AWS Key Management Service (KMS)
Overview
AWS Key Management Service (KMS) is a managed service that makes it easy for you to create and control the encryption keys used to encrypt your data.
Enable this integration to see all your KMS metrics in Datadog.
Setup
Installation
If you haven’t already, set up the Amazon Web Services integration first.
Metric collection
In the AWS integration page, ensure that KMS is enabled under the Metric Collection tab.
Install the Datadog - AWS Key Management Service (KMS) integration.
Log collection
Enable logging
Configure AWS KMS to send logs either to an S3 bucket or to CloudWatch.
Note: If you log to an S3 bucket, make sure that amazon_kms is set as Target prefix.
Send logs to Datadog
If you haven’t already, set up the Datadog Forwarder Lambda function.
Once the Lambda function is installed, manually add a trigger on the S3 bucket or CloudWatch log group that contains your AWS KMS logs in the AWS console:
Data Collected
Metrics
aws.kms.seconds_until_key_material_expiration (gauge): This metric tracks the number of seconds remaining until imported key material expires. Shown as second.
Each of the metrics retrieved from AWS is assigned the same tags that appear in the AWS console, including but not limited to host name, security-groups, and more.
Events
The AWS KMS integration does not include any events.
Service Checks
The AWS KMS integration does not include any service checks.
Troubleshooting
Need help? Contact Datadog support.