AWS CloudHSM

When an HSM in your account receives a command from the AWS CloudHSM command line tools or software libraries, it records its execution of the command in audit log form. The HSM audit logs include all client-initiated management commands, including those that create and delete the HSM, log into and out of the HSM, and manage users and keys. These logs provide a reliable record of actions that have changed the state of the HSM.

Datadog integrates with AWS CloudHSM through a Lambda function that ships CloudHSM logs to Datadog’s Log Management solution.


Log collection

Enable logs

Audit logs are enabled by default for CloudHSM.

Send your logs to Datadog

  1. If you haven’t already, set up the Datadog log collection AWS Lambda function.
  2. Once the Lambda function is installed, manually add a trigger on the CloudWatch Log group that contains your CloudHSM logs in the AWS console: select the corresponding CloudWatch Log group, add a filter name (the filter pattern itself can be left empty so that every audit event is forwarded) and add the trigger.

Once done, go to the Logs section of Datadog to start exploring your CloudHSM audit logs.
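The same trigger can be created from the AWS CLI instead of the console. The script below is an added example, not part of the Datadog documentation or the forwarder project: it grants the CloudWatch Logs service permission to invoke the forwarder for one log group only and then creates the subscription filter; the region, account id, log group name and forwarder function name are placeholders you must replace.

```shell
#!/usr/bin/env sh
# CLI equivalent of the console steps: subscribe a CloudWatch log group that
# holds CloudHSM audit logs to the Datadog forwarder Lambda.
# All inputs (region, account id, log group, function name) are placeholders.
set -eu

AWS="${AWS:-aws}"   # set AWS=echo to dry-run: the commands are printed, not executed

# ARN of a log group. The trailing ":*" is what the add-permission SourceArn
# expects, and it scopes the invoke grant to this single log group.
log_group_arn() {
  region="$1"; account="$2"; group="$3"
  printf 'arn:aws:logs:%s:%s:log-group:%s:*' "$region" "$account" "$group"
}

# Let the regional CloudWatch Logs service principal invoke the forwarder,
# but only for events from the named log group in this account (least privilege).
grant_logs_invoke() {
  region="$1"; account="$2"; group="$3"; function_name="$4"
  # Statement ids must be unique per function and match [a-zA-Z0-9-_]+,
  # so derive one from the log group name.
  sid="cloudhsm-$(printf '%s' "$group" | tr -c 'A-Za-z0-9' '-' | sed 's/^-//')"
  "$AWS" lambda add-permission \
    --function-name "$function_name" \
    --statement-id "$sid" \
    --action lambda:InvokeFunction \
    --principal "logs.${region}.amazonaws.com" \
    --source-arn "$(log_group_arn "$region" "$account" "$group")" \
    --source-account "$account"
}

# Create the trigger. An empty filter pattern forwards every audit event,
# which is what you want for a complete record of HSM state changes.
add_subscription() {
  region="$1"; account="$2"; group="$3"; function_name="$4"
  "$AWS" logs put-subscription-filter \
    --log-group-name "$group" \
    --filter-name "datadog-cloudhsm" \
    --filter-pattern "" \
    --destination-arn "arn:aws:lambda:${region}:${account}:function:${function_name}"
}
```

Run `grant_logs_invoke` before `add_subscription`, since `put-subscription-filter` fails when the destination Lambda cannot be invoked by CloudWatch Logs.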


