Key Management Service (KMS) integrates with Simple Log Service to record all API operations on your KMS instance as audit logs.
Prerequisites
Before you begin, ensure that you have:
A KMS instance. To purchase one, see Purchase and enable a KMS instance
Usage notes
Logs are stored on a 180-day rolling window. On day 181, the oldest day's logs are overwritten.
If log storage capacity is exhausted before the 180-day window expires, new logs cannot be written. Increase your log storage capacity before this happens.
If the following message appears in the KMS console, submit a ticket and contact technical support to upgrade your KMS instance.

Enable Simple Log Service for KMS
You can enable Simple Log Service for KMS when purchasing a KMS instance, or at any time after purchase.
To enable it on an existing KMS instance:
Log on to the KMS console. In the top navigation bar, select a region. In the left-side navigation pane, choose Security Operations > Simple Log Service for KMS.
Select an instance ID and click Buy Now.
Set Log Analysis to Enable and specify a value for Log Storage Capacity.
Read and select Terms of Service, click Buy Now, and complete the payment.
After enabling the feature, the following resources are created automatically:
| Resource | Details |
|---|---|
| Service-linked role | RAM creates the AliyunServiceRoleForSLSSecurityLens role, which authorizes Simple Log Service to access KMS resources. |
| SLS project | Simple Log Service creates a project named kms-log-{KMS instance ID}Simple Log Service console. View it on the Simple Log Service console homepage. For details, see Project. |
| Logstore | Simple Log Service creates a Logstore named kms_audit_log in the project to store your KMS audit logs. For details, see Logstore. |
Query and analyze logs
Query and analysis operations do not incur additional fees.
On the Simple Log Service for KMS page, select an instance ID.
(Optional) Filter logs by one or more of the following fields, then click Search:
Field Description Key ID The ID of the KMS key involved in the operation Secret ID The ID of the secret involved in the operation HTTP status code The HTTP response code returned for the request Request ID The unique identifier of the API request Set a query time range.
NoteLogs older than 180 days are deleted and cannot be queried. Query results may include logs generated up to 1 minute before or after your specified time range.
Enter a query statement in the search box and click Search & Analyze. For syntax and examples, see Log search overview and Overview of log query and analysis.
To monitor your KMS instance in real time, configure alert rules based on dashboard charts. See Configure an alert monitoring rule in Simple Log Service.
Increase log storage capacity
Log storage capacity can only be increased, not reduced.
Log on to the KMS console. In the top navigation bar, select a region. In the left-side navigation pane, choose Resource > Instances.
Find your KMS instance and click Upgrade in the Actions column.
On the KMS (International) | Upgrade/Downgrade page, set Log Storage Capacity and click Buy Now.
Read and select Terms of Service, then click Subscribe and complete the payment.
FAQ
How do I renew Simple Log Service for KMS?
Simple Log Service for KMS cannot be renewed separately — it renews together with your KMS instance. For renewal instructions, see Billing.