Tracking AWS KMS activities - amazon-web-services

Is there a way to track or log what AWS KMS is using which key for which purposes?
I noticed that in some accounts where we do not use KMS, there are still KMS activities in the billing. In fact, there are activities in every region.
While these activities are in the free tier, it would be transparent to know what these activities are, especially since "keys" are involved.

You can log all KMS activities with CloudTrail.
Logging AWS KMS API Calls Using AWS CloudTrail

Related

Are multi-region KMS keys required for encrypting a multi-region CloudTrail trail?

I have a multi-region trail defined with Terraform that I'm trying to encrypt with KMS. My trail covers four AWS regions: us-east-1, us-west-2, eu-west-2, and eu-central-1 and I'm creating a KMS key for encrypting the log files and adding the appropriate permissions per the AWS docs. However, it's not clear whether or not this needs to be a multi-region key. If the KMS key I use needs to be multi-region, do I need to make a replica key for each additional region that my trail covers?
The docs say CloudTrail supports KMS multi-region keys, but the appropriate situation(s) to use MRKs w/ CloudTrail isn't straightforward. If I could get that far, then I do know that related MRKs do not share key policies and that I would need to define a specific policy for each should I need them.
It is not mandatory to use multi region keys with CloudTrail. When you configure a trail and want to encrypt the CloudTrail log files, you can use a single KMS key to encrypt the files. Just make sure the KMS key is in the same region as the S3 bucket where you're sending the log files to.

How to find out who created aws cloudwatch alarm/metrics?

How do I find out what IAM user created certain metrics and alarms?
I tried CLI commands: describe-alarms and list-metrics and they don't seem to provide this information nor when looking at the configuration for the alarms and metrics in the AWS console.
While users call APIs to create resources in AWS, those resources are associated with the AWS Account rather than a user. As long as a user has permission to create resources in the account, the resources will be created/viewed/deleted.
However, you can use AWS CloudTrail to retrieve information about the API calls themselves:
AWS CloudTrail is an AWS service that helps you enable governance, compliance, and operational and risk auditing of your AWS account. Actions taken by a user, role, or an AWS service are recorded as events in CloudTrail. Events include actions taken in the AWS Management Console, AWS Command Line Interface, and AWS SDKs and APIs.

Alexa skills, Lambda and weird AWS Key Management Service requests

I'm starting with Alexa development and AWS in general. I've subscribed to the free tier, created my skill, set up an AWS Lambda function and done some little testing. I got nothing more running on AWS.
What I've noticed is that, except for AWS Lambda and CloudWatch usage, I got requests to AWS Key Management Service on my Billing Dashboard. I'm not using any environment variables, as this was one of the reasons for KMS requests suggested by Google.
From my billing management report I got 3 times more KMS requests than to my Lambda (30 vs 9). I know this is small number but KMS got 20k requests in the free tier and Lambda got 1000000 and I just don't understand how this connects to each other.
Is AWS KMS required for Lambda operation? What is it used for?
Many AWS services are using KMS to manage keys and access to keys while keeping them under your control.
The full list is documented here https://docs.aws.amazon.com/kms/latest/developerguide/service-integration.html
Pricing of KMS is per keys that you create and manage. https://aws.amazon.com/kms/pricing/
Keys automatically created by AWS Services are for free.
I just checked my bill and I am not charged for KMS at all.
I suggest you enable CloudTrail logs on your account to understand where the KMS calls you're seeing originate from.
To query CloudTrail logs, you can make a simple SQL query on Athena.
Doc to set up Athena for CloudTrail: https://docs.aws.amazon.com/athena/latest/ug/cloudtrail-logs.html
SQL query to analyze KMS calls:
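SELECT eventtime,
       useridentity.type,
       eventsource,
       eventname,
       sourceipaddress
FROM "default"."cloudtrail_logs_logs_sst_cloudtrail"
WHERE eventsource = 'kms.amazonaws.com'
  -- eventtime is an ISO 8601 string; a half-open range keeps the events of July 31,
  -- which BETWEEN '2018-07-01' AND '2018-07-31' would drop
  AND eventtime >= '2018-07-01'
  AND eventtime < '2018-08-01';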
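The same attribution can be done directly on CloudTrail log files, which answers both this question and the first one on the page (which caller used which key, and for what). The following is an added example, not code from the original posts: it groups KMS events by principal, invoking service, operation, key ARN and encryption-context keys. The sample records are constructed, and every ARN and name in them is a placeholder.

```python
import json
from collections import Counter

KEY1 = "arn:aws:kms:us-east-1:111122223333:key/EXAMPLE-KEY-1"        # placeholder
ROLE = "arn:aws:sts::111122223333:assumed-role/skill-role/skill-fn"  # placeholder
USER = "arn:aws:iam::111122223333:user/alice"                        # placeholder
FUNC = "arn:aws:lambda:us-east-1:111122223333:function:skill-fn"     # placeholder
LAMBDA_ID = {"type": "AssumedRole", "arn": ROLE, "invokedBy": "lambda.amazonaws.com"}

def _record(source, name, identity, key=None, context=None):
    """Build one constructed CloudTrail record (sample data, not a real event)."""
    rec = {"eventSource": source, "eventName": name, "userIdentity": identity,
           "requestParameters": {"encryptionContext": context} if context else None}
    if key:
        rec["resources"] = [{"ARN": key, "type": "AWS::KMS::Key"}]
    return rec

SAMPLE_LOG = json.dumps({"Records": [
    _record("kms.amazonaws.com", "Decrypt", LAMBDA_ID, KEY1, {"aws:lambda:FunctionArn": FUNC}),
    _record("kms.amazonaws.com", "Decrypt", LAMBDA_ID, KEY1, {"aws:lambda:FunctionArn": FUNC}),
    _record("kms.amazonaws.com", "ListAliases", {"type": "IAMUser", "arn": USER}),
    _record("s3.amazonaws.com", "PutObject", {"type": "IAMUser", "arn": USER}),
]})

def kms_usage(log_text):
    """Count KMS calls per (principal, via, operation, key ARN, context keys)."""
    usage = Counter()
    for rec in json.loads(log_text).get("Records", []):
        if rec.get("eventSource") != "kms.amazonaws.com":
            continue
        ident = rec.get("userIdentity") or {}
        principal = ident.get("arn") or ident.get("type", "unknown")
        # invokedBy names the AWS service that made the call on the principal's behalf
        via = ident.get("invokedBy", "direct")
        context = (rec.get("requestParameters") or {}).get("encryptionContext") or {}
        keys = [r.get("ARN") for r in rec.get("resources") or []
                if r.get("type") == "AWS::KMS::Key"] or ["(no key)"]
        for key in keys:
            row = (principal, via, rec.get("eventName"), key, ",".join(sorted(context)))
            usage[row] += 1
    return usage

if __name__ == "__main__":
    for row, count in kms_usage(SAMPLE_LOG).most_common():
        print(count, *row, sep="\t")
```

Real log files delivered to S3 are gzip-compressed JSON with the same top-level `Records` array, so the function can be fed the decompressed text of each object.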

How to see AWS KMS events on AWS cloudtrail?

I am using AWS KMS to encrypt and decrypt some data. I want to track all KMS accesses using AWS CloudTrail. When I open my CloudTrail events page, I can't see KMS-related events. On the KMS documentation page, it is mentioned that KMS events are logged in CloudTrail.
Is there a setting to enable it?
KMS is not supported by CloudTrail Event History.
However, you can see the KMS logs if you set up a trail:
If you're looking for a specific API call that doesn't appear in the event history, create a trail and check the log files in your S3 bucket.
The previous answer is no longer correct->
When a KMS key gets deleted, it goes through a scheduled key deletion period (7-30 days) and then gets deleted.
You can track the calls made on the ScheduleKeyDeletion and CancelKeyDeletion APIs through CloudTrail. After the waiting period ends, search in CloudTrail for DeleteKey.
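The three event names mentioned above can be folded into a per-key deletion status. This is an added example, not code from the original answers: the records are constructed, the ARNs and user names are placeholders, and failed calls are recognised by the `errorCode` field that CloudTrail sets on them.

```python
KEY_A = "arn:aws:kms:us-east-1:111122223333:key/EXAMPLE-KEY-A"  # placeholder ARNs
KEY_B = "arn:aws:kms:us-east-1:111122223333:key/EXAMPLE-KEY-B"
KEY_C = "arn:aws:kms:us-east-1:111122223333:key/EXAMPLE-KEY-C"
STATES = {"ScheduleKeyDeletion": "pending deletion",
          "CancelKeyDeletion": "deletion cancelled",
          "DeleteKey": "deleted"}

def _event(time, name, actor, key, error=None):
    """Build one constructed CloudTrail record (sample data, not a real event)."""
    rec = {"eventTime": time, "eventSource": "kms.amazonaws.com", "eventName": name,
           "userIdentity": actor, "resources": [{"ARN": key, "type": "AWS::KMS::Key"}]}
    if error:
        rec["errorCode"] = error
    return rec

ALICE = {"type": "IAMUser", "arn": "arn:aws:iam::111122223333:user/alice"}
BOB = {"type": "IAMUser", "arn": "arn:aws:iam::111122223333:user/bob"}
SAMPLE_RECORDS = [  # deliberately out of order, as log files can be
    _event("2023-03-08T09:00:05Z", "DeleteKey", {"invokedBy": "AWS Internal"}, KEY_A),
    _event("2023-03-01T09:00:00Z", "ScheduleKeyDeletion", ALICE, KEY_A),
    _event("2023-03-02T12:00:00Z", "ScheduleKeyDeletion", BOB, KEY_B),
    _event("2023-03-03T08:30:00Z", "CancelKeyDeletion", ALICE, KEY_B),
    _event("2023-03-04T10:00:00Z", "ScheduleKeyDeletion", BOB, KEY_C, "AccessDenied"),
]

def key_deletion_status(records):
    """Return ({key: (state, time, actor)}, [failed attempts]) from deletion events."""
    status, failed = {}, []
    for rec in sorted(records, key=lambda r: r["eventTime"]):
        name = rec.get("eventName")
        if rec.get("eventSource") != "kms.amazonaws.com" or name not in STATES:
            continue
        ident = rec.get("userIdentity") or {}
        actor = ident.get("arn") or ident.get("invokedBy", "unknown")
        for res in rec.get("resources") or []:
            entry = (res.get("ARN"), name, rec["eventTime"], actor)
            if rec.get("errorCode"):  # denied or failed call: key state is unchanged
                failed.append(entry + (rec["errorCode"],))
            else:
                status[entry[0]] = (STATES[name], rec["eventTime"], actor)
    return status, failed

if __name__ == "__main__":
    current, denied = key_deletion_status(SAMPLE_RECORDS)
    for key, info in current.items():
        print(key, *info, sep="\t")
    print("failed attempts:", denied)
```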

AWS console see what action has been done by which user

On the AWS console, is there any history of users' actions? I would like to see which of our users has last modified a property of an S3 bucket, for example.
For this you can do a few things.
Set up AWS CloudTrail to audit user actions to AWS S3.
Enable logging for the S3 bucket and store the logs either in a bucket in the same account or in a different account (better if you need more security).
Enable versioning on S3 buckets, so past versions remain and changes can be reverted.
The best way to collect all user actions in AWS is using CloudTrail. Using CloudTrail you can also create trails that include S3 object-level operation events.