Simple Log Service for KMS lets you query and analyze the audit log of all cryptographic operations processed by your Key Management Service (KMS) instances—with logs retained for up to 180 days to support compliance requirements.
The Simple Log Service for KMS feature allows you to query and analyze the logs of KMS instances in the KMS console. The feature also allows you to store logs for up to 180 days, which helps your application meet compliance requirements. For more information about Simple Log Service, see Simple Log Service.
How it works
When you enable Simple Log Service for KMS on a KMS instance, KMS streams request logs to a dedicated Simple Log Service project. From the KMS console, you can query and analyze those logs directly.
The feature captures request-level operations only—cryptographic calls such as Encrypt, Decrypt, Sign, and GetSecretValue. It does not capture management-plane operations such as creating or deleting KMS resources. To audit management operations, use ActionTrail. For the full list of events ActionTrail tracks, see Audit events of KMS. For instructions on querying those events, see Use ActionTrail to query KMS events.
Logged operations
KMS logs operations differently depending on which endpoint type your caller uses. Use the api_name and share_gateway_api_name fields to identify the business scenario behind each request. For endpoint details, see Endpoints.
KMS endpoints
When your application calls KMS through a shared KMS endpoint, both share_gateway_api_name and api_name are populated.
| share_gateway_api_name | api_name | Operation | Business scenario |
|---|---|---|---|
| GetSecretValue | Decrypt | Retrieves secrets | Self-managed applications retrieving secrets |
| GenerateDataKey | GenerateDataKey | Generates a data key | Cloud service integration with KMS; secret creation or storage for self-managed applications |
| GenerateDataKeyWithoutPlaintext | GenerateDataKey | Generates a data key (ciphertext only) | Cloud service integration with KMS |
| Encrypt | Encrypt | Encrypts data using a symmetric key | Cloud service integration with KMS |
| Decrypt | Decrypt | Decrypts data using a symmetric key | Cloud service integration with KMS |
| AsymmetricEncrypt | Encrypt | Encrypts data using an asymmetric key | Cloud service integration with KMS |
| AsymmetricDecrypt | Decrypt | Decrypts data using an asymmetric key | Cloud service integration with KMS |
| AsymmetricSign | Sign | Signs data using an asymmetric key | Cloud service integration with KMS |
| AsymmetricVerify | Verify | Verifies a signature using an asymmetric key | Cloud service integration with KMS |
KMS instance endpoints
When your application connects directly to a KMS instance endpoint, share_gateway_api_name is empty. Only api_name is logged.
| api_name | Operation |
|---|---|
| GetSecretValue | Retrieves secrets |
| AdvanceEncrypt | Encrypts plaintext into ciphertext using a symmetric key (software key management type only) |
| AdvanceDecrypt | Decrypts ciphertext into plaintext using a symmetric key (software key management type only) |
| AdvanceGenerateDataKey | Generates a data key using a symmetric key (software key management type only) |
| GenerateDataKeyPair | Generates an asymmetric data key pair and returns the private key plaintext |
| GenerateDataKeyPairWithoutPlaintext | Generates an asymmetric data key pair without returning the private key plaintext |
| GenerateDataKey | Generates a data key |
| Encrypt | Encrypts plaintext into ciphertext |
| Decrypt | Decrypts ciphertext into plaintext |
| Sign | Signs data using an asymmetric key |
| Verify | Verifies a signature using an asymmetric key |
| GetPublicKey | Retrieves the public key of an asymmetric key |
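The two tables above mean that the same api_name value can stand for different operations depending on the endpoint used: through a shared endpoint, GetSecretValue, AsymmetricDecrypt and Decrypt are all logged with api_name=Decrypt, and only share_gateway_api_name distinguishes them. The following added example (not code from the KMS documentation or product) classifies constructed log records by endpoint type and effective operation, and shows how counting api_name alone merges those scenarios; the records contain only the two fields discussed here, and any real log entry will carry additional fields.

```python
import json
from collections import Counter

# Constructed sample records: only api_name and share_gateway_api_name are
# used here; real entries carry more fields.
SAMPLE_LOG_LINES = [
    '{"api_name": "Decrypt", "share_gateway_api_name": "GetSecretValue"}',
    '{"api_name": "Decrypt", "share_gateway_api_name": "AsymmetricDecrypt"}',
    '{"api_name": "Decrypt", "share_gateway_api_name": "Decrypt"}',
    '{"api_name": "GenerateDataKey", '
    '"share_gateway_api_name": "GenerateDataKeyWithoutPlaintext"}',
    '{"api_name": "GetSecretValue", "share_gateway_api_name": ""}',
    '{"api_name": "AdvanceEncrypt", "share_gateway_api_name": ""}',
    '{"api_name": "GenerateDataKeyPair", "share_gateway_api_name": ""}',
]


def effective_operation(record: dict) -> tuple:
    """Return (endpoint_type, operation) for one log record.

    Shared KMS endpoint: both fields are populated and share_gateway_api_name
    names the specific operation (api_name is the underlying primitive).
    KMS instance endpoint: share_gateway_api_name is empty and api_name is
    the operation itself.
    """
    gateway = record.get("share_gateway_api_name") or ""
    if gateway:
        return ("shared", gateway)
    return ("instance", record["api_name"])


def summarize(lines):
    """Count records two ways: by raw api_name and by effective operation."""
    by_api = Counter()
    by_operation = Counter()
    for line in lines:
        rec = json.loads(line)
        by_api[rec["api_name"]] += 1
        by_operation[effective_operation(rec)] += 1
    return by_api, by_operation


if __name__ == "__main__":
    raw, effective = summarize(SAMPLE_LOG_LINES)
    print("by api_name:", dict(raw))            # Decrypt counted 3 times
    print("by effective operation:", dict(effective))
```

Keying dashboards and alerts on the effective operation rather than api_name keeps secret retrievals from being reported as ordinary Decrypt calls.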
Log storage assets
Enabling the feature automatically creates the following resources in Simple Log Service for each KMS instance:
| Resource | Naming format |
|---|---|
| Project | kms-log-<KMS instance ID> |
| Logstore | kms_audit_log |
The project is created in the same region as your KMS instance. To view it, log in to the Simple Log Service console.
Do not delete the project or Logstore associated with a KMS instance. Deleting either resource stops KMS from sending logs to Simple Log Service.
Billing
Simple Log Service for KMS is purchased through KMS and billed by log storage capacity.
| Billing dimension | Detail |
|---|---|
| Billing method | Subscription only |
| Minimum capacity | 1,000 GB |
| Capacity increment | 1,000 GB |
| Price | USD 80 per month per 1,000 GB |
Your KMS bill covers storage fees and query and analysis fees. If you use additional Simple Log Service features—such as data transformation, log shipping, or indexing—Simple Log Service charges those separately based on actual usage. For Simple Log Service pricing details, see Billable items of pay-by-feature.
Subscription duration is tied to your KMS instance:
If you enable the feature when purchasing a KMS instance, the subscription duration matches the KMS instance term.
If you enable the feature by upgrading an existing KMS instance, the subscription covers the remaining term of that instance, calculated to the minute.
Estimate your storage capacity
Each request log entry is approximately 1 KB. Use the following formula to estimate the capacity you need:
Daily storage (KB) = QPS × 60 × 60 × 24 × 1 KB per log entry
180-day total (GB) = Daily storage (KB) ÷ 1,048,576 × 180
Example at 100 QPS (queries per second):
Daily log volume: 100 × 60 × 60 × 24 × 1 = 8,640,000 KB ≈ 8.2 GB/day
180-day total: 8.2 × 180 ≈ 1,476 GB
For this workload, set your log storage capacity to 2,000 GB (the next 1,000 GB increment above 1,476 GB).
Limitations
Review the following constraints before enabling the feature—several are irreversible.
Irreversible activation: Once enabled, Simple Log Service for KMS cannot be disabled.
Fixed log retention: Logs are stored for 180 days. This retention period cannot be changed.
No capacity downgrade: After you expand log storage capacity, you cannot reduce it.
Capacity ceiling: If log storage capacity is exhausted, new logs are dropped. Expand capacity before it runs out.
Console usage display lag: The log storage usage shown in the KMS console is not updated in real time and excludes the last 2 hours of actual usage.
Instance dependency: Log collection is suspended if your KMS instance stops running. If the instance expires and is not renewed, KMS releases the instance and deletes the associated Simple Log Service project 16 days after expiration.