All Products
Search
Document Center

Key Management Service:Use Simple Log Service for KMS

Last Updated:Mar 31, 2026

Key Management Service (KMS) integrates with Simple Log Service to record all API operations on your KMS instance as audit logs.

Prerequisites

Before you begin, ensure that you have:

Usage notes

  • Logs are stored on a 180-day rolling window. On day 181, the oldest day's logs are overwritten.

Important

If log storage capacity is exhausted before the 180-day window expires, new logs cannot be written. Increase your log storage capacity before this happens.

  • If the following message appears in the KMS console, submit a ticket and contact technical support to upgrade your KMS instance.image.png

Enable Simple Log Service for KMS

You can enable Simple Log Service for KMS when purchasing a KMS instance, or at any time after purchase.

To enable it on an existing KMS instance:

  1. Log on to the KMS console. In the top navigation bar, select a region. In the left-side navigation pane, choose Security Operations > Simple Log Service for KMS.

  2. Select an instance ID and click Buy Now.

  3. Set Log Analysis to Enable and specify a value for Log Storage Capacity.

  4. Read and select Terms of Service, click Buy Now, and complete the payment.

After enabling the feature, the following resources are created automatically:

ResourceDetails
Service-linked roleRAM creates the AliyunServiceRoleForSLSSecurityLens role, which authorizes Simple Log Service to access KMS resources.
SLS projectSimple Log Service creates a project named kms-log-{KMS instance ID}Simple Log Service console. View it on the Simple Log Service console homepage. For details, see Project.
LogstoreSimple Log Service creates a Logstore named kms_audit_log in the project to store your KMS audit logs. For details, see Logstore.

Query and analyze logs

Query and analysis operations do not incur additional fees.

  1. On the Simple Log Service for KMS page, select an instance ID.

  2. (Optional) Filter logs by one or more of the following fields, then click Search:

    FieldDescription
    Key IDThe ID of the KMS key involved in the operation
    Secret IDThe ID of the secret involved in the operation
    HTTP status codeThe HTTP response code returned for the request
    Request IDThe unique identifier of the API request
  3. Set a query time range.

    Note

    Logs older than 180 days are deleted and cannot be queried. Query results may include logs generated up to 1 minute before or after your specified time range.

  4. Enter a query statement in the search box and click Search & Analyze. For syntax and examples, see Log search overview and Overview of log query and analysis.

To monitor your KMS instance in real time, configure alert rules based on dashboard charts. See Configure an alert monitoring rule in Simple Log Service.

Increase log storage capacity

Log storage capacity can only be increased, not reduced.

  1. Log on to the KMS console. In the top navigation bar, select a region. In the left-side navigation pane, choose Resource > Instances.

  2. Find your KMS instance and click Upgrade in the Actions column.

  3. On the KMS (International) | Upgrade/Downgrade page, set Log Storage Capacity and click Buy Now.

  4. Read and select Terms of Service, then click Subscribe and complete the payment.

FAQ

How do I renew Simple Log Service for KMS?

Simple Log Service for KMS cannot be renewed separately — it renews together with your KMS instance. For renewal instructions, see Billing.