaintext | Generates a random data key that is used to locally encrypt data. The plaintext of the data key is not returned. |
| GetCertificate | Queries a certificate that is managed by Certificates Manager. |
| GetCertificateAuthorityCertificate | Queries the CAs of certificates that are managed by Certificates Manager. |
| GetCertificateAuthorityCsr | Queries the certificate signing request (CSR) files for certificates that are managed by Certificates Manager. |
| GetClientKey | Queries the information about a client key. |
| GetIssuedCertificate | Queries the certificate that is issued by a CA. |
| GetParametersForImport | Queries the parameters that are used for importing key material. |
| GetPublicKey | Queries the public key of an asymmetric key. |
| GetRandomPassword | Queries a random password string. |
| GetSecretValue | Queries a secret value. |
| GetConsumerTag | Queries a user tag. |
| GetDKMSMigratingDiagnosis | Checks whether a key can be migrated to KMS 3.0. |
| GetKmsInstance | Queries the details of a KMS instance. |
| ImportCertificate | Imports a certificate. |
| ImportCertificateAuthorityCertificate | Imports the certificate of a CA. |
| ImportEncryptionCertificate | Imports an encryption certificate. |
| ImportKeyMaterial | Imports key material. |
| IssueCertificate | Issues a certificate. |
| ListAccessPoints | Queries a list of AAPs. |
| ListAlias | Queries a list of aliases. |
| ListAliases | Queries all aliases of the current user in the current region. |
| ListAliasesByKeyId | Queries all aliases that are associated with a key. |
| ListApplicationAccessPoints | Queries a list of AAPs. |
| ListCertificateAuthorities | Queries a list of CAs. |
| ListCertificates | Queries a list of certificates. |
| ListClientKeys | Queries a list of the client keys of an AAP. |
| ListKeys | Queries all key IDs of the caller in the current region. |
| ListKeyVersions | Queries all versions of a key. |
| ListKmsInstances | Queries a list of KMS instances. |
| ListNetworkRules | Queries a list of the network access rules of an AAP. |
| ListPolicies | Queries a list of the access control policies of an AAP. |
| ListResourceTags | Queries the tags of a key. |
| ListSecrets | Queries all secrets of the current user in the current region. |
| ListSecretVersionIds | Queries all versions of a secret. |
| ListTagResources | Queries the tags of a key or a secret. |
| OpenKmsService | Activates KMS for the current Alibaba Cloud account. |
| OpenService | Activates KMS. |
| PutSecretValue | Stores the secret value of a new version into a secret. |
| ReEncrypt | Re-encrypts ciphertext. |
| RefreshAccessPointTokens | Updates the tokens for an AAP. |
| RestoreSecret | Restores a deleted secret. |
| RevokeIssuedCertificate | Revokes an issued certificate. |
| RotateSecret | Rotates a dynamic secret in a proactive manner. |
| ScheduleKeyDeletion | Schedules the deletion of a key. |
| SetDeletionProtection | Enables or disables the deletion protection feature. |
| SetKeyStoreAuditConfig | Configures KMS audit logs. |
| TagResource | Adds tags to a key or secret. |
| TagResources | Adds tags to keys or secrets. |
| UntagResource | Removes a tag from a key or secret. |
| UntagResources | Removes tags from keys or secrets. |
| UpdateAlias | Updates the ID of the key that is associated with an alias. |
| UpdateApplicationAccessPoint | Updates information about an AAP. |
| UpdateCertificateAuthority | Updates the CA configuration. |
| UpdateCertificateStatus | Updates the status of a certificate. |
| UpdateKeyDescription | Updates the description of a key. |
| UpdateKeyStore | Updates the information about a KMS instance. |
| UpdateKmsInstanceBindVpc | Updates the virtual private cloud (VPC) that is associated with a KMS instance. |
| UpdateNetworkRule | Updates a network access rule of an AAP. |
| UpdatePolicy | Updates an access control policy of an AAP. |
| UpdateRotationPolicy | Updates a key rotation policy. |
| UpdateSecret | Updates the metadata of a secret. |
| UpdateSecretRotationPolicy | Updates the rotation policy for a dynamic secret. |
| UpdateSecretVersionStage | Updates the stage label that marks a secret version. |
| UploadCertificate | Imports a certificate and a certificate chain issued by a CA into Certificates Manager. |
| ConnectDKMSInstance | Enables a KMS instance. |
| CreateBackup | Creates a backup instance. |
| CreateCheckAssociateResourceTask | Creates a task to check the cloud service resources that are associated with a key. |
| DeleteBackup | Deletes a backup instance. |
| DescribeBackups | Queries the details of a backup instance. |
| DescribeDKMSInstances | Queries a list of KMS instances. |
| DescribeIssuedCertificate | Queries a CA certificate of a KMS instance. |
| DescribeKMSInstances | Queries a list of KMS instances. |
| DescribeVpcs | Queries a list of VPCs. |
| DescribeZones | Queries the zones supported by a KMS instance. |
| DescribNetworkRule | Queries the details of a network access rule. |
| DisconnectDKMSInstance | Disables a KMS instance. |
| DownloadBackupData | Downloads backup data. |
| EnableBackup | Enables a backup instance. |
| GenerateKMSDataKey | Creates a data key. |
| GetCheckAssociateResourceTaskResults | Queries the result of a key association check task. |
| GetCrl | Queries a certificate. |
| GetKmsInstanceQuotaInfos | Queries the quotas of a KMS instance. |
| GetKmsInstanceSharedAccounts | Queries the quota occupied by a shared KMS instance. |
| GetSecreValue | Retrieves a secret. |
| GetUploadBackupDataInfo | Uploads data backup information. |
| ListBackups | Queries a list of backup instances. |
| ListMetaData | Queries the metadata of backup instance resources. |
| ListSpecifyRegionKmsInstances | Queries KMS instances in a region. |
| RecoverData | Restores backup data. |
| RecoverMigrationKeys | Restores migrated keys. |
| ResetBackup | Resets a backup instance. |
| UpdateDKMSInstance | Changes the name of a KMS instance. |
| UpdateDKMSInstanceConfig | Updates the configurations of a KMS instance. |