AWS Key Management Service
AWS Key Management Service (AWS KMS) lets you create, manage, and control cryptographic keys across your applications and AWS services.
Cisco Cloud Observability only monitors KMS keys with key material origin values of AWS_KMS and EXTERNAL (Import key material). KMS keys that originate from an AWS CloudHSM or external key store are not monitored.
You must configure cloud connections to monitor this entity. See Set up Cisco AppDynamics Cloud Collectors to Monitor AWS.
Cisco Cloud Observability displays AWS entities on the Observe page. Metrics are displayed for specific entity instances in the list and detail views.
This document contains references to third-party documentation. Splunk AppDynamics does not own any rights and assumes no responsibility for the accuracy or completeness of such third-party documentation.
List View
To display the list view for an AWS KMS key:
- Navigate to the Observe page.
- Under Cloud Governance & Security Management, click AWS KMS Keys.
  The list view now displays a list of all of your KMS keys and a subset of their properties.
- From the list, click a row to display the tags and full list of properties for the KMS key.
Metrics and Key Performance Indicators
Cisco Cloud Observability displays the following metrics and key performance indicators (KPIs) for AWS KMS keys. For more information, see Monitoring with Amazon CloudWatch.
Display Name | Source Metric Name | Description |
---|---|---|
Key Material Expiration Seconds | SecondsUntilKeyMaterialExpiration | The number of seconds remaining until the imported key material in a KMS key expires. This metric is valid only for KMS keys with imported key material (a key material origin of EXTERNAL) and an expiration date. |
Properties (Attributes)
Cisco Cloud Observability displays the following properties for AWS KMS keys.
Display Name | Property Name | Description |
---|---|---|
Arn | aws.kms_key.arn | The Amazon Resource Name (ARN) of the KMS key. |
Key Id | cloud.managed_key.key_id | The unique identifier of the KMS key. |
Creation Date | aws.kms_key.creation_date | The date and time when the KMS key was created. |
Enabled | aws.kms_key.enabled | Specifies whether the KMS key is enabled. |
Description | aws.kms_key.description | The description of the KMS key. |
Key Usage | aws.kms_key.key_usage | The cryptographic operations for which you can use the KMS key. |
Key State | aws.kms_key.key_state | The current status of the KMS key. |
Deletion Date | aws.kms_key.deletion_date | The date and time after which KMS deletes this KMS key. This value is present only when the KMS key is scheduled for deletion (when its KeyState is PendingDeletion). |
Origin | aws.kms_key.origin | The source of the key material for the KMS key. When this value is AWS_KMS, KMS created the key material. When this value is EXTERNAL, the key material was imported or the KMS key doesn't have any key material. |
Expiration Model | aws.kms_key.expiration_model | Specifies whether the KMS key's key material expires. This value is present only when Origin is EXTERNAL; otherwise, this value is omitted. |
Valid To | aws.kms_key.valid_to | The time at which the imported key material expires. |
Key Manager | aws.kms_key.key_manager | The manager of the KMS key. KMS keys in your Amazon Web Services account are either customer managed or Amazon Web Services managed. |
Key Spec | aws.kms_key.key_spec | Describes the type of key material in the KMS key. |
Multi Region | aws.kms_key.multi_region | Indicates whether the KMS key is a multi-Region (True) or regional (False) key. |
Pending Deletion Window In Days | aws.kms_key.pending_deletion_window_in_days | The waiting period, in days, before the primary key in a multi-Region key is deleted. This value is present only when the KeyState is PendingReplicaDeletion. |
Account Id | cloud.account.id | The cloud account ID the resource is assigned to. |
Region | cloud.region | The geographical region in which the resource resides. |
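
The Origin, Expiration Model, Valid To, Key State, and Deletion Date properties above are enough to triage keys outside the product. The following is an added example, not Cisco or AWS code: it takes records shaped like the KeyMetadata returned by the AWS KMS DescribeKey API, flags origins this page says are not monitored, and computes the same remaining-seconds value as the expiration metric. The function names, the 30-day warning threshold, and the sample records are assumptions constructed for illustration.

```python
from datetime import datetime, timedelta, timezone

# Origins this page lists as monitored; any other origin is a coverage gap.
MONITORED_ORIGINS = {"AWS_KMS", "EXTERNAL"}

def seconds_until_expiration(key, now):
    """Same quantity as SecondsUntilKeyMaterialExpiration; None if not applicable."""
    if key.get("Origin") != "EXTERNAL":
        return None
    if key.get("ExpirationModel") != "KEY_MATERIAL_EXPIRES" or "ValidTo" not in key:
        return None
    return int((key["ValidTo"] - now).total_seconds())

def triage(keys, now, warn_days=30):
    """Return {KeyId: [findings]} for keys that need attention."""
    findings = {}
    for key in keys:
        notes = []
        if key.get("Origin") not in MONITORED_ORIGINS:
            notes.append("not monitored: origin " + str(key.get("Origin")))
        remaining = seconds_until_expiration(key, now)
        if remaining is not None:
            if remaining <= 0:
                notes.append("imported key material expired")
            elif remaining < warn_days * 86400:
                notes.append(f"key material expires in {remaining // 86400} days")
        if key.get("KeyState") == "PendingDeletion" and "DeletionDate" in key:
            days = (key["DeletionDate"] - now).days
            notes.append(f"scheduled for deletion in {days} days")
        if notes:
            findings[key["KeyId"]] = notes
    return findings

# Constructed sample records (hypothetical key IDs, not real keys).
NOW = datetime(2025, 1, 1, tzinfo=timezone.utc)
SAMPLE_KEYS = [
    {"KeyId": "key-a", "Origin": "AWS_KMS", "KeyState": "Enabled"},
    {"KeyId": "key-b", "Origin": "EXTERNAL", "KeyState": "Enabled",
     "ExpirationModel": "KEY_MATERIAL_EXPIRES", "ValidTo": NOW + timedelta(days=10)},
    {"KeyId": "key-c", "Origin": "EXTERNAL", "KeyState": "Enabled",
     "ExpirationModel": "KEY_MATERIAL_DOES_NOT_EXPIRE"},
    {"KeyId": "key-d", "Origin": "AWS_CLOUDHSM", "KeyState": "Enabled"},
    {"KeyId": "key-e", "Origin": "AWS_KMS", "KeyState": "PendingDeletion",
     "DeletionDate": NOW + timedelta(days=7)},
]

if __name__ == "__main__":
    for key_id, notes in triage(SAMPLE_KEYS, NOW).items():
        print(key_id, "->", "; ".join(notes))
```
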
Retention and Purge Time-To-Live (TTL)
For all cloud and infrastructure entities, the retention TTL is 180 minutes (3 hours) and the purge TTL is 525,600 minutes (365 days).
Amazon Web Services, the AWS logo, AWS, and any other AWS Marks used in these materials are trademarks of Amazon.com, Inc. or its affiliates in the United States and/or other countries.