Monitoring & Auditing

Monitoring Overview

Monitoring and Auditing in AWS Secrets Manager provides comprehensive visibility into secret operations, access patterns, and security events through CloudTrail, CloudWatch, and AWS Config integration.

CloudTrail: All API calls logged automatically

CloudWatch: Metrics for rotation and access patterns

AWS Config: Compliance rules and configuration tracking

CloudWatch Metrics

Rotation Metrics

RotationSucceeded, RotationFailed, RotationAbandoned

Access Metrics

SecretRetrievals, SecretUpdates, SecretCreations

Error Metrics

APIErrors, ThrottlingErrors, AccessDeniedErrors

CloudWatch Alarm Example

                            aws cloudwatch put-metric-alarm \

                              --alarm-name "SecretsManager-RotationFailure" \

                              --metric-name RotationFailed \

                              --namespace AWS/SecretsManager \

                              --statistic Sum \

                              --period 300 \

                              --threshold 1 \

                              --comparison-operator GreaterThanOrEqualToThreshold

Rotation Compliance

rotation-enabled-check
scheduled-rotation-success
using-cmk
periodic-rotation

Security Compliance

secret-unused
using-cmk
no-admin-access
access-keys-rotated

Tagging Compliance

required-tags
secret-has-tags
tag-policy-compliance
resource-tagging

Encryption Compliance

using-cmk
cmk-not-scheduled-deletion
encrypted-volumes
s3-encryption-enabled

Comprehensive Logging

Enable CloudTrail for all regions
Configure log file validation
Centralized log aggregation
Implement retention policies

Proactive Alerting

Alerts for rotation failures
Monitor unusual access patterns
Alert on permission changes
Track secret lifecycle events

Performance Monitoring

Monitor API latency and errors
Track secret usage patterns
Analyze cost optimization
Monitor cache hit rates

Exam Strategy Tip

Remember: All Secrets Manager API calls are automatically logged to CloudTrail, providing complete audit trails. Use CloudWatch metrics to monitor rotation success/failure and usage patterns. AWS Config rules help ensure compliance with security policies.

Back to Integration Next: Service Limitations