How do I view my AWS CloudHSM audit logs?

Last updated: 2020-08-27

I need to view or monitor AWS CloudHSM activity for compliance or security reasons. For example, I need to know when a user created or used a key.

Short description

CloudHSM sends audit logs collected by HSM instances to Amazon CloudWatch Logs. For more information, see Monitoring AWS CloudHSM logs.

Resolution

Follow these instructions to view CloudHSM audit logs.

Important: Before you begin, be sure that you have installed and configured the AWS Command Line Interface (AWS CLI).

Get your HSM cluster ID

Note: If you already know what your HSM cluster ID is, you can skip this step.

1.    Run this command on your CloudHSM client instance to read the HSM IP address from the management utility configuration file.

cat /opt/cloudhsm/etc/cloudhsm_mgmt_util.cfg | grep hostname

2.    Run this AWS CLI command.

Note: Replace your-region with your AWS Region and your-ip-address with your HSM cluster IP address.

aws cloudhsmv2 describe-clusters --region your-region --query 'Clusters[*].Hsms[?EniIp==`your-ip-address`].{ClusterId:ClusterId}'

You receive an output similar to the following.

"ClusterId": "cluster-likphkxygsn"

AWS Management Console

1.    Open the CloudWatch console for your Region.

2.    In the navigation pane, choose Logs.

3.    In Filter, enter the Log Group name prefix. For example, /aws/cloudhsm/cluster-likphkxygsn.

4.    In Log Streams, choose the log stream for your HSM ID in your cluster. For example, hsm-nwbbiqbj4jk.

Note: For more information about log groups, log streams, and using Filter events, see Viewing audit logs in CloudWatch logs.

5.    Expand the log streams to display audit events collected from the HSM device.

6.    To list successful CRYPTO_USER logins, enter:

Opcode CN_LOGIN User Type CN_CRYPTO_USER Response SUCCESS

7.    To list failed CRYPTO_USER logins, enter:

Opcode CN_LOGIN User Type CN_CRYPTO_USER Response RET_USER_LOGIN_FAILURE

8.    To list successful key deletion events, enter:

Opcode CN_DESTROY_OBJECT Response SUCCESS

The opcode identifies the management command that ran on the HSM. For more information about HSM management commands in audit log events, see Audit log reference.

AWS Command Line Interface (AWS CLI)

1.    Use the describe-log-groups command to list the log group names.

aws logs describe-log-groups --log-group-name-prefix "/aws/cloudhsm/cluster" --query 'logGroups[*].logGroupName'

2.    Use this command to list successful CRYPTO_USER logins.

aws logs filter-log-events --log-group-name "/aws/cloudhsm/cluster-exampleabcd" --log-stream-name-prefix <hsm-ID> --filter-pattern "Opcode CN_LOGIN User Type CN_CRYPTO_USER Response SUCCESS" --output text

3.    Use this command to list failed CRYPTO_USER logins.

aws logs filter-log-events --log-group-name "/aws/cloudhsm/cluster-exampleabcd" --log-stream-name-prefix <hsm-ID> --filter-pattern "Opcode CN_LOGIN User Type CN_CRYPTO_USER Response RET_USER_LOGIN_FAILURE" --output text

4.    Use this command to list successful key deletion.

aws logs filter-log-events --log-group-name "/aws/cloudhsm/cluster-exampleabcd" --log-stream-name-prefix <hsm-ID> --filter-pattern "Opcode CN_DESTROY_OBJECT Response SUCCESS" --output text

For more information, see Viewing audit logs in CloudWatch logs.
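The same three filters can be applied offline to a captured log stream, for example to count failed crypto-user logins per user before alerting. The Python below is an added example, not part of the AWS article: it assumes the CloudHSM audit-log layout of one `Field : value` line per field with each event starting at a `Time:` line, and the sample events, user names and ids are constructed.

```python
import re
from collections import Counter

# Constructed sample in the CloudHSM audit-log layout; names, times and ids are made up.
SAMPLE_STREAM = """\
Time: 08/27/20 10:15:02.000001, usecs:1598523302000001
Opcode : CN_LOGIN (0xd)
Response : 0:HSM Return: SUCCESS
User Name : app_user
User Type : CN_CRYPTO_USER (1)
Time: 08/27/20 10:15:09.000001, usecs:1598523309000001
Opcode : CN_LOGIN (0xd)
Response : 157:HSM Error: RET_USER_LOGIN_FAILURE
User Name : app_user
User Type : CN_CRYPTO_USER (1)
Time: 08/27/20 10:16:00.000001, usecs:1598523360000001
Opcode : CN_DESTROY_OBJECT (0x11)
Response : 0:HSM Return: SUCCESS
"""

def parse_events(stream):
    """Split a stream into one dict per event; trailing '(0x..)' codes are dropped."""
    events = []
    for line in stream.splitlines():
        if not (m := re.match(r"^([A-Za-z ]+?)\s*:\s*(.*)$", line)):
            continue
        key = m.group(1).strip()
        value = re.sub(r"\s*\([^)]*\)$", "", m.group(2).strip())
        if key == "Time":  # every audit event begins with its Time line
            events.append({})
        if events:
            events[-1][key] = value
    return events

def classify(event):
    """Label an event the way the three filter patterns in this article would."""
    op, resp = event.get("Opcode"), event.get("Response", "")
    if op == "CN_LOGIN" and event.get("User Type") == "CN_CRYPTO_USER":
        if resp.endswith("SUCCESS"):
            return "cu_login_ok"
        if resp.endswith("RET_USER_LOGIN_FAILURE"):
            return "cu_login_failed"
    if op == "CN_DESTROY_OBJECT" and resp.endswith("SUCCESS"):
        return "key_destroyed"

def failed_cu_logins_by_user(stream):
    """Failed crypto-user logins per user name: a count a defender can alert on."""
    return Counter(e.get("User Name", "?") for e in parse_events(stream)
                   if classify(e) == "cu_login_failed")
```

Feed it the text of `aws logs get-log-events` or `filter-log-events --output text` for a log stream and the per-user failure counts fall out directly.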
