If a dedicated Key Management Service (KMS) instance of the Standard edition is in the Enabled state, you can perform the following operations based on your business requirements: query the instance, disconnect it from or reconnect it to a dedicated hardware security module (HSM) cluster, and enable the security audit feature.

Query a dedicated KMS instance of the Standard edition

You can query the ID of a dedicated KMS instance of the Standard edition, the virtual private cloud (VPC) address to access the instance, the ID of the VPC, and the dedicated HSM cluster of the instance based on your business requirements.

The VPC address is the endpoint of the dedicated KMS instance of the Standard edition. The endpoint is in the https://{ID of the instance}.cryptoservice.kms.aliyuncs.com format.

  1. Log on to the KMS console.
  2. In the top navigation bar, select the region where your dedicated KMS instance of the Standard edition resides.
    Dedicated KMS of the Standard edition is available in the following regions: China (Hangzhou), China (Shanghai), China (Beijing), China (Shenzhen), China (Hong Kong), Malaysia (Kuala Lumpur), and Singapore (Singapore).
  3. In the left-side navigation pane, click Dedicated KMS.
  4. Find the instance that you want to query and click Details in the Actions column.

Disconnect a dedicated KMS instance of the Standard edition from a dedicated HSM cluster

If you want to disassociate a dedicated KMS instance of the Standard edition from a dedicated HSM cluster, you must disconnect the instance from the dedicated HSM cluster.

  1. Log on to the KMS console.
  2. In the top navigation bar, select the region where your dedicated KMS instance of the Standard edition resides.
    Dedicated KMS of the Standard edition is available in the following regions: China (Hangzhou), China (Shanghai), China (Beijing), China (Shenzhen), China (Hong Kong), Malaysia (Kuala Lumpur), and Singapore (Singapore).
  3. In the left-side navigation pane, click Dedicated KMS.
  4. Find the dedicated KMS instance that you want to disconnect and click Details in the Actions column.
  5. Click Disconnect to the right of Dedicated HSM Cluster.
  6. In the Disconnect dialog box, click Disconnect.
    If the status of the instance changes to Disabled, the dedicated KMS instance of the Standard edition is disconnected from the dedicated HSM cluster.

Reconnect a dedicated KMS instance of the Standard edition to a dedicated HSM cluster

If a dedicated KMS instance of the Standard edition is configured and connected to a dedicated HSM cluster, you can reconnect the instance to the dedicated HSM cluster after you manually disconnect the instance. To reconnect the instance to the dedicated HSM cluster, you need to only configure the access credential and click Connect to HSM.

  1. Log on to the KMS console.
  2. In the top navigation bar, select the region where your dedicated KMS instance of the Standard edition resides.
    Dedicated KMS of the Standard edition is available in the following regions: China (Hangzhou), China (Shanghai), China (Beijing), China (Shenzhen), China (Hong Kong), Malaysia (Kuala Lumpur), and Singapore (Singapore).
  3. In the left-side navigation pane, click Dedicated KMS.
  4. Find the dedicated KMS instance that you want to reconnect to the dedicated HSM cluster and click Enable in the Actions column.
  5. In the Connect to HSM dialog box, configure the Configure Access Credential parameter and click Connect to HSM.
    Wait a few minutes. If the status of the instance changes from Creating to Enabled, the instance is reconnected to the dedicated HSM cluster.

Enable the security audit feature

When you use a dedicated KMS instance of the Standard edition, audit logs are generated. The audit logs record the access information about the instance, including the request information, user information, accessed resource information, and access results. Sample log:
2021-10-19T21:40:01     [INFO]  - - 3dd60a7a-4587-4c57-8197-d749c3578974 CreateKey - TMP.3KfAHseF5DVULM2s8YUhdB8YvwM4nZA1wXr8AcAAhR7YhdyosXG2eSpsRFPMjYbvUArPRtsCWKzxEo88bC5w5LBfyp**** 111760096384**** 111760096384**** - kst-phzz6108e50c15333w**** - 37 - -

After you enable the security audit feature, Dedicated KMS delivers audit logs to the Object Storage Service (OSS) bucket that you specify on an hourly basis to meet regulatory requirements and business requirements. Before you enable the security audit feature, make sure that an OSS bucket is available. For more information, see Create buckets.
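Once the hourly log objects are in the bucket, they can be summarized per instance and operation for review. The following Python sketch is an added example, not Alibaba Cloud code. The column meanings (a UUID request ID followed by the operation name, a kst- instance ID) are assumptions inferred from the shape of the sample line above, and the sample lines in the block are constructed.

```python
import re
from collections import Counter

# Assumption: column meanings are inferred from the shape of the page's sample
# line (timestamp, [LEVEL], a UUID request ID followed by the operation name,
# a kst- instance ID). The page does not document the layout.
HEAD_RE = re.compile(r"^(\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2})\s+\[([A-Z]+)\]\s+(.+)$")
UUID_RE = re.compile(r"^[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}$")


def parse_line(line):
    """Parse one audit line into a dict; return None if it is malformed."""
    m = HEAD_RE.match(line.strip())
    if not m:
        return None
    cols = m.group(3).split()
    # Find the request ID by shape rather than by fixed column position.
    pos = next((i for i, c in enumerate(cols) if UUID_RE.match(c)), None)
    if pos is None or pos + 1 >= len(cols):
        return None
    instance = next((c for c in cols if c.startswith("kst-")), None)
    return {"time": m.group(1), "level": m.group(2), "request_id": cols[pos],
            "action": cols[pos + 1], "instance": instance}


def summarize(lines):
    """Count operations per (instance, action); collect unparseable line numbers."""
    counts, rejected = Counter(), []
    for number, line in enumerate(lines, start=1):
        if not line.strip():
            continue
        record = parse_line(line)
        if record is None:
            rejected.append(number)  # truncated or corrupted: review by hand
        else:
            counts[(record["instance"], record["action"])] += 1
    return counts, rejected


# Constructed sample lines in the page's layout (all values are made up).
SAMPLE = """\
2021-10-19T21:40:01 [INFO] - - 11111111-2222-3333-4444-555555555555 CreateKey - TMP.example 1000000000000001 1000000000000001 - kst-example0001 - 37 - -
2021-10-19T21:40:07 [INFO] - - 11111111-2222-3333-4444-666666666666 CreateKey - TMP.example 1000000000000001 1000000000000001 - kst-example0001 - 41 - -
2021-10-19T21:41 [INFO] - - truncated
""".splitlines()

if __name__ == "__main__":
    counts, rejected = summarize(SAMPLE)
    for (instance, action), n in sorted(counts.items()):
        print(f"{instance} {action} {n}")
    print("rejected lines:", rejected)
```

Lines that fail to parse are reported by line number instead of being dropped silently, so a truncated or corrupted record in an audit file is visible to the reviewer.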

Note: After the security audit feature is enabled, audit logs are generated and delivered within 1 hour.

  1. Log on to the KMS console.
  2. In the top navigation bar, select the region where your dedicated KMS instance of the Standard edition resides.
    Dedicated KMS of the Standard edition is available in the following regions: China (Hangzhou), China (Shanghai), China (Beijing), China (Shenzhen), China (Hong Kong), Malaysia (Kuala Lumpur), and Singapore (Singapore).
  3. In the left-side navigation pane, click Dedicated KMS.
  4. Find the dedicated KMS instance for which you want to enable the security audit feature and click Details in the Actions column.
  5. In the Details panel, turn on Security Audit.
  6. In the Configure Security Audit dialog box, select the bucket where you want to store audit logs from the Destination Bucket drop-down list.
  7. Click OK.
    After you enable the security audit feature, the status of the feature changes from Disabled to Enabled. You can also modify security audit configurations or disable the security audit feature based on your business requirements.