How do I view my CloudHSM audit logs?


I want to view or monitor AWS CloudHSM activity for compliance or security reasons. For example, I want to know when a user created or used a key.

Resolution

CloudHSM sends audit logs collected by HSM instances to Amazon CloudWatch Logs. For more information, see Working with Amazon CloudWatch Logs and AWS CloudHSM Audit Logs.

To view CloudHSM audit logs, complete the following steps.

Note: If you receive errors when you run AWS Command Line Interface (AWS CLI) commands, then see Troubleshoot AWS CLI errors. Also, make sure that you're using the most recent AWS CLI version.

Get your HSM cluster ID

Note: If you know your HSM cluster ID, then skip this step.

To get the IP address of an HSM in your cluster (the client configuration stores it as the hostname), run the following command on the client instance:

grep hostname /opt/cloudhsm/etc/cloudhsm_mgmt_util.cfg

Then, run the describe-clusters AWS CLI command to find the cluster that owns that HSM:
Note: Replace your-region with your AWS Region and your-ip-address with the HSM IP address from the previous command.

aws cloudhsmv2 describe-clusters --region your-region --query 'Clusters[*].Hsms[?EniIp==`your-ip-address`].{ClusterId:ClusterId}'

You receive an output similar to the following (the query matches on the HSM's elastic network interface IP address, EniIp, and returns the ClusterId of the HSM that has it):

"ClusterId": "cluster-likphkxygsn"

AWS Management Console

Complete the following steps:

  1. Open the CloudWatch console for your Region.

  2. In the navigation pane, choose Logs.

  3. For Filter, enter the Log Group name prefix. For example, /aws/cloudhsm/cluster-likphkxygsn.

  4. For Log Streams, select the log stream for your HSM ID in your cluster. For example, hsm-nwbbiqbj4jk.

  5. To display audit events collected from the HSM device, expand the log streams.

  6. To list successful CRYPTO_USER logins, enter the following filter pattern in the search field:

    Opcode CN_LOGIN User Type CN_CRYPTO_USER Response SUCCESS
  7. To list failed CRYPTO_USER logins, enter the following filter pattern:

    Opcode CN_LOGIN User Type CN_CRYPTO_USER Response RET_USER_LOGIN_FAILURE
  8. To list successful key deletion events, enter the following filter pattern:

    Opcode CN_DESTROY_OBJECT Response SUCCESS

    The opcode identifies the management command that ran on the HSM. For more information about HSM management commands in audit log events, see HSM audit log reference.

AWS CLI

Complete the following steps:

  1. To list the log group names, run the describe-log-groups command:

    aws logs describe-log-groups --log-group-name-prefix "/aws/cloudhsm/cluster" --query 'logGroups[*].logGroupName'
  2. To list successful CRYPTO_USER logins, run the filter-log-events command with the following parameters. Replace cluster-exampleabcd with your cluster ID and <hsm-ID> with the HSM ID of the log stream (for example, hsm-nwbbiqbj4jk); omit --log-stream-name-prefix to search every HSM in the cluster:

    aws logs filter-log-events --log-group-name "/aws/cloudhsm/cluster-exampleabcd" --log-stream-name-prefix <hsm-ID> --filter-pattern "Opcode CN_LOGIN User Type CN_CRYPTO_USER Response SUCCESS" --output text
  3. To list failed CRYPTO_USER logins, run the filter-log-events command with the following parameters:

    aws logs filter-log-events --log-group-name "/aws/cloudhsm/cluster-exampleabcd" --log-stream-name-prefix <hsm-ID> --filter-pattern "Opcode CN_LOGIN User Type CN_CRYPTO_USER Response RET_USER_LOGIN_FAILURE" --output text
  4. To list successful key deletions, run the filter-log-events command with the following parameters:

    aws logs filter-log-events --log-group-name "/aws/cloudhsm/cluster-exampleabcd" --log-stream-name-prefix <hsm-ID> --filter-pattern "Opcode CN_DESTROY_OBJECT Response SUCCESS" --output text

For more information about log groups, log streams, and how to use Filter events, see Viewing HSM audit logs in CloudWatch Logs.
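The three filter patterns above are string matches that CloudWatch Logs applies to each multi-line audit record. The following added example (not part of the original article or of any AWS tooling) shows what those patterns are actually matching by parsing audit records into fields and applying the same three selections in Python. It goes beyond the article in two ways a practitioner usually wants: it counts failed logins per user name to flag password guessing, and it checks the HSM's Sequence No counter for gaps, which is how you tell whether audit records were lost between the HSM and CloudWatch. The sample records are constructed to follow the documented "Field : value" layout of CloudHSM audit events; the numeric code in the failed-login Response line and the user names are assumptions, not captured output.

```python
"""Parse CloudHSM audit-log records and apply the article's three filters."""
import re
from collections import Counter

# Constructed sample records (one CloudWatch Logs event each). Layout follows
# the CloudHSM audit-log format; values are illustrative, not real HSM output.
# The "163:" prefix on the failure line is an assumption.
SAMPLE_EVENTS = [
    """Time: 12/19/17 21:01:17.140812, usecs:1513717277140812
Sequence No : 0x0
Reboot counter : 0xe8
Opcode : CN_LOGIN (0xd)
Session Handle : 0x7004001
Response : 0:HSM Return: SUCCESS
User Name : app_user
User Type : CN_CRYPTO_USER (1)""",
    """Time: 12/19/17 21:02:00.000001, usecs:1513717320000001
Sequence No : 0x1
Reboot counter : 0xe8
Opcode : CN_LOGIN (0xd)
Session Handle : 0x7004002
Response : 163:HSM Error: RET_USER_LOGIN_FAILURE
User Name : app_user
User Type : CN_CRYPTO_USER (1)""",
    """Time: 12/19/17 21:02:05.000001, usecs:1513717325000001
Sequence No : 0x2
Reboot counter : 0xe8
Opcode : CN_LOGIN (0xd)
Session Handle : 0x7004003
Response : 163:HSM Error: RET_USER_LOGIN_FAILURE
User Name : app_user
User Type : CN_CRYPTO_USER (1)""",
    """Time: 12/19/17 21:03:00.000001, usecs:1513717380000001
Sequence No : 0x3
Reboot counter : 0xe8
Opcode : CN_DESTROY_OBJECT (0x11)
Session Handle : 0x7004001
Response : 0:HSM Return: SUCCESS""",
    """Time: 12/19/17 21:04:00.000001, usecs:1513717440000001
Sequence No : 0x5
Reboot counter : 0xe8
Opcode : CN_GENERATE_KEY (0x17)
Session Handle : 0x7004001
Response : 0:HSM Return: SUCCESS""",
]

FIELD_RE = re.compile(r"^(?P<key>[A-Za-z ]+?)\s*:\s*(?P<value>.*)$")


def parse_event(record: str) -> dict:
    """Turn one multi-line audit record into a dict of normalised fields."""
    event = {}
    for line in record.splitlines():
        if line.startswith("Time:"):            # "Time: <clock>, usecs:<epoch us>"
            event["usecs"] = int(line.rsplit("usecs:", 1)[1])
            continue
        m = FIELD_RE.match(line)
        if m:
            event[m.group("key").strip()] = m.group("value").strip()
    # "CN_LOGIN (0xd)" -> "CN_LOGIN"; "CN_CRYPTO_USER (1)" -> "CN_CRYPTO_USER"
    event["opcode"] = event.get("Opcode", "").split(" ")[0]
    event["user_type"] = event.get("User Type", "").split(" ")[0]
    # "0:HSM Return: SUCCESS" -> "SUCCESS": the status is the text after the last colon
    event["status"] = event.get("Response", "").rsplit(":", 1)[-1].strip()
    event["seq"] = int(event["Sequence No"], 16)
    event["reboot"] = int(event["Reboot counter"], 16)
    return event


def filter_events(events, opcode, status, user_type=None):
    """Field-level equivalent of the CloudWatch 'Opcode ... Response ...' patterns."""
    return [e for e in events
            if e["opcode"] == opcode and e["status"] == status
            and (user_type is None or e["user_type"] == user_type)]


def successful_cu_logins(events):
    return filter_events(events, "CN_LOGIN", "SUCCESS", "CN_CRYPTO_USER")


def failed_cu_logins(events):
    return filter_events(events, "CN_LOGIN", "RET_USER_LOGIN_FAILURE", "CN_CRYPTO_USER")


def successful_key_deletions(events):
    return filter_events(events, "CN_DESTROY_OBJECT", "SUCCESS")


def failed_logins_by_user(events, threshold=2):
    """Users with at least `threshold` failed logins: a password-guessing signal."""
    counts = Counter(e.get("User Name", "?")
                     for e in filter_events(events, "CN_LOGIN", "RET_USER_LOGIN_FAILURE"))
    return {user: n for user, n in counts.items() if n >= threshold}


def sequence_gaps(events):
    """Missing Sequence No values per reboot counter; any gap means records were lost."""
    by_reboot = {}
    for e in events:
        by_reboot.setdefault(e["reboot"], []).append(e["seq"])
    missing = []
    for reboot, seqs in sorted(by_reboot.items()):
        present = set(seqs)
        missing.extend((reboot, s) for s in range(min(seqs), max(seqs) + 1) if s not in present)
    return missing


if __name__ == "__main__":
    evts = [parse_event(r) for r in SAMPLE_EVENTS]
    print("successful CU logins:", len(successful_cu_logins(evts)))
    print("failed CU logins:", len(failed_cu_logins(evts)))
    print("key deletions:", len(successful_key_deletions(evts)))
    print("repeated login failures:", failed_logins_by_user(evts))
    print("sequence gaps (reboot, seq):", sequence_gaps(evts))
```

To run this against real data, feed it the `message` field of each event returned by `aws logs filter-log-events` (or `get-log-events`) for one HSM's log stream; the Sequence No check only makes sense per log stream, because each HSM keeps its own counter.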

Related information

Interpreting HSM audit logs

AWS OFFICIAL
Updated 8 months ago