This document explains how to ingest AWS Key Management Service (KMS) logs to Google Security Operations. AWS KMS is a fully managed service that lets you to create and control encryption keys used to encrypt your data. This integration helps in monitoring and auditing the usage of encryption keys.
Before you begin
Ensure you have the following prerequisites:
Google SecOps instance
Privileged access to AWS
Configure Amazon S3 and IAM
Create an Amazon S3 bucket following this user guide: Creating a bucket
In the search bar, type and select CloudTrail from the services list.
Click Create trail.
Provide a Trail name (for example, KMS-Activity-Trail).
Select the Enable for all accounts in my organization checkbox.
Type the S3 bucket URI created earlier (the format should be: s3://your-log-bucket-name/), or create a new S3 bucket.
If SSE-KMS enabled, provide a name for AWS KMS alias, or choose an existing AWS KMS Key.
You can leave the other settings as default.
Click Next.
Select Management events and Data events under Event Types.
Click Next.
Review the settings in Review and create.
Click Create trail.
Optional: if you created a new bucket, continue with the following process:
Go to S3.
Identify and select the newly created log bucket.
Select the folder AWSLogs.
Click Copy S3 URI and save it.
Set up feeds
There are two different entry points to set up feeds in the
Google SecOps platform:
SIEM Settings > Feeds > Add New
Content Hub > Content Packs > Get Started
How to set up the AWS Key Management Service feed
Click the Amazon Cloud Platform pack.
Locate the AWS Key Management Service log type.
Specify the values in the following fields.
Source Type: Amazon SQS V2
Queue Name: The SQS queue name to read from
S3 URI: The bucket URI.
s3://your-log-bucket-name/
Replace your-log-bucket-name with the actual name of your S3 bucket.
Source deletion options: Select the deletion option according to your ingestion preferences.
Maximum File Age: Include files modified in the last number of days. Default is 180 days.
SQS Queue Access Key ID: An account access key that is a 20-character alphanumeric string.
SQS Queue Secret Access Key: An account access key that is a 40-character alphanumeric string.
Advanced options
Feed Name: A prepopulated value that identifies the feed.
Asset Namespace: Namespace associated with the feed.
Ingestion Labels: Labels applied to all events from this feed.
Click Create feed.
For more information about configuring multiple feeds for different log types within this product family, see Configure feeds by product.
UDM Mapping Table
Log Field
UDM Mapping
Logic
data.detail.awsRegion
principal.location.country_or_region
Directly mapped from the data.detail.awsRegion field in the raw log.
data.detail.eventCategory
security_result.category_details
Directly mapped from the data.detail.eventCategory field in the raw log.
data.detail.eventName
metadata.product_event_type
Directly mapped from the data.detail.eventName field in the raw log. This field determines the metadata.event_type value based on the logic: if eventName is "Decrypt" or "Encrypt", then event_type is "USER_RESOURCE_ACCESS", if eventName is "GenerateDataKey" then event_type is "USER_RESOURCE_CREATION", otherwise event_type is "GENERIC_EVENT".
data.detail.requestID
additional.fields.key
Value is hardcoded to "requestID" in the parser code.
data.detail.requestID
additional.fields.value.string_value
Directly mapped from the data.detail.requestID field in the raw log.
data.detail.requestParameters.encryptionAlgorithm
security_result.detection_fields.key
Value is hardcoded to "encryptionAlgorithm" in the parser code.
data.detail.requestParameters.encryptionAlgorithm
security_result.detection_fields.value
Directly mapped from the data.detail.requestParameters.encryptionAlgorithm field in the raw log.
data.detail.resources.ARN
target.resource.id
Directly mapped from the data.detail.resources.ARN field in the raw log.
data.detail.resources.type
target.resource.resource_subtype
Directly mapped from the data.detail.resources.type field in the raw log.
Directly mapped from the data.detail.userIdentity.sessionContext.sessionIssuer.userName field in the raw log.
data.detail.userIdentity.type
principal.user.attribute.roles.name
Directly mapped from the data.detail.userIdentity.type field in the raw log.
data.id
metadata.product_log_id
Directly mapped from the data.id field in the raw log.
data.time
metadata.event_timestamp.seconds
The seconds value of the timestamp parsed from the data.time field in the raw log.
N/A
metadata.event_type
This field is derived by the parser logic based on the value of data.detail.eventName: if eventName is "Decrypt" or "Encrypt", then event_type is "USER_RESOURCE_ACCESS", if eventName is "GenerateDataKey" then event_type is "USER_RESOURCE_CREATION", otherwise event_type is "GENERIC_EVENT".
N/A
metadata.log_type
Value is hardcoded to "AWS_KMS" in the parser code.
N/A
metadata.product_name
Value is hardcoded to "AWS Key Management Service" in the parser code.
N/A
metadata.vendor_name
Value is hardcoded to "AMAZON" in the parser code.
N/A
principal.asset.attribute.cloud.environment
Value is hardcoded to "AMAZON_WEB_SERVICES" in the parser code.
[[["Easy to understand","easyToUnderstand","thumb-up"],["Solved my problem","solvedMyProblem","thumb-up"],["Other","otherUp","thumb-up"]],[["Hard to understand","hardToUnderstand","thumb-down"],["Incorrect information or sample code","incorrectInformationOrSampleCode","thumb-down"],["Missing the information/samples I need","missingTheInformationSamplesINeed","thumb-down"],["Other","otherDown","thumb-down"]],["Last updated 2025-08-29 UTC."],[[["\u003cp\u003eThis guide outlines how to ingest AWS Key Management Service (KMS) logs into Google Security Operations for monitoring and auditing encryption key usage.\u003c/p\u003e\n"],["\u003cp\u003eThe process involves configuring an Amazon S3 bucket and IAM user in AWS, creating a CloudTrail trail for AWS KMS, and setting up a feed in Google SecOps to pull the AWS logs from the S3 bucket.\u003c/p\u003e\n"],["\u003cp\u003eTo set up a feed in Google SecOps, you will need the S3 bucket details (region and URI), along with the access key ID and secret access key of the AWS IAM user with S3 permissions.\u003c/p\u003e\n"],["\u003cp\u003eThe data from the AWS KMS logs are mapped to UDM fields, such as principal location, security result details, product event type, resource identifiers, and user information, among others.\u003c/p\u003e\n"],["\u003cp\u003eThis feature is covered by the Pre-GA Offerings Terms of Google Security Operations Service Specific Terms and may have limited support.\u003c/p\u003e\n"]]],[],null,["# Collect AWS Key Management Service logs\n=======================================\n\nSupported in: \nGoogle secops [SIEM](/chronicle/docs/secops/google-secops-siem-toc)\n| **Note:** This feature is covered by [Pre-GA Offerings Terms](https://chronicle.security/legal/service-terms/) of the Google Security Operations Service Specific Terms. Pre-GA features might have limited support, and changes to pre-GA features might not be compatible with other pre-GA versions. For more information, see the [Google SecOps Technical Support Service guidelines](https://chronicle.security/legal/technical-support-services-guidelines/) and the [Google SecOps Service Specific Terms](https://chronicle.security/legal/service-terms/).\n\nThis document explains how to ingest AWS Key Management Service (KMS) logs to Google Security Operations. AWS KMS is a fully managed service that lets you to create and control encryption keys used to encrypt your data. This integration helps in monitoring and auditing the usage of encryption keys.\n\nBefore you begin\n----------------\n\nEnsure you have the following prerequisites:\n\n- Google SecOps instance\n- Privileged access to AWS\n\nConfigure Amazon S3 and IAM\n---------------------------\n\n1. Create an **Amazon S3 bucket** following this user guide: [Creating a bucket](https://docs.aws.amazon.com/AmazonS3/latest/userguide/creating-bucket.html)\n2. Save the bucket **Name** and **Region** for later use.\n3. Create a user following this user guide: [Creating an IAM user](https://docs.aws.amazon.com/IAM/latest/UserGuide/id_users_create.html#id_users_create_console).\n4. Select the created **User**.\n5. Select the **Security credentials** tab.\n6. Click **Create Access Key** in the **Access Keys** section.\n7. Select **Third-party service** as the **Use case**.\n8. Click **Next**.\n9. Optional: add a description tag.\n10. Click **Create access key**.\n11. Click **Download CSV file** to save the **Access Key** and **Secret Access Key** for later use.\n12. Click **Done**.\n13. Select the **Permissions** tab.\n14. Click **Add permissions** in the **Permissions policies** section.\n15. Select **Add permissions**.\n16. Select **Attach policies directly**.\n17. Search for and select the **AmazonS3FullAccess** policy.\n18. Click **Next**.\n19. Click **Add permissions**.\n\nHow to configure CloudTrail for AWS KMS\n---------------------------------------\n\n1. Sign in to the [AWS Management Console](https://aws.amazon.com/console/).\n2. In the search bar, type and select **CloudTrail** from the services list.\n3. Click **Create trail**.\n4. Provide a **Trail name** (for example, **KMS-Activity-Trail**).\n5. Select the **Enable for all accounts in my organization** checkbox.\n6. Type the S3 bucket URI created earlier (the format should be: `s3://your-log-bucket-name/`), or create a new S3 bucket.\n7. If SSE-KMS enabled, provide a name for **AWS KMS alias** , or choose an **existing AWS KMS Key**.\n8. You can leave the other settings as default.\n9. Click **Next**.\n10. Select **Management events** and **Data events** under **Event Types**.\n11. Click **Next**.\n12. Review the settings in **Review and create**.\n13. Click **Create trail**.\n14. Optional: if you created a new bucket, continue with the following process:\n 1. Go to **S3**.\n 2. Identify and select the newly created log bucket.\n 3. Select the folder **AWSLogs**.\n 4. Click **Copy S3 URI** and save it.\n\nSet up feeds\n------------\n\nThere are two different entry points to set up feeds in the\nGoogle SecOps platform:\n\n- **SIEM Settings \\\u003e Feeds \\\u003e Add New**\n- **Content Hub \\\u003e Content Packs \\\u003e Get Started**\n\nHow to set up the AWS Key Management Service feed\n-------------------------------------------------\n\n1. Click the **Amazon Cloud Platform** pack.\n2. Locate the **AWS Key Management Service** log type.\n3. Specify the values in the following fields.\n\n - **Source Type**: Amazon SQS V2\n - **Queue Name**: The SQS queue name to read from\n - **S3 URI** : The bucket URI.\n - `s3://your-log-bucket-name/`\n - Replace `your-log-bucket-name` with the actual name of your S3 bucket.\n - **Source deletion options**: Select the deletion option according to your ingestion preferences.\n\n | **Note:** If you select the `Delete transferred files` or `Delete transferred files and empty directories` option, make sure that you granted appropriate permissions to the service account.\n - **Maximum File Age**: Include files modified in the last number of days. Default is 180 days.\n\n - **SQS Queue Access Key ID**: An account access key that is a 20-character alphanumeric string.\n\n - **SQS Queue Secret Access Key**: An account access key that is a 40-character alphanumeric string.\n\n **Advanced options**\n - **Feed Name**: A prepopulated value that identifies the feed.\n - **Asset Namespace**: Namespace associated with the feed.\n - **Ingestion Labels**: Labels applied to all events from this feed.\n4. Click **Create feed**.\n\n| **Note:** The Content Hub is not available on the SIEM standalone platform. To upgrade, contact your Google SecOps representative.\n\nFor more information about configuring multiple feeds for different log types within this product family, see [Configure feeds by product](/chronicle/docs/ingestion/ingestion-entities/configure-multiple-feeds).\n\nUDM Mapping Table\n-----------------\n\n**Need more help?** [Get answers from Community members and Google SecOps professionals.](https://security.googlecloudcommunity.com/google-security-operations-2)"]]
