[[["易于理解","easyToUnderstand","thumb-up"],["解决了我的问题","solvedMyProblem","thumb-up"],["其他","otherUp","thumb-up"]],[["很难理解","hardToUnderstand","thumb-down"],["信息或示例代码不正确","incorrectInformationOrSampleCode","thumb-down"],["没有我需要的信息/示例","missingTheInformationSamplesINeed","thumb-down"],["翻译问题","translationIssue","thumb-down"],["其他","otherDown","thumb-down"]],["最后更新时间 (UTC):2025-08-18。"],[[["\u003cp\u003eKey Access Justifications provides control over access to at-rest Customer Data encrypted by customer-managed keys, allowing you to view, approve, or deny key access requests based on provided justification codes.\u003c/p\u003e\n"],["\u003cp\u003eGoogle personnel may require access to encryption keys for reasons such as data backup, support request resolution, system troubleshooting, ensuring data integrity, compliance, and maintaining system reliability.\u003c/p\u003e\n"],["\u003cp\u003eKey Access Justifications works with Cloud EKM, Cloud HSM, and Cloud KMS software keys and provides a reason each time these keys are accessed, for both service-based access and direct API access.\u003c/p\u003e\n"],["\u003cp\u003eKey Access Justifications is enabled by default when you create a new Assured Workloads folder with a control package that includes it, but can take up to 24 hours to enable with external key managers.\u003c/p\u003e\n"],["\u003cp\u003eKey Access Justifications applies to operations on encrypted data and the transition from data-at-rest to data-in-use, and it integrates with Access Approval, ensuring that key access is justified and authorized for signed access approval requests.\u003c/p\u003e\n"]]],[],null,["# Overview of Key Access Justifications\n=====================================\n\nThis page provides an overview of Key Access Justifications. Key Access Justifications is a part of\nGoogle's long-term commitment to transparency, user trust, and customer\nownership of their data. Key Access Justifications directs Google systems to generate access\n[justification codes](/assured-workloads/key-access-justifications/docs/justification-codes)\nfor each cryptographic operation involving enrolled Cloud Key Management Service\n(Cloud KMS) keys.\n\nKey Access Justifications works alongside\n[Access Approval](/assured-workloads/access-approval/docs/overview)\nand [Access Transparency](/assured-workloads/access-transparency/docs/overview) in the\nfollowing way: Access Approval lets you authorize requests from Google\npersonnel to access [Customer Data](/terms/data-processing-addendum),\nAccess Transparency helps you discover information about when Customer Data is\naccessed, and Key Access Justifications provides key access control for all interactions with\nat-rest Customer Data that is encrypted by a customer-managed key. Together,\neach of these products provide access management capabilities that give you\ncontrol over and context for administrative requests to access Customer Data.\n\nOverview\n--------\n\nKey Access Justifications lets you set a policy on Cloud Key Management Service (Cloud KMS) keys to\nview, approve, and deny key access requests depending on the provided\n[justification code](/assured-workloads/key-access-justifications/docs/justification-codes).\nFor select external key management partners, you can configure Key Access Justifications\npolicies outside of Google Cloud to be exclusively enforced by the external key\nmanager rather than by Cloud KMS.\n\nDepending on the\n[Assured Workloads control package](/assured-workloads/docs/control-packages)\nyou choose, the following Key Access Justifications features are available:\n\n- For select [regional control packages](/assured-workloads/docs/control-packages#regional-controls), *Key Access Transparency* logs these justification codes in your Cloud KMS [audit logs](/kms/docs/audit-logging).\n- For select regional, [regulatory](/assured-workloads/docs/control-packages#regulatory-controls), or [sovereign](/assured-workloads/docs/control-packages#sovereign-controls) control packages, Key Access Justifications lets you set a policy on your keys to approve or deny key access requests depending on the provided justification code. Some regional data boundaries provide this feature in addition to Key Access Transparency.\n- For select sovereign control packages, you can use a supported external key management partners to configure Key Access Justifications policies outside of Google Cloud. These policies are exclusively enforced by the external key manager rather than by Cloud KMS.\n\nIn addition to these features, the Assured Workloads control package\nyou choose will also determine which of the following Cloud KMS key\ntypes are available:\n\n- [Cloud EKM keys](/kms/docs/ekm#overview)\n- [Cloud HSM keys](/assured-workloads/key-access-justifications/docs/configure-kaj)\n- [Cloud KMS software keys](/assured-workloads/key-access-justifications/docs/configure-kaj)\n\nHow encryption at rest works\n----------------------------\n\nGoogle Cloud encryption at rest works by encrypting your data stored on\nGoogle Cloud with an encryption key that lives outside the service where the\ndata is stored. For example, if you encrypt data in Cloud Storage, the\nservice only stores the encrypted information you have stored, whereas the key\nused to encrypt that data is stored in Cloud KMS (if you are using\ncustomer-managed encryption keys (CMEK)) or in your external key manager (if you\nare using Cloud EKM).\n\nWhen you use a Google Cloud service, you want your applications to\ncontinue working as described, and this will require your data to be decrypted.\nFor example, if you run a query using BigQuery, the BigQuery\nservice needs to decrypt your data to be able to analyze it. BigQuery\naccomplishes this by making a decryption request to the key manager to get the\nrequired data.\n\nWhy would my keys be accessed?\n------------------------------\n\nYour encryption keys are most often accessed by automated systems while\nservicing your own requests and workloads on Google Cloud.\n\nIn addition to customer-initiated accesses and automated system accesses, a\nGoogle employee might need to initiate operations which use your encryption keys\nfor the following reasons:\n\n- **Back up your data**: Google might need to access your encryption keys to\n back up your data for disaster recovery reasons.\n\n- **Resolve a support request**: A Google employee might need to decrypt your\n data to fulfill the contractual obligation of providing support.\n\n- **Manage and troubleshoot systems**: Google personnel can initiate operations\n which use your encryption keys to perform technical debugging needed for a\n complex support request or investigation. Access might also be needed to\n remediate storage failure or data corruption.\n\n- **Ensure data integrity and compliance, and protect against fraud and abuse**:\n Google might need to decrypt data for the following reasons:\n\n - To ensure the safety and security of your data and accounts.\n - To make sure that you are using Google services in compliance with the [Google Cloud Terms of Service](/terms).\n - To investigate complaints by other users and customers, or other signals of abusive activity.\n - To verify that Google Cloud services are being used in accordance with applicable regulatory requirements, such as anti-money laundering regulations.\n- **Maintain system reliability**: Google personnel can request access to\n investigate that a suspected service outage doesn't affect you. Also, access\n might be requested to ensure backup and recovery from outages or system\n failures.\n\nFor the list of justification codes, see\n[justification reason codes for Key Access Justifications](/assured-workloads/key-access-justifications/docs/justification-codes).\n\nManaging access to your keys\n----------------------------\n\nKey Access Justifications provides a reason every time your Cloud KMS-managed keys\nor externally managed keys are accessed. When your key is used for any\ncryptographic operation, you receive a justification for both service-based\naccess (for supported services) and direct API access.\n\nAfter your key projects are enrolled in Key Access Justifications, you immediately begin\nreceiving justifications for every key access for new keys. For previously\nexisting keys, you will begin receiving justifications for every key access\nwithin 24 hours.\n\nEnabling Key Access Justifications\n----------------------------------\n\nKey Access Justifications can only be used with Assured Workloads, and is enabled by\ndefault when you create a new Assured Workloads folder configured for\na control package that includes Key Access Justifications. See the\n[Assured Workloads overview](/assured-workloads/docs/overview) for more\ninformation.\n| **Note:** It can take up to 24 hours to enable Key Access Justifications with external key managers after you've created your Assured Workloads folder. Therefore, we recommend that you don't reject key access requests in production environments during this time. There is no delay when using non-external Cloud KMS keys.\n\nKey Access Justifications exclusions\n------------------------------------\n\nKey Access Justifications only applies to the following situations:\n\n- **Operations on encrypted data**: For the fields within a given service that are encrypted by a customer-managed key, refer to the service's documentation.\n- **The transition from data-at-rest to data-in-use**: While Google continues to apply protections to your data-in-use, Key Access Justifications only governs the transition from data-at-rest to data-in-use.\n\nThe following Compute Engine and Persistent Disk features are exempted when used\nwith CMEK:\n\n- [Local SSDs](/compute/docs/disks#localssds)\n- [Automatic restart](/compute/docs/instances/setting-vm-host-options)\n- [Machine image operations](/compute/docs/machine-images/create-machine-images)\n\nKey Access Justifications with Access Approval\n----------------------------------------------\n\nFor workloads with Access Approval enabled with a custom signing key,\nKey Access Justifications will also apply to processing signed access approval requests.\nAccess Approval requests can only be processed if the associated\njustification for the key access associated is also permitted by the key's\nKey Access Justifications policy. When a customer signs an Access Approval request,\nthe associated justification is reflected in the signing request for the\napproval.\n\nAll Customer Data accesses that occur from an approved, signed access approval\nrequest will appear in Access Transparency logs linked to the approval request.\n\nWhat's next\n-----------\n\n- See [which services](/assured-workloads/docs/supported-products) are supported by Assured Workloads for [Sovereign Controls for EU](/assured-workloads/docs/control-packages#eu-sovereignty-controls) and the [list of additional KAJ-supported services](/assured-workloads/key-access-justifications/docs/supported-services).\n- Read how to [view and act on justifications](/assured-workloads/key-access-justifications/docs/view-justifications).\n- Read where you can [get support for Key Access Justifications](/assured-workloads/key-access-justifications/docs/getting-support).\n- Learn [what an Access Approval request looks like](/assured-workloads/access-approval/docs/approval-request-details).\n- Learn about the [core principles upon which controls that prevent unauthorized administrative access are based](/assured-workloads/cloud-provider-access-management/docs/administrative-access)."]]