Using Cloud Audit Logging with Cloud KMS

Cloud Audit Logging can be used to generate logs for all operations performed in Cloud KMS.

What is logged

Audit log types

There are two types of audit logs:

  • Admin activity logs, which are entries for operations that modify the configuration or metadata of a project, and

  • Data access logs, which are entries for operations that read a configuration or metadata; or create, read, or modify user-provided data. Within data access logs, there are several log entry types:

    • "ADMIN_READ": reads of metadata or configuration information. (Admin Activity logs already record writes of metadata.)
    • "DATA_READ": reads of user-provided data.
    • "DATA_WRITE": writes of user-provided data.

The following table summarizes which operations correspond to each log entry type in Cloud KMS:

Log entry type            Operations

Admin activity
  • cloudkms.projects.locations.keyRings.create
  • cloudkms.projects.locations.keyRings.cryptoKeys.create
  • cloudkms.projects.locations.keyRings.cryptoKeys.cryptoKeyVersions.create
  • cloudkms.projects.locations.keyRings.cryptoKeys.patch
  • cloudkms.projects.locations.keyRings.cryptoKeys.cryptoKeyVersions.patch
  • cloudkms.projects.locations.keyRings.cryptoKeys.updatePrimaryVersion
  • cloudkms.projects.locations.keyRings.setIamPolicy
  • cloudkms.projects.locations.keyRings.cryptoKeys.setIamPolicy
  • cloudkms.projects.locations.keyRings.cryptoKeys.cryptoKeyVersions.destroy
  • cloudkms.projects.locations.keyRings.cryptoKeys.cryptoKeyVersions.restore
Data access (ADMIN_READ)
  • cloudkms.projects.locations.list
  • cloudkms.projects.locations.keyRings.list
  • cloudkms.projects.locations.keyRings.cryptoKeys.list
  • cloudkms.projects.locations.keyRings.cryptoKeys.cryptoKeyVersions.list
  • cloudkms.projects.locations.get
  • cloudkms.projects.locations.keyRings.get
  • cloudkms.projects.locations.keyRings.cryptoKeys.get
  • cloudkms.projects.locations.keyRings.cryptoKeys.cryptoKeyVersions.get
  • cloudkms.projects.locations.keyRings.getIamPolicy
  • cloudkms.projects.locations.keyRings.cryptoKeys.getIamPolicy
  • cloudkms.projects.locations.keyRings.testIamPermissions
  • cloudkms.projects.locations.keyRings.cryptoKeys.testIamPermissions
Data access (DATA_READ)
  • cloudkms.projects.locations.keyRings.cryptoKeys.encrypt
  • cloudkms.projects.locations.keyRings.cryptoKeys.decrypt
Data access (DATA_WRITE)
  • None

Configuring logging

Default logging

Admin activity is logged by default, and does not count towards your log ingestion quota.

Data access isn't logged by default in Cloud KMS. Data access operations are high volume and count toward your log ingestion quota.

Enabling data access logs

To enable data access operations logs, update the AuditConfig object for service cloudkms.googleapis.com. The AuditConfig object is part of the IAM policy associated with projects and individual resources, like KeyRings and CryptoKeys. You can read and write policies using GetIamPolicy and SetIamPolicy, as well as with gcloud commands such as gcloud kms keys get-iam-policy and gcloud kms keys set-iam-policy.

When you update a policy, first retrieve the policy using getIamPolicy() or the gcloud equivalent, update the policy, and then write the updated policy using setIamPolicy() or the gcloud equivalent. Use the etag value when setting the policy only if the retrieved policy contains an etag value. Cloud Identity Access Management uses an etag property in Cloud IAM policies to prevent a conflict if two or more independent processes attempt to write a policy. To learn more about the etag property in Cloud IAM policies, see Granting access to team members.

If you want to enable logs for Encrypt and Decrypt operations with no exempted members, first retrieve the existing policy, and then add the following audit log configuration:

{
  "service": "cloudkms.googleapis.com",
  "auditLogConfigs": [
    {
      "logType": "DATA_READ"
    },
    ...
  ]
},

To enable data access logs for a single key with the gcloud command-line tool, first retrieve the policy by running:

gcloud kms keys get-iam-policy \
projects/[PROJECT_ID]/locations/[LOCATION]/keyRings/[KEY_RING]/cryptoKeys/[KEY]

Then update the policy with the desired audit configuration. For example:

{
   "auditConfigs": [
     {
       "auditLogConfigs": [
         {
           "logType": "DATA_READ"
         },
         {
           "logType": "ADMIN_READ"
         },
         {
           "logType": "DATA_WRITE"
         }
       ],
       "service": "cloudkms.googleapis.com"
     }
   ],
   "bindings": [
     {
       "members": [
         "allUsers"
       ],
       "role": "roles/owner"
     }
   ]
}

You can then set the policy by running:

gcloud kms keys set-iam-policy \
projects/[PROJECT_ID]/locations/[LOCATION]/keyRings/[KEY_RING]/cryptoKeys/[KEY] \
[POLICY_FILE]

Learn more about configuring data access operations logs in Cloud Audit Logging documentation.
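The retrieve, update, write-back procedure above, as an added example that is not the page's or Google's own code: a helper that merges the cloudkms.googleapis.com audit configuration into a retrieved policy without dropping existing bindings, the etag or other services' audit configs, plus a check for exemptedMembers, since any member listed there is not logged. The sample policy, its member and its etag value are constructed.

```python
import copy

KMS_SERVICE = "cloudkms.googleapis.com"

# Constructed sample shaped like `gcloud kms keys get-iam-policy` output.
# The binding, the member and the etag value are made up for this example.
EXISTING_POLICY = {
    "bindings": [
        {"members": ["serviceAccount:app@example-project.iam.gserviceaccount.com"],
         "role": "roles/cloudkms.cryptoKeyEncrypterDecrypter"}
    ],
    "etag": "BwXConstructedEtag=",
    "auditConfigs": [
        {"service": "allServices", "auditLogConfigs": [{"logType": "ADMIN_READ"}]}
    ],
}

def enable_kms_audit_logs(policy, log_types=("DATA_READ",)):
    """Return a copy of `policy` with the given Cloud KMS log types enabled.
    Bindings, the etag and other services' audit configs are preserved, so
    the result can be handed straight to set-iam-policy; a second call adds
    nothing (already-enabled log types are skipped)."""
    updated = copy.deepcopy(policy)
    audit_configs = updated.setdefault("auditConfigs", [])
    kms_cfg = next((c for c in audit_configs if c.get("service") == KMS_SERVICE), None)
    if kms_cfg is None:
        kms_cfg = {"service": KMS_SERVICE, "auditLogConfigs": []}
        audit_configs.append(kms_cfg)
    log_cfgs = kms_cfg.setdefault("auditLogConfigs", [])
    enabled = {c["logType"] for c in log_cfgs}
    for log_type in log_types:
        if log_type not in enabled:
            log_cfgs.append({"logType": log_type})
            enabled.add(log_type)
    return updated

def kms_exempted_members(policy):
    """Members whose Cloud KMS calls would NOT be logged: an auditLogConfig
    may carry an `exemptedMembers` list, and every entry in it is a blind
    spot worth reviewing before the policy is written back."""
    exempted = []
    for cfg in policy.get("auditConfigs", []):
        if cfg.get("service") == KMS_SERVICE:
            for log_cfg in cfg.get("auditLogConfigs", []):
                exempted.extend(log_cfg.get("exemptedMembers", []))
    return exempted
```

Serialize the returned dict with json.dumps to a file and pass that file to gcloud kms keys set-iam-policy; the etag survives the merge, so a concurrent policy change is still detected on write.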

Format of logs

Cloud KMS logs follow the same format as other Cloud Audit Logging logs, using the AuditLog object. Logs contain

  • the user who made the request, including the email address of that user
  • the resource name on which the request was made, and
  • the outcome of the request.
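An added example, not from the original page, that reads AuditLog entries of this shape, pulls out those three fields (principal, resource, outcome), classifies each operation using the table earlier on this page, and flags denied Encrypt/Decrypt calls and destructive admin operations. The entries, principals and key names are constructed, and the method names are assumed to use the form shown in that table.

```python
# Operation name suffix -> log entry type, taken from the table on this page.
LOG_TYPE_BY_OP = {
    **dict.fromkeys(["create", "patch", "updatePrimaryVersion", "setIamPolicy",
                     "destroy", "restore"], "ADMIN_ACTIVITY"),
    **dict.fromkeys(["list", "get", "getIamPolicy", "testIamPermissions"], "ADMIN_READ"),
    **dict.fromkeys(["encrypt", "decrypt"], "DATA_READ"),
}
KEY = "projects/demo/locations/global/keyRings/kr/cryptoKeys/k1"  # constructed

# Constructed entries in AuditLog shape; principals and resources are made up.
# Method names follow the form used in this page's table (an assumption).
SAMPLE_ENTRIES = [
    {"logName": "projects/demo/logs/cloudaudit.googleapis.com%2Fdata_access",
     "protoPayload": {"methodName": "cloudkms.projects.locations.keyRings.cryptoKeys.decrypt",
                      "authenticationInfo": {"principalEmail": "app@demo.iam.gserviceaccount.com"},
                      "resourceName": KEY}},
    {"logName": "projects/demo/logs/cloudaudit.googleapis.com%2Fdata_access",
     "protoPayload": {"methodName": "cloudkms.projects.locations.keyRings.cryptoKeys.decrypt",
                      "authenticationInfo": {"principalEmail": "eve@example.com"},
                      "resourceName": KEY,
                      "status": {"code": 7, "message": "PERMISSION_DENIED"}}},
    {"logName": "projects/demo/logs/cloudaudit.googleapis.com%2Factivity",
     "protoPayload": {"methodName": "cloudkms.projects.locations.keyRings.cryptoKeys.cryptoKeyVersions.destroy",
                      "authenticationInfo": {"principalEmail": "admin@example.com"},
                      "resourceName": KEY + "/cryptoKeyVersions/1"}},
]

def classify(method_name):
    return LOG_TYPE_BY_OP.get(method_name.rsplit(".", 1)[-1], "UNKNOWN")

def summarize(entry):
    """Who made the call, on which resource, and whether it succeeded."""
    payload = entry["protoPayload"]
    status = payload.get("status", {})  # absent on success; gRPC code 7 is PERMISSION_DENIED
    return {"principal": payload.get("authenticationInfo", {}).get("principalEmail", "<unknown>"),
            "method": payload["methodName"], "type": classify(payload["methodName"]),
            "resource": payload.get("resourceName"),
            "ok": status.get("code", 0) == 0, "error": status.get("message")}

def denied_data_access(entries):
    """Failed Encrypt/Decrypt calls per principal (needs DATA_READ logging enabled)."""
    counts = {}
    for s in map(summarize, entries):
        if s["type"] == "DATA_READ" and not s["ok"]:
            counts[s["principal"]] = counts.get(s["principal"], 0) + 1
    return counts

def destructive_admin_ops(entries):
    """Admin activity that destroys key versions or rewrites IAM on keys."""
    return [s for s in map(summarize, entries) if s["method"].endswith((".destroy", ".setIamPolicy"))]
```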

Accessing logs

Permissions

Any user of the project can view admin activity logs. To view data access logs, a user needs at least the Owner IAM role or the Private Logs Viewer IAM role. See Using IAM with Cloud KMS for how to configure these roles.

Viewing logs

You can view Cloud Audit Logs for your project in the Activity Stream on the Cloud Platform Console, as well as more detailed logs in the Logs Viewer. Further instructions on filtering logs in the Logs Viewer can be found in the Cloud Audit Logging documentation.

If desired, you can also export logs.
