I need to view or monitor AWS CloudHSM activity for compliance or security reasons. For example, I need to know when a user created or used a key.

CloudHSM sends audit logs collected by HSM instances to Amazon CloudWatch Logs. For more information, see Monitoring AWS CloudHSM Logs.

Follow these instructions to view CloudHSM audit logs.

AWS Management Console

1.    Open the CloudWatch console for your Region.

2.    In the navigation pane, choose Logs.

3.    In Filter, enter the Log Group name prefix. For example, /aws/cloudhsm/cluster-likphkxygsn.

4.    In Log Streams, choose the log stream for your HSM ID in your cluster. For example, hsm-nwbbiqbj4jk.

Note: For more information about log groups, log streams, and using Filter events, see Viewing Audit Logs in CloudWatch Logs.

5.    Expand the log streams to display audit events collected from the HSM device.

6.    To list successful CRYPTO_USER log-ins, enter:

Opcode CN_LOGIN User Type CN_CRYPTO_USER Response SUCCESS

7.    To list failed CRYPTO_USER log-ins, enter:

Opcode CN_LOGIN User Type CN_CRYPTO_USER Response RET_USER_LOGIN_FAILURE

8.    To list successful key deletion events, enter:

Opcode CN_DESTROY_OBJECT Response SUCCESS

The Opcode identifies the management command that was executed on the HSM. For more information about HSM management commands in audit log events, see Audit Log Reference.

AWS Command Line Interface (AWS CLI)

1.    Use the describe-log-groups command to list the log group names.

aws logs describe-log-groups --log-group-name-prefix "/aws/cloudhsm/cluster" --query 'logGroups[*].logGroupName'

2.    Use this command to list successful CRYPTO_USER logins.

aws logs filter-log-events --log-group-name "/aws/cloudhsm/cluster-exampleabcd" --log-stream-name-prefix <hsm-ID> --filter-pattern "Opcode CN_LOGIN User Type CN_CRYPTO_USER Response SUCCESS" --output text

3.    Use this command to list failed CRYPTO_USER logins.

aws logs filter-log-events --log-group-name "/aws/cloudhsm/cluster-exampleabcd" --log-stream-name-prefix <hsm-ID> --filter-pattern "Opcode CN_LOGIN User Type CN_CRYPTO_USER Response RET_USER_LOGIN_FAILURE" --output text

4.    Use this command to list successful key deletion events.

aws logs filter-log-events --log-group-name "/aws/cloudhsm/cluster-exampleabcd" --log-stream-name-prefix <hsm-ID> --filter-pattern "Opcode CN_DESTROY_OBJECT Response SUCCESS" --output text

For more information, see Viewing Audit Logs in CloudWatch Logs.
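The filter patterns above return raw multi-line audit records; the following added example (not AWS code) post-processes the JSON form of `filter-log-events` output offline, approximating the unquoted CloudWatch filter-pattern match and flagging repeated CRYPTO_USER login failures. The record layout follows the CloudHSM audit log format, but every value in the sample is constructed.

```python
import json
import re
from collections import Counter

def _record(opcode, response, log_type, user=None, utype=None):
    """One CloudHSM-style audit record ('Field : value' per line). Constructed for
    this example: times, handles, user names and hex codes are made up."""
    lines = ["Time: 01/09/19 10:00:00.000000, usecs:1547028000000000", "Sequence No : 0x1a",
             "Reboot counter : 0x3", "Command Type(hex) : CN_MGMT_CMD (0x0)",
             f"Opcode : {opcode}", "Session Handle : 0x2014003",
             f"Response : {response}", f"Log type : {log_type}"]
    return "\n".join(lines + ([f"User Name : {user}", f"User Type : {utype}"] if user else []))

OK, FAIL = "0:HSM Return: SUCCESS", "157:HSM Error: RET_USER_LOGIN_FAILURE"
USER_LOG, MIN_LOG = "MGMT_USER_DETAILS_LOG (0x4)", "MINIMAL_LOG_ENTRY (0x0)"
# Constructed sample shaped like `aws logs filter-log-events --output json`.
SAMPLE_OUTPUT = json.dumps({"events": [
    {"logStreamName": "hsm-exampleabcd", "timestamp": 1547028000000 + i, "message": m}
    for i, m in enumerate([
        _record("CN_LOGIN (0xd)", OK, USER_LOG, "app_user", "CN_CRYPTO_USER (0x5)"),
        _record("CN_LOGIN (0xd)", FAIL, USER_LOG, "app_user", "CN_CRYPTO_USER (0x5)"),
        _record("CN_LOGIN (0xd)", FAIL, USER_LOG, "app_user", "CN_CRYPTO_USER (0x5)"),
        _record("CN_LOGIN (0xd)", OK, USER_LOG, "admin", "CN_CRYPTO_OFFICER (0x7)"),
        _record("CN_DESTROY_OBJECT (0x11)", OK, MIN_LOG)])]})

FIELD_RE = re.compile(r"^\s*([^:]+?)\s*:\s*(.*?)\s*$")

def parse_record(message):
    """Split one multi-line audit record into a {field: value} dict."""
    return {m.group(1): m.group(2) for m in map(FIELD_RE.match, message.splitlines()) if m}

def matches_all_terms(message, pattern):
    """Approximate an unquoted CloudWatch Logs filter pattern: every whitespace-separated
    term must occur as a whole, case-sensitive token somewhere in the event text."""
    tokens = set(re.findall(r"[A-Za-z0-9_]+", message))
    return all(term in tokens for term in pattern.split())

def count_matching(output_json, pattern):
    """How many returned events the given filter pattern selects."""
    return sum(matches_all_terms(e["message"], pattern) for e in json.loads(output_json)["events"])

FAILED_CU_LOGIN = "Opcode CN_LOGIN User Type CN_CRYPTO_USER Response RET_USER_LOGIN_FAILURE"
def failed_crypto_user_logins(output_json, threshold=2):
    """Count RET_USER_LOGIN_FAILURE events per CRYPTO_USER and return the names at or
    above `threshold`: repeated failures against one user are worth an alert."""
    counts = Counter(parse_record(e["message"])["User Name"]
                     for e in json.loads(output_json)["events"]
                     if matches_all_terms(e["message"], FAILED_CU_LOGIN))
    return {user: n for user, n in counts.items() if n >= threshold}
```

Pipe real `aws logs filter-log-events ... --output json` output into `failed_crypto_user_logins` to turn the page's filter into a periodic check; the token-based match is an approximation of the service-side pattern syntax, so validate it against the actual filter before relying on it.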



Published: 2018-12-26

Updated: 2019-01-09