Auditing KMS AWS owned key


Hello folks!

I am trying to audit an AWS owned key using CloudTrail; the intention is to eventually create a metric filter in CloudWatch that will generate an alert in case of unwanted usage of that key to perform crypto operations. I read in the AWS documentation that AWS owned keys cannot be audited: "You do not need to create or manage the AWS owned keys. However, you cannot view, use, track, or audit them". However, in my default CloudTrail for management events, I can see Decrypt events that use that AWS managed key based on the ARN of the key itself. I am wondering if anybody here has ever tried to track usage of an AWS owned key and/or tried to achieve the same goal I am describing in this post?


  • Seems entirely plausible that auditing is possible.

    I inspected CloudWatch and it does not report having any metrics available to display.

    Maybe you would need to make an EventBridge rule attached to a Lambda that logs them to CloudWatch.

2 Answers
Accepted Answer

Hi Nicco, most AWS services offer the choice of an AWS managed CMK, or an AWS owned CMK.

As explained in the docs, the AWS managed CMK is visible in the customer's account. Customers can view the CMK and its key state, and use GetKeyPolicy to view (but not change) the key policy. They can also track use of the AWS managed CMK by AWS services in CloudTrail logs. The key policy uses a kms:ViaService condition key that allows the key to be used only by the service on the customer's behalf; not by the customer directly. Also, customers are charged a per-use rate for AWS managed CMKs, although some services eat that cost.

These features are not available on an AWS owned CMK (in your account, it is displayed as aws/servicename, e.g. aws/ebs), which is not in the customer's account. However, despite the decreased visibility, the key is easy to use. The service creates, maintains, and uses the CMK on the customer's behalf.

answered 2 years ago
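To illustrate tracking use of an AWS managed CMK in CloudTrail, the following added example (not code from this thread or from AWS) scans CloudTrail records for Decrypt calls on one key ARN and reports those that were not made by an expected AWS service. The key ARN, principals and event records are constructed placeholders; `eventSource`, `eventName`, `resources[].ARN` and `userIdentity.invokedBy` are standard CloudTrail record fields.

```python
# Placeholder key ARN (constructed; account ID and key ID are not from the thread).
KEY_ARN = "arn:aws:kms:us-east-1:111122223333:key/00000000-0000-0000-0000-000000000000"
OTHER_ARN = "arn:aws:kms:us-east-1:111122223333:key/11111111-1111-1111-1111-111111111111"


def _event(event_id, name, key_arn, identity):
    """Build a constructed CloudTrail record trimmed to the fields inspected below."""
    return {
        "eventID": event_id,
        "eventSource": "kms.amazonaws.com",
        "eventName": name,
        "userIdentity": identity,
        "resources": [{"ARN": key_arn, "type": "AWS::KMS::Key"}],
    }


ROLE = "arn:aws:sts::111122223333:assumed-role/example-role/session"
USER = "arn:aws:iam::111122223333:user/example-user"

# Constructed sample events.
SAMPLE_EVENTS = [
    # A service using the key on the customer's behalf: invokedBy names the service.
    _event("evt-1", "Decrypt", KEY_ARN,
           {"type": "AssumedRole", "arn": ROLE, "invokedBy": "ebs.amazonaws.com"}),
    # A principal calling KMS directly: no invokedBy field.
    _event("evt-2", "Decrypt", KEY_ARN, {"type": "IAMUser", "arn": USER}),
    # Decrypt on a different key: out of scope for this alert.
    _event("evt-3", "Decrypt", OTHER_ARN, {"type": "IAMUser", "arn": USER}),
    # Same key, but not a crypto operation we alert on.
    _event("evt-4", "DescribeKey", KEY_ARN, {"type": "IAMUser", "arn": USER}),
]


def unexpected_decrypts(events, key_arn, expected_services):
    """Return Decrypt events on key_arn not invoked by a service in expected_services."""
    findings = []
    for ev in events:
        if ev.get("eventSource") != "kms.amazonaws.com" or ev.get("eventName") != "Decrypt":
            continue
        if not any(r.get("ARN") == key_arn for r in ev.get("resources") or []):
            continue
        identity = ev.get("userIdentity") or {}
        if identity.get("invokedBy") in expected_services:
            continue  # expected: the service is acting on the customer's behalf
        findings.append({"eventID": ev.get("eventID"),
                         "principal": identity.get("arn"),
                         "invokedBy": identity.get("invokedBy")})
    return findings
```
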

There is a difference between "AWS Owned" and "AWS Managed" keys. What you are seeing in the logs is the "AWS Managed" keys.

AWS
answered 2 years ago
