AWS Key Management Service Monitoring


AWS Key Management Service - Overview

AWS Key Management Service (AWS KMS) is a fully managed encryption service that allows users to create, manage, and control cryptographic keys to secure data across AWS services and applications. Integrated with various AWS services, KMS provides centralized key management, fine-grained access control, automatic key rotation, and audit logging through AWS CloudTrail. It ensures compliance with major security standards, making it a reliable solution for encrypting sensitive data in the cloud.

Creating a new AWS Key Management Service monitor

To learn how to create a new AWS Key Management Service monitor, refer here.

Monitored Parameters

Go to the Monitors Category View by clicking the Monitors tab. Click on the Key Management Service instance available under Amazon in the Cloud Apps section. Displayed below is the Amazon Key Management Service bulk configuration view distributed into three tabs:

  • Availability tab gives the availability history for the past 24 hours or 30 days.
  • Performance tab gives the health status and events for the past 24 hours or 30 days.
  • List view tab enables you to perform bulk admin configurations.

By clicking a monitor from the list, you'll be taken to the AWS Key Management Service dashboard which includes the following tabs:

Performance Overview

| Parameter | Description |
| --- | --- |
| SERVER INFORMATION | |
| Key State | The current status of the KMS key. Possible values: Creating, Enabled, Disabled, PendingDeletion, PendingImport, PendingReplicaDeletion, Unavailable, Updating. |
| Key Rotation | Specifies whether the KMS key rotation is enabled for monitoring. Possible values: Enabled, Disabled. |
| KEY AGE | |
| Key Age | The number of days since the key was created. |
| DAYS TO NEXT ROTATION | |
| Days to Next Rotation | The number of days remaining until AWS KMS automatically rotates the key material. |
| DAYS UNTIL KEY MATERIAL EXPIRATION | |
| Days Until Key Material Expiration | The number of days remaining, at the time of polling, until the imported key material in a KMS key expires. |
| XKS PROXY CREDENTIAL AGE | |
| XKS Proxy Credential Age | The number of days, at the time of polling, since the current external key store proxy authentication credential (XksProxyAuthenticationCredential) was associated with the external key store. |
| PENDING DELETION WINDOW | |
| Pending Deletion Window | The waiting period, in days, before the primary key in a multi-Region key is deleted. This waiting period begins when the last of its replica keys is deleted. |
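
The metrics in this table can also be derived directly from the KMS API. The following is an added example (not part of the original page or of the product): it computes them from dicts shaped like the DescribeKey KeyMetadata and GetKeyRotationStatus responses and flags the states a key owner should act on. The 30-day warning threshold, the finding texts and the sample keys are assumptions constructed for illustration.

```python
from datetime import datetime, timezone

def days_between(start, end):
    """Whole days from start to end (negative once end is in the past)."""
    return (end - start).days

def key_health(meta, rotation, now, warn_days=30):
    """Derive the Performance Overview metrics and flag risky states.

    meta: dict shaped like DescribeKey's KeyMetadata
    rotation: dict shaped like the GetKeyRotationStatus response
    """
    report = {"key_age_days": days_between(meta["CreationDate"], now),
              "days_to_next_rotation": None,
              "days_until_material_expiration": None,
              "findings": []}
    state = meta["KeyState"]
    if state in ("PendingDeletion", "PendingReplicaDeletion"):
        report["findings"].append(f"{state}: ciphertext is unrecoverable once the key is deleted")
    elif state != "Enabled":
        report["findings"].append(f"key is not usable (state {state})")
    # Automatic rotation applies to symmetric encryption keys with KMS-generated material.
    rotatable = (meta.get("KeySpec") == "SYMMETRIC_DEFAULT"
                 and meta.get("Origin") == "AWS_KMS"
                 and meta.get("KeyManager") == "CUSTOMER")
    if rotation.get("NextRotationDate"):
        report["days_to_next_rotation"] = days_between(now, rotation["NextRotationDate"])
    elif rotatable and state == "Enabled" and not rotation.get("KeyRotationEnabled"):
        report["findings"].append("automatic rotation is disabled")
    # ValidTo is only set for imported key material that has an expiration date.
    if meta.get("ExpirationModel") == "KEY_MATERIAL_EXPIRES" and meta.get("ValidTo"):
        left = days_between(now, meta["ValidTo"])
        report["days_until_material_expiration"] = left
        if left <= warn_days:
            report["findings"].append(f"imported key material expires in {left} days")
    return report

# Constructed sample data (not real keys), shaped like boto3 responses.
NOW = datetime(2025, 6, 1, tzinfo=timezone.utc)
IMPORTED_KEY = {"KeyId": "11111111-2222-3333-4444-555555555555", "KeyState": "Enabled",
                "CreationDate": datetime(2024, 6, 1, tzinfo=timezone.utc),
                "KeySpec": "SYMMETRIC_DEFAULT", "KeyManager": "CUSTOMER", "Origin": "EXTERNAL",
                "ExpirationModel": "KEY_MATERIAL_EXPIRES",
                "ValidTo": datetime(2025, 6, 15, tzinfo=timezone.utc)}
UNROTATED_KEY = {"KeyId": "66666666-7777-8888-9999-000000000000", "KeyState": "Enabled",
                 "CreationDate": datetime(2023, 6, 1, tzinfo=timezone.utc),
                 "KeySpec": "SYMMETRIC_DEFAULT", "KeyManager": "CUSTOMER", "Origin": "AWS_KMS"}

if __name__ == "__main__":
    for key in (IMPORTED_KEY, UNROTATED_KEY):
        print(key["KeyId"], key_health(key, {"KeyRotationEnabled": False}, NOW))
```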

Grants

| Parameter | Description |
| --- | --- |
| Grant Details | |
| Grant ID | The unique identifier for the grant. |
| Grant Name | The user-readable name that identifies the grant. |
| Creation Date | The date and time when the grant was created. |
| Grantee Principal | The AWS principal (IAM user, role, or AWS service) to which the grant is issued and which receives its permissions. |
| Retiring Principal | The AWS principal that can retire the grant. |
| Operations | The list of operations permitted by the grant. |

Note: Only the first 50 grants per KMS key will be shown.
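
Because the dashboard shows only the first 50 grants, a full review needs the complete grant list. The following is an added example (not part of the original page or of the product) that audits dicts shaped like ListGrants entries for delegation rights, missing encryption context constraints and cross-account grantees, and reports how many grants fall beyond the 50-grant display limit. The finding texts, account IDs and sample grants are assumptions constructed for illustration.

```python
DASHBOARD_GRANT_LIMIT = 50  # from the note above: only the first 50 grants are shown
# Symmetric operations that can be bound to an encryption context constraint.
CONTEXT_BOUND_OPS = {"Decrypt", "Encrypt", "GenerateDataKey",
                     "GenerateDataKeyWithoutPlaintext", "ReEncryptFrom", "ReEncryptTo"}

def account_of(principal):
    """Account ID from an IAM/STS ARN, or None for a service principal."""
    parts = principal.split(":")
    return parts[4] if principal.startswith("arn:") and len(parts) > 5 else None

def audit_grants(grants, key_account):
    """Return (findings, hidden) for dicts shaped like ListGrants entries.

    findings: list of (grant_id, reason) tuples
    hidden: number of grants beyond the dashboard's display limit
    """
    findings = []
    for grant in grants:
        ops = set(grant.get("Operations", []))
        if "CreateGrant" in ops:
            findings.append((grant["GrantId"], "grantee can delegate access via CreateGrant"))
        if ops & CONTEXT_BOUND_OPS and not grant.get("Constraints"):
            findings.append((grant["GrantId"], "crypto operations without an encryption context constraint"))
        account = account_of(grant["GranteePrincipal"])
        if account and account != key_account:
            findings.append((grant["GrantId"], f"cross-account grantee in {account}"))
    return findings, max(0, len(grants) - DASHBOARD_GRANT_LIMIT)

# Constructed sample grants (placeholder IDs and accounts, not real data).
SAMPLE_GRANTS = [
    {"GrantId": "grant-a", "Name": "backup",
     "GranteePrincipal": "arn:aws:iam::111122223333:role/backup",
     "Operations": ["Decrypt", "CreateGrant"]},
    {"GrantId": "grant-b", "Name": "partner-read",
     "GranteePrincipal": "arn:aws:iam::444455556666:role/partner",
     "Operations": ["Decrypt"],
     "Constraints": {"EncryptionContextSubset": {"tenant": "t1"}}},
    {"GrantId": "grant-c", "GranteePrincipal": "rds.amazonaws.com",
     "Operations": ["DescribeKey"]},
]

if __name__ == "__main__":
    results, hidden = audit_grants(SAMPLE_GRANTS, key_account="111122223333")
    for grant_id, reason in results:
        print(grant_id, reason)
    print("grants not shown on the dashboard:", hidden)
```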

Configuration

| Parameter | Description |
| --- | --- |
| CONFIGURATION | |
| Key ID | The globally unique identifier for the KMS key. |
| Creation Date | The date and time when the KMS key was created. |
| Description | The description of the KMS key. |
| Key Usage | The cryptographic operations for which you can use the KMS key. Possible values: SIGN_VERIFY, ENCRYPT_DECRYPT, GENERATE_VERIFY_MAC, KEY_AGREEMENT. |
| Key Spec | Defines the type of key material in the KMS key. Possible values: RSA_2048, RSA_3072, RSA_4096, ECC_NIST_P256, ECC_NIST_P384, ECC_NIST_P521, ECC_SECG_P256K1, SYMMETRIC_DEFAULT, HMAC_224, HMAC_256, HMAC_384, HMAC_512, SM2. |
| Key Manager | The manager of the KMS key. Possible values: AWS, CUSTOMER. |
| Regionality | Indicates whether the KMS key is a multi-region or regional key. Possible values: Single Region, Multi Region. |
| Origin | The source of the key material for the KMS key. Possible values: AWS_KMS, EXTERNAL, AWS_CLOUDHSM, EXTERNAL_KEY_STORE. |
| Expiration Model | Specifies whether the KMS key's key material expires. Possible values: KEY_MATERIAL_EXPIRES, KEY_MATERIAL_DOES_NOT_EXPIRE. |
| Key Material Expiration Date | The date and time at which the imported key material expires. |
| Scheduled Deletion Date | The date and time at which AWS KMS will delete this key. |
| CUSTOM KEY STORE DETAILS | |
| Custom Key Store ID | A unique identifier for the custom key store that contains the KMS key. |
| Custom Key Store Name | The user-specified name for the custom key store. |
| Cloud HSM Cluster ID | The cluster ID of the AWS CloudHSM cluster that contains the key material for the KMS key. |
| Connection State | Indicates whether the custom key store is connected to its backing key store. Possible values: CONNECTED, CONNECTING, FAILED, DISCONNECTED, DISCONNECTING. |
| Creation Date | The date and time when the custom key store was created. |
 
Note:
  • Up to 500 keys are monitored per region.
  • Aliases serve as display names for resources; if no alias is assigned, the Key ID will be displayed instead.
