Once you’ve integrated with AWS CloudWatch, you have access to all metrics for Key Management Service (KMS), which helps you to encrypt data across your AWS workloads, digitally sign data, encrypt within your applications using AWS Encryption SDK, and generate and verify message authentication codes (MACs).
See all available AWS integrations.
To verify metrics are reporting, search for the metrics on the Metric details page in Project settings.
The following table shows the KMS metrics ingested by Lightstep.
|aws.kms.seconds_until_key_material_expiration||seconds||The number of seconds remaining until the imported key material in a KMS key expires. This metric is valid only for KMS keys with imported key material (a key material origin of EXTERNAL) and an expiration date.|
|aws.kms.external_key_store_throttle||requests||The number of requests for cryptographic operations on KMS keys in each external key store that AWS KMS throttles (responds with a
|aws.kms.xks_proxy_certificate_days_to_expire||days||The number of days until the TLS certificate for your external key store proxy endpoint (
|aws.kms.xks_proxy_credential_age||days||The number of days since the current external key store proxy authentication credential (
|aws.kms.xks_proxy_errors||requests||The number of exceptions related to AWS KMS requests to your external key store proxy. This count includes exceptions that the external key store proxy returns to AWS KMS and timeout errors that occur when the external key store proxy does not respond to AWS KMS within the 250 millisecond timeout interval. This metric applies only to external key stores.|
|aws.kms.xks_external_key_manager_states||days||The number of days since the current external key store proxy authentication credential (
|aws.kms.xks_proxy_latency||milliseconds||The number of milliseconds it takes for an external key store proxy to respond to an AWS KMS request. If the request timed out, the recorded value is the 250 millisecond timeout limit. This metric applies only to external key stores.|