

# Monitor AWS Private CA resources
<a name="logging-and-monitoring"></a>

Monitoring is an important part of maintaining the reliability, availability, and performance of AWS Private CA and your other AWS solutions. AWS provides the following monitoring tools to watch AWS Private CA, report when something is wrong, and take automatic actions when appropriate:
+ *Amazon CloudWatch* monitors your AWS resources and the applications you run on AWS in real time. You can collect and track metrics, create customized dashboards, and set alarms that notify you or take actions when a specified metric reaches a threshold that you specify. For example, you can have CloudWatch track CPU usage or other metrics of your Amazon EC2 instances and automatically launch new instances when needed. For more information, see the [Amazon CloudWatch User Guide](https://docs.aws.amazon.com/AmazonCloudWatch/latest/monitoring/).
+ *Amazon CloudWatch Logs* enables you to monitor, store, and access your log files from Amazon EC2 instances, CloudTrail, and other sources. CloudWatch Logs can monitor information in the log files and notify you when certain thresholds are met. You can also archive your log data in highly durable storage. For more information, see the [Amazon CloudWatch Logs User Guide](https://docs.aws.amazon.com/AmazonCloudWatch/latest/logs/).
+ *AWS CloudTrail* captures API calls and related events made by or on behalf of your AWS account and delivers the log files to an Amazon S3 bucket that you specify. You can identify which users and accounts called AWS, the source IP address from which the calls were made, and when the calls occurred. For more information, see the [AWS CloudTrail User Guide](https://docs.aws.amazon.com/awscloudtrail/latest/userguide/).
+ *Amazon EventBridge* is a serverless event bus service that makes it easy to connect your applications with data from a variety of sources. EventBridge delivers a stream of real-time data from your own applications, Software-as-a-Service (SaaS) applications, and AWS services and routes that data to targets such as Lambda. This enables you to monitor events that happen in services, and build event-driven architectures. For more information, see the [Amazon EventBridge User Guide](https://docs.aws.amazon.com/eventbridge/latest/userguide/).

The following topics describe AWS cloud-monitoring tools available for use with AWS Private CA.

# AWS Private CA CloudWatch metrics
<a name="PcaCloudWatch"></a>

Amazon CloudWatch is a monitoring service for AWS resources. You can use CloudWatch to collect and track metrics, set alarms, and automatically react to changes in your AWS resources. CloudWatch metrics are published at least once.

AWS Private CA supports the following CloudWatch metrics.

| Metric | Description | 
| --- | --- | 
| CRLGenerated | A certificate revocation list (CRL) was generated. This metric applies only to a private CA. | 
| MisconfiguredCRLBucket | The S3 bucket specified for the CRL is not correctly configured. Check the bucket policy. This metric applies only to a private CA. | 
| Time | The time in milliseconds between an issuance request and the completion (or failure) of issuance. This metric applies only to the IssueCertificate operation.  | 
| Success | A certificate was successfully issued. This metric applies only to the IssueCertificate operation. | 
| Failure | An operation failed. This metric applies only to the IssueCertificate operation. | 
| CertificateAuthority | The total number of private certificate authorities in your account in the current Region. This metric includes CAs in all states (ACTIVE, DISABLED, CREATING, etc.) and can be used to monitor CA inventory and track usage against account quotas. | 
| CertificatesPerCA | The total number of certificates issued by a specific private certificate authority since its creation. This metric increments with each successful certificate issuance and is not decremented when certificates expire or are revoked. This metric applies to individual private CAs and can be used to track certificate issuance volume and to support capacity planning. This metric is published only in the owner account and is not available in accounts that the CA is shared with. | 

**Note**  
For any private CAs created prior to March 26, 2026, the `CertificateAuthority` and `CertificatesPerCA` metrics might take until April 30, 2026 to be available in CloudWatch.

For more information about CloudWatch metrics, see the following topics:
+ [Using Amazon CloudWatch Metrics](https://docs.aws.amazon.com/AmazonCloudWatch/latest/monitoring/working_with_metrics.html)
+ [Creating Amazon CloudWatch Alarms](https://docs.aws.amazon.com/AmazonCloudWatch/latest/monitoring/AlarmThatSendsEmail.html)

# Monitor AWS Private CA with CloudWatch Events
<a name="CloudWatchEvents"></a>

You can use [Amazon CloudWatch Events](https://docs.aws.amazon.com/AmazonCloudWatch/latest/events/) to automate your AWS services and respond automatically to system events such as application availability issues or resource changes. Events from AWS services are delivered to CloudWatch Events in near-real time. You can write simple rules to indicate which events are of interest to you and the automated actions to take when an event matches a rule. CloudWatch Events are published at least once. For more information, see [Creating a CloudWatch Events Rule That Triggers on an Event](https://docs.aws.amazon.com/AmazonCloudWatch/latest/events/Create-CloudWatch-Events-Rule.html). 

CloudWatch Events are turned into actions using Amazon EventBridge. With EventBridge, you can use events to trigger targets including AWS Lambda functions, AWS Batch jobs, Amazon SNS topics, and many others. For more information, see [What Is Amazon EventBridge?](https://docs.aws.amazon.com/eventbridge/latest/userguide/what-is-amazon-eventbridge.html)

## Success or failure when creating a private CA
<a name="cwe-issue-CA"></a>

These events are triggered by the [CreateCertificateAuthority](https://docs.aws.amazon.com/privateca/latest/APIReference/API_CreateCertificateAuthority.html) operation.

**Success**  
On success, the operation returns the ARN of the new CA.

```
{
   "version":"0",
   "id":"event_ID",
   "detail-type":"ACM Private CA Creation",
   "source":"aws.acm-pca",
   "account":"account",
   "time":"2019-11-04T19:14:56Z",
   "region":"region",
   "resources":[
      "arn:aws:acm-pca:us-east-1:111122223333:certificate-authority/11223344-1234-1122-2233-112233445566"
   ],
   "detail":{
      "result":"success"
   }
}
```

**Failure**  
On failure, the operation returns an ARN for the CA. Using the ARN, you can call [DescribeCertificateAuthority](https://docs.aws.amazon.com/privateca/latest/APIReference/API_DescribeCertificateAuthority.html) to determine the status of the CA.

```
{
   "version":"0",
   "id":"event_ID",
   "detail-type":"ACM Private CA Creation",
   "source":"aws.acm-pca",
   "account":"account",
   "time":"2019-11-04T19:14:56Z",
   "region":"region",
   "resources":[
      "arn:aws:acm-pca:us-east-1:111122223333:certificate-authority/11223344-1234-1122-2233-112233445566"
   ],
   "detail":{
      "result":"failure"
   }
}
```

## Success or failure when issuing a certificate
<a name="cwe-issue-cert"></a>

These events are triggered by the [IssueCertificate](https://docs.aws.amazon.com/privateca/latest/APIReference/API_IssueCertificate.html) operation.

**Success**  
On success, the operation returns the ARNs of the CA and of the new certificate.

```
{
   "version":"0",
   "id":"event_ID",
   "detail-type":"ACM Private CA Certificate Issuance",
   "source":"aws.acm-pca",
   "account":"account",
   "time":"2019-11-04T19:57:46Z",
   "region":"region",
   "resources":[
      "arn:aws:acm-pca:us-east-1:111122223333:certificate-authority/11223344-1234-1122-2233-112233445566",
      "arn:aws:acm-pca:region:account:certificate-authority/CA_ID/certificate/certificate_ID"
   ],
   "detail":{
      "result":"success"
   }
}
```

**Failure**  
On failure, the operation returns a certificate ARN and the ARN of the CA. With the certificate ARN, you can call [GetCertificate](https://docs.aws.amazon.com/acm/latest/APIReference/API_GetCertificate.html) to view the reason for the failure.

```
{
   "version":"0",
   "id":"event_ID",
   "detail-type":"ACM Private CA Certificate Issuance",
   "source":"aws.acm-pca",
   "account":"account",
   "time":"2019-11-04T19:57:46Z",
   "region":"region",
   "resources":[
      "arn:aws:acm-pca:us-east-1:111122223333:certificate-authority/11223344-1234-1122-2233-112233445566",
      "arn:aws:acm-pca:region:account:certificate-authority/CA_ID/certificate/certificate_ID"
   ],
   "detail":{
      "result":"failure"
   }
}
```

## Success when revoking a certificate
<a name="cwe-revocation"></a>

This event is triggered by the [RevokeCertificate](https://docs.aws.amazon.com/privateca/latest/APIReference/API_RevokeCertificate.html) operation.

No event is sent if the revocation fails or if the certificate has already been revoked.

**Success**  
On success, the operation returns the ARNs of the CA and of the revoked certificate.

```
{
   "version":"0",
   "id":"event_ID",
   "detail-type":"ACM Private CA Certificate Revocation",
   "source":"aws.acm-pca",
   "account":"account",
   "time":"2019-11-05T20:25:19Z",
   "region":"region",
   "resources":[
      "arn:aws:acm-pca:us-east-1:111122223333:certificate-authority/11223344-1234-1122-2233-112233445566",
      "arn:aws:acm-pca:region:account:certificate-authority/CA_ID/certificate/certificate_ID"
   ],
   "detail":{
      "result":"success"
   }
}
```

## Success or failure when generating a CRL
<a name="cwe-CRL"></a>

These events are triggered by the [RevokeCertificate](https://docs.aws.amazon.com/privateca/latest/APIReference/API_RevokeCertificate.html) operation, which should result in the creation of a certificate revocation list (CRL).

**Success**  
On success, the operation returns the ARN of the CA associated with the CRL.

```
{
   "version":"0",
   "id":"event_ID",
   "detail-type":"ACM Private CA CRL Generation",
   "source":"aws.acm-pca",
   "account":"account",
   "time":"2019-11-04T21:07:08Z",
   "region":"region",
   "resources":[
      "arn:aws:acm-pca:us-east-1:111122223333:certificate-authority/11223344-1234-1122-2233-112233445566"
   ],
   "detail":{
      "result":"success"
   }
}
```

**Failure 1 – CRL could not be saved to Amazon S3 because of a permission error**  
Check your Amazon S3 bucket permissions if this error occurs. 

```
{
   "version":"0",
   "id":"event_ID",
   "detail-type":"ACM Private CA CRL Generation",
   "source":"aws.acm-pca",
   "account":"account",
   "time":"2019-11-07T23:01:25Z",
   "region":"region",
   "resources":[
      "arn:aws:acm-pca:us-east-1:111122223333:certificate-authority/11223344-1234-1122-2233-112233445566"
   ],
   "detail":{
      "result":"failure",
      "reason":"Failed to write CRL to S3. Check your S3 bucket permissions."
   }
}
```

**Failure 2 – CRL could not be saved to Amazon S3 because of an internal error**  
Retry the operation if this error occurs.

```
{
   "version":"0",
   "id":"event_ID",
   "detail-type":"ACM Private CA CRL Generation",
   "source":"aws.acm-pca",
   "account":"account",
   "time":"2019-11-07T23:01:25Z",
   "region":"region",
   "resources":[
      "arn:aws:acm-pca:us-east-1:111122223333:certificate-authority/11223344-1234-1122-2233-112233445566"
   ],
   "detail":{
      "result":"failure",
      "reason":"Failed to write CRL to S3. Internal failure."
   }
}
```

**Failure 3 – AWS Private CA failed to create a CRL**  
To troubleshoot this error, check your [CloudWatch metrics](https://docs.aws.amazon.com/privateca/latest/APIReference/PcaCloudWatch.html).

```
{
   "version":"0",
   "id":"event_ID",
   "detail-type":"ACM Private CA CRL Generation",
   "source":"aws.acm-pca",
   "account":"account",
   "time":"2019-11-07T23:01:25Z",
   "region":"region",
   "resources":[
      "arn:aws:acm-pca:us-east-1:111122223333:certificate-authority/11223344-1234-1122-2233-112233445566"
   ],
   "detail":{
      "result":"failure",
      "reason":"Failed to generate CRL. Internal failure."
   }
}
```

## Success or failure when creating a CA audit report
<a name="cwe-audit"></a>

These events are triggered by the [CreateCertificateAuthorityAuditReport](https://docs.aws.amazon.com/privateca/latest/APIReference/API_CreateCertificateAuthorityAuditReport.html) operation.

**Success**  
On success, the operation returns the ARN of the CA and the ID of the audit report.

```
{
   "version":"0",
   "id":"event_ID",
   "detail-type":"ACM Private CA Audit Report Generation",
   "source":"aws.acm-pca",
   "account":"account",
   "time":"2019-11-04T21:54:20Z",
   "region":"region",
   "resources":[
      "arn:aws:acm-pca:us-east-1:111122223333:certificate-authority/11223344-1234-1122-2233-112233445566",
      "audit_report_ID"
   ],
   "detail":{
      "result":"success"
   }
}
```

**Failure**  
An audit report can fail when AWS Private CA lacks `PUT` permissions on your Amazon S3 bucket, when encryption is enabled on the bucket, or for other reasons.

```
{
   "version":"0",
   "id":"event_ID",
   "detail-type":"ACM Private CA Audit Report Generation",
   "source":"aws.acm-pca",
   "account":"account",
   "time":"2019-11-04T21:54:20Z",
   "region":"region",
   "resources":[
      "arn:aws:acm-pca:us-east-1:111122223333:certificate-authority/11223344-1234-1122-2233-112233445566",
      "audit_report_ID"
   ],
   "detail":{
      "result":"failure"
   }
}
```
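The events in this topic can be turned into follow-up actions by a small handler. The following is an added example, not part of the AWS documentation: it drops redeliveries (events are published at least once) and maps each failure to the remediation this page names. The sample events are constructed, the CA ARN is the page's placeholder, and `triage`, `sample_event` and `run_samples` are hypothetical names.

```python
SOURCE = "aws.acm-pca"
P = "ACM Private CA "
CRL = P + "CRL Generation"
CA_ARN = ("arn:aws:acm-pca:us-east-1:111122223333:certificate-authority/"
          "11223344-1234-1122-2233-112233445566")  # placeholder ARN from this page

# Follow-up for a "failure" result per detail-type, paraphrased from this page.
ON_FAILURE = {
    P + "Creation": "Call DescribeCertificateAuthority to determine the CA status.",
    P + "Certificate Issuance": "Call GetCertificate to view the failure reason.",
    P + "Audit Report Generation": "Check S3 bucket PUT permissions and encryption.",
    CRL: None,  # resolved from detail.reason below
    P + "Certificate Revocation": None,  # failed revocations send no event
}
# CRL generation failures differ only in detail.reason.
CRL_REASONS = {
    "Failed to write CRL to S3. Check your S3 bucket permissions.":
        "Check the S3 bucket permissions.",
    "Failed to write CRL to S3. Internal failure.": "Retry the operation.",
    "Failed to generate CRL. Internal failure.":
        "Check the AWS Private CA CloudWatch metrics.",
}


def triage(event, seen_ids):
    """Return a finding dict, or None for foreign, unknown or duplicate events."""
    detail_type = event.get("detail-type")
    if event.get("source") != SOURCE or detail_type not in ON_FAILURE:
        return None
    # Events are published at least once, so drop redeliveries by event id.
    if event.get("id") in seen_ids:
        return None
    seen_ids.add(event.get("id"))
    detail = event.get("detail") or {}
    result, action = detail.get("result"), None
    if result == "failure":
        if detail_type == CRL:
            action = CRL_REASONS.get(detail.get("reason"))
        else:
            action = ON_FAILURE[detail_type]
        action = action or "Unrecognized failure; review the event manually."
    elif result != "success":
        action = "Unexpected result value; review the event manually."
    resources = event.get("resources") or []
    # The CA ARN is the resource without a /certificate/ suffix.
    ca = next((r for r in resources
               if ":certificate-authority/" in r and "/certificate/" not in r), None)
    return {"id": event.get("id"), "operation": detail_type, "result": result,
            "ca_arn": ca, "related": [r for r in resources if r != ca],
            "action": action}


def sample_event(event_id, detail_type, detail, extra=()):
    """Build a constructed event shaped like the examples on this page."""
    return {"version": "0", "id": event_id, "detail-type": detail_type,
            "source": SOURCE, "resources": [CA_ARN, *extra], "detail": detail}


CRL_DENIED = {"result": "failure",
              "reason": "Failed to write CRL to S3. Check your S3 bucket permissions."}
SAMPLES = [
    sample_event("evt-1", CRL, CRL_DENIED),
    sample_event("evt-1", CRL, CRL_DENIED),  # redelivery of the same event
    sample_event("evt-2", P + "Certificate Issuance", {"result": "failure"},
                 extra=(CA_ARN + "/certificate/certificate_ID",)),
    sample_event("evt-3", P + "Audit Report Generation", {"result": "success"},
                 extra=("audit_report_ID",)),
    {"id": "evt-4", "source": "aws.ec2", "detail-type": "other", "detail": {}},
]


def run_samples():
    seen = set()
    return [f for f in (triage(e, seen) for e in SAMPLES) if f]
```

In a Lambda target the `seen_ids` set does not survive between invocations, so a deployment would keep the event IDs in a shared store.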

# Logging AWS Private Certificate Authority API calls using AWS CloudTrail
<a name="logging-using-cloudtrail-pca"></a>

AWS Private Certificate Authority is integrated with AWS CloudTrail, a service that provides a record of actions taken by a user, role, or an AWS service in AWS Private CA. CloudTrail captures API calls and signing operations for AWS Private CA as events. The calls captured include calls from the AWS Private CA console and code calls to the AWS Private CA API operations. If you create a trail, you can enable continuous delivery of CloudTrail events to an Amazon S3 bucket, including events for AWS Private CA. If you don't configure a trail, you can still view the most recent events in the CloudTrail console in **Event history**. Using the information collected by CloudTrail, you can determine the request that was made to AWS Private CA, the IP address from which the request was made, who made the request, when it was made, and additional details.

To learn more about CloudTrail, see the [AWS CloudTrail User Guide](https://docs.aws.amazon.com/awscloudtrail/latest/userguide/cloudtrail-user-guide.html).

## AWS Private CA information in CloudTrail
<a name="service-name-info-in-cloudtrail"></a>

CloudTrail is enabled on your AWS account when you create the account. When activity occurs in AWS Private CA, that activity is recorded in a CloudTrail event along with other AWS service events in **Event history**. You can view, search, and download recent events in your AWS account. For more information, see [Viewing events with CloudTrail Event history](https://docs.aws.amazon.com/awscloudtrail/latest/userguide/view-cloudtrail-events.html).

For an ongoing record of events in your AWS account, including events for AWS Private CA, create a trail. A *trail* enables CloudTrail to deliver log files to an Amazon S3 bucket. By default, when you create a trail in the console, the trail applies to all AWS Regions. The trail logs events from all Regions in the AWS partition and delivers the log files to the Amazon S3 bucket that you specify. Additionally, you can configure other AWS services to further analyze and act upon the event data collected in CloudTrail logs. For more information, see the following:
+ [Overview for creating a trail](https://docs.aws.amazon.com/awscloudtrail/latest/userguide/cloudtrail-create-and-update-a-trail.html)
+ [CloudTrail supported services and integrations](https://docs.aws.amazon.com/awscloudtrail/latest/userguide/cloudtrail-aws-service-specific-topics.html)
+ [Configuring Amazon SNS notifications for CloudTrail](https://docs.aws.amazon.com/awscloudtrail/latest/userguide/configure-sns-notifications-for-cloudtrail.html)
+ [Receiving CloudTrail log files from multiple regions](https://docs.aws.amazon.com/awscloudtrail/latest/userguide/receive-cloudtrail-log-files-from-multiple-regions.html) and [Receiving CloudTrail log files from multiple accounts](https://docs.aws.amazon.com/awscloudtrail/latest/userguide/cloudtrail-receive-logs-from-multiple-accounts.html)

All AWS Private CA actions are logged by CloudTrail and are documented in the [AWS Private CA API reference](https://docs.aws.amazon.com/privateca/latest/APIReference/Welcome.html). For example, calls to the `ImportCACertificate`, `IssueCertificate` and `CreateAuditReport` actions generate entries in the CloudTrail log files.

Every event or log entry contains information about who generated the request. The identity information helps you determine the following:
+ Whether the request was made with root or AWS Identity and Access Management (IAM) user credentials.
+ Whether the request was made with temporary security credentials for a role or federated user.
+ Whether the request was made by another AWS service.

For more information, see the [CloudTrail userIdentity element](https://docs.aws.amazon.com/awscloudtrail/latest/userguide/cloudtrail-event-reference-user-identity.html).

## AWS Private CA management events
<a name="pca-management-events"></a>

AWS Private CA integrates with CloudTrail to record API actions made by a user, a role, or an AWS service in AWS Private CA. You can use CloudTrail to monitor AWS Private CA API requests in real time and store logs in Amazon Simple Storage Service, Amazon CloudWatch Logs, and Amazon CloudWatch Events. AWS Private CA supports logging the following actions and operations as events in CloudTrail log files:
+ [CreateCertificateAuthority](https://docs.aws.amazon.com/privateca/latest/APIReference/API_CreateCertificateAuthority.html)
+ [CreateCertificateAuthorityAuditReport](https://docs.aws.amazon.com/privateca/latest/APIReference/API_CreateCertificateAuthorityAuditReport.html)
+ [CreatePermission](https://docs.aws.amazon.com/privateca/latest/APIReference/API_CreatePermission.html)
+ [DeleteCertificateAuthority](https://docs.aws.amazon.com/privateca/latest/APIReference/API_DeleteCertificateAuthority.html)
+ [DeletePermission](https://docs.aws.amazon.com/privateca/latest/APIReference/API_DeletePermission.html)
+ [DeletePolicy](https://docs.aws.amazon.com/privateca/latest/APIReference/API_DeletePolicy.html)
+ [DescribeCertificateAuthority](https://docs.aws.amazon.com/privateca/latest/APIReference/API_DescribeCertificateAuthority.html)
+ [DescribeCertificateAuthorityReport](https://docs.aws.amazon.com/privateca/latest/APIReference/API_DescribeCertificateAuthorityReport.html)
+ [GetCertificate](https://docs.aws.amazon.com/privateca/latest/APIReference/API_GetCertificate.html)
+ [GetCertificateAuthorityCertificate](https://docs.aws.amazon.com/privateca/latest/APIReference/API_GetCertificateAuthorityCertificate.html)
+ [GetCertificateAuthorityCsr](https://docs.aws.amazon.com/privateca/latest/APIReference/API_GetCertificateAuthorityCsr.html)
+ [GetPolicy](https://docs.aws.amazon.com/privateca/latest/APIReference/API_API_GetPolicy.html)
+ [ImportCertificateAuthorityCertificate](https://docs.aws.amazon.com/privateca/latest/APIReference/API_ImportCertificateAuthorityCertificate.html)
+ [IssueCertificate](https://docs.aws.amazon.com/privateca/latest/APIReference/API_IssueCertificate.html)
+ [ListCertificateAuthorities](https://docs.aws.amazon.com/privateca/latest/APIReference/API_ListCertificateAuthorities.html)
+ [ListPermissions](https://docs.aws.amazon.com/privateca/latest/APIReference/API_ListPermissions.html)
+ [ListTags](https://docs.aws.amazon.com/privateca/latest/APIReference/API_ListTags.html)
+ [PutPolicy](https://docs.aws.amazon.com/privateca/latest/APIReference/API_PutPolicy.html)
+ [RestoreCertificateAuthority](https://docs.aws.amazon.com/privateca/latest/APIReference/API_RestoreCertificateAuthority.html)
+ [RevokeCertificate](https://docs.aws.amazon.com/privateca/latest/APIReference/API_RevokeCertificate.html)
+ [TagCertificateAuthority](https://docs.aws.amazon.com/privateca/latest/APIReference/API_TagCertificateAuthority.html)
+ [UntagCertificateAuthority](https://docs.aws.amazon.com/privateca/latest/APIReference/API_UntagCertificateAuthority.html)
+ [UpdateCertificateAuthority](https://docs.aws.amazon.com/privateca/latest/APIReference/API_UpdateCertificateAuthority.html)
+ `GenerateOCSPResponse` - Triggered when AWS Private CA generates an OCSP response.
+ `SignCertificate` - Generated when your client calls [IssueCertificate](https://docs.aws.amazon.com/privateca/latest/APIReference/API_IssueCertificate.html).
+ `SignOCSPResponse` - Generated when AWS Private CA signs an OCSP response.
+ `GenerateCRL` - Generated when AWS Private CA generates a certificate revocation list (CRL).
+ `SignCACSR` - Generated when AWS Private CA signs a certificate authority (CA) certificate signing request (CSR).
+ `SignCRL` - Generated when AWS Private CA signs a CRL.

## Example AWS Private CA events
<a name="understanding-service-name-entries-pca"></a>

A trail is a configuration that enables delivery of events as log files to an Amazon S3 bucket that you specify. CloudTrail log files contain one or more log entries. An event represents a single request from any source and includes information about the requested action, the date and time of the action, request parameters, and so on. CloudTrail log files aren't an ordered stack trace of the public API calls, so they don't appear in any specific order. 

The following are examples of AWS Private CA CloudTrail events.

**Example 1: Management event, `IssueCertificate`**  
The following example shows a CloudTrail log entry that demonstrates the `IssueCertificate` action.

```
{
   "version":"0",
   "id":"event_ID",
   "detail-type":"ACM Private CA Certificate Issuance",
   "source":"aws.acm-pca",
   "account":"account",
   "time":"2019-11-04T19:57:46Z",
   "region":"region",
   "resources":[
      "arn:aws:acm-pca:us-east-1:111122223333:certificate-authority/11223344-1234-1122-2233-112233445566",
      "arn:aws:acm-pca:region:account:certificate-authority/CA_ID/certificate/certificate_ID"
   ],
   "detail":{
      "result":"success"
   }
}
```

**Example 2: Management event, `ImportCertificateAuthorityCertificate`**  
The following example shows a CloudTrail log entry that demonstrates the `ImportCertificateAuthorityCertificate` action.

```
{
   "eventVersion":"1.05",
   "userIdentity":{
      "type":"IAMUser",
      "principalId":"account",
      "arn":"arn:aws:iam::account:user/name",
      "accountId":"account",
      "accessKeyId":"key_ID"
   },
   "eventTime":"2018-01-26T21:53:28Z",
   "eventSource":"acm-pca.amazonaws.com",
   "eventName":"ImportCertificateAuthorityCertificate",
   "awsRegion":"region",
   "sourceIPAddress":"IP_address",
   "userAgent":"agent",
   "requestParameters":{
      "certificateAuthorityArn":"arn:aws:acm-pca:us-east-1:111122223333:certificate-authority/11223344-1234-1122-2233-112233445566",
      "certificate":{
         "hb":[
            45,
            45,
            ...10
         ],
         "offset":0,
         "isReadOnly":false,
         "bigEndian":true,
         "nativeByteOrder":false,
         "mark":-1,
         "position":1257,
         "limit":1257,
         "capacity":1257,
         "address":0
      },
      "certificateChain":{
         "hb":[
            45,
            45,
            ...10
         ],
         "offset":0,
         "isReadOnly":false,
         "bigEndian":true,
         "nativeByteOrder":false,
         "mark":-1,
         "position":1139,
         "limit":1139,
         "capacity":1139,
         "address":0
      }
   },
   "responseElements":null,
   "requestID":"request_ID",
   "eventID":"event_ID",
   "eventType":"AwsApiCall",
   "recipientAccountId":"account"
}
```
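The identity and action fields described in this topic can drive a simple review of a delivered log file. The following is an added example, not AWS code: it assumes the standard `Records` array of a CloudTrail log file and the event source `acm-pca.amazonaws.com`. The watchlist of actions, the sample records and the function names are constructed for illustration.

```python
import json

EVENT_SOURCE = "acm-pca.amazonaws.com"
# Assumed watchlist for this example: actions from the page's list that change
# CA state, trust material, or who may use the CA.
WATCHLIST = {
    "DeleteCertificateAuthority", "RestoreCertificateAuthority",
    "UpdateCertificateAuthority", "ImportCertificateAuthorityCertificate",
    "CreatePermission", "DeletePermission", "PutPolicy", "DeletePolicy",
}
# userIdentity.type values mapped to the identity questions the page lists.
IDENTITY_KIND = {
    "Root": "root", "IAMUser": "iam-user", "AssumedRole": "temporary-credentials",
    "FederatedUser": "temporary-credentials", "AWSService": "aws-service",
}


def review(log_file_text):
    """Return findings for AWS Private CA records, oldest first."""
    findings = []
    for rec in json.loads(log_file_text).get("Records", []):
        if rec.get("eventSource") != EVENT_SOURCE:
            continue
        identity = rec.get("userIdentity") or {}
        kind = IDENTITY_KIND.get(identity.get("type"), "other")
        reasons = []
        if kind == "root":
            reasons.append("root credentials")
        if rec.get("eventName") in WATCHLIST:
            reasons.append("watchlisted action")
        if rec.get("errorCode"):
            reasons.append("failed: " + rec["errorCode"])
        if reasons:
            findings.append({
                "time": rec.get("eventTime", ""), "action": rec.get("eventName"),
                "identity": kind, "principal": identity.get("arn"),
                "source_ip": rec.get("sourceIPAddress"), "reasons": reasons,
            })
    # Log files are not ordered; ISO 8601 UTC timestamps sort as strings.
    return sorted(findings, key=lambda f: f["time"])


def record(time, name, id_type, arn, source=EVENT_SOURCE, **extra):
    """Build a constructed CloudTrail record with only the fields used here."""
    return {"eventVersion": "1.05", "eventTime": time, "eventSource": source,
            "eventName": name, "sourceIPAddress": "198.51.100.7",
            "userIdentity": {"type": id_type, "arn": arn}, **extra}


USER = "arn:aws:iam::111122223333:user/name"
ROLE = "arn:aws:sts::111122223333:assumed-role/app/session"
SAMPLE_LOG = json.dumps({"Records": [
    record("2018-01-26T21:53:28Z", "ImportCertificateAuthorityCertificate",
           "IAMUser", USER),
    record("2018-01-26T21:40:00Z", "IssueCertificate", "AssumedRole", ROLE),
    record("2018-01-26T21:10:00Z", "DeleteCertificateAuthority", "Root",
           "arn:aws:iam::111122223333:root"),
    record("2018-01-26T21:45:00Z", "PutPolicy", "AssumedRole", ROLE,
           errorCode="AccessDenied"),
    record("2018-01-26T21:00:00Z", "PutObject", "IAMUser", USER,
           source="s3.amazonaws.com"),
]})


def run_samples():
    return review(SAMPLE_LOG)
```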