AWS Key Management Service (AWS KMS) is a managed service that makes it easy to create and control the encryption keys used to encrypt data. The customer master keys that are created in AWS KMS are protected by hardware security modules (HSMs). The HSMs are validated by the FIPS 140-2 Cryptographic Module Validation Program except in the China (Beijing) and China (Ningxia) Regions.

Customer Managed Keys Resource Information:

  • Type of Resource: Generic monitorable resource
  • Discovery type: AWS SDK discovery type
  • Discovery profile selection: Resource can be discovered by “Customer Managed Keys” in the profiler
  • ResourceTag: AWS_KMS_CUSTOMER_MANAGED_KEYS
  • Resource Unique Identification: keyId (key.keyId())
  • Dependencies: Customer Managed Keys may be used by various AWS services for encryption

AWS Managed Keys Resource Information:

  • Type of Resource: Generic non-monitorable resource
  • Discovery type: AWS SDK discovery type
  • Discovery profile selection: Resource can be discovered by “AWS Managed Keys” in the profiler
  • ResourceTag: AWS_KMS_AWS_MANAGED_KEYS
  • Resource Unique Identification: keyId (key.keyId())
  • Dependencies: AWS Managed Keys are managed by AWS services for encryption

Custom Key Store Resource Information:

  • Type of Resource: Generic non-monitorable resource
  • Discovery type: AWS SDK discovery type
  • Discovery profile selection: Resource can be discovered by “Custom Key Store” in the profiler
  • ResourceTag: AWS_KMS_CUSTOM_KEY_STORES
  • Resource Unique Identification: customKeyStoreId (customKey.customKeyStoreId())
  • Dependencies: Custom Key Store may depend on AWS CloudHSM clusters

AWS KMS is integrated with most other AWS services that encrypt data with encryption keys. AWS KMS is also integrated with AWS CloudTrail to provide encryption key usage logs to help meet auditing, regulatory and compliance needs.

Use the AWS public cloud integration to discover and collect metrics against the AWS service.

External reference

What is AWS Key Management Service?

Setup

To set up the AWS integration and discover the AWS service, go to AWS Integration Discovery Profile and select Kms.

Event support

CloudTrail event support

  • Supported (CreateKey)
  • Configurable in OpsRamp AWS Integration Discovery Profile.

CloudWatch alarm support

  • Supported
  • Configurable in OpsRamp AWS Integration Discovery Profile.

Supported metrics

OpsRamp Metric: aws_kms_SecondsUntilKeyMaterialExpiration

  • Metric Display Name: SecondsUntilKeyMaterialExpiration
  • Description: Number of seconds remaining until imported key material expires.
  • Unit: Seconds
  • Aggregation Type: Minimum
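As an added example (not part of this page or of the OpsRamp integration itself), the Python below recomputes the resource classification used above and the SecondsUntilKeyMaterialExpiration metric from KMS DescribeKey-style KeyMetadata records; the field names are AWS's, while the records, key IDs, custom key store ID and timestamps are constructed.

```python
from datetime import datetime, timedelta, timezone

# Constructed KeyMetadata records shaped like the KMS DescribeKey response.
# Field names are the real API names; key IDs, store ID and timestamps are made up.
NOW = datetime(2024, 6, 1, 12, 0, 0, tzinfo=timezone.utc)
SAMPLE_KEYS = [
    {"KeyId": "11111111-1111-1111-1111-111111111111", "KeyManager": "CUSTOMER",
     "Origin": "EXTERNAL", "ExpirationModel": "KEY_MATERIAL_EXPIRES",
     "ValidTo": NOW + timedelta(days=3), "KeyState": "Enabled"},
    {"KeyId": "22222222-2222-2222-2222-222222222222", "KeyManager": "CUSTOMER",
     "Origin": "EXTERNAL", "ExpirationModel": "KEY_MATERIAL_EXPIRES",
     "ValidTo": NOW - timedelta(hours=1), "KeyState": "PendingImport"},
    {"KeyId": "44444444-4444-4444-4444-444444444444", "KeyManager": "AWS",
     "Origin": "AWS_KMS", "ExpirationModel": "KEY_MATERIAL_DOES_NOT_EXPIRE",
     "KeyState": "Enabled"},
    {"KeyId": "55555555-5555-5555-5555-555555555555", "KeyManager": "CUSTOMER",
     "Origin": "AWS_CLOUDHSM", "ExpirationModel": "KEY_MATERIAL_DOES_NOT_EXPIRE",
     "CustomKeyStoreId": "cks-EXAMPLE0000000000", "KeyState": "Enabled"},
]

def resource_tag(key):
    """Resource tag a key is discovered under: KeyManager AWS -> non-monitorable
    AWS managed key, anything else -> monitorable customer managed key."""
    return "AWS_KMS_AWS_MANAGED_KEYS" if key["KeyManager"] == "AWS" else "AWS_KMS_CUSTOMER_MANAGED_KEYS"

def seconds_until_key_material_expiration(key, now=NOW):
    """Recompute the SecondsUntilKeyMaterialExpiration metric. Only imported material
    (Origin EXTERNAL, expiring model) has a value; expired material clamps to 0."""
    if key.get("Origin") != "EXTERNAL" or key.get("ExpirationModel") != "KEY_MATERIAL_EXPIRES":
        return None
    return max(0, int((key["ValidTo"] - now).total_seconds()))

def keys_needing_reimport(keys, threshold_seconds, now=NOW):
    """(keyId, seconds) pairs, smallest first, for imported material that has expired
    or expires within the threshold; Minimum aggregation surfaces the most urgent key."""
    hits = []
    for key in keys:
        secs = seconds_until_key_material_expiration(key, now)
        if secs is not None and secs <= threshold_seconds:
            hits.append((key["KeyId"], secs))
    return sorted(hits, key=lambda h: h[1])

def custom_key_store_dependencies(keys):
    """Group keys by the custom key store (CloudHSM cluster) they depend on."""
    deps = {}
    for key in keys:
        if "CustomKeyStoreId" in key:
            deps.setdefault(key["CustomKeyStoreId"], []).append(key["KeyId"])
    return deps
```

Feeding real DescribeKey output into these functions gives the same per-key values CloudWatch reports, which is a useful cross-check when an expiry alarm fires.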