AWS Key Management Service (KMS) Monitoring Integration
AWS Key Management Service (KMS) is managed service that enables you to create and manage the encryption keys used to encrypt data. With Site24x7's integration you can track and alert on key material expiration for CMKs whose origin is external.
Setup and configuration
- If you haven't done it already enable programmatic access to your AWS resources either by creating IAM user for Site24x7 or create a cross-account IAM Role between your AWS account and Site24x7's AWS account. Learn more.
- In the integrate AWS Account page, make sure you select the check box next to the KMS service. Learn more.
Policy and Permission
Site24x7 uses various KMS service APIs to collect information about the customer master keys. Assign the AWS Managed policy ReadOnlyAccess to the Site24x7 entity (IAM user or IAM Role) to help Site24x7 collect metrics and metadata. If you want to assign a custom policy, please make sure the following read-level actions are present in the policy JSON. Learn more.
- "kms:DescribeCustomKeyStores",
- "kms:DescribeKey",
- "kms:GetKeyRotationStatus",
- "kms:ListAliases",
- "kms:ListResourceTags",
- "kms:ListKeys",
- "kms:GetKeyPolicy",
- "kms:ListGrants",
- "kms:ListKeyPolicies"
Polling frequency
Site24x7 collects metric data for your customer managed CMKs as per the poll frequency set (1 minute to a day). Learn more.
Licensing
Each customer managed CMK is considered a basic monitor. Learn more.
Supported metrics
The following metrics are collected:
Attribute | Description |
---|---|
Minutes until key material expiration | Measures the number of minutes remaining until imported key material expires (applicable for CMKs whose origin is external). |
Hours remaining until key material expiration | Measures the number of hours remaining until imported key material expires (applicable for CMKs whose origin is external) |
Days remaining until key material expiration | Measures the number of days remaining until imported key material expires (applicable for CMKs whose origin is external). |
Minutes until Customer Master Key (CMK) deletion. | Measures the number of minutes remaining until a CMK is deleted (applicable for CMKs scheduled for deletion). |
Hours until Customer Master Key (CMK) deletion. | Measures the number of hours remaining until a CMK is deleted (applicable for CMKs scheduled for deletion). |
Days until Customer Master Key (CMK) deletion. | Measures the number of hours remaining until a CMK is deleted. (applicable for CMKs scheduled for deletion) |
Key age | Measures the number of days since the customer managed CMK was created (The value is calculated using the creation date metadata). |
AWS KMS Monitoring UI pages
Summary
The Summary tab displays time series charts for KMS metrics and other metadata like key age.
Key Policy
Key policies determines who can use and manage that CMK. The key policy JSON attached to the specified customer master key (CMK) is displayed in the tab.
Grants
Grants allow users to programmatically delegate the use of CMKs to AWS principals. A list of all grants for the specified customer master key is shown in the tab.
Configuration
Lists the following information about the specified CMK.
Attribute | Description |
---|---|
Key ID | Unique identifier for the CMK |
Alias | Display name for the CMK |
Region | Region associated with the CMK |
Creation date | The data and time when the key was created. |
Key status | The state of the CMK. |
Key usage | The cryptographic operations for which you can use the CMK. |
Origin | The source of the CMK's key material. |
Description | The description of the CMK |
Deletion scheduled date | The date and time after which KMS deletes the CMK. |
Key material expiration date | The date and time after which the key material expires. |
Is key rotation enabled | Indicates whether automatic rotation for the key material is enabled. |
HSM cluster ID | The ID of the AWS CloudHSM cluster that contains the key material. |
Custom key store name | The unique name for the customer key store that contains the CMK |
Key store connection status | Indicates whether the custom key store is connected to its AWS CloudHSM cluster. |