By default, Eventarc encrypts customer content at rest. Eventarc handles encryption for you without any additional actions on your part. This option is called Google default encryption.
If you want to control your encryption keys, then you can use customer-managed encryption keys (CMEKs) in Cloud KMS with CMEK-integrated services including Eventarc. Using Cloud KMS keys gives you control over their protection level, location, rotation schedule, usage and access permissions, and cryptographic boundaries. Using Cloud KMS also lets you view audit logs and control key life cycles. Instead of Google owning and managing the symmetric key encryption keys (KEKs) that protect your data, you control and manage these keys in Cloud KMS.
After you set up your resources with CMEKs, the experience of accessing your Eventarc resources is similar to using Google default encryption. For more information about your encryption options, see Customer-managed encryption keys (CMEK).
Customer-managed encryption keys are stored as software keys, in a Cloud HSM cluster, or externally using Cloud External Key Manager.
What is protected with CMEK
You can configure CMEK to encrypt the event messages that pass through the following Eventarc Advanced resources:
MessageBus—An Eventarc Advanced busPipeline—An Eventarc Advanced pipelineGoogleApiSource—An Eventarc Advanced resource which represents a subscription to Google API events for a particular bus
For more information, see the Eventarc Advanced overview.
When you enable CMEK for a resource, it protects the data associated with the resource in that region by using an encryption key that only you can access.
Cloud KMS and Eventarc are regionalized services. The region for the Cloud KMS key and the protected Eventarc Advanced resource must be the same.
Before you begin
Before using this feature in Eventarc, you must perform the following actions:
Console
-
Enable the Cloud KMS and Eventarc APIs.
- Create a key ring.
- Create a key for a specified key ring.
gcloud
- Update
gcloudcomponents.gcloud components update
- Enable the Cloud KMS and Eventarc APIs for
the project that will store your
encryption keys.
gcloud services enable cloudkms.googleapis.com eventarc.googleapis.com
- Create a key ring.
- Create a key for a specified key ring.
For information on all flags and possible values, run the command with the
--help flag.
Grant the Eventarc service account access to a key
To grant the Eventarc service account access to the Cloud KMS key, add the service account as a principal of the key, and grant the service account the Cloud KMS CryptoKey Encrypter/Decrypter role:
Console
When you enable CMEK for a bus or pipeline using the Google Cloud console, you are prompted to grant the Cloud KMS CryptoKey Encrypter/Decrypter role to the service account. For more information, in this document, see Enable CMEK for a bus or Enable CMEK for a pipeline.
gcloud
gcloud kms keys add-iam-policy-binding KEY_NAME \ --keyring KEY_RING \ --location REGION \ --member serviceAccount:SERVICE_AGENT_EMAIL \ --role roles/cloudkms.cryptoKeyEncrypterDecrypter
Replace the following:
KEY_NAME: the name of the key—for example,my-keyKEY_RING: the name of the key ring—for example,my-keyringREGION: the location of the key—for example,us-central1SERVICE_AGENT_EMAIL: the email address of the service account with theeventarc.serviceAgentroleFor example,
service-PROJECT_NUMBER@gcp-sa-eventarc.iam.gserviceaccount.com. For more information, see Service agents.
Enable CMEK for a bus
When you enable CMEK for an Eventarc Advanced bus, all messages that pass through the bus are fully encrypted with that CMEK key.
Console
In the Google Cloud console, go to the Eventarc > Bus page.
You can create a bus or, if you are updating a bus, click the name of the bus.
In the Bus details page, click Edit.
In the Edit bus page, for Encryption, select Cloud KMS key.
In the Key type list, select a method to manage your keys.
You can manage your keys manually or you can use Autokey which lets you generate key rings and keys on-demand. If the Autokey option is disabled, it isn't yet integrated with the current resource type.
In the Select a Cloud KMS key list, select a key.
Optional: To manually enter the resource name of the key, in the Select a Cloud KMS key list, click Enter key manually, and enter the key name in the specified format.
If prompted, grant the
cloudkms.cryptoKeyEncrypterDecrypterrole to the Eventarc Service Agent.Click Save.
gcloud
Use the
gcloud beta eventarc message-buses update
command to enable CMEK for your bus:
gcloud beta eventarc message-buses update BUS_NAME \ --location=REGION \ --crypto-key=KEY
Replace the following:
BUS_NAME: the ID or fully qualified identifier of your busREGION: a supported Eventarc Advanced locationKEY: the fully qualified Cloud KMS key name in the formatprojects/PROJECT_NAME/locations/REGION/keyRings/RING_NAME/cryptoKeys/KEY_NAMEThe
REGIONof the key must match the location of the bus to be protected.
Verify Cloud KMS usage
Verify that the bus is now CMEK-compliant.
Console
In the Google Cloud console, go to the Eventarc > Bus page.
Click the name of the bus that you have protected using CMEK.
On the Bus details page, the Encryption status indicates the customer-managed encryption key in use. You can click the key to go to it in the Security Command Center.
Otherwise, the status message is
Event messages encrypted using Google-managed encryption keys.
gcloud
Use the
gcloud beta eventarc message-buses describe
command to describe your bus:
gcloud beta eventarc message-buses describe BUS_NAME \ --location=REGION
The output should be similar to the following:
cryptoKeyName: projects/PROJECT_ID/locations/REGION/keyRings/RING_NAME/cryptoKeys/KEY_NAME name: projects/PROJECT_ID/locations/REGION/messageBuses/BUS_NAME updateTime: '2022-06-28T17:24:56.365866104Z'
The cryptokeyName value shows the Cloud KMS key used for the
bus.
Disable CMEK for a bus
You can disable the CMEK protection associated with a bus. The events that are delivered through the bus are still protected by Google-owned and Google-managed encryption keys.
Console
In the Google Cloud console, go to the Eventarc > Bus page.
Click the name of the bus.
In the Bus details page, click Edit.
On the Edit bus page, for Encryption, select Google-managed encryption key.
Click Save.
gcloud
Use the
gcloud beta eventarc message-buses update
command to disable CMEK for your bus:
gcloud beta eventarc message-buses update BUS_NAME \ --location=REGION \ --clear-crypto-key
Enable CMEK for a pipeline
When you enable CMEK for an Eventarc Advanced pipeline, all messages that pass through the pipeline are fully encrypted with that CMEK key.
Console
In the Google Cloud console, go to the Eventarc > Pipelines page.
You can create a pipeline or, if you are updating a pipeline, click the name of the pipeline.
In the Pipeline details page, click Edit.
In the Edit pipeline page, for Encryption, select Cloud KMS key.
In the Key type list, select a method to manage your keys.
You can manage your keys manually or you can use Autokey which lets you generate key rings and keys on-demand. If the Autokey option is disabled, it isn't yet integrated with the current resource type.
In the Select a Cloud KMS key list, select a key.
Optional: To manually enter the resource name of the key, in the Select a Cloud KMS key list, click Enter key manually, and enter the key name in the specified format.
If prompted, grant the
cloudkms.cryptoKeyEncrypterDecrypterrole to the Eventarc Service Agent.Click Save.
gcloud
Use the
gcloud beta eventarc pipelines update
command to enable CMEK for a pipeline:
gcloud beta eventarc pipelines update PIPELINE_NAME \ --location=REGION \ --crypto-key=KEY
Replace the following:
PIPELINE_NAME: the ID or fully qualified identifier of your pipelineREGION: a supported Eventarc Advanced locationKEY: the fully qualified Cloud KMS key name in the formatprojects/PROJECT_NAME/locations/REGION/keyRings/RING_NAME/cryptoKeys/KEY_NAMEThe
REGIONof the key must match the location of the pipeline to be protected.
Verify Cloud KMS usage
Verify that the pipeline is now CMEK-compliant.
Console
In the Google Cloud console, go to the Eventarc > Pipelines page.
Click the name of the pipeline that you have protected using CMEK.
On the Pipeline details page, the Encryption status indicates the customer-managed encryption key in use. You can click the key to go to it in the Security Command Center.
Otherwise, the status message is
Event messages encrypted using Google-managed encryption keys.
gcloud
Use the
gcloud beta eventarc pipelines describe
command to verify CMEK for your pipeline:
gcloud beta eventarc pipelines describe PIPELINE_NAME \ --location=REGION
The output should be similar to the following:
createTime: '2022-06-28T18:05:52.403999904Z' cryptoKeyName: projects/PROJECT_ID/locations/REGION/keyRings/RING_NAME/cryptoKeys/KEY_NAME destinations: ... name: projects/PROJECT_ID/locations/REGION/pipelines/PIPELINE_NAME uid: 5ea277f9-b4b7-4e7f-a8e0-6ca9d7204fa3 updateTime: '2022-06-28T18:09:18.650727516Z'
The cryptokeyName value shows the Cloud KMS key used for the
pipeline.
Disable CMEK for a pipeline
You can disable the CMEK protection associated with a pipeline. The events that are delivered through the pipeline are still protected by Google-owned and Google-managed encryption keys.
Console
In the Google Cloud console, go to the Eventarc > Pipelines page.
Click the name of the pipeline.
In the Pipeline details page, click Edit.
On the Edit pipeline page, for Encryption, select Google-managed encryption key.
Click Save.
gcloud
Use the
gcloud beta eventarc pipelines update
command to disable CMEK for your pipeline:
gcloud beta eventarc pipelines update PIPELINE_NAME \ --location=REGION \ --clear-crypto-key
Enable CMEK for Google API sources
When you enable CMEK for a GoogleApiSource resource, all messages that are
collected for that resource are fully encrypted with the CMEK key.
Console
In the Google Cloud console, go to the Eventarc > Bus page.
You can create a bus or, if you are updating a bus, click the name of the bus.
In the Bus details page, click Edit.
To add a message source, click Add source.
If a message source already exists, you must first delete it and then add a new message source.
In the Add message source pane, for the Google API message provider, accept the default of
google-api-source.For Encryption, select Cloud KMS key and do the following:
In the Key type list, select a method to manage your keys.
You can manage your keys manually or you can use Autokey which lets you generate key rings and keys on-demand. If the Autokey option is disabled, it isn't yet integrated with the current resource type.
In the Select a Cloud KMS key, select a key.
You must select a region before you can view your customer-managed keys.
Optional: To manually enter the resource name of the key, in the Select a Cloud KMS key list, click Enter key manually, and enter the key name in the specified format.
If prompted, grant the
cloudkms.cryptoKeyEncrypterDecrypterrole to the Eventarc Service Agent.
Click Create.
This enables the automatic collection of events coming directly from Google sources, and all event messages are fully encrypted with the CMEK key.
Only events from resources in the same Google Cloud project as the
GoogleApiSourceare published. For more information, see Publish events from Google sources.Click Save.
gcloud
Use the
gcloud beta eventarc google-api-sources update
command to enable CMEK for your GoogleApiSource resource:
gcloud beta eventarc google-api-sources update GOOGLE_API_SOURCE_NAME \ --location=REGION \ --crypto-key=KEY
Replace the following:
GOOGLE_API_SOURCE_NAME: the ID or fully qualified identifier of yourGoogleApiSourceresourceREGION: a supported Eventarc Advanced locationKEY: the fully qualified Cloud KMS key name in the formatprojects/PROJECT_NAME/locations/REGION/keyRings/RING_NAME/cryptoKeys/KEY_NAMEThe
REGIONof the key must match the location of the resource to be protected.
Verify Cloud KMS usage
Verify that the resource is now CMEK-compliant.
Console
In the Google Cloud console, go to the Eventarc > Bus page.
Click the name of the bus whose message source you have protected using a Cloud KMS key.
In the Bus details page, click Edit.
The key that is encrypting your message source should be listed. You can click the key to go to it in the Security Command Center.
Otherwise, the Encryption status message is
Event messages encrypted using Google-managed encryption keys.
gcloud
Use the
gcloud beta eventarc google-api-sources describe
command to verify CMEK for your GoogleApiSource resource:
gcloud beta eventarc google-api-sources describe GOOGLE_API_SOURCE_NAME \ --location=REGION
The output should be similar to the following:
createTime: '2022-06-28T18:05:52.403999904Z' cryptoKeyName: projects/PROJECT_ID/locations/REGION/keyRings/RING_NAME/cryptoKeys/KEY_NAME destination: projects/PROJECT_ID/locations/REGION/messageBuses/BUS_NAME name: projects/PROJECT_ID/locations/REGION/googleApiSources/GOOGLE_API_SOURCE_NAME uid: 5ea277f9-b4b7-4e7f-a8e0-6ca9d7204fa3 updateTime: '2022-06-28T18:09:18.650727516Z'
The cryptokeyName value shows the Cloud KMS key used for the
pipeline.
Disable CMEK for Google API sources
You can disable the CMEK protection associated with Google API sources. The
events that are collected through the GoogleApiSource resource are still
protected by Google-owned and Google-managed encryption keys.
Console
In the Google Cloud console, go to the Eventarc > Bus page.
Click the name of the bus whose message source you have protected using CMEK.
In the Bus details page, click Edit.
To delete the message source that is encrypted by a Cloud KMS key, click Delete resource.
If necessary, re-add the message source.
gcloud
Use the
gcloud beta eventarc google-api-sources update
command to disable CMEK for your GoogleApiSource resource:
gcloud beta eventarc google-api-sources update GOOGLE_API_SOURCE_NAME \ --location=REGION \ --clear-crypto-key
Apply a CMEK organization policy
Eventarc is integrated with two organization policy constraints to help ensure CMEK usage across an organization:
constraints/gcp.restrictNonCmekServicesis used to require CMEK protection.constraints/gcp.restrictCmekCryptoKeyProjectsis used to limit which Cloud KMS keys are used for CMEK protection.
This integration lets you specify the following encryption compliance requirements for Eventarc resources in your organization:
Considerations when applying organization policies
Before applying any CMEK organization policies, you should be aware of the following.
Prepare for a propagation delay
After you set or update an organization policy, it can take up to 15 minutes for the new policy to take effect.
Consider existing resources
Existing resources are not subject to newly created organization policies. For example, an organization policy does not retroactively apply to existing pipelines. Those resources are still accessible without a CMEK and, if applicable, are still encrypted with existing keys.
Verify required permissions to set an organization policy
The permission to set or update the organization policy might be difficult to acquire for testing purposes. You must be granted the Organization Policy Administrator role, which can only be granted at the organization level (rather than the project or folder level).
Although the role must be granted at the organization level, it is still possible to specify a policy that only applies to a specific project or folder.
Require CMEKs for new Eventarc resources
You can use the constraints/gcp.restrictNonCmekServices constraint to require
that CMEKs be used to protect new Eventarc resources in an
organization.
If set, this organization policy causes all resource creation requests without a specified Cloud KMS key to fail.
After you set this policy, it applies only to new resources in the project. Any existing resources without Cloud KMS keys applied continue to exist and are accessible without issue.
Console
In the Google Cloud console, go to the Organization policies page.
Using the Filter, search for the following constraint:
constraints/gcp.restrictNonCmekServicesIn the Name column, click Restrict which services may create resources without CMEK.
Click Manage Policy.
On the Edit policy page, under Policy source, select Override parent's policy.
Under Rules, click Add a rule.
In the Policy values list, select Custom.
In the Policy type list, select Deny.
In the Custom values field, enter the following:
is:eventarc.googleapis.comClick Done, and then click Set policy.
gcloud
Create a temporary file
/tmp/policy.yamlto store the policy:name: projects/PROJECT_ID/policies/gcp.restrictNonCmekServices spec: rules: - values: deniedValues: - is:eventarc.googleapis.com
Replace
PROJECT_IDwith the ID of the project where you are applying this constraint.Run the
org-policies set-policycommand:gcloud org-policies set-policy /tmp/policy.yaml
To verify that the policy is successfully applied, you can try to create an Eventarc Advanced pipeline in the project. The process fails unless you specify a Cloud KMS key.
Restrict Cloud KMS keys for an Eventarc project
You can use the constraints/gcp.restrictCmekCryptoKeyProjects constraint to
restrict the Cloud KMS keys that you can use to protect a resource in
an Eventarc project.
For example, you can specify a rule similar to the following: "For applicable
Eventarc resources in projects/my-company-data-project,
Cloud KMS keys used in this project must come from
projects/my-company-central-keys OR projects/team-specific-keys."
Console
In the Google Cloud console, go to the Organization policies page.
Using the Filter, search for the following constraint:
constraints/gcp.restrictCmekCryptoKeyProjectsIn the Name column, click Restrict which projects may supply KMS CryptoKeys for CMEK.
Click Manage Policy.
On the Edit policy page, under Policy source, select Override parent's policy.
Under Rules, click Add a rule.
In the Policy values list, select Custom.
In the Policy type list, select Allow.
In the Custom values field, enter the following:
under:projects/KMS_PROJECT_IDReplace
KMS_PROJECT_IDwith the ID of the project where the Cloud KMS keys you want to use are located.For example,
under:projects/my-kms-project.Click Done, and then click Set policy.
gcloud
Create a temporary file
/tmp/policy.yamlto store the policy:name: projects/PROJECT_ID/policies/gcp.restrictCmekCryptoKeyProjects spec: rules: - values: allowedValues: - under:projects/KMS_PROJECT_ID
Replace the following
PROJECT_ID: the ID of the project where you are applying this constraint.KMS_PROJECT_ID: the ID of the project where the Cloud KMS keys you want to use are located.
Run the
org-policies set-policycommand:gcloud org-policies set-policy /tmp/policy.yaml
To verify that the policy is successfully applied, you can try to create an Eventarc Advanced pipeline using a Cloud KMS key from a different project. The process will fail.
Disabling and enabling Cloud KMS keys
A key version stores the cryptographic key material that you use to encrypt, decrypt, sign, and verify data. You can disable this key version so that data that was encrypted with the key can't be accessed.
When Eventarc cannot access Cloud KMS keys,
event routing fails with FAILED_PRECONDITION errors and event
delivery stops. You can enable a key in the Disabled state so that the
encrypted data can be accessed again.
Disable Cloud KMS keys
To prevent Eventarc from using the key to encrypt or decrypt your event data, do any of the following:
- We recommend disabling the key version you have configured for the bus or pipeline. This affects only the Eventarc Advanced bus or pipeline that is associated with the specific key.
- Optional: Revoke the
cloudkms.cryptoKeyEncrypterDecrypterrole from the Eventarc service account. This affects all the project's Eventarc resources that support events encrypted using CMEK.
Although neither operation guarantees instantaneous access revocation, Identity and Access Management (IAM) changes generally propagate faster. For more information, see Cloud KMS resource consistency and Access change propagation.
Re-enable Cloud KMS keys
To resume event delivery and routing, restore access to Cloud KMS.
Audit logging and troubleshooting
Cloud KMS produces audit logs when keys are enabled, disabled, or used by Eventarc Advanced resources to encrypt and decrypt messages. For more information, see the Cloud KMS audit logging information.
To resolve issues that you might encounter when using externally managed keys through Cloud External Key Manager (Cloud EKM), see Cloud EKM error reference.
Pricing
The bus integration does not incur additional costs beyond the key operations, which are billed to your Google Cloud project. The use of CMEK for a pipeline incurs charges for access to the Cloud KMS service based on Pub/Sub pricing.
For more information on the most current pricing information, see Cloud KMS Pricing.