Using Stackdriver Monitoring with Cloud KMS

Stackdriver Monitoring can be used to monitor operations performed on resources in Cloud Key Management Service.

This topic provides:

  • an example for monitoring when a key version is scheduled for destruction
  • information about monitoring other Cloud KMS resources and operations

Before you begin

If you haven't already done so:

Create a counter metric

Use the gcloud logging metrics create command to create a counter metric that counts every audit log entry recording that a key version was scheduled for destruction (the DestroyCryptoKeyVersion method on a cloudkms_cryptokeyversion resource). Note that a logs-based metric only counts entries written after the metric is created; earlier log entries are not backfilled.

gcloud logging metrics create key_version_destruction \
  --description "Key version scheduled for destruction" \
  --log-filter "resource.type=cloudkms_cryptokeyversion \
  AND protoPayload.methodName=DestroyCryptoKeyVersion"

You can list your counter metrics using the gcloud logging metrics list command:

gcloud logging metrics list

For more information about creating a counter metric, including via the Google Cloud Platform Console and the Monitoring API, see Creating a counter metric.

Create an alerting policy

Create an alert policy to send an email whenever a key version is scheduled for destruction.

  1. In the GCP Console, go to Stackdriver > Monitoring > Alerting > Create a Policy.

  2. Click Add Condition.

  3. Under Target:

    • Click the edit box under Find resource type and metric.
    • From the dropdown list, select logging/user/key_version_destruction.

      After you select the metric from the dropdown list, the title of the condition is automatically filled in. You can change the title if desired.

  4. Under Configuration:

    • Set Condition triggers if to Any time series violates.
    • Set Condition to is above.
    • For Threshold, enter 0.
    • For For, select most recent value.

      Your Add Metric Threshold Condition page should look similar to the following:

      [Screenshot: Create new condition]

  5. Click Save.

  6. Under Notifications (optional):

    • Select Email.
    • Enter the email address to receive the notification.
    • Click Add Notification Channel.
  7. Under Documentation (optional):

    • In the edit box under Edit, type in the message to use for the notification. For example:

      A key version has been scheduled for destruction.
      
  8. Under Name this policy, provide a name, such as Key version scheduled for destruction.

    Your Create new alerting policy page should look similar to the following:

    [Screenshot: Create new alert policy page]

  9. Click Save.

To test your new notification, schedule a key version for destruction and then check your email to see if the notification was sent.

This alert fires each time a key version is scheduled for destruction. Because the condition is evaluated on the most recent value of a counter metric, the alert resolves automatically as soon as no further matching log entries arrive, even though the key version remains scheduled for destruction. You therefore receive two email notifications per event: one when the alert opens and one when it is resolved.

For more information about alert policies, see Introduction to alerting. To learn how to turn on, turn off, edit, copy, or delete an alert policy, see Managing policies.

For information about different types of notifications, see Notification options.

Monitoring administrative activities vs. data access

The scheduled destruction of a key version is an administrative activity. Admin Activity audit logs are always written and cannot be disabled, so the counter metric above works without further configuration. Data Access audit logs, which record operations such as encrypting or decrypting with a key, are disabled by default for Cloud KMS. If you want to alert on data access of a Cloud KMS resource, e.g. when a key is used for encryption, you must first enable Data Access logs and then create a counter metric and alert policy as described in this topic.

For more information about logging of Cloud KMS administrative activities and data access, see Using Cloud Audit Logs with Cloud KMS.
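Before relying on the filter and the alert policy above, it is worth checking offline that the filter matches exactly the entries you expect and understanding why each scheduled destruction produces two notifications. The following Python script is an added example, not code from this page or from Google's tooling. It applies the same resource.type / protoPayload.methodName test as the gcloud filter to a handful of constructed audit log entries, buckets the matches into one-minute counter values, and replays the "is above 0, most recent value" condition to show the open and resolved transitions. The sample entries are made up (an abbreviated Cloud Audit Log shape with a fictitious project, principals and key names) and include a Data Access entry for Encrypt to show that the admin-activity filter ignores it and what a data-access filter would look like. The alert replay is a simplified model that treats a period with no matching entries as a zero value; both the samples and that model are assumptions, not the service's actual behaviour.

```python
"""Offline check of the key_version_destruction counter metric and its alert.

Added example, not code from the Cloud KMS or Stackdriver documentation.
The log entries below are constructed to mimic the shape of Cloud Audit Log
entries (only the fields the filter needs are present); they are not real logs.
"""
import json
from datetime import datetime, timezone

# Constructed sample log lines, in arrival order (assumption: the field layout
# follows the Cloud Audit Log schema; project, principals and keys are made up).
SAMPLE_LOG_LINES = [
    # Admin Activity: a key version is scheduled for destruction.  Must count.
    json.dumps({
        "logName": "projects/example-project/logs/cloudaudit.googleapis.com%2Factivity",
        "timestamp": "2019-06-01T10:00:10Z",
        "resource": {"type": "cloudkms_cryptokeyversion"},
        "protoPayload": {
            "methodName": "DestroyCryptoKeyVersion",
            "authenticationInfo": {"principalEmail": "alice@example.com"},
            "resourceName": "projects/example-project/locations/global/keyRings/ring1"
                            "/cryptoKeys/key1/cryptoKeyVersions/3",
        },
    }),
    # Data Access: the key is used for encryption.  Only written when Data
    # Access logs are enabled, and not matched by the admin-activity filter.
    json.dumps({
        "logName": "projects/example-project/logs/cloudaudit.googleapis.com%2Fdata_access",
        "timestamp": "2019-06-01T10:00:30Z",
        "resource": {"type": "cloudkms_cryptokey"},
        "protoPayload": {
            "methodName": "Encrypt",
            "authenticationInfo": {"principalEmail": "app-sa@example-project.iam.gserviceaccount.com"},
            "resourceName": "projects/example-project/locations/global/keyRings/ring1/cryptoKeys/key1",
        },
    }),
    # Admin Activity on the same resource type but a different method.  Must not count.
    json.dumps({
        "logName": "projects/example-project/logs/cloudaudit.googleapis.com%2Factivity",
        "timestamp": "2019-06-01T10:01:05Z",
        "resource": {"type": "cloudkms_cryptokeyversion"},
        "protoPayload": {
            "methodName": "CreateCryptoKeyVersion",
            "authenticationInfo": {"principalEmail": "bob@example.com"},
            "resourceName": "projects/example-project/locations/global/keyRings/ring1"
                            "/cryptoKeys/key1/cryptoKeyVersions/4",
        },
    }),
    # A second scheduled destruction, three minutes later.  Must count.
    json.dumps({
        "logName": "projects/example-project/logs/cloudaudit.googleapis.com%2Factivity",
        "timestamp": "2019-06-01T10:03:40Z",
        "resource": {"type": "cloudkms_cryptokeyversion"},
        "protoPayload": {
            "methodName": "DestroyCryptoKeyVersion",
            "authenticationInfo": {"principalEmail": "bob@example.com"},
            "resourceName": "projects/example-project/locations/global/keyRings/ring1"
                            "/cryptoKeys/key1/cryptoKeyVersions/4",
        },
    }),
]

# Start of the first one-minute alignment period for the sample above.
SERIES_START = datetime(2019, 6, 1, 10, 0, tzinfo=timezone.utc)


def parse_entries(lines):
    """Decode one JSON audit log entry per line."""
    return [json.loads(line) for line in lines]


def matches_filter(entry, resource_type="cloudkms_cryptokeyversion",
                   method_name="DestroyCryptoKeyVersion"):
    """Same test as the gcloud --log-filter: exact match on resource.type
    AND protoPayload.methodName.  Pass other values to model a data-access
    filter, e.g. resource_type='cloudkms_cryptokey', method_name='Encrypt'."""
    resource = entry.get("resource") or {}
    payload = entry.get("protoPayload") or {}
    return resource.get("type") == resource_type and payload.get("methodName") == method_name


def destroyed_versions(entries):
    """(principal, key version) for every matching entry: the detail an
    analyst wants in the alert, not just the count."""
    return [(e["protoPayload"]["authenticationInfo"]["principalEmail"],
             e["protoPayload"]["resourceName"])
            for e in entries if matches_filter(e)]


def counter_series(entries, start, periods, period_seconds=60):
    """Count matching entries per alignment period, as the counter metric does.
    Assumption: a period with no matches is reported as 0 (simplified model)."""
    counts = [0] * periods
    for e in entries:
        if not matches_filter(e):
            continue
        ts = datetime.strptime(e["timestamp"], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
        idx = int((ts - start).total_seconds() // period_seconds)
        if 0 <= idx < periods:
            counts[idx] += 1
    return counts


def alert_events(series, threshold=0):
    """Replay the 'is above <threshold>, most recent value' condition.
    Returns (period_index, 'OPEN'|'RESOLVED') transitions; each OPEN/RESOLVED
    pair corresponds to the two email notifications described above."""
    events, is_open = [], False
    for idx, value in enumerate(series):
        if value > threshold and not is_open:
            events.append((idx, "OPEN"))
            is_open = True
        elif value <= threshold and is_open:
            events.append((idx, "RESOLVED"))
            is_open = False
    return events


if __name__ == "__main__":
    entries = parse_entries(SAMPLE_LOG_LINES)
    for who, version in destroyed_versions(entries):
        print(f"{who} scheduled {version} for destruction")
    series = counter_series(entries, SERIES_START, periods=5)
    print("counter per minute:", series)
    for idx, state in alert_events(series):
        print(f"period {idx}: alert {state}")
```

Running the script with the samples yields a counter series of one match in the first minute and one in the fourth, and the replay opens and resolves the alert once for each, which is the two-notifications-per-event behaviour noted above. Swapping the filter arguments to cloudkms_cryptokey and Encrypt is the shape of the check you would run once Data Access logs are enabled.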

Rate quota metrics

Cloud KMS supports the following rate quota metrics:

  • cloudkms.googleapis.com/crypto_requests
  • cloudkms.googleapis.com/hsm_asymmetric_requests
  • cloudkms.googleapis.com/hsm_symmetric_requests
  • cloudkms.googleapis.com/read_requests
  • cloudkms.googleapis.com/write_requests

For information about monitoring these quotas using Stackdriver Monitoring, see Monitoring quota metrics.
