Cloud Monitoring can be used to monitor operations performed on resources in Cloud Key Management Service.
This topic provides:
- an example for monitoring when a key version is scheduled for destruction
- information about monitoring other Cloud KMS resources and operations
Before you begin
If you haven't already done so:
Set up a Google Cloud project that has the Cloud Key Management Service API enabled. These steps are documented in the Cloud KMS Quickstart.
Create a counter metric
gcloud logging metrics create command to create a counter metric
that will monitor any occurrence of the scheduled destruction of a key version.
gcloud logging metrics create key_version_destruction \ --description "Key version scheduled for destruction" \ --log-filter "resource.type=cloudkms_cryptokeyversion \ AND protoPayload.methodName=DestroyCryptoKeyVersion"
You can list your counter metrics using the
gcloud logging metrics list
gcloud logging metrics list
For more information about creating a counter metric, including via the Google Cloud Console and the Monitoring API, see Creating a counter metric.
Create an alerting policy
You can create alerting policies to monitor the values of metrics and to notify you when those metrics violate a condition. The general steps for creating an alerting policy that monitors one or more resources are as follows:
- In the Google Cloud Console, go to Monitoring.
- In the Monitoring navigation pane, select notificationsAlerting, and then select Create policy.
- Click Add condition:
- The settings in the Target pane specify the resource and metric to be monitored. Click the text box to enable a menu, and then select logging/user/key_version_destruction. Leave the resource name empty.
- The settings in the Configuration pane of the alerting policy determine
when the alert is triggered.
Complete this pane with the settings in the following table.
Condition triggers if
Any time series violates
most recent value
- Click Add.
- To advance to the notifications section, click Next.
- Optional: To add notifications to your alerting policy, click
Notification channels. In the dialog, select one or more notification
channels from the menu, and then click OK.
If a notification channel that you want to add isn't listed, then click Manage notification channels. You are taken to the Notification channels page in a new browser tab. From this page, you can update the configured notification channels. After you have completed your updates, return to the original tab, click Refresh autorenew, and then select the notification channels to add to the alerting policy.
- To advance to the documentation section, click Next.
- Click Name and enter a name for the alerting policy.
- Optional: Click Documentation, and then add any information that you want included in a notification message.
- Click Save.
To test your new notification, schedule a key version for destruction and then check your email to see if the notification was sent.
This alert will be triggered each time a key version has been scheduled for destruction. Note that the alert will get automatically resolved (even though the key version remains scheduled for destruction), so there will be two email notifications, one for the scheduled destruction, and one for the alert being resolved.
For information about different types of notifications, see Notification options.
Monitoring administrative activities vs. data access
The scheduled destruction of a key version is an administrator activity. Administrator activities are logged automatically. If you want to create an alert for data access of a Cloud KMS resource, e.g. monitoring when a key is used for encryption, you need to enable Data Access logs and then create an alert policy as described in this topic.
For more information about logging of Cloud KMS administrative activities and data access, see Using Cloud Audit Logs with Cloud KMS.
Rate quota metrics
Cloud KMS supports the following rate quota metrics:
For information about monitoring these quotas using Cloud Monitoring, see Monitoring quota metrics.