Hi Nicco, most AWS services offer the choice of an AWS managed CMK, or an AWS owned CMK.
As explained in the docs, the AWS managed CMK is visible in the customer's account. Customers can view the CMK and its key state, and use GetKeyPolicy to view (but not change) the key policy. They can also track use of the AWS managed CMK by AWS services in CloudTrail logs. The key policy uses a kms:ViaService condition key that allows the key to be used only by the service on the customer's behalf; not by the customer directly. Also, customers are charged a per-use rate for AWS managed CMKs, although some services eat that cost.
These features are not available on an AWS owned CMK (in your account, it is displayed as aws/servicename, e.g. aws/ebs), which is not in the customer's account. However, despite the decreased visibility, the key is easy to use. The service creates, maintains, and uses the CMK on the customer's behalf.
There is a difference between "AWS Owned" and "AWS Managed" keys. What you are seeing in the logs are the "AWS Managed" keys.
Seems entirely plausible that auditing is possible.
I inspected CloudWatch and it does not report having any metrics available to display.
Maybe you would need to make an EventBridge rule attached to a Lambda that logs them to CloudWatch.
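The two things the answer above points at (the kms:ViaService condition in an AWS managed key's policy, and tracking the key's use in CloudTrail) and the later suggestion of an EventBridge rule can be tied together in a small audit script. The following is an added example, not code from this thread or from AWS: it reads a key policy and a batch of CloudTrail records, lists which services the policy lets use the key, counts calls per key by calling service and outcome, flags calls that arrived outside those services, and builds the EventBridge event pattern that would route such KMS events to a target. All data in it is constructed (the key ARN, account id, region, IAM user, volume id and every record are made up); the record fields mirror CloudTrail's KMS events and the policy mirrors the shape of an AWS managed key policy. The sample deliberately includes two denied calls, since a denial is logged with an errorCode and is exactly what an auditor wants to see.

```python
"""Audit an AWS managed KMS key from its key policy and CloudTrail records.
Added example, not code from the thread or from AWS. All values are constructed
(key ARN, account, region, user, volume id, records); the shapes follow CloudTrail
KMS events and the kms:ViaService policy AWS attaches to AWS managed keys."""
from collections import Counter, defaultdict

KEY_ARN = "arn:aws:kms:us-west-2:111122223333:key/1234abcd-12ab-34cd-56ef-1234567890ab"

# Constructed policy in the style of aws/ebs: usable only via EC2, for the account.
SAMPLE_KEY_POLICY = {
    "Version": "2012-10-17",
    "Id": "auto-ebs-2",
    "Statement": [{
        "Sid": "Allow access through EBS for principals authorized to use EBS",
        "Effect": "Allow",
        "Principal": {"AWS": "*"},
        "Action": ["kms:Encrypt", "kms:Decrypt", "kms:ReEncrypt*",
                   "kms:GenerateDataKey*", "kms:CreateGrant", "kms:DescribeKey"],
        "Resource": "*",
        "Condition": {"StringEquals": {"kms:CallerAccount": "111122223333",
                                       "kms:ViaService": "ec2.us-west-2.amazonaws.com"}},
    }],
}

def _record(event_name, invoked_by=None, error_code=None):
    """Constructed CloudTrail record for one KMS API call against KEY_ARN."""
    rec = {"eventSource": "kms.amazonaws.com", "eventName": event_name,
           "userIdentity": {"type": "IAMUser", "arn": "arn:aws:iam::111122223333:user/alice"},
           "requestParameters": {"encryptionContext": {"aws:ebs:id": "vol-0123456789abcdef0"}},
           "resources": [{"ARN": KEY_ARN, "type": "AWS::KMS::Key"}]}
    if invoked_by:                      # set when a service called KMS for the principal
        rec["userIdentity"]["invokedBy"] = invoked_by
    if error_code:                      # set when KMS refused the call
        rec["errorCode"] = error_code
    return rec

SAMPLE_RECORDS = [
    _record("GenerateDataKeyWithoutPlaintext", invoked_by="ec2.amazonaws.com"),
    _record("Decrypt", invoked_by="ec2.amazonaws.com"),
    _record("Decrypt", invoked_by="ec2.amazonaws.com"),
    # A service the policy does not name: kms:ViaService fails and KMS denies it.
    _record("Decrypt", invoked_by="rds.amazonaws.com", error_code="AccessDeniedException"),
    # The user calling Decrypt directly, with no service in the path: also denied.
    _record("Decrypt", error_code="AccessDeniedException"),
]

def allowed_via_services(policy):
    """Service names (e.g. 'ec2') that kms:ViaService permits in Allow statements."""
    services = set()
    for stmt in policy["Statement"]:
        if stmt.get("Effect") != "Allow":
            continue
        for operands in stmt.get("Condition", {}).values():
            via = operands.get("kms:ViaService")
            for endpoint in ([via] if isinstance(via, str) else via or []):
                services.add(endpoint.split(".")[0])   # 'ec2.us-west-2.amazonaws.com' -> 'ec2'
    return services

def caller_service(record):
    """'ec2' when EC2 called KMS on the principal's behalf, 'direct' otherwise."""
    invoked_by = record["userIdentity"].get("invokedBy")
    return invoked_by.split(".")[0] if invoked_by else "direct"

def summarize_usage(records):
    """Per key ARN, count KMS calls by (calling service, API name, outcome)."""
    summary = defaultdict(Counter)
    for rec in records:
        if rec.get("eventSource") != "kms.amazonaws.com":
            continue
        outcome = rec.get("errorCode", "Success")
        for res in rec.get("resources", []):
            if res.get("type") == "AWS::KMS::Key":
                summary[res["ARN"]][(caller_service(rec), rec["eventName"], outcome)] += 1
    return summary

def unexpected_callers(records, policy):
    """KMS records whose caller is not one of the services the key policy names."""
    allowed = allowed_via_services(policy)
    return [rec for rec in records if rec.get("eventSource") == "kms.amazonaws.com"
            and caller_service(rec) not in allowed]

def eventbridge_pattern(api_names=("Decrypt", "Encrypt", "GenerateDataKey",
                                   "GenerateDataKeyWithoutPlaintext")):
    """Event pattern for a rule that routes these KMS CloudTrail events to a target."""
    return {"source": ["aws.kms"], "detail-type": ["AWS API Call via CloudTrail"],
            "detail": {"eventSource": ["kms.amazonaws.com"], "eventName": list(api_names)}}

if __name__ == "__main__":
    for key_arn, counts in summarize_usage(SAMPLE_RECORDS).items():
        print(key_arn)
        for (service, api, outcome), n in sorted(counts.items()):
            print(f"  {service:8} {api:32} {outcome:22} {n}")
    for rec in unexpected_callers(SAMPLE_RECORDS, SAMPLE_KEY_POLICY):
        print("outside kms:ViaService:", caller_service(rec), rec["eventName"],
              rec.get("errorCode", "Success"))
```

Run against a real trail, the records would come from the CloudTrail log files (or a LookupEvents query) and the policy from GetKeyPolicy with the "default" policy name; the invokedBy field is what distinguishes a service acting on your behalf from a principal calling KMS directly, and a direct call against an AWS managed key is expected to fail the kms:ViaService check. The event pattern only fires if a trail is delivering management events in that region, which is the piece the EventBridge-plus-Lambda suggestion above relies on.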