# AWS CloudHSM audit log reference AWS CloudHSM records HSM management commands in audit log events. Each event has an operation code (`Opcode`) value that identifies the action that occurred and its response. You can use the `Opcode` values to search, sort, and filter the logs. The following table defines the `Opcode` values in an AWS CloudHSM audit log. | Operation Code (Opcode) | Description | | --- |--- | | **User Login**: These events include the user name and user type | | --- | | CN\$1LOGIN (0xd) | [User login](cloudhsm_mgmt_util-loginLogout.md) | | CN\$1LOGOUT (0xe) | [User logout](cloudhsm_mgmt_util-loginLogout.md) | | CN\$1APP\$1FINALIZE | The connection with the HSM was closed. Any session keys or quorum tokens from this connection were deleted. | | CN\$1CLOSE\$1SESSION | The session with the HSM was closed. Any session keys or quorum tokens from this session were deleted. | | **User Management**: These events include the user name and user type | | --- | | CN\$1CREATE\$1USER (0x3) | [Create a crypto user (CU)](cloudhsm_mgmt_util-createUser.md) | | CN\$1CREATE\$1CO | [Create a crypto officer (CO)](cloudhsm_mgmt_util-createUser.md) | | CN\$1DELETE\$1USER | [Delete a user](cloudhsm_mgmt_util-deleteUser.md) | | CN\$1CHANGE\$1PSWD | [Change a user password](cloudhsm_mgmt_util-changePswd.md) | | CN\$1SET\$1M\$1VALUE | Set [quorum authentication](quorum-auth-chsm-cli.md) (M of N) for a user action | | CN\$1APPROVE\$1TOKEN | Approve a [quorum authentication](quorum-auth-chsm-cli.md) token for a user action | | CN\$1DELETE\$1TOKEN | Delete one or more [quorum tokens](quorum-auth-chsm-cli.md) | | CN\$1GET\$1TOKEN | Request a signing token to initiate a [quorum operation](quorum-auth-chsm-cli.md) | | **Key Management**: These events include the key handle | | --- | | CN\$1GENERATE\$1KEY | [Generate a symmetric key](key_mgmt_util-genSymKey.md) | | CN\$1GENERATE\$1KEY\$1PAIR (0x19) | Generate an asymmetric key pair | | CN\$1CREATE\$1OBJECT | Import a public key (without wrapping) | | CN\$1MODIFY\$1OBJECT | Set a key attribute | | CN\$1DESTROY\$1OBJECT (0x11) | Deletion of a [session key](https://docs.aws.amazon.com/cloudhsm/latest/userguide/manage-key-sync.html#concepts-key-sync) | | CN\$1TOMBSTONE\$1OBJECT | Deletion of a [token key](https://docs.aws.amazon.com/cloudhsm/latest/userguide/manage-key-sync.html#concepts-key-sync) | | CN\$1SHARE\$1OBJECT | [Share or unshare a key](cloudhsm_mgmt_util-shareKey.md) | | CN\$1WRAP\$1KEY | Export an encrypted copy of a key ([wrapKey](key_mgmt_util-wrapKey.md)) | | CN\$1UNWRAP\$1KEY | Import an encrypted copy of a key ([unwrapKey](key_mgmt_util-unwrapKey.md)) | | CN\$1DERIVE\$1KEY | Derive a symmetric key from an existing key | | CN\$1NIST\$1AES\$1WRAP | Encrypt or decrypt a key with an AES key | | CN\$1INSERT\$1MASKED\$1OBJECT\$1USER | Insert an encrypted key with attributes from another HSM in the cluster. | | CN\$1EXTRACT\$1MASKED\$1OBJECT\$1USER | Wraps/encrypts a key with attributes from the HSM to be sent to another HSM in the cluster. | | **Session Management** | | --- | | CN\$1ENCRYPT\$1SESSION\$1V2 (0x107) | Establishes an authenticated end-to-end encrypted session. | | END\$1MARKER\$1OPCODE (0xffff) | Inserts an end-marker in the audit logs buffer indicating no more loggable commands are allowed on the HSM | | **Back up HSMs** | | --- | | CN\$1BACKUP\$1BEGIN | Begin the backup process | | CN\$1BACKUP\$1END | Completed the backup process | | CN\$1RESTORE\$1BEGIN | Begin restoring from a backup | | CN\$1RESTORE\$1END | Completed the restoration process from a backup | | **Certificate-Based Authentication** | | --- | | CN\$1CERT\$1AUTH\$1STORE\$1CERT | Stores the cluster certificate | | **HSM Instance Commands** | | --- | | CN\$1INIT\$1TOKEN (0x1) | Start the HSM initialization process | | CN\$1INIT\$1DONE | The HSM initialization process has finished | | CN\$1GEN\$1KEY\$1ENC\$1KEY | Generate a key encryption key (KEK) | | CN\$1GEN\$1PSWD\$1ENC\$1KEY (0x1d) | Generate a password encryption key (PEK) | | **HSM crypto commands** | | --- | | CN\$1FIPS\$1RAND | Generate a FIPS-compliant random number[1](#hsm-audit-log-note-1) | [1] Only gets logged for hsm1.medium clusters.