Once you’ve integrated with AWS CloudWatch, you have access to all metrics for Key Management Service (KMS), which helps you to encrypt data across your AWS workloads, digitally sign data, encrypt within your applications using AWS Encryption SDK, and generate and verify message authentication codes (MACs).
See all AWS integrations.
To verify metrics are reporting, search for the metrics on the Metric details page in Settings.
The following table shows the KMS metrics ingested by Cloud Observability.
| Metric Name | Unit | Description |
|---|---|---|
| aws.kms.seconds_until_key_material_expiration | seconds | The number of seconds remaining until the imported key material in a KMS key expires. This metric is valid only for KMS keys with imported key material (a key material origin of EXTERNAL) and an expiration date. |
| aws.kms.external_key_store_throttle | requests | The number of requests for cryptographic operations on KMS keys in each external key store that AWS KMS throttles (responds with a ThrottlingException). This metric applies only to external key stores. |
| aws.kms.xks_proxy_certificate_days_to_expire | days | The number of days until the TLS certificate for your external key store proxy endpoint (XksProxyUriEndpoint) expires. This metric applies only to external key stores. |
| aws.kms.xks_proxy_credential_age | days | The number of days since the current external key store proxy authentication credential (XksProxyAuthenticationCredential) was associated with the external key store. This count begins when you enter the authentication credential as part of creating or updating your external key store. This metric applies only to external key stores. |
| aws.kms.xks_proxy_errors | requests | The number of exceptions related to AWS KMS requests to your external key store proxy. This count includes exceptions that the external key store proxy returns to AWS KMS and timeout errors that occur when the external key store proxy does not respond to AWS KMS within the 250 millisecond timeout interval. This metric applies only to external key stores. |
| aws.kms.xks_external_key_manager_states | days | The number of days since the current external key store proxy authentication credential (XksProxyAuthenticationCredential) was associated with the external key store. This count begins when you enter the authentication credential as part of creating or updating your external key store. This metric applies only to external key stores. |
| aws.kms.xks_proxy_latency | milliseconds | The number of milliseconds it takes for an external key store proxy to respond to an AWS KMS request. If the request timed out, the recorded value is the 250 millisecond timeout limit. This metric applies only to external key stores. |
See also
Updated Feb 1, 2023