I want to find past usage of my AWS Key Management Service (AWS KMS) keys.
Resolution
AWS KMS doesn't report whether a key is unused, so you can't directly identify inactive KMS keys. However, every AWS KMS API call is recorded by AWS CloudTrail, so you can use CloudTrail and Amazon Athena to reconstruct when a key was used, by which principal, and on behalf of which AWS service.
Use CloudTrail event history
You can use the CloudTrail console to view the last 90 days of management events in an AWS Region. AWS KMS API calls are logged as management events, so they appear here. After 90 days, events no longer appear in Event history; to keep a longer record, create a trail that delivers logs to an Amazon S3 bucket and query them with Athena as described in the next section.
Complete the following steps:
- Open the CloudTrail console.
- Choose the Region that contains the key. Event history and KMS keys are both Regional, so calls to a key appear in that key's Region.
- In the navigation pane, choose Event History.
- On the Event history page, for Lookup attributes, select Event source. Then, in the search field, enter kms.amazonaws.com to view AWS KMS API calls. To narrow the results to a single key, you can instead select Resource name and enter the key ARN.
- In the Filter by date and time field, select a time range to review recent activity.
Select an event and review its Event record (the raw CloudTrail JSON) to identify the key ARN (in resources), the calling principal (userIdentity), and the invoking service (userIdentity.invokedBy, present only when another AWS service called KMS on the principal's behalf).
Note: If your account generates many AWS KMS events, this option is slow because you must open and review each event record individually.
Use Athena to query CloudTrail logs
Complete the following steps:
- Create an Athena table from the CloudTrail logs. This requires a trail that delivers logs to an Amazon S3 bucket; on the CloudTrail Event history page, choose Create Athena table to generate a table for that bucket.
- To retrieve AWS KMS API calls that reference a specific key, run the following Athena query:
SELECT
  eventName,
  COUNT(eventName) AS NumberOfChanges,
  eventSource,
  resources
FROM
  "default"."your-table-name"
WHERE
  eventSource = 'kms.amazonaws.com'
  AND (
    ARRAY_JOIN(TRANSFORM(resources, x -> x.arn), '') LIKE '%kms-key-id%'
    OR CAST(requestParameters AS VARCHAR) LIKE '%kms-key-id%'
  )
GROUP BY
  eventName,
  eventSource,
  resources
ORDER BY
  NumberOfChanges DESC
Note: In the preceding query, replace your-table-name with your Athena table name and kms-key-id with the key ID (the UUID portion of the key ARN). The parentheses around the OR condition are required: AND binds more tightly than OR, so without them the query also returns calls to other services (for example, S3 or EC2) whose request parameters mention the key ID, instead of only AWS KMS API calls.
To filter by a specific time period, add a condition to the WHERE clause. The eventtime column is an ISO 8601 string, so a string comparison orders correctly:
AND eventtime >= 'YYYY-MM-DDT00:00:00Z' AND eventtime <= 'YYYY-MM-DDT00:00:00Z'
Note: Athena charges for the amount of data that each query scans, so bound the time range and, if your table is partitioned by date, also filter on the partition columns to reduce the data scanned.
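The query above answers whether one key was used. The following query, added here as an example and not part of the original article, turns the same CloudTrail table into a per-key usage summary: for every KMS key that a CloudTrail event references, it lists the calling principal, the invoking AWS service if any, the API name, call counts (including failed calls, since AccessDenied attempts against a key are worth seeing), and the first and last time the key was seen. It assumes the table is named "default"."cloudtrail_logs" with the standard CloudTrail schema (useridentity, resources, errorcode and eventtime as an ISO 8601 string) and uses a constructed date range that you should replace with your own window.

```sql
-- Added example, not from the original article. Assumes the CloudTrail table is
-- "default"."cloudtrail_logs" with the standard CloudTrail schema. The date range
-- is a constructed placeholder; replace it with the window you want to audit.
SELECT
  element_at(filter(resources, r -> r.type = 'AWS::KMS::Key'), 1).arn AS key_arn,
  useridentity.arn                                                   AS principal_arn,
  useridentity.invokedby                                             AS invoked_by,   -- e.g. s3.amazonaws.com; NULL for direct callers
  eventname,
  COUNT(*)                                                           AS calls,
  COUNT_IF(errorcode IS NOT NULL)                                    AS failed_calls, -- AccessDenied and other errors
  MIN(eventtime)                                                     AS first_seen,
  MAX(eventtime)                                                     AS last_seen
FROM "default"."cloudtrail_logs"
WHERE eventsource = 'kms.amazonaws.com'
  -- eventtime is an ISO 8601 string, so string comparison orders correctly
  AND eventtime BETWEEN '2024-01-01T00:00:00Z' AND '2024-03-31T23:59:59Z'
  -- keep only events that name a key; calls such as ListKeys carry no key resource
  AND cardinality(filter(resources, r -> r.type = 'AWS::KMS::Key')) > 0
GROUP BY 1, 2, 3, 4
ORDER BY last_seen DESC;
```

To find inactive keys, compare the key_arn column with the output of aws kms list-keys for the same Region: any key that never appears in the result was not used in the window, provided the trail covers every Region and account from which the key's callers operate. Keys that appear only with failed_calls greater than zero and calls equal to failed_calls were attempted but never successfully used, which is usually worth a closer look at the principals involved.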
Related information
Logging AWS KMS API Calls with AWS CloudTrail
LookupEvents
Monitor AWS KMS keys
Determine past usage of a KMS key