View and act on justifications

This page describes how you can view and act on justifications that Key Access Justifications sends to request access to your encryption keys.

Whenever your data is encrypted or decrypted with a key held in your external key manager, Key Access Justifications sends a justification along with the request, describing the reason for the access. Software from our Cloud EKM partners lets you set a policy that automatically approves or denies each request based on the content of its justification. For more information about setting a policy, see the documentation for your chosen key manager. The following partners support Key Access Justifications:

  • Fortanix
  • Thales

Denying access can hinder the ability of Google personnel to help you with a contracted service.

  • Denying access for requests with reasons of CUSTOMER_INITIATED_ACCESS, MODIFIED_CUSTOMER_INITIATED_ACCESS, GOOGLE_INITIATED_SYSTEM_OPERATION, or MODIFIED_GOOGLE_INITIATED_SYSTEM_OPERATION results in your service becoming unavailable.

  • Denying access for requests with the reason of CUSTOMER_INITIATED_SUPPORT limits the ability of Google personnel to respond to support tickets on the rare occasion that a ticket requires access to sensitive customer information (support tickets typically do not require this access, and our frontline support personnel do not have it).

  • Denying access for requests with the reason of GOOGLE_INITIATED_SERVICE reduces service availability and reliability and inhibits Google's ability to recover from outages.

The Key Access Justifications reason codes, such as those listed above, cover different scenarios than the Access Transparency reason codes. The two sets are not interchangeable, so don't try to map one onto the other.

Viewing justifications in the Google Cloud console

You can also use the Google Cloud console to view the justifications that Key Access Justifications sends to your external key manager when your data is accessed. To see them there, you first need to enable Cloud Audit Logs (Data Access logs) for Cloud KMS on the project that contains the key used for the operation.

After you have completed the setup, Cloud Audit Logs also include the justification that accompanied the external request for each cryptographic operation. The justification appears in the Data Access logs for the key resource, in the metadata entries of protoPayload. For more information on these fields, see Understanding audit logs. For more information about using Cloud Audit Logs with Cloud KMS, see Cloud KMS audit logging information.

Note that, unlike the justification shared with the external key manager, the justification in Cloud Audit Logs cannot be used to approve or deny the associated cryptographic operation: Google Cloud writes the log entry only after the operation has completed. The logs in Google Cloud are therefore suitable for record keeping and after-the-fact review, not for enforcement. Enforcement belongs in the policy of your external key manager, which sees the justification before the operation proceeds.
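The following is an added example, not code from the Key Access Justifications documentation or from any Cloud EKM partner. It covers both of the practical tasks on this page: reviewing the justifications recorded in Cloud KMS Data Access audit logs, and relating each reason code to the availability impact that denying it would have, as described in the list above. It assumes that the entries are the JSON objects printed by `gcloud logging read --format=json` and that the reason code sits at `protoPayload.metadata.justification.reason`; that path is an assumption, not confirmed by this page, and is isolated in one constant so you can adjust it to what your logs actually show. The sample entries are constructed.

```python
"""Summarize Key Access Justifications reason codes from Cloud KMS audit log entries.

Added example, not part of the Key Access Justifications documentation.
ASSUMPTIONS (not confirmed by the page): entries are the JSON objects written by
    gcloud logging read 'resource.type="cloudkms_cryptokey" AND
        logName:"cloudaudit.googleapis.com%2Fdata_access"' --format=json > entries.json
and the reason code lives at protoPayload.metadata.justification.reason.
Adjust JUSTIFICATION_PATH if your entries place it elsewhere.
"""
import json
import sys
from collections import Counter

# Effect of denying each reason code, as stated in the documentation above.
IMPACT = {
    "CUSTOMER_INITIATED_ACCESS": "service unavailable if denied",
    "MODIFIED_CUSTOMER_INITIATED_ACCESS": "service unavailable if denied",
    "GOOGLE_INITIATED_SYSTEM_OPERATION": "service unavailable if denied",
    "MODIFIED_GOOGLE_INITIATED_SYSTEM_OPERATION": "service unavailable if denied",
    "CUSTOMER_INITIATED_SUPPORT": "limits support on tickets that need sensitive data",
    "GOOGLE_INITIATED_SERVICE": "reduces availability/reliability and outage recovery",
}

# ASSUMED location of the reason code inside one audit log entry.
JUSTIFICATION_PATH = ("protoPayload", "metadata", "justification", "reason")

# Constructed sample entries (not real log data). The third has no justification,
# e.g. an operation on a key that is not externally managed; the fourth is not KMS.
SAMPLE_ENTRIES = [
    {"timestamp": "2024-05-01T10:00:00Z",
     "logName": "projects/my-project/logs/cloudaudit.googleapis.com%2Fdata_access",
     "protoPayload": {"serviceName": "cloudkms.googleapis.com", "methodName": "Encrypt",
                      "resourceName": "projects/my-project/locations/us/keyRings/kr/cryptoKeys/ekm-key",
                      "metadata": {"justification": {"reason": "CUSTOMER_INITIATED_ACCESS"}}}},
    {"timestamp": "2024-05-01T10:05:00Z",
     "logName": "projects/my-project/logs/cloudaudit.googleapis.com%2Fdata_access",
     "protoPayload": {"serviceName": "cloudkms.googleapis.com", "methodName": "Decrypt",
                      "resourceName": "projects/my-project/locations/us/keyRings/kr/cryptoKeys/ekm-key",
                      "metadata": {"justification": {"reason": "GOOGLE_INITIATED_SERVICE"}}}},
    {"timestamp": "2024-05-01T10:07:00Z",
     "logName": "projects/my-project/logs/cloudaudit.googleapis.com%2Fdata_access",
     "protoPayload": {"serviceName": "cloudkms.googleapis.com", "methodName": "Decrypt",
                      "resourceName": "projects/my-project/locations/us/keyRings/kr/cryptoKeys/local-key"}},
    {"timestamp": "2024-05-01T10:09:00Z",
     "logName": "projects/my-project/logs/cloudaudit.googleapis.com%2Fdata_access",
     "protoPayload": {"serviceName": "storage.googleapis.com", "methodName": "storage.objects.get"}},
]


def get_path(obj, path):
    """Walk a tuple of keys through nested dicts; None if any step is missing."""
    for key in path:
        if not isinstance(obj, dict) or key not in obj:
            return None
        obj = obj[key]
    return obj


def is_kms_data_access(entry):
    """True for Cloud KMS Data Access audit entries, where justifications are recorded."""
    log_name = entry.get("logName", "")
    service = get_path(entry, ("protoPayload", "serviceName"))
    return (log_name.endswith("cloudaudit.googleapis.com%2Fdata_access")
            and service == "cloudkms.googleapis.com")


def extract_justifications(entries):
    """One row per KMS data-access entry: time, method, key, reason and denial impact."""
    rows = []
    for entry in entries:
        if not is_kms_data_access(entry):
            continue
        reason = get_path(entry, JUSTIFICATION_PATH) or "MISSING"
        rows.append({
            "time": entry.get("timestamp"),
            "method": get_path(entry, ("protoPayload", "methodName")),
            "key": get_path(entry, ("protoPayload", "resourceName")),
            "reason": reason,
            # Unknown codes are flagged rather than silently categorized.
            "impact": IMPACT.get(reason, "unknown or missing reason code: review manually"),
        })
    return rows


def summarize(entries):
    """Return the extracted rows plus a count of each reason code seen."""
    rows = extract_justifications(entries)
    return rows, Counter(row["reason"] for row in rows)


if __name__ == "__main__":
    # Usage: python kaj_review.py entries.json   (falls back to the constructed samples)
    entries = json.load(open(sys.argv[1])) if len(sys.argv) > 1 else SAMPLE_ENTRIES
    rows, counts = summarize(entries)
    for row in rows:
        print(f"{row['time']} {row['method']:<8} {row['reason']:<42} {row['impact']}")
    print("\nreason code counts:", dict(counts))
```

Because the audit log is written after the operation completes, this script is a review tool only: use its per-reason counts to check that your external key manager's policy denies nothing that appears under a "service unavailable if denied" code unless that outcome is intended, and to spot operations that arrived with no justification at all.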