This page describes how to configure and manage customer-managed encryption keys (CMEK) for the Log Router to meet your organization's compliance needs.
CMEK for the Log Router is configured at the Google Cloud organization level. It applies to all Cloud projects and folders contained by the Google Cloud organization.
Overview
By default, Cloud Logging encrypts customer content stored at rest. Data ingested by Logging is encrypted using key-encryption keys, a process known as envelope encryption. Access to your logging data requires access to those key-encryption keys, which Google manages for you without any actions on your part.
Your organization might have regulatory, compliance-related, or advanced encryption requirements that our default encryption at rest doesn't provide. To meet your organization's requirements, instead of Google managing the key encryption keys that protect your data, you can configure CMEK to control and manage your own encryption.
For specific information about CMEK, including its advantages and limitations, see Customer-managed encryption keys.
For information about using CMEK on logs that are stored in Cloud Logging, see Configure CMEK for logs storage.
Prerequisites
To get started with enabling CMEK for Log Router, complete the following steps:
Install the Google Cloud CLI, then initialize it by running the following command:
gcloud init
This guide provides instructions using the Google Cloud CLI.
Identify the organization for which you want to enable CMEK.
Create or identify the Google Cloud project in which you want to run Cloud KMS.
Verify that the Google Cloud organization that contains the Cloud project in which you want to run Cloud KMS grants you an IAM role with the following permissions:
logging.settings.get
logging.settings.update
or with the following permissions:
logging.cmekSettings.get
logging.cmekSettings.update
We recommend that you have the Logs Configuration Writer role, which contains the necessary permissions.
Enable the Cloud KMS API for the Cloud project that runs Cloud KMS.
Create a key ring and keys for the Cloud project that runs Cloud KMS.
The Log Router lets you use a key from any region as a single organization may have data routed to multiples regions. If all, or the majority, of the data in the organization is restricted to one region, then we recommend that you use a key whose region matches the regional scope of your data.
Identify the required parameters below; in the samples on this page, the following variables are used to indicate Google Cloud resource metadata:
- ORGANIZATION_ID is the unique numeric identifier of the Google Cloud organization for which you are enabling CMEK
- KMS_PROJECT_ID is the unique alphanumeric identifier, composed of your Cloud project name and a randomly assigned number, of the Cloud project running Cloud KMS
- KMS_KEY_NAME is the Cloud KMS key's
resource name. It is formatted like this:
projects/KMS_PROJECT_ID/locations/LOCATION/keyRings/KEYRING/cryptoKeys/KEY
For information about locating resource identifiers, see Identifying projects and Getting your organization ID.
Enable CMEK for an organization
After you've completed the prerequisite steps, follow these instructions to enable CMEK for your Google Cloud organization.
Determine the service account ID
To configure CMEK at the organization level, you need to get the service-account ID associated with the organization for which CMEK will apply. Run the following command:
API
Get an authorization access token from the OAuth 2.0 Playground. Configure the playground to use your own OAuth credentials.
Issue a GET request to obtain the service-account ID associated with the Google Cloud organization for which you want to enable CMEK:
curl -H "Authorization: Bearer AUTH_TOKEN" \ https://logging.googleapis.com/v2/organizations/ORGANIZATION_ID/settings
gcloud
gcloud logging settings describe --organization=ORGANIZATION_ID
Running this command generates a service account for the organization, if
one doesn't exist already, and returns the ID in the serviceAccountId
field:
serviceAccountId: "SERVICE_ACCOUNT_ID@gcp-sa-logging.iam.gserviceaccount.com"
You need to run this provisioning process only once per resource. Running this
command multiple times returns the same value for the serviceAccountId
field.
Assign the Encrypter/Decrypter role
To use CMEK, give the service account permission to use your Cloud KMS by assigning the Cloud KMS CryptoKey Encrypter/Decrypter role to the service account:
API
- Get an authorization access token from the OAuth 2.0 Playground. Configure the playground to use your own OAuth credentials. For instructions, see API authentication.
Create a JSON file that contains the following information:
{ "policy": { "bindings": { "role": "roles/cloudkms.cryptoKeyEncrypterDecrypter", "members": "serviceAccount:SERVICE_ACCOUNT_ID@gcp-sa-logging.iam.gserviceaccount.com" }, } }
Use
cURL
to call the Cloud KMS API with aPOST setIamPolicy
request:curl -X POST --data-binary @JSON_FILE_NAME.json \ -H "Authorization: Bearer OAUTH2_TOKEN" \ -H "Content-Type: application/json" \ "https://cloudkms.googleapis.com/v1/KEY_RESOURCE:setIamPolicy"
gcloud
gcloud kms keys add-iam-policy-binding \ --project=KMS_PROJECT_ID \ --member serviceAccount:SERVICE_ACCOUNT_ID@gcp-sa-logging.iam.gserviceaccount.com \ --role roles/cloudkms.cryptoKeyEncrypterDecrypter \ --location=KMS_KEY_LOCATION \ --keyring=KMS_KEY_RING \ KMS_KEY
Set the variables in the command as follows:
Replace SERVICE_ACCOUNT_ID with the
serviceAccountId
value that you determined in the previous step.Replace the other variables with the values you determined in the prerequisite steps:
- Replace KMS_PROJECT_ID with the ID of the Cloud project that is running Cloud KMS.
- Replace KMS_KEY_LOCATION with the region of the Cloud KMS key.
- Replace KMS_KEY_RING with the Cloud KMS key ring's name.
- Replace KMS_KEY with the Cloud KMS key's name.
Console
- Open the Cloud Key Management Service Keys browser in the Google Cloud console.
Open the Cloud KMS Keys browser Click on the name of the key ring that contains the desired key.
Select the checkbox for the desired key.
The Permissions tab becomes available.
In the Add members dialog, specify the email address of the Logging service account you are granting access.
In the Select a role drop down, select Cloud KMS CryptoKey Encrypter/Decrypter.
Click Add.
Configure the Cloud KMS key
To finish enabling CMEK, add the Cloud KMS key name to your organization. Run the following command:
API
Get an authorization access token from the OAuth 2.0 Playground. Configure the playground to use your own OAuth credentials.
Create a JSON file that contains the following information:
{ "kms_key_name": "KMS_KEY_NAME" }
Issue a PATCH request to update
kms_key_name
to be associated with the Google Cloud organization for which you want to enable CMEK:curl -X PATCH \ -H "Authorization: Bearer AUTH_TOKEN \ -H "Content-Type: application/json" \ --data-binary @JSON_FILE_NAME https://logging.googleapis.com/v2/organizations/ORGANIZATION_ID/settings?update_mask="kms_key_name"
gcloud
gcloud logging settings update \ --organization=ORGANIZATION_ID --kms-key-name=KMS_KEY_NAME
Verify key enablement
To verify that you've successfully enabled CMEK for your organization, run the following command:
API
Get an authorization access token from the OAuth 2.0 Playground. Configure the playground to use your own OAuth credentials.
Issue a GET request to obtain the CMEK settings associated with the Google Cloud organization for which you want to verify key enablement:
curl -H "Authorization: Bearer AUTH_TOKEN" \ https://logging.googleapis.com/v2/organizations/ORGANIZATION_ID/settings { "kmsKeyName": "KMS_KEY_NAME", "serviceAccountId": "SERVICE_ACCOUNT_ID@gcp-sa-logging.iam.gserviceaccount.com" }
gcloud
gcloud logging settings describe --organization=ORGANIZATION_ID
Running this command returns the Cloud KMS key name:
kmsKeyName: KMS_KEY_NAME serviceAccountId: SERVICE_ACCOUNT_ID@gcp-sa-logging.iam.gserviceaccount.com
If the kmsKeyName
field is populated, then CMEK is enabled for your
organization.
Manage your Cloud KMS key
The following sections explain how to change, revoke access for, or disable your Cloud KMS key.
Change your Cloud KMS key
To change the Cloud KMS key associated with your organization, create a key and update the CMEK settings for the organization with the new Cloud KMS key name.
Run the following command:
API
Get an authorization access token from the OAuth 2.0 Playground. Configure the playground to use your own OAuth credentials.
Create a JSON file that contains the following information:
{ "kms_key_name": "NEW_KMS_KEY_NAME" }
Issue a PATCH request to update
kms_key_name
:curl -X PATCH \ -H "Authorization: Bearer AUTH_TOKEN \ -H "Content-Type: application/json" \ --data-binary @JSON_FILE_NAME https://logging.googleapis.com/v2/organizations/ORGANIZATION_ID/settings?update_mask="kms_key_name"
gcloud
gcloud logging settings update \ --organization=ORGANIZATION_ID --kms-key-name=NEW_KMS_KEY_NAME
Revoke access to the Cloud KMS key
To revoke Logging's access to the Cloud KMS key at any time, remove the configured service account's IAM permission for that key.
If you remove Logging's access to a key, it can take up to one hour for the change to take effect.
Run the following command:
API
Get an authorization access token from the OAuth 2.0 Playground. Configure the playground to use your own OAuth credentials.
Create a JSON file that contains the following information:
revoke.json: { "policy": { "bindings": { "role": "roles/cloudkms.cryptoKeyEncrypterDecrypter", "members": }, } }
Issue a POST request:
curl -X POST --data-binary @revoke.json -H "Authorization: Bearer ${OAUTH_TOKEN}" -H "Content-Type: application/json" "https://cloudkms.googleapis.com/v1/{$KEY}:setIamPolicy"
gcloud
gcloud kms keys remove-iam-policy-binding \ --project=KMS_PROJECT_ID \ --member serviceAccount:SERVICE_ACCOUNT_ID@gcp-sa-logging.iam.gserviceaccount.com \ --role roles/cloudkms.cryptoKeyEncrypterDecrypter \ --location=KMS_KEY_LOCATION \ --keyring=KMS_KEY_RING \ KMS_KEY
Disable CMEK for your organization
Disabling CMEK for your organization removes CMEK policy enforcement for future operations only; any previously applied configurations remain intact.
To disable CMEK for your organization, run this command:
API
Get an authorization access token from the OAuth 2.0 Playground. Configure the playground to use your own OAuth credentials.
Create a JSON file that contains the following information:
{ "kms_key_name": "" }
Issue a PATCH request to update
kms_key_name
:curl -X PATCH \ -H "Authorization: Bearer AUTH_TOKEN \ -H "Content-Type: application/json" \ --data-binary @JSON_FILE_NAME https://logging.googleapis.com/v2/organizations/ORGANIZATION_ID/settings?update_mask="kms_key_name"
gcloud
gcloud logging settings update --organization=ORGANIZATION_ID --clear-kms-key
If you want to destroy your key, see Destroying and restoring key versions.
Impact of Cloud KMS key rotation
The Log Router doesn't automatically rotate the encryption key for temporary disaster recovery files when the Cloud KMS key associated with the Google Cloud organization rotates. Existing recovery files continue to use the key version with which they were created. New recovery files use the current primary key version.
Route logs to supported destinations
If you use log sinks to route logs to a supported destination, consider the following:
Cloud Storage supports CMEK for routing logs. Use the instructions on this page to properly encrypt your data. For further details, see Using customer-managed encryption keys.
If, when routing logs data to Cloud Storage, data is lost due to key unavailability, you can retroactively copy logs in bulk to Cloud Storage. For details, see Copy log entries.
BigQuery, by default, encrypts customer content stored at rest. For details, see Protecting data with Cloud Key Management Service keys.
Pub/Sub, by default, encrypts customer content stored at rest. For details, see Configuring message encryption.
External key considerations
When you use a Cloud EKM key, Google has no control over the availability of your externally managed key in the external key-management partner system.
If an externally managed key is unavailable, Cloud Logging continues retrying to access the key and buffer the incoming log data only for up to one hour. After an hour, if Cloud Logging is still unable to access the externally managed key, Cloud Logging begins dropping the data.
See the Cloud External Key Manager documentation for more considerations, and potential alternatives, when using external keys.
Limitations
The following are known limitations of CMEK for the Log Router.
Organization-level configuration only
CMEK for the Log Router can currently only be configured for Google Cloud organizations. Once configured, CMEK propagates to all Cloud projects and folders in the Google Cloud organization.
Disaster recovery file unavailability
A Cloud KMS key is considered available and accessible by Logging if both of the following are true:
- The key is enabled.
- The Logging service account has encrypt and decrypt permissions on the key.
If Logging loses access to the Cloud KMS key, Logging is unable to write temporary disaster-recovery files and, for users, queries will stop functioning. Query performance may remain degraded even after key access is restored.
Routing logs to Cloud Storage might also be affected because the Log Router will be unable to write temporary files required to facilitate the routing. If an error is encountered while encrypting or decrypting data, then a notification is sent to the Cloud project that contains the Cloud KMS key.
Client library availability
Logging client libraries don't provide methods for configuring CMEK.
Quotas
For details on Logging usage limits, see Quotas and limits.
Troubleshoot configuration errors
The following sections describe how to find and mitigate common CMEK configuration errors.
As you configure CMEK, the Cloud project containing the Cloud KMS key is notified of related issues. As examples, updates fail if KMS_KEY_NAME is invalid, if the associated service account doesn't have the required Cloud Key Management Service CryptoKey Encrypter/Decrypter role, or if access to the key is disabled.
Identify configuration errors
To find and view the CMEK configuration errors, do the following:
Navigate to the Google Cloud console:
Select the Cloud project that contains the encryption key.
You can identify the project id by running the following command:
gcloud logging settings describe --organization=ORGANIZATION_ID
Running this command returns the following:
kmsKeyName: projects/KMS_PROJECT_ID/locations/LOCATION/keyRings/KEYRING/cryptoKeys/KEY serviceAccountId: SERVICE_ACCOUNT_ID@gcp-sa-logging.iam.gserviceaccount.com
The value of the
kmsKeyName
field includes the project ID of the key.Select the Activity tab in the Google Cloud console.
Check for Cloud Logging Cloud Logging CMEK Configuration Error notifications.
Each error notification contains steps that you can take to mitigate the issue:
Error Recommendation Cryptographic key permission denied The Logging service account associated with your Cloud project doesn't have sufficient IAM permissions to operate on the specified Cloud KMS key. Follow the instructions in the error or in Grant encryption/decryption permission to grant the proper IAM permission. Cryptographic key is disabled The specified Cloud KMS key was disabled. Follow the instructions in the error to re-enable the key. Cryptographic key was destroyed The specified Cloud KMS key was destroyed. Follow the instructions in the error or in Configure the Cloud KMS key to configure CMEK encryption with a different key.
Verify key usability
To verify the key's usability, run the following command to list all keys:
gcloud kms keys list \ --location=KMS_KEY_LOCATION \ --keyring=KMS_KEY_RING
This command returns information about each key in a tabular format. The first line of the output is a list of column names:
NAME PURPOSE ...
Verify that the Cloud KMS key is listed in the command's output as
ENABLED
, and that the purpose of the key is symmetric encryption: the
PURPOSE
column must contain ENCRYPT_DECRYPT
and the PRIMARY_STATE
column
must contain ENABLED
.
If necessary, create a new key.
Verify permissions configuration
Service accounts that are associated with the organization's CMEK settings must have the Cloud KMS CryptoKey Encrypter/Decrypter role for the configured key.
To list the key's IAM policy, run the following command:
gcloud kms keys get-iam-policy KMS_KEY_NAME
If necessary, add the service account that contains the Cloud KMS CryptoKey Encrypter/Decrypter role to the key.