
Can Cloudtrail support KMS code signing transparency logs (e.g. by logging signatures)?

-1

I would like to use AWS KMS for code signing. Additionally, I would like to publish transparency logs as an assurance that the signing key has not signed unknown code. However, CloudTrail logs don't include useful information about the response, such as the original message digest or the resulting signature. The log entry only seems to really record that a sign operation was requested against a key ID, at a specific time.

Is there any way to get more detailed information about key use from KMS?

    "requestParameters": {
        "keyId": "4ae12714-...",
        "messageType": "DIGEST",
        "signingAlgorithm": "RSASSA_PKCS1_V1_5_SHA_512"
    },
    "responseElements": null,
    "requestID": "6f955fef-...",
    "eventID": "40787b80-..."
1 Answer
1
Accepted Answer

CloudTrail intentionally does not log the message part of the invocation, nor the signature part of the response, and this is not configurable.

If you want to build that, the easiest way is probably to write your own wrapper to kms.sign() and handle the logging there (so from your own application code), or, if it fits the requirements, the purpose-built AWS Signer which maintains its own signing audit trail.

AWS
answered a month ago
EXPERT
reviewed a month ago
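The "own wrapper around kms.sign()" the answer suggests, as an added example (not from the answer author or AWS): each call hashes the message, sends the SHA-512 digest to KMS exactly as the CloudTrail event in the question shows (MessageType "DIGEST", RSASSA_PKCS1_V1_5_SHA_512), and appends a JSON line carrying the key ID, digest, signature and timestamp to a hash-chained log, which is the part CloudTrail drops. The `StandInKmsClient` is a constructed stand-in that returns the boto3 response shape so the code runs offline; it does not produce real RSA signatures, and a real boto3 `kms` client can be dropped in for it. The key alias is hypothetical.

```python
"""Client-side wrapper around KMS Sign that records what CloudTrail omits
(message digest and signature) in a hash-chained, append-only log.
Added example; standard library only."""
import hashlib
import json
import time
from typing import Callable, Dict, List, Optional

# Same parameters as the CloudTrail event in the question: the caller
# pre-hashes with SHA-512 and sends only the digest to KMS.
SIGNING_ALGORITHM = "RSASSA_PKCS1_V1_5_SHA_512"
GENESIS_HASH = "0" * 64


def _entry_hash(entry: Dict) -> str:
    """Hash of a log entry over its canonical JSON form (sorted keys, no whitespace)."""
    canonical = json.dumps(entry, sort_keys=True, separators=(",", ":"))
    return hashlib.sha256(canonical.encode()).hexdigest()


class StandInKmsClient:
    """Constructed stand-in for boto3's KMS client. NOT real KMS and NOT a real
    RSA signature: it only reproduces the response shape of kms.sign()."""

    def sign(self, KeyId, Message, MessageType, SigningAlgorithm):
        if MessageType != "DIGEST":
            raise ValueError("this stand-in only accepts pre-hashed digests")
        fake_sig = hashlib.sha512(b"stand-in-signature:" + Message).digest()
        return {"KeyId": KeyId, "Signature": fake_sig, "SigningAlgorithm": SigningAlgorithm}


class LoggedSigner:
    """Wraps any object exposing kms.sign(**kwargs) with boto3's response shape
    ({"KeyId", "Signature", "SigningAlgorithm"}) and logs every signature made."""

    def __init__(self, kms_client, key_id: str, clock: Callable[[], float] = time.time):
        self.kms = kms_client
        self.key_id = key_id
        self.clock = clock
        self.log: List[Dict] = []

    def sign(self, message: bytes) -> bytes:
        digest = hashlib.sha512(message).digest()
        resp = self.kms.sign(
            KeyId=self.key_id,
            Message=digest,
            MessageType="DIGEST",
            SigningAlgorithm=SIGNING_ALGORITHM,
        )
        signature = resp["Signature"]
        prev = self.log[-1]["entry_hash"] if self.log else GENESIS_HASH
        entry = {
            "seq": len(self.log),
            "time": self.clock(),
            "key_id": resp.get("KeyId", self.key_id),
            "signing_algorithm": resp.get("SigningAlgorithm", SIGNING_ALGORITHM),
            "message_digest_sha512": digest.hex(),
            "signature": signature.hex(),
            "prev_hash": prev,
        }
        # The entry hash covers every field above, so any later edit breaks the chain.
        entry["entry_hash"] = _entry_hash(entry)
        self.log.append(entry)
        return signature

    def head_hash(self) -> str:
        """Hash of the newest entry; publish this to let others detect truncation."""
        return self.log[-1]["entry_hash"] if self.log else GENESIS_HASH

    def export(self) -> str:
        """One JSON object per line (JSONL), suitable for publishing."""
        return "\n".join(json.dumps(e, sort_keys=True) for e in self.log)


def verify_chain(jsonl: str) -> Optional[int]:
    """Recompute the chain from an exported log.

    Returns None when every link checks out, otherwise the seq of the first
    entry that was modified, reordered, removed from the middle or re-chained.
    Truncation of the tail is only detectable against a published head hash."""
    prev = GENESIS_HASH
    for lineno, line in enumerate(jsonl.splitlines()):
        entry = json.loads(line)
        claimed = entry.pop("entry_hash")
        if entry["seq"] != lineno or entry["prev_hash"] != prev or _entry_hash(entry) != claimed:
            return entry["seq"]
        prev = claimed
    return None


if __name__ == "__main__":
    signer = LoggedSigner(StandInKmsClient(), "alias/hypothetical-code-signing")  # hypothetical alias
    for artifact in (b"release-1.0.0.tar.gz contents", b"release-1.0.1.tar.gz contents"):
        signer.sign(artifact)
    print(signer.export())
    print("chain ok:", verify_chain(signer.export()) is None, "head:", signer.head_hash())
```

Two caveats follow from the structure. The chain only proves that the published log was not altered or reordered after the fact; it says nothing about calls that never went through the wrapper, and a signer who bypasses it leaves no entry, which is the point the comment below makes. The head hash therefore has to be published somewhere the signer cannot rewrite (a third party, or the release itself) for consumers to detect a silently shortened log, and the KMS key policy should restrict `kms:Sign` to the principal running the wrapper so that CloudTrail's count of Sign events can at least be reconciled against the number of log entries.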
  • CloudTrail intentionally does not log the message part of the invocation, nor the signature part of the response, and this is not configurable.

    Disappointing, since that functionality is really essential to transparency (e.g. https://en.wikipedia.org/wiki/Certificate_Transparency)

    If you want to build that, the easiest way is probably to write your own wrapper to kms.sign()

    Logging use at the client really is not a substitute. If a key were misused, the adversary misusing it could simply log a plausible entry.
