Help Docs

AWS Key Management Service (KMS) Monitoring Integration

AWS Key Management Service (KMS) is managed service that enables you to create and manage the encryption keys used to encrypt data. With Site24x7's integration you can track and alert on key material expiration for CMKs whose origin is external.

Setup and configuration

  • If you haven't done it already enable programmatic access to your AWS resources either by creating IAM user for Site24x7 or create a cross-account IAM Role between your AWS account and Site24x7's AWS account. Learn more.
  • In the integrate AWS Account page, make sure you select the check box next to the KMS service. Learn more.

Policy and Permission

Site24x7 uses various KMS service APIs to collect information about the customer master keys. Assign the AWS Managed policy ReadOnlyAccess to the Site24x7 entity (IAM user or IAM Role) to help Site24x7 collect metrics and metadata. If you want to assign a custom policy, please make sure the following read-level actions are present in the policy JSON. Learn more.

  • "kms:DescribeCustomKeyStores",
  • "kms:DescribeKey",
  • "kms:GetKeyRotationStatus",
  • "kms:ListAliases",
  • "kms:ListResourceTags",
  • "kms:ListKeys",
  • "kms:GetKeyPolicy",
  • "kms:ListGrants",
  • "kms:ListKeyPolicies"

Polling frequency

Site24x7 collects metric data for your customer managed CMKs as per the poll frequency set (1 minute to a day). Learn more.

Licensing

Each customer managed CMK is considered a basic monitor. Learn more.

Supported metrics

The following metrics are collected:

AttributeDescription
Minutes until key material expiration Measures the number of minutes remaining until imported key material expires (applicable for CMKs whose origin is external).
Hours remaining until key material expiration Measures the number of hours remaining until imported key material expires (applicable for CMKs whose origin is external)
Days remaining until key material expiration Measures the number of days remaining until imported key material expires (applicable for CMKs whose origin is external).
Minutes until Customer Master Key (CMK) deletion. Measures the number of minutes remaining until a CMK is deleted (applicable for CMKs scheduled for deletion).
Hours until Customer Master Key (CMK) deletion. Measures the number of hours remaining until a CMK is deleted (applicable for CMKs scheduled for deletion).
Days until Customer Master Key (CMK) deletion. Measures the number of hours remaining until a CMK is deleted. (applicable for CMKs scheduled for deletion)
Key age Measures the number of days since the customer managed CMK was created (The value is calculated using the creation date metadata).

AWS KMS Monitoring UI pages

Summary

The Summary tab displays time series charts for KMS metrics and other metadata like key age.

Key Policy

Key policies determines who can use and manage that CMK. The key policy JSON attached to the specified customer master key (CMK) is displayed in the tab.

Grants

Grants allow users to programmatically delegate the use of CMKs to AWS principals. A list of all grants for the specified customer master key is shown in the tab.

Configuration

Lists the following information about the specified CMK.

AttributeDescription
Key ID Unique identifier for the CMK
Alias Display name for the CMK
Region Region associated with the CMK
Creation date The data and time when the key was created.
Key status The state of the CMK.
Key usage The cryptographic operations for which you can use the CMK.
Origin The source of the CMK's key material.
Description The description of the CMK
Deletion scheduled date The date and time after which KMS deletes the CMK.
Key material expiration date The date and time after which the key material expires.
Is key rotation enabled Indicates whether automatic rotation for the key material is enabled.
HSM cluster ID The ID of the AWS CloudHSM cluster that contains the key material.
Custom key store name The unique name for the customer key store that contains the CMK
Key store connection status Indicates whether the custom key store is connected to its AWS CloudHSM cluster.

Was this document helpful?

Would you like to help us improve our documents? Tell us what you think we could do better.


We're sorry to hear that you're not satisfied with the document. We'd love to learn what we could do to improve the experience.


Thanks for taking the time to share your feedback. We'll use your feedback to improve our online help resources.

Shortlink has been copied!