Dedicated Key Management Service (KMS) instances of the Standard edition support four management operations while in the Enabled state: querying instance details, disconnecting from a dedicated Hardware Security Module (HSM) cluster, reconnecting to a dedicated HSM cluster, and enabling the security audit feature.
Query a dedicated KMS instance
Retrieve the instance ID, Virtual Private Cloud (VPC) address (endpoint), VPC ID, and associated dedicated HSM cluster from the KMS console.
The VPC address is the endpoint for the dedicated KMS instance. It uses the format https://{instance-ID}.cryptoservice.kms.aliyuncs.com.
Supported regions: China (Hangzhou), China (Shanghai), China (Beijing), China (Shenzhen), China (Hong Kong), Malaysia (Kuala Lumpur), and Singapore (Singapore).
Log on to the KMS console.
In the top navigation bar, select the region where your dedicated KMS instance resides.
In the left-side navigation pane, click Dedicated KMS.
Find the target instance and click Details in the Actions column.
The Details panel shows the instance ID, VPC address, VPC ID, and associated HSM cluster.
Disconnect a dedicated KMS instance from a dedicated HSM cluster
To disassociate a dedicated KMS instance from its dedicated HSM cluster, disconnect the instance from the cluster. Plan this as a maintenance action: the instance stays in the Disabled state until you reconnect it to a dedicated HSM cluster.
Supported regions: China (Hangzhou), China (Shanghai), China (Beijing), China (Shenzhen), China (Hong Kong), Malaysia (Kuala Lumpur), and Singapore (Singapore).
Log on to the KMS console.
In the top navigation bar, select the region where your dedicated KMS instance resides.
In the left-side navigation pane, click Dedicated KMS.
Find the target instance and click Details in the Actions column.
Click Disconnect to the right of Dedicated HSM Cluster.
In the Disconnect dialog box, click Disconnect.
The instance status changes from Enabled to Disabled, confirming the disconnection.
Reconnect a dedicated KMS instance to a dedicated HSM cluster
To reconnect a Disabled instance, configure the access credential for the dedicated HSM cluster and click Connect to HSM. The instance status transitions from Creating to Enabled within a few minutes.
Supported regions: China (Hangzhou), China (Shanghai), China (Beijing), China (Shenzhen), China (Hong Kong), Malaysia (Kuala Lumpur), and Singapore (Singapore).
Log on to the KMS console.
In the top navigation bar, select the region where your dedicated KMS instance resides.
In the left-side navigation pane, click Dedicated KMS.
Find the target instance and click Enable in the Actions column.
In the Connect to HSM dialog box, configure the Configure Access Credential parameter and click Connect to HSM.
Wait a few minutes. The instance status changes from Creating to Enabled, confirming the reconnection.
Enable the security audit feature
The security audit feature delivers audit logs to an Object Storage Service (OSS) bucket on an hourly basis. Each log entry records the request details, user information, accessed resource, and operation result. A sample log entry:
2021-10-19T21:40:01 [INFO] - - 3dd60a7a-4587-4c57-8197-d749c3578974 CreateKey - TMP.3KfAHseF5DVULM2s8YUhdB8YvwM4nZA1wXr8AcAAhR7YhdyosXG2eSpsRFPMjYbvUArPRtsCWKzxEo88bC5w5LBfyp**** 111760096384**** 111760096384**** - kst-phzz6108e50c15333w**** - 37 - -
Prerequisites
Before you begin, ensure that an OSS bucket is available. See Create buckets if you need to create one. The bucket becomes the audit trail for the instance, so restrict write and delete permissions on it to the accounts that must have them.
Supported regions: China (Hangzhou), China (Shanghai), China (Beijing), China (Shenzhen), China (Hong Kong), Malaysia (Kuala Lumpur), and Singapore (Singapore).
Steps
Log on to the KMS console.
In the top navigation bar, select the region where your dedicated KMS instance resides.
In the left-side navigation pane, click Dedicated KMS.
Find the target instance and click Details in the Actions column.
In the Details panel, turn on Security Audit.
In the Configure Security Audit dialog box, select the destination bucket from the Destination Bucket drop-down list.
Click OK.
The Security Audit status changes from Disabled to Enabled.
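Once audit logs are landing in the bucket, the next question is how to consume them. The following Python script is an added example, not code from this page or from Alibaba Cloud: it parses lines in the shape of the sample entry above and applies three triage rules (a watchlist of sensitive operations, a caller account that differs from the owner account, and a request signed with a long-lived AccessKey rather than a TMP. temporary credential). The sample lines are constructed, and the field meanings (request ID, action, credential, the two account IDs, instance ID) are inferred from the single sample on this page; confirm them against the official log format before relying on the rules.

```python
"""Parse and triage dedicated KMS security audit log lines.

Added example. Field meanings are an assumption inferred from the single
sample entry on the documentation page; verify against the official format.
"""
import re
from collections import Counter
from dataclasses import dataclass
from typing import Dict, List, Optional, Set, Tuple

# Constructed sample lines in the shape of the page's example (not real data).
SAMPLE_LOG = """\
2021-10-19T21:40:01 [INFO] - - 3dd60a7a-4587-4c57-8197-d749c3578974 CreateKey - TMP.3KfAHseF5DVULM2s8YUhdB8YvwM4nZA1wXr8AcAAhR7YhdyosXG2eSpsRFPMjYbvUArPRtsCWKzxEo88bC5w5LBfyp**** 111760096384**** 111760096384**** - kst-phzz6108e50c15333w**** - 37 - -
2021-10-19T21:41:13 [INFO] - - 7c1f2b9e-0000-4000-8000-000000000001 Decrypt - TMP.3KfAHseF5DVULM2s8YUhdB8YvwM4nZA1wXr8AcAAhR7YhdyosXG2eSpsRFPMjYbvUArPRtsCWKzxEo88bC5w5LBfyp**** 111760096384**** 111760096384**** - kst-phzz6108e50c15333w**** - 12 - -
2021-10-19T21:42:55 [INFO] - - 9d2e4f10-0000-4000-8000-000000000002 CreateKey - LTAI5tExampleAccessKey**** 222233334444**** 111760096384**** - kst-phzz6108e50c15333w**** - 40 - -
"""

UUID_RE = re.compile(r"^[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}$")
ACCOUNT_RE = re.compile(r"^\d{8,}\**$")      # masked account IDs, e.g. 111760096384****
CRED_RE = re.compile(r"^(TMP\.|LTAI)")        # TMP. as in the sample; LTAI = long-lived AccessKey ID
INSTANCE_PREFIX = "kst-"                      # instance ID prefix as in the sample

# Constructed watchlist; extend with the operations you want to alert on.
WATCHED_ACTIONS: Set[str] = {"CreateKey"}


@dataclass
class AuditEntry:
    time: str
    level: str
    request_id: Optional[str]
    action: Optional[str]
    credential: Optional[str]
    accounts: List[str]          # assumed order: caller account, then owner account
    instance_id: Optional[str]
    raw: str


def parse_entry(line: str) -> AuditEntry:
    """Locate fields by pattern rather than fixed position; '-' marks an empty field."""
    tokens = line.split()
    request_id = action = credential = instance_id = None
    accounts: List[str] = []
    for i, tok in enumerate(tokens):
        if request_id is None and UUID_RE.match(tok):
            request_id = tok
            if i + 1 < len(tokens) and tokens[i + 1] != "-":
                action = tokens[i + 1]      # the API operation follows the request ID
        elif credential is None and CRED_RE.match(tok):
            credential = tok
        elif ACCOUNT_RE.match(tok):
            accounts.append(tok)
        elif instance_id is None and tok.startswith(INSTANCE_PREFIX):
            instance_id = tok
    return AuditEntry(tokens[0], tokens[1].strip("[]"), request_id, action,
                      credential, accounts, instance_id, line)


def parse_log(text: str) -> List[AuditEntry]:
    return [parse_entry(ln) for ln in text.splitlines() if ln.strip()]


def triage(entries: List[AuditEntry],
           watched: Set[str] = WATCHED_ACTIONS) -> List[Tuple[str, Optional[str], str]]:
    """Return (rule, request_id, detail) findings worth a closer look."""
    findings = []
    for e in entries:
        if e.action in watched:
            findings.append(("watched-action", e.request_id, e.action))
        # Caller differs from owner: a cross-account call to this instance (assumed field order).
        if len(e.accounts) >= 2 and e.accounts[0] != e.accounts[1]:
            findings.append(("cross-account", e.request_id, e.accounts[0]))
        # Long-lived AccessKey instead of a temporary TMP. credential.
        if e.credential and not e.credential.startswith("TMP."):
            findings.append(("long-lived-credential", e.request_id, e.credential))
    return findings


def summarize(entries: List[AuditEntry]) -> Dict[str, int]:
    """Operation counts, a quick baseline for spotting unusual activity."""
    return Counter(e.action for e in entries if e.action)


if __name__ == "__main__":
    parsed = parse_log(SAMPLE_LOG)
    print(dict(summarize(parsed)))
    for rule, rid, detail in triage(parsed):
        print(f"{rule}: request {rid} ({detail})")
```

Run it against the hourly objects pulled from the audit bucket; the constructed third line trips all three rules, which is the kind of event (a key created through a long-lived credential from another account) that should page someone.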