Monitoring Key Usage

Learn how to monitor key usage in Oracle Cloud Infrastructure using log data.

Monitoring the use of keys for encrypt and decrypt operations can be valuable for several use cases, including the following:

  • Lifecycle management: Understanding when a key was last used is critical for making informed retention decisions. Infrequently used keys, such as those supporting database workloads, might still be operationally important despite limited activity. Extending log retention through OCI Connector Hub enables deeper visibility into historical usage patterns, letting teams make risk-aware decisions about whether to retain, rotate, or retire keys.
  • Security: Monitoring key usage can alert you to unusual activity.
  • Monitoring or investigating application behavior: Correlating application behavior with key usage can give you useful information for resolving issues with your applications or improving their performance.

This topic details how you can use Oracle Cloud Infrastructure (OCI) logs to monitor key usage.

Available Logging Data

The OCI Logging Service provides several kinds of logs, including the following:

Audit Logs

Use audit logs to monitor management (control plane) operations such as:

  • Create, update, and delete operations for managing keys and vaults
  • Rotate operations for keys

Audit logs do not record cryptographic operations such as Decrypt or GenerateDataEncryptionKey (data plane activity). Those operations are recorded only in Service Logs, and only after you enable them.

Service Logs

Service Logs must be enabled by the customer to be used. When enabled for Key Management, service logs capture metadata including:

  • Calling principal (the user, function, or instance that initiates the key operation)
  • Key OCID
  • Key version
  • Operation type (for example, Decrypt)
  • Timestamp
  • Vault and compartment details

Important: Service logs don't record sensitive information that would compromise data security for your organization or your customers. See Details for Key Management for complete details on the data that service logs collect for Key Management.

Enabling Service Logs for a Vault

To enable service logs, you need the required IAM permissions. See Details for Logging in the IAM Service documentation for information.

Note that service logs are enabled at the vault level. Repeat the steps in this topic for each regional vault for which you want to enable logging.

See Enabling Logging for a Resource in the Logging Service documentation for more information.

  1. Open the navigation menu and select Observability & Management. Under Logging, select Logs.
  2. Select Enable Service Log.
  3. Configure the log as follows:
    • Compartment: Select the compartment containing the vault for which you're enabling logging.
    • Service: Key Management
    • Resource: Select the vault you want to monitor using service logs.
    • Log Category: Crypto Operations.
    • Log Name: Enter a name for the log.
  4. Select Enable Logging.

View and Query KMS Logs

  1. Open the navigation menu and select Observability & Management. Under Logging, select Logs.
  2. Navigate to a service log you have created for a vault in the list view of logs. See Getting a Log's Details if you need instructions.
  3. Use the Sort and Filter by time controls to choose which log entries appear in the Explore Log list. The Type column shows the kind of crypto operation each entry represents. For example, an entry for a decrypt operation has the following entry type:

    keymanagementservice.vault.crypto.decrypt

    The following image shows an example log with a list of log entries:

    An image of a service log details page for KMS crypto operations.
  4. To see the full details for a log entry, select the arrow at the end of the row for the entry to expand the entry and view a JSON-formatted view of the entry details.

    The following image shows an example of the details for a log entry in the JSON format:

    An image of a KMS service log entry in the JSON format.
    {
      "datetime": 1754361617552,
      "logContent": {
        "data": {
          "clientIpAddress": "<example_ip>",
          "keyVersionId": "ocid1.keyversion.oc1.iad.<example_ocid>",
          "opcRequestId": "<example_request_id>",
          "principalId": "objectstorage-us-ashburn-1/<example_principle>",
          "requestAction": "DECRYPT",
          "statusCode": 200
        },
        "id": "51777c94-e29c-4e78-9121-946c77301f62",
        "oracle": {
          "compartmentid": "ocid1.tenancy.oc1.<example_ocid>",
          "ingestedtime": "2025-08-05T02:40:55.747Z",
          "loggroupid": "ocid1.loggroup.oc1.<example_ocid>",
          "logid": "ocid1.log.oc1.iad.<example_ocid>",
          "tenantid": "ocid1.tenancy.oc1.<example_ocid>"
        },
        "source": "ocid1.vault.oc1.iad.<example_ocid>",
        "specversion": "1.0",
        "subject": "ocid1.key.oc1.iad.<example_ocid>",
        "time": "2025-08-05T02:40:17.552Z",
        "type": "com.oraclecloud.keymanagementservice.vault.crypto.decrypt"
      },
      "regionId": "us-ashburn-1"
    }
  5. To search for entries by a custom query, select Actions, then select Explore with Log Search. The Basic Mode for log search is displayed by default and lets you type keywords (such as "encrypt") or unique values or strings (such as a principalId value) into the Custom filters field. You can also select Advanced Mode and use query syntax to search the log. See Getting a Log's Details and Logging Search for more information on searching logs.
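The entry format above is regular enough that the three use cases from the top of this topic (last-use dates for lifecycle decisions, unexpected callers, and failed operations) can be computed from exported log lines with a short script. The following Python example is added here and is not Oracle code or part of the OCI documentation; it parses constructed sample entries that follow the JSON shape shown in step 4 (all OCIDs, principals and IP addresses are hypothetical placeholders, and the ENCRYPT request action is assumed by analogy with the DECRYPT value on the page) and reports the last successful use of each key, activity per principal, non-200 status codes, and principals outside an allow-list you supply.

```python
"""Summarize OCI Key Management crypto-operation service-log entries.

Added example (not Oracle's code). Input is one JSON log entry per line,
in the shape of the Key Management service log entry shown on this page.
"""
import json
from collections import Counter
from datetime import datetime, timedelta, timezone

# Constructed placeholder identifiers (hypothetical, not real OCIDs).
KEY_A = "ocid1.key.oc1.iad.EXAMPLE_KEY_A"
KEY_B = "ocid1.key.oc1.iad.EXAMPLE_KEY_B"
APP_PRINCIPAL = "objectstorage-us-ashburn-1/EXAMPLE_PRINCIPAL"
ADMIN_PRINCIPAL = "ocid1.user.oc1..EXAMPLE_ADMIN"
UNKNOWN_PRINCIPAL = "ocid1.user.oc1..EXAMPLE_UNKNOWN"


def _entry(key, version, action, principal, status, time):
    """Build one constructed log line with the fields the page documents."""
    return json.dumps({
        "logContent": {
            "data": {
                "clientIpAddress": "203.0.113.10",          # RFC 5737 test address
                "keyVersionId": f"{key}/version/{version}",
                "opcRequestId": "EXAMPLE_REQUEST_ID",
                "principalId": principal,
                "requestAction": action,
                "statusCode": status,
            },
            "id": "00000000-0000-0000-0000-000000000000",
            "source": "ocid1.vault.oc1.iad.EXAMPLE_VAULT",
            "subject": key,
            "time": time,
            "type": "com.oraclecloud.keymanagementservice.vault.crypto."
                    + action.lower(),
        },
        "regionId": "us-ashburn-1",
    })


# Constructed sample input: four entries, one of them a failed request.
SAMPLE_LOG_LINES = [
    _entry(KEY_A, "v1", "DECRYPT", APP_PRINCIPAL, 200, "2025-08-05T02:40:17.552Z"),
    _entry(KEY_A, "v1", "ENCRYPT", APP_PRINCIPAL, 200, "2025-08-05T03:10:00.000Z"),
    _entry(KEY_B, "v3", "DECRYPT", ADMIN_PRINCIPAL, 200, "2025-08-04T22:00:00.000Z"),
    _entry(KEY_A, "v1", "DECRYPT", UNKNOWN_PRINCIPAL, 404, "2025-08-05T04:00:00.000Z"),
]


def parse_entry(line):
    """Flatten one JSON log line into the fields used for reporting."""
    content = json.loads(line)["logContent"]
    data = content["data"]
    # "time" is RFC 3339 with a trailing Z; make it timezone-aware UTC.
    when = datetime.fromisoformat(content["time"].replace("Z", "+00:00"))
    return {
        "key": content["subject"],            # key OCID
        "key_version": data["keyVersionId"],
        "action": data["requestAction"],
        "principal": data["principalId"],
        "status": int(data["statusCode"]),
        "client_ip": data["clientIpAddress"],
        "time": when,
    }


def summarize(entries):
    """Last successful use per key, operation counts per (principal, action),
    and the list of entries whose status code is not 200."""
    last_used, ops, failures = {}, Counter(), []
    for e in entries:
        ops[(e["principal"], e["action"])] += 1
        if e["status"] != 200:
            failures.append(e)
            continue
        if e["key"] not in last_used or e["time"] > last_used[e["key"]]:
            last_used[e["key"]] = e["time"]
    return {"last_used": last_used, "ops": ops, "failures": failures}


def stale_keys(last_used, now, max_idle_days):
    """Keys whose last successful use is older than max_idle_days."""
    limit = timedelta(days=max_idle_days)
    return sorted(k for k, t in last_used.items() if now - t > limit)


def unexpected_principals(entries, allowed):
    """Principals that used any key but are not in the allow-list."""
    return sorted({e["principal"] for e in entries} - set(allowed))


if __name__ == "__main__":
    parsed = [parse_entry(line) for line in SAMPLE_LOG_LINES]
    report = summarize(parsed)
    now = datetime(2025, 8, 15, tzinfo=timezone.utc)
    for key, when in report["last_used"].items():
        print(f"{key}: last used {when.isoformat()}")
    print("stale (>10 days):", stale_keys(report["last_used"], now, 10))
    print("unexpected principals:",
          unexpected_principals(parsed, {APP_PRINCIPAL, ADMIN_PRINCIPAL}))
    for f in report["failures"]:
        print(f"non-200: {f['action']} on {f['key']} by {f['principal']} "
              f"-> {f['status']}")
```

Only successful (status 200) operations update a key's last-use time, so a key that is being probed by failing requests still shows up as idle for retention purposes while the failures are listed separately; feed the script real exported entries by replacing SAMPLE_LOG_LINES with the lines of a Logging export, and extend the allow-list with the principals your applications actually use.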