---
title: AWS KMS
description: Simplifies creating and managing encryption keys for data encryption purposes.
---

# AWS KMS

Integration version 1.0.0

## Overview{% #overview %}

AWS Key Management Service (KMS) is a managed service that makes it easy for you to create and control the encryption keys used to encrypt your data.

Enable this integration to see all your KMS metrics in Datadog.

## Setup{% #setup %}

### Installation{% #installation %}

If you haven't already, set up the [Amazon Web Services integration](https://docs.datadoghq.com/integrations/amazon_web_services/) first.

### Metric collection{% #metric-collection %}

1. In the [AWS integration page](https://app.datadoghq.com/integrations/amazon-web-services), ensure that `KMS` is enabled under the `Metric Collection` tab.

1. Install the [Datadog - AWS Key Management Service (KMS) integration](https://app.datadoghq.com/integrations/amazon-kms).

### Log collection{% #log-collection %}

#### Enable logging{% #enable-logging %}

Configure AWS KMS to send logs either to an S3 bucket or to CloudWatch.

**Note**: If you log to an S3 bucket, make sure that `amazon_kms` is set as the *Target prefix*.

#### Send logs to Datadog{% #send-logs-to-datadog %}

1. If you haven't already, set up the [Datadog Forwarder Lambda function](https://docs.datadoghq.com/logs/guide/forwarder/).

1. Once the Lambda function is installed, manually add a trigger in the AWS console on the S3 bucket or CloudWatch log group that contains your AWS KMS logs:

   - [Add a manual trigger on the S3 bucket](https://docs.datadoghq.com/logs/guide/send-aws-services-logs-with-the-datadog-lambda-function/#collecting-logs-from-s3-buckets)
   - [Add a manual trigger on the CloudWatch Log Group](https://docs.datadoghq.com/logs/guide/send-aws-services-logs-with-the-datadog-lambda-function/#collecting-logs-from-cloudwatch-log-group)

## Data Collected{% #data-collected %}

### Metrics{% #metrics %}

| Metric | Description |
| --- | --- |
| **aws.kms.seconds\_until\_key\_material\_expiration** (gauge) | The number of seconds remaining until the earliest-expiring imported key material in a KMS key expires. *Shown as second* |
| **aws.kms.successful\_request** (count) | The number of successful requests for cryptographic operations on a specific KMS key. *Shown as request* |
| **aws.kms.xks\_proxy\_credential\_age** (gauge) | The number of days since the current external key store proxy authentication credential was associated with the external key store. *Shown as day* |
| **aws.kms.cloud\_hsm\_key\_store\_throttle** (count) | The number of requests for cryptographic operations on KMS keys in AWS CloudHSM key store that AWS KMS throttles. *Shown as request* |
| **aws.kms.external\_key\_store\_throttle** (count) | The number of requests for cryptographic operations on KMS keys in external key store that AWS KMS throttles. *Shown as request* |
| **aws.kms.xks\_proxy\_certificate\_days\_to\_expire** (gauge) | The number of days until the TLS certificate for the external key store proxy endpoint expires. *Shown as day* |
| **aws.kms.xks\_external\_key\_manager\_states** (count) | The count of external key manager instances in various health states for external key stores. *Shown as instance* |
| **aws.kms.xks\_proxy\_latency** (gauge) | The number of milliseconds it takes for an external key store proxy to respond to an AWS KMS request. *Shown as millisecond* |
| **aws.kms.xks\_proxy\_errors** (count) | The number of exceptions related to AWS KMS requests to the external key store proxy. *Shown as error* |

Each of the metrics retrieved from AWS is assigned the same tags that appear in the AWS console, including but not limited to host name and security-groups.

### Events{% #events %}

The AWS KMS integration does not include any events.

### Service Checks{% #service-checks %}

The AWS KMS integration does not include any service checks.

## Troubleshooting{% #troubleshooting %}

Need help? Contact [Datadog support](https://docs.datadoghq.com/help/).
