Secrets Manager delivers rotation events for dynamic Elastic Compute Service (ECS) secrets to CloudMonitor. By querying these events and setting up event-triggered alert rules in the CloudMonitor console, you can receive alert notifications and automate event handling — for example, using Function Compute to automatically remediate failed rotations.
Prerequisites
Before you begin, ensure that you have access to the .
Query rotation events
Log on to the CloudMonitor console.
In the left-side navigation pane, choose Event Center > System Event.
On the System Event page, click the Event Monitoring tab.
Select Key Management Service from the All Products drop-down list. Specify the alert level, event name, and time range to filter results.
Find the target event in the list and click Details in the rightmost column.
Create an event-triggered alert rule
On the System Event page, click the Event-triggered Alert Rules tab, then click Create Alert Rule.
In the Create/Modify Event-triggered Alert Rule panel, configure the following parameters and click OK.
| Parameter | Description |
|---|---|
| Alert rule name | A name for the alert rule. For example: secrets_rotation_failed or secrets_rotation_success. |
| Product type | Select Key Management Service (KMS). |
| Event type | Controls which rotation outcomes trigger alerts. Select Exception to alert on failed rotations only, or Notification to alert on successful rotations only. Selecting both sends an alert for every rotation regardless of outcome. To monitor failures and successes separately, create two rules with different event types. |
| Event level | The severity level of the event. Select CRITICAL for failed rotations or INFO for successful rotations. |
| Event name | The event identifier to monitor. Select Secret:RotateSecret:Failure for failed rotations or Secret:RotateSecret:Success for successful rotations. Avoid selecting both values in the same rule — create separate rules at different alert levels based on the business impact of each outcome. |
| Keyword filtering | Filters alert rules by keyword. Contains any of the keywords sends an alert if the rule contains any specified keyword. Does not contain any of the keywords sends an alert if none of the specified keywords are present. |
| SQL filter | An SQL statement to filter alert rules. |
| Resource range | Select All Resources to apply the rule to all resources. CloudMonitor sends alert notifications for the specified events across all resources. |
| Notification method | Configures how alerts are delivered and how events are processed. For alert delivery, select a Contact Group and a notification method: Critical (phone call + text message + email + webhook), Warning (SMS + text message + webhook), or Info (email + webhook). For automated event handling, select Simple Message Queue (formerly MNS), Function Compute, URL Callback, or Log Service. |
| Mute for | The interval at which alert notifications are resent if the alert is not cleared. |
Alert notification content
Alert notifications follow the format <Resource type>:<Operation>:<Result>. The event payload includes a content field with details specific to each rotation outcome.
Failed rotation: Secret:RotateSecret:Failure
Check the failureInfo field in content to identify the failure cause.
```json
{
  "product": "KMS",
  "eventTime": "20180816T135935.689+0800",
  "level": "CRITICAL",
  "name": "Secret:RotateSecret:Failure",
  "regionId": "cn-hangzhou",
  "resourceId": "acs:kms:cn-hangzhou:188989715694****:secret/secretName",
  "status": "Failed",
  "content": {
    "eventId": "eventId",
    "secretName": "SecretName",
    "secretType": "ECS",
    "RotationEntityArn": "acs:kms:cn-hangzhou:188989715694****:secret/secretName",
    "rotationStatus": "Invalid",
    "rotationSubType": "Password",
    "failureInfo": {
      "errorCode": "Kms:ErrorCode",
      "errorMessage": "errorMessage"
    },
    "failureTime": "2012-03-12T05:55:36Z"
  },
  "ver": "1.0"
}
```
Key fields for failure events:
| Field | Type | Description |
|---|---|---|
| level | string | Severity of the event. CRITICAL for failed rotations. |
| status | string | Overall status. Failed for failed rotations. |
| content.rotationStatus | string | Rotation state. Invalid indicates the rotation failed. |
| content.rotationSubType | string | The credential subtype being rotated, for example Password. |
| content.failureInfo.errorCode | string | The error code that identifies the failure cause. |
| content.failureInfo.errorMessage | string | A human-readable description of the failure. |
| content.failureTime | string | The timestamp when the rotation failed (ISO 8601). |
Successful rotation: Secret:RotateSecret:Success
```json
{
  "product": "KMS",
  "instanceName": "secretId",
  "level": "INFO",
  "name": "Secret:RotateSecret:Success",
  "regionId": "cn-hangzhou",
  "resourceId": "acs:kms:cn-hangzhou:188989715694****:secret/secretName",
  "status": "Normal",
  "content": {
    "eventId": "eventId",
    "secretName": "SecretName",
    "secretType": "ECS",
    "RotationEntityArn": "acs:kms:cn-hangzhou:188989715694****:secret/secretName",
    "rotationStatus": "Enabled",
    "secretSubType": "Password",
    "successTime": "2012-03-12T05:55:36Z"
  },
  "ver": "1.0"
}
```
Key fields for success events:
| Field | Type | Description |
|---|---|---|
| level | string | Severity of the event. INFO for successful rotations. |
| status | string | Overall status. Normal for successful rotations. |
| content.rotationStatus | string | Rotation state. Enabled indicates the rotation succeeded. |
| content.secretSubType | string | The credential subtype that was rotated, for example Password. |
| content.successTime | string | The timestamp when the rotation completed (ISO 8601). |
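The following is an added example, not code from Secrets Manager, CloudMonitor or Function Compute documentation. It shows how an automated handler can consume both event shapes described above: it checks the <Resource type>:<Operation>:<Result> name, pulls the outcome-specific fields (failureInfo and failureTime for failures, secretSubType and successTime for successes), verifies that level, status and content.rotationStatus agree with the event name, and decides whether the event needs remediation. The Function Compute entry point signature handler(event, context) receiving the payload as bytes is an assumption; the sample events are constructed and only modelled on the payloads documented above.

```python
import json
import re
from dataclasses import dataclass, asdict
from typing import Optional

# Event names follow <Resource type>:<Operation>:<Result>.
EVENT_NAME_RE = re.compile(
    r"^(?P<resource>[A-Za-z]+):(?P<operation>[A-Za-z]+):(?P<result>Success|Failure)$"
)

# Values of level / status / content.rotationStatus that belong to each outcome.
EXPECTED = {
    "Failure": {"level": "CRITICAL", "status": "Failed", "rotationStatus": "Invalid"},
    "Success": {"level": "INFO", "status": "Normal", "rotationStatus": "Enabled"},
}


@dataclass
class RotationOutcome:
    result: str                      # "Success" or "Failure"
    secret_name: str
    resource_id: str
    region_id: str
    sub_type: Optional[str]          # rotationSubType (failure) or secretSubType (success)
    event_time: Optional[str]        # failureTime or successTime
    error_code: Optional[str] = None
    error_message: Optional[str] = None
    consistent: bool = True          # level/status/rotationStatus agree with the name


def parse_rotation_event(raw: str) -> RotationOutcome:
    """Parse one event payload into a normalised record for alerting or remediation."""
    event = json.loads(raw)
    if event.get("product") != "KMS":
        raise ValueError(f"not a KMS event: {event.get('product')!r}")
    match = EVENT_NAME_RE.match(event.get("name", ""))
    if not match or match["resource"] != "Secret" or match["operation"] != "RotateSecret":
        raise ValueError(f"not a secret rotation event: {event.get('name')!r}")
    result = match["result"]
    content = event.get("content") or {}
    expected = EXPECTED[result]
    consistent = (
        event.get("level") == expected["level"]
        and event.get("status") == expected["status"]
        and content.get("rotationStatus") == expected["rotationStatus"]
    )
    failed = result == "Failure"
    outcome = RotationOutcome(
        result=result,
        secret_name=content.get("secretName", ""),
        resource_id=event.get("resourceId", ""),
        region_id=event.get("regionId", ""),
        sub_type=content.get("rotationSubType") if failed else content.get("secretSubType"),
        event_time=content.get("failureTime") if failed else content.get("successTime"),
        consistent=consistent,
    )
    if failed:
        info = content.get("failureInfo") or {}   # the field to check for the cause
        outcome.error_code = info.get("errorCode")
        outcome.error_message = info.get("errorMessage")
    return outcome


def classify(outcome: RotationOutcome) -> str:
    """Decide what downstream automation should do with the event."""
    if not outcome.consistent:
        return "investigate"   # fields disagree with the event name: do not auto-act
    if outcome.result == "Failure":
        return "remediate"     # e.g. retry the rotation and notify the secret owner
    return "record"            # successful rotation: log it, no action needed


def handler(event, context):
    """Function Compute style entry point (assumed signature; event is bytes)."""
    raw = event.decode("utf-8") if isinstance(event, (bytes, bytearray)) else event
    outcome = parse_rotation_event(raw)
    return json.dumps({"action": classify(outcome), **asdict(outcome)})


# Constructed sample events modelled on the documented payloads (account ids are placeholders).
SAMPLE_FAILURE = json.dumps({
    "product": "KMS", "eventTime": "20180816T135935.689+0800", "level": "CRITICAL",
    "name": "Secret:RotateSecret:Failure", "regionId": "cn-hangzhou",
    "resourceId": "acs:kms:cn-hangzhou:000000000000****:secret/db-password", "status": "Failed",
    "content": {"eventId": "evt-0001", "secretName": "db-password", "secretType": "ECS",
                "RotationEntityArn": "acs:kms:cn-hangzhou:000000000000****:secret/db-password",
                "rotationStatus": "Invalid", "rotationSubType": "Password",
                "failureInfo": {"errorCode": "Kms:ErrorCode", "errorMessage": "constructed message"},
                "failureTime": "2012-03-12T05:55:36Z"},
    "ver": "1.0"})
SAMPLE_SUCCESS = json.dumps({
    "product": "KMS", "instanceName": "secretId", "level": "INFO",
    "name": "Secret:RotateSecret:Success", "regionId": "cn-hangzhou",
    "resourceId": "acs:kms:cn-hangzhou:000000000000****:secret/db-password", "status": "Normal",
    "content": {"eventId": "evt-0002", "secretName": "db-password", "secretType": "ECS",
                "RotationEntityArn": "acs:kms:cn-hangzhou:000000000000****:secret/db-password",
                "rotationStatus": "Enabled", "secretSubType": "Password",
                "successTime": "2012-03-12T05:55:36Z"},
    "ver": "1.0"})

if __name__ == "__main__":
    for sample in (SAMPLE_FAILURE, SAMPLE_SUCCESS):
        print(handler(sample.encode(), None))
```

The consistency check is the part worth keeping in any real handler: if an automated remediation is wired to Function Compute, it should act only when the name, level, status and rotationStatus all describe the same outcome, and route anything else to a human.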