Using Stackdriver Monitoring with Cloud KMS

Stackdriver Monitoring can be used to monitor operations performed on resources in Google Cloud Key Management Service.

This topic provides:

  • an example for monitoring when a key version is scheduled for destruction
  • information about monitoring other Cloud KMS resources and operations

Before you begin

If you haven't already done so:

Create a counter metric

Use the gcloud logging metrics create command to create a counter metric that will monitor any occurrence of the scheduled destruction of a key version.

gcloud logging metrics create key_version_destruction \
--description "Key version scheduled for destruction" \
--log-filter "resource.type=cloudkms_cryptokeyversion \
AND protoPayload.methodName=DestroyCryptoKeyVersion"

You can list your counter metrics using the gcloud logging metrics list command:

gcloud logging metrics list

For more information about creating a counter metric, including via the Google Cloud Platform Console and the Monitoring API, see Creating a counter metric.

Create an alerting policy

Create an alert policy that sends an email whenever a key version is scheduled for destruction.

  1. In the Cloud Platform Console, go to Stackdriver > Monitoring > Alerting > Create a Policy.

  2. Click Add Condition.

  3. In the Select condition type page, to the right of Metric threshold, click Select.

  4. In the Add Metric Threshold Condition page, under Target, for Resource type, select Log Metrics.

  5. Under Configuration:

    • For If Metric, select user/key_version_destruction, which is the name of the counter metric that you created earlier.
    • For Condition, select above.
    • For Threshold, enter 0.
    • For For, select most recent value.
      Your Add Metric Threshold Condition page should look similar to the following:

    [Screenshot: Create new condition]

  6. Click Save condition.

  7. To the right of the condition that you just created, click Edit.


  8. Change Condition Name to KMS key version scheduled for destruction and then click Save condition. The condition name will appear in the subject line in the email notification.

  9. Click Add Notification.

  10. Select Email and enter the email address to receive the notification.

  11. Click Add Documentation. Type in the message to use for the notification. For example:

    A key version has been scheduled for destruction.

  12. Under Name this policy, provide a name, such as Key version scheduled for destruction. Your Create new alerting policy page should look similar to the following:

    [Screenshot: Create new alert policy page]

  13. Click Save policy.

To test your new notification, schedule a key version for destruction and then check your email to see if the notification was sent.

This alert is triggered each time a key version is scheduled for destruction. The alert resolves automatically (even though the key version remains scheduled for destruction), so you receive two email notifications: one for the scheduled destruction and one for the alert being resolved.

For more information about alert policies, see Introduction to Alerting.

For information about different types of notifications, see Notification options.

Monitoring admin activities vs. data access

The scheduled destruction of a key version is an admin activity. Admin activities are logged automatically. To create an alert for data access to a Cloud KMS resource, for example to monitor when a key is used for encryption, you need to enable data access logs and then create an alert policy as described in this topic.

For more information about logging of Cloud KMS admin activities and data access, see Using Cloud Audit Logging with Cloud KMS.
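
The following added example (not part of the original documentation) applies the key_version_destruction log filter from "Create a counter metric" to constructed audit log entries and tags each entry as admin activity or data access, as distinguished above. The project, key, and principal names are made up, and the count is simplified: it ignores the time windows a real counter metric uses.

```python
# Added example: evaluates the page's log filter over constructed audit log entries.
from collections import Counter

# Constructed sample entries (project, key names and principals are made up),
# trimmed to the fields that the filter and the summary read.
KEY = "projects/example-project/locations/global/keyRings/ring-1/cryptoKeys/key-1"
LOG = "projects/example-project/logs/cloudaudit.googleapis.com%2F"
SAMPLE_ENTRIES = [
    {"logName": LOG + "activity",
     "resource": {"type": "cloudkms_cryptokeyversion"},
     "protoPayload": {"methodName": "DestroyCryptoKeyVersion",
                      "resourceName": KEY + "/cryptoKeyVersions/1",
                      "authenticationInfo": {"principalEmail": "admin@example.com"}}},
    {"logName": LOG + "activity",
     "resource": {"type": "cloudkms_cryptokeyversion"},
     "protoPayload": {"methodName": "CreateCryptoKeyVersion",
                      "resourceName": KEY + "/cryptoKeyVersions/2",
                      "authenticationInfo": {"principalEmail": "admin@example.com"}}},
    # Present only when data access logs are enabled for Cloud KMS.
    {"logName": LOG + "data_access",
     "resource": {"type": "cloudkms_cryptokey"},
     "protoPayload": {"methodName": "Encrypt", "resourceName": KEY,
                      "authenticationInfo": {"principalEmail": "app@example.com"}}},
]

def matches_destroy_filter(entry):
    """Same two conditions as the --log-filter of key_version_destruction."""
    return (entry.get("resource", {}).get("type") == "cloudkms_cryptokeyversion"
            and entry.get("protoPayload", {}).get("methodName") == "DestroyCryptoKeyVersion")

def audit_category(entry):
    """Admin activity vs. data access, taken from the audit log name suffix."""
    suffix = entry.get("logName", "").rsplit("%2F", 1)[-1]
    return {"activity": "admin_activity", "data_access": "data_access"}.get(suffix, "other")

def summarize(entries, threshold=0):
    """Count matching entries and report whether 'above threshold' would hold."""
    hits = [e["protoPayload"] for e in entries if matches_destroy_filter(e)]
    return {
        "metric_value": len(hits),             # simplified: no time windows
        "alert_fires": len(hits) > threshold,  # Condition: above, Threshold: 0
        "scheduled": [(p["resourceName"], p["authenticationInfo"]["principalEmail"])
                      for p in hits],
        "by_category": dict(Counter(audit_category(e) for e in entries)),
    }

if __name__ == "__main__":
    print(summarize(SAMPLE_ENTRIES))
```

The Encrypt entry never matches the destruction filter; alerting on it requires its own counter metric with a filter on that method, and the entry exists only once data access logs are enabled.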
