AWS CloudHSM now provides audit logging for management commands executed on your CloudHSM instances. These audit logs are generated on each of your HSM instances, and then delivered by CloudHSM to Amazon CloudWatch on your behalf. You can learn more about monitoring AWS CloudHSM Audit Logs in Amazon CloudWatch Logs here.

If you provisioned your AWS CloudHSM cluster prior to January 20, 2018, you will need to configure a service-linked role to enable delivery of your HSM instance audit logs to Amazon CloudWatch. Instructions on creating the service-linked role for CloudHSM are here. Other than enabling the service-linked role for CloudHSM, no action is necessary on your part to begin receiving the logs.

CloudHSM audit logs complement the two existing types of CloudHSM logs. The first is AWS CloudTrail logging, which records the API calls you make to the AWS CloudHSM service such as create-cluster or delete-hsm. The second is AWS CloudHSM Client logging, which records operations you perform on your CloudHSM instances using the CloudHSM client.

Please note this feature is for the new CloudHSM only, and does not apply to CloudHSM Classic.