Managing AWS Reports
CCKM provides options to generate key visibility reports based on:
Key-related activities between CCKM and AWS KMS
Track keys by their expiration dates
What applications are using the keys
AWS reports are categorized as:
Key Activity Report: Inspect individual AWS key histories by operations, for example, when they were refreshed, rotated, edited, or deleted. Also, use this report to compare key activities between CCKM and AWS KMS.
Key Aging Report: Track keys by their expiration dates. Audit a range of dates, from past material deletions to future scheduled deletions, within the selected AWS KMS account.
Service/Usage Report: Monitor key usage by tracking services and applications consuming the keys. View when and where a service requests the use of each key.
Prerequisites
For generating CCKM reports, logs are fetched from AWS using the CloudTail and CloudWatch services. You need to configure these services on the AWS console. This includes specifying trail name, storage location, log group name, IAM role, and event types.
Attach the following policy to the IAM role linked with the log group:
{
"Version": "2012-10-17",
"Statement": [
{
"Action": [
"logs:DescribeLogGroups",
"logs:FilterLogEvents"
],
"Effect": "Allow",
"Resource": "*"
}
]
}
Creating AWS Reports
To create an AWS report:
Open the Cloud Key Manager application.
In the left pane, click Reports > AWS. The AWS Reports page is displayed.
Click Add Report. The Choose Report Type and Name screen of the Add AWS Report wizard is displayed.
Under Select Report Type, select a report type. The options are:
Key Activity Report
Key Aging Report
Service/Usage Report
Specify a Report Name. This is a mandatory field.
Click Next. The Select Log groups screen of the wizard is displayed.
Select an AWS KMS from the drop-down list.
(Not applicable to Key Aging Report) Select a Log Region from the drop-down list. The drop-down list shows the log regions of the selected AWS KMS account.
When a log region is selected, its log groups (if any) are populated in the Log Group Name drop-down list.
(Not applicable to Key Aging Report) Select a Log Group Name from the drop-down list.
Click Add. The selected log group is displayed under Selected Log Groups. Add more log groups, if required.
Click Next. The Set Start and End Dates screen of the wizard is displayed.
In the Include Entries From field, specify the start date and time for the report.
Click the field and select the date and time on the on-screen calender.
Alternatively, enter the time in
MM/DD/YYYY
HH:MM
format.
In the To field, specify the end date and time for the report.
Click Save.
A success message Created
Viewing AWS Reports
The AWS Reports page displays the list of existing reports. Filter the reports by their names.
To view existing AWS reports:
Open the Cloud Key Manager application.
In the left pane, click Reports > AWS. The list of available reports is displayed. The following details of the reports are displayed:
Column Name Description Report Name Name of the report. Run Date When the report is run. Type Type of the report. The type can be:
• Key Activity Report
• Key Aging Report
• Service/Usage ReportStart Date Start date from when the report is generated. If a report is run now, its status becomes Running Now. End Date End date for the report.
Viewing Details of an AWS Report
To view the details of an AWS report:
Open the Cloud Key Manager application.
In the left pane, click Reports > AWS. The list of available reports is displayed.
Click the desired Report Name link. The details of report are displayed.
Alternatively, click the overflow icon () corresponding to the desired alias and click View.
Downloading AWS Reports
To download an AWS report as a CSV file:
Open the Cloud Key Manager application.
In the left pane, click Reports > AWS. The list of available reports is displayed.
Click the overflow icon () corresponding to the desired alias and click Download.
Alternatively, click the desired report under Report Name, and click Download CSV in the detail view.
The report is downloaded as a CSV file.
Deleting AWS Reports
To delete an AWS report:
Open the Cloud Key Manager application.
In the left pane, click Reports > AWS. The list of available reports is displayed.
Click the overflow icon () corresponding to the desired alias and click Delete. The Confirm Delete Report message is displayed.
Click Delete Report.
The report is removed from the list of reports.