The Overview page is a real-time dashboard for your Key Management Service (KMS) instances, showing instance types, operational status, and performance metrics. Use it to spot performance bottlenecks, catch error spikes, and trigger alerts before issues affect your workloads.
KMS integrates with CloudMonitor to display metric trend graphs on the Overview page. Common issues you can detect include:
Request volume approaching the instance's performance limit — time to upgrade
4xx errors caused by invalid requests or missing resources
5xx errors indicating temporary service unavailability
If the page shows "The current instance version is too low. To view all metrics, submit a ticket to confirm the upgrade time", upgrade the image version of your KMS instance.
For more information about CloudMonitor, see What is CloudMonitor?.
Prerequisites
Before you begin, ensure that you have:
A KMS instance
(For RAM users) The AliyunCloudMonitorReadOnlyAccess permission for CloudMonitor, granted in the RAM console. For more information about Resource Access Management (RAM), see Grant permissions to a RAM user
View KMS instance metrics
Log on to the KMS console. In the top navigation bar, select a region. In the left navigation pane, click Overview.
Select an Instance ID to view the overview and monitoring data for that instance.
NoteMetrics are available for the last 30 days.
(Optional) Turn on Auto Refresh. KMS refreshes the monitoring data every minute.
Supported CloudMonitor metrics
All 14 metrics support alerting. The dimensions are userId, regionId, and instanceId (or user_id and instance_id for utilization metrics), with statistics type Value.
| Metric | Description | When to act |
|---|---|---|
| Requests per minute for an instance | Total requests per minute | Alert when approaching 90% of your instance's QPS limit — indicates time to upgrade |
| Symmetric encryption/decryption requests per minute | Symmetric operation requests per minute | Monitor for sudden spikes that may indicate unexpected load |
| Asymmetric encryption requests per minute | Asymmetric encryption requests per minute | Monitor alongside asymmetric decryption to identify workload imbalances |
| Asymmetric decryption requests per minute | Asymmetric decryption requests per minute | Monitor alongside asymmetric encryption to identify workload imbalances |
| Asymmetric signing requests per minute | Asymmetric signing requests per minute | Alert on unexpected spikes that may indicate misuse or runaway processes |
| Asymmetric signature verification requests per minute | Asymmetric signature verification requests per minute | Alert on unexpected spikes that may indicate misuse or runaway processes |
| Credential operation requests per minute | Credential requests per minute | Monitor for abnormal access patterns to credentials |
| Other requests per minute | Other operation requests per minute | Use as a catch-all to detect unexpected request types |
| 5xx error requests | Requests with 5xx error codes per minute | Alert immediately — indicates service unavailability; retry or contact support |
| 4xx error requests | Requests with 4xx error codes per minute | Alert immediately — indicates invalid requests or missing resources; review error messages |
| Request latency | Average latency of all requests per minute | Alert when latency exceeds your application's tolerance — may indicate instance overload |
| KMS instance CPU utilization | CPU utilization of the instance | Alert at high utilization — may precede QPS degradation |
| KMS instance symmetric QPS utilization | Symmetric QPS utilization of the instance | Alert when approaching the symmetric key capacity limit |
| KMS instance asymmetric QPS utilization | Asymmetric QPS utilization of the instance | Alert when approaching the asymmetric key capacity limit |
Configure alert rules
Recommended alerts to start with
Set up these alert rules to cover the most common KMS issues:
| What to monitor | Recommended threshold | Why |
|---|---|---|
| Requests per minute for an instance | ≥ 90% of instance QPS × 60, for 3 consecutive statistical periods | Indicates the instance is near its performance limit — upgrade before requests fail |
| 4xx error requests | Occurs for 3 consecutive statistical periods | Signals invalid requests or missing resources that need investigation |
| 5xx error requests | Occurs for 3 consecutive statistical periods | Indicates intermittent service unavailability — retry or contact Alibaba Cloud support |
For instance performance limits, see Performance data.
Create an alert rule
Log on to the KMS console. In the top navigation bar, select a region. In the left navigation pane, click Overview.
On the Overview page, click Configure Alert Rules to go to the CloudMonitor console.
On the Alert Rules page, click Create Alert Rule and complete the configuration. For more information, see Create an alert rule.
Set Product to Key Management Service when creating the rule.
Example: Alert when QPS reaches 90% of instance capacity
This example configures an alert rule that triggers when request volume reaches 90% of a KMS instance's QPS capacity — the recommended threshold for deciding when to upgrade.
Scenario: A KMS instance with a QPS of 2,000. The alert threshold is 108,000 requests per minute (2,000 × 60 × 90%).
Log on to the KMS console. In the top navigation bar, select a region. In the left navigation pane, click Overview.
On the Overview page, click Configure Alert Rules to go to the CloudMonitor console.
On the Alert Rules page, click Create Alert Rule. Configure the rule using the following parameters, then click Confirm.
Parameter Value Product Key Management Service Resource Range Instances Associated Resources Click Add Instance, select the KMS instance to monitor, then click OK Rule Description Click Add Rule and select Simple Metric. In the Configure Rule Description panel, set: Alert Rule to a custom name; Metric Type to Simple Metric; Metric to Instance Dimensions / Requests per Minute with condition Warn, threshold >= 108,000, for3consecutive statistical periodsMute Period Default: 24 hours. During the mute period, CloudMonitor suppresses repeated notifications even if the threshold remains exceeded. After the mute period ends, CloudMonitor sends another notification if the metric has not recovered Effective Period, Tag, Alert Contact Group Fill in as needed Advanced Settings Keep defaults for Alert Callback, Push Channel, Recovery Notification, and Method to handle alerts when no monitoring data is found
What's next
Alert events — configure system event alerts for KMS using CloudMonitor