Document Center

All Products

Document Center

Key Management Service:Alert events

Last Updated:Dec 02, 2025

Key Management Service (KMS) integrates with Cloud Monitor (CMS) to monitor system events and provide alerts. This integration helps you stay informed about events and handle them promptly. This topic describes how to query system events and set alerts.

KMS system event types

System events do not require manual configuration. When the trigger conditions for a system event are met, the event is automatically displayed in the Key Management Service console and the CloudMonitor console. To receive alert notifications for events, you must set them in the CloudMonitor console. For more information, see Set alert notifications for system events in this topic.

System event	Event level	Trigger condition
QPS is approaching the upper limit	Critical	This event is triggered when the real-time queries per second (QPS) of a KMS instance reaches 90% of its quota.
Key scheduled for deletion	Warning	This event is triggered when a key is scheduled for deletion.
Key deleted	Warning	This event is triggered when a key is deleted.
Credential scheduled for deletion	Warning	This event is triggered when a credential is scheduled for deletion.
Credential deleted	Warning	This event is triggered when a credential is deleted.
Managed credential rotation failed	Critical	This event is triggered when a credential rotation fails.
Managed credential rotation succeeded	Info	This event is triggered when a credential rotation succeeds.
Key sync failed	Critical	This event is triggered when a key in a KMS instance fails to sync across regions. For more information, see Cross-region synchronization.
Key sync succeeded	Info	This event is triggered when a key in a KMS instance successfully syncs across regions. For more information, see Cross-region synchronization.
ClientKey expiration reminder	Critical	This event is triggered 180, 90, 30, and 7 days before a ClientKey expires. For more information about ClientKeys, see Overview of application access points.

The following sections describe the JSON format and content fields for each event notification.

QPS is approaching the upper limit

{
    "product": "kms",
    "resourceId": "acs:kms:cn-shanghai:119285********60:instance/<resource-id>",
    "level": "CRITICAL",
    "instanceName": "instanceName",
    "regionId": "cn-hangzhou",
    "name": "Instance:QPS:Reminder",
    "content": {
        "eventId": "119285********60:0d603b4a-********71:175*****07",
        "qps": "***",
        "kmsInstanceId": "kst***pn8",
        "time": "2025-08-26 05:43:00",
        "qpsQuota": "***"
    },
    "status": "normal"
}

Description of the content fields:

Field	Description	Example
eventId	The event ID.	119285******60:0d603b4a-****71:175***07
qps	The current QPS.	10000 per second
kmsInstanceId	The KMS instance ID.	kst***pn8
qpsQuota	The QPS limit.	10000 per second

Key scheduled for deletion

{
    "id": "83d05dd6-1066-4b3f-99be-********19",
    "status": "normal",
    "instanceName": "0d603b4a-********71be",
    "resourceId": "acs:kms:cn-hangzhou:119285********60:key/0d603b4a-********71be",
    "content": {
        "eventId": "119285********60:0d603b4a-********71:175*****07",
        "keyId": "0d603b4a-********71be",
        "deleteEntityArn": "acs:kms:cn-hangzhou:119285********60:key/0d603b4a-********71be",
        "plannedDeleteTime": "2025-09-01T07:15:07Z"
    },
    "product": "kms",
    "time": 1756106122000,
    "level": "WARN",
    "regionId": "cn-hangzhou",
    "groupId": "0",
    "name": "Key:DeleteKey:ScheduleDeletion"
}

Description of the content fields:

Field	Description	Example
eventId	The event ID.	119285******60:0d603b4a-****71:175***07
keyId	The key ID.	0d603b4a-********71be
deleteEntityArn	The Alibaba Cloud Resource Name (ARN) of the resource to be deleted.	acs:kms:cn-hangzhou:119285******60:key/0d603b4a-******71be
plannedDeleteTime	The scheduled deletion time.	2025-09-01T07:15:07Z

Key deleted

{
    "id": "40d14dbc-5b49-481f-********ce",
    "status": "normal",
    "instanceName": "key-hzz68916ed********q4",
    "resourceId": "acs:kms:cn-hangzhou:119285********60:key/key-hzz6********pq4",
    "content": {
        "eventId": "119285********60:key-hzz6********pq4:1755855590",
        "keyId": "0d603b4a-********71be",
        "deleteEntityArn": "acs:kms:cn-hangzhou:119285********60:key/0d603b4a-********71be",
        "deleteTime": "2025-08-22T09:39:50Z"
    },
    "product": "kms",
    "time": 1755855632000,
    "level": "WARN",
    "regionId": "cn-hangzhou",
    "groupId": "0",
    "name": "Key:DeleteKey:ActualDeletion"
}

Description of the content fields:

Field	Description	Example
eventId	The event ID.	119285******60:0d603b4a-****71:175***07
keyId	The key ID.	0d603b4a-********71be
deleteEntityArn	The ARN of the deleted resource.	acs:kms:cn-hangzhou:119285******60:key/0d603b4a-******71be
deleteTime	The actual key deletion time.	2025-08-22T09:39:50Z

Credential scheduled for deletion

{
    "id": "a065edc8-*******f9ba432",
    "status": "normal",
    "instanceName": "XrGpwbua",
    "resourceId": "acs:kms:cn-shanghai:119285********60:secret/XrGpwbua",
    "content": {
        "eventId": "119285********60:XrGpwbua:175*****45",
        "secretName": "XrGpwbua",
        "deleteEntityArn": "acs:kms:cn-shanghai:119285********60:secret/XrGpwbua",
        "plannedDeleteTime": "2025-09-01T06:10:45Z"
    },
    "product": "kms",
    "time": 1756102268000,
    "level": "WARN",
    "regionId": "cn-shanghai",
    "groupId": "0",
    "name": "Secret:DeleteSecret:ScheduleDeletion"
}

Description of the content fields:

Field	Description	Example
eventId	The event ID.	119285******60:0d603b4a-****71:175***07
secretName	The credential name.	XrGpwbua
deleteEntityArn	The ARN of the resource to be deleted.	acs:kms:cn-shanghai:119285********60:secret/XrGpwbua
plannedDeleteTime	The scheduled credential deletion time.	2025-08-22T09:39:50Z

Credential deleted

{
    "id": "a065edc8-********ba432",
    "status": "normal",
    "instanceName": "XrGpwbua",
    "resourceId": "acs:kms:cn-shanghai:119285********60:secret/XrGpwbua",
    "content": {
        "eventId": "119285********60:XrGpwbua:1756102245",
        "secretName": "XrGpwbua",
        "deleteEntityArn": "acs:kms:cn-shanghai:119285********60:secret/XrGpwbua",
        "deleteTime": "2025-09-01T06:10:45Z"
    },
    "product": "kms",
    "time": 1756102268000,
    "level": "WARN",
    "regionId": "cn-shanghai",
    "groupId": "0",
    "name": "Secret:DeleteSecret:ScheduleDeletion"
}

Description of the content fields:

Field	Description	Example
eventId	The event ID.	119285******60:0d603b4a-****71:175***07
secretName	The credential name.	XrGpwbua
deleteEntityArn	The ARN of the deleted resource.	acs:kms:cn-shanghai:119285********60:secret/XrGpwbua
deleteTime	The actual credential deletion time.	2025-08-22T09:39:50Z

Managed credential rotation failed

{
    "id": "ac54ac2b-********01aba",
    "status": "Failed",
    "instanceName": "acs/ecs/secret_rotator",
    "resourceId": "acs:kms:cn-chengdu:119285********60:secret/acs/ecs/secret_rotator",
    "content": {
        "eventId": "119285********60:acs/ecs/secret_rotator:1755853996",
        "secretName": "acs/ecs/secret_rotator",
        "secretType": "ECS",
        "rotationEntityArn": "acs:kms:cn-chengdu:119285********60:secret/acs/ecs/secret_rotator",
        "rotationStatus": "Enabled",
        "secretSubType": "ECSLoginPassword",
        "failureInfo": {
            "errorCode": "RotateError",
            "errorMessage": "output , err stdout:[Module:DescribeECSInstances failed] "
        },
        "failureTime": "2025-08-22T09:13:16Z"
    },
    "product": "kms",
    "time": 1755854045000,
    "level": "CRITICAL",
    "regionId": "cn-chengdu",
    "groupId": "0",
    "name": "Secret:RotateSecret:Failure"
}

Description of the content fields:

Field	Description	Example
eventId	The event ID.	119285******60:0d603b4a-****71:175***07
secretName	The credential name.	acs/ecs/secret_rotator
secretType	The credential type: Rds: RDS credential. Redis: Redis credential. RAMCredentials: RAM credential. ECS: ECS credential. PolarDB: PolarDB credential.	ECS
secretSubType	The credential subtype: If SecretType is Rds (RDS credential), the valid values for secretSubType are: RdsSingleUser: Single-account RDS credential. RdsDoubleUsers: Dual-account RDS credential. If SecretType is Redis (Redis credential), the valid values for secretSubType are: RedisDoubleUsers: Dual-account Redis credential. If SecretType is RAMCredentials (RAM credential), the valid values for secretSubType are: RamUserAccessKey: AccessKey of a RAM user. If SecretType is ECS (ECS credential), the valid values for secretSubType are: ECSLoginPassword: ECS logon password. ECSLoginSSHKey: ECS SSH public and private keys. If SecretType is PolarDB, the valid values for secretSubType are: PolarDBDoubleUsers: Dual-account PolarDB credential.	ECSLoginPassword
rotationEntityArn	The ARN of the resource for which rotation is performed.	acs:kms:cn-hangzhou:119285******60:key/0d603b4a-******71be
rotationStatus	The rotation status: Enabled: Automatic rotation is enabled. Disabled: Automatic rotation is disabled. Invalid: The rotation status is abnormal. Secrets Manager cannot automatically rotate the credential for you.	2025-08-22T09:39:50Z
failureInfo	The reason for the rotation failure. errorCode: The error code. errorMessage: The detailed error message.	`{ "errorCode": "RotateError", "errorMessage": "output , err stdout:[Module:DescribeECSInstances failed] " }`

Managed credential rotation succeeded

{
    "id": "21c9b9e0-********f3e678",
    "status": "normal",
    "instanceName": "acs/ram/user/secrettest",
    "resourceId": "acs:kms:cn-shanghai:119285********60:secret/acs/ram/user/secrettest",
    "content": {
        "eventId": "119285********60:acs/ram/user/secrettest:17******59",
        "secretName": "acs/ram/user/secrettest",
        "secretType": "RAMCredentials",
        "rotationEntityArn": "acs:kms:cn-shanghai:119285********60:secret/acs/ram/user/secrettest",
        "rotationStatus": "Enabled",
        "secretSubType": "RamUserAccessKey",
        "successTime": "2025-08-20T09:37:19Z",
        "message": ""
    },
    "product": "kms",
    "time": 1755855610000,
    "level": "INFO",
    "regionId": "cn-shanghai",
    "groupId": "0",
    "name": "Secret:RotateSecret:Success"
}

Description of the content fields:

Field	Description	Example
eventId	The event ID.	119285******60:acs/ram/user/secrettest:17****59
secretName	The credential name.	acs/ram/user/secrettest
secretType	The credential type: Rds: RDS credential. Redis: Redis credential. RAMCredentials: RAM credential. ECS: ECS credential. PolarDB: PolarDB credential.	RAMCredentials
secretSubType	The credential subtype: If SecretType is Rds (RDS credential), the valid values for secretSubType are: RdsSingleUser: Single-account RDS credential. RdsDoubleUsers: Dual-account RDS credential. If SecretType is Redis (Redis credential), the valid values for secretSubType are: RedisDoubleUsers: Dual-account Redis credential. If SecretType is RAMCredentials (RAM credential), the valid values for secretSubType are: RamUserAccessKey: AccessKey of a RAM user. If SecretType is ECS (ECS credential), the valid values for secretSubType are: ECSLoginPassword: ECS logon password. ECSLoginSSHKey: ECS SSH public and private keys. If SecretType is PolarDB, the valid values for secretSubType are: PolarDBDoubleUsers: Dual-account PolarDB credential.	RamUserAccessKey
rotationEntityArn	The ARN of the rotated object.	acs:kms:cn-shanghai:119285********60:secret/acs/ram/user/secrettest
rotationStatus	The rotation status: Enabled: Automatic rotation is enabled. Disabled: Automatic rotation is disabled. Invalid: The rotation status is abnormal. Secrets Manager cannot automatically rotate the credential for you.	Enabled
successTime	The time when the rotation succeeded.	2025-08-20T09:37:19Z

Key sync failed

{
    "product": "kms",
    "resourceId": "acs:kms:cn-hangzhou:119285********60:key/<resource-id>",
    "level": "CRITICAL",
    "instanceName": "instanceName",
    "regionId": "cn-hangzhou",
    "name": "Instance:KeySync:Failure",
    "content": {
        "eventId": "119285********60:8071aa27-********87",
        "syncTaskId": "8071aa27-********0fc87",
        "masterInstanceId": "kst-ph********z6",
        "shadowInstanceId": "kst-ps********qq",
        "syncStatus": "SyncFailure",
        "errorCode": "",
        "resourceId": "key-ph********4d",
        "resourceType": "KEY",
        "eventTime": "2024-03-22T07:41:17Z"
    },
    "status": "Normal"
}

Description of the content fields:

eventId	The event ID.	119285******60:8071aa27-******87
syncTaskId	The sync task ID.	8071aa27-********0fc87
masterInstanceId	The primary instance ID.	kst-ph********z6
shadowInstanceId	The replica instance ID. Note The key is synced from the primary instance to the replica instance.	kst-ps********qq
syncStatus	The sync status: SyncFailure (sync failed).	SyncFailure
errorCode	The error code.	""
resourceId	The resource ID.	key-ph********04d
resourceType	The resource type. Only KEY is supported.	KEY
eventTime	The sync time.	2024-03-22T07:41:17Z

Key sync succeeded

{
    "product": "kms",
    "resourceId": "acs:kms:cn-hangzhou:119285********60:key/<resource-id>",
    "level": "INFO",
    "instanceName": "instanceName",
    "regionId": "cn-hangzhou",
    "name": "Instance:KeySync:Success",
    "content": {
        "eventId": "119285********60:8071aa27-********0fc87",
        "syncTaskId": "8071aa27-********420fc87",
        "masterInstanceId": "kst-ph********z6",
        "shadowInstanceId": "kst-ps********qq",
        "syncStatus": "SyncSuccess",
        "errorCode": "",
        "resourceId": "key-ph********04d",
        "resourceType": "KEY",
        "eventTime": "2024-03-22T07:41:17Z"
    },
    "status": "Normal"
}

Description of the content fields:

Field	Description	Example
eventId	The event ID.	119285******60:8071aa27-******0fc87
syncTaskId	The sync task ID.	8071aa27-********420fc87
masterInstanceId	The primary instance ID.	kst-ph********z6
shadowInstanceId	The replica instance ID. Note The key is synced from the primary instance to the replica instance.	kst-ps********qq
syncStatus	The sync status: SyncSuccess (sync succeeded).	SyncSuccess
errorCode	The error code.	""
resourceId	The resource ID.	key-ph********04d
resourceType	The resource type. Only KEY is supported.	KEY
eventTime	The sync time.	2024-03-22T07:41:17Z

ClientKey expiration reminder

{
    "product": "kms",
    "resourceId": "<aap_arn>",
    "level": "CRITICAL",
    "instanceName": "instanceName",
    "regionId": "cn-hangzhou",
    "name": "Instance:ClientKey:ExpireReminder",
    "content": {
        "clientKeyName": "clientKeyName",
        "eventId": "eventId",
        "dateOfExpiration": "2024-09-30T18:23:46Z",
        "daysToExpire": "180",
        "affectedKmsInstanceId": "kst-exxxx"
    },
    "status": "Normal"
}

Description of the content fields:

Field	Description	Example
eventId	The event ID.	119285******60:0d603b4a-****71:175***07
clientKeyName	The application access point (AAP) name.	kms-client.
dateOfExpiration	The expiration time.	2024-09-30T18:23:46Z
daysToExpire	The remaining validity period of the ClientKey in days.	180
affectedKmsInstanceId	The scope (KMS instance ID).	kst-hzz********bxt

Supported CloudMonitor metrics

Metric	Description	Alerting supported	Dimensions	Statistics
Requests per minute for an instance	Number of requests per minute.	Yes	userId, regionId, instanceId	Value
Symmetric encryption/decryption requests per minute	Number of symmetric operation requests per minute.	Yes	userId, regionId, instanceId	Value
Asymmetric encryption requests per minute	Number of asymmetric encryption requests per minute.	Yes	userId, regionId, instanceId	Value
Asymmetric decryption requests per minute	Number of asymmetric decryption requests per minute.	Yes	userId, regionId, instanceId	Value
Asymmetric signing requests per minute	Number of asymmetric signing requests per minute.	Yes	userId, regionId, instanceId	Value
Asymmetric signature verification requests per minute	Number of asymmetric signature verification requests per minute.	Yes	userId, regionId, instanceId	Value
Credential operation requests per minute	Number of credential requests per minute.	Yes	userId, regionId, instanceId	Value
Other requests per minute	Number of other operation requests per minute.	Yes	userId, regionId, instanceId	Value
5xx error requests	Number of requests with 5xx error codes per minute.	Yes	userId, regionId, instanceId	Value
4xx error requests	Number of requests with 4xx error codes per minute.	Yes	userId, regionId, instanceId	Value
Request latency	Average latency of all requests per minute.	Yes	userId, regionId, instanceId	Value
KMS instance CPU utilization	CPU utilization of the instance.	Yes	user_id,instance_id	Value
KMS instance symmetric QPS utilization	Symmetric QPS utilization of the instance.	Yes	user_id,instance_id	Value
KMS instance asymmetric QPS utilization	Asymmetric QPS utilization of the instance.	Yes	user_id,instance_id	Value

View system events

You can view system events from the last 90 days.

Method 1: View in the Key Management Service console
1. Log on to the KMS console. In the top navigation bar, select a region. In the navigation pane on the left, choose Security Operations > Alert Events.
2. On the CloudMonitor Alerts tab, select the system event and the time range that you want to query.
3. In the Actions column, click Details to view the event details.
Method 2: View in the CloudMonitor console
1. Log on to the Cloud Monitor console.
2. In the navigation pane on the left, choose Event Center > System Event.
3. On the Event Monitoring tab, set Product to Key Management Service. Then, select the event level, event name, and time period, and then click Search.
4. In the event list, find the target event and click Details in the Actions column.

Set alert notifications for system events

You can set alert rules for system events to receive prompt notifications when exceptions occur. This helps you quickly analyze and locate issues. You can set these rules only in the CloudMonitor console.

Log on to the Cloud Monitor console.
In the left-side navigation pane, choose Event Center > System Event.
On the Event Monitoring tab, click Save As Alert Rule.
Note
To perform custom processing on alert notifications, such as merging and noise reduction, you can configure the notifications on the Event Subscription page. For more information, see Manage event subscriptions (recommended).
In the Create/Modify Event-triggered Alert Rule panel, configure the alert settings.
Note
For more information about the configuration items, see Create an alert rule for a system event.

Reference

For more information about how to configure KMS CloudMonitor alerts and view CloudMonitor statistics, see Overview.