Cloud Monitoring can be used to monitor operations performed on resources in Cloud Key Management Service.
This topic provides:
- an example for monitoring when a key version is scheduled for destruction
- information about monitoring other Cloud KMS resources and operations
Before you begin
If you haven't already done so, set up a Google Cloud project that has the Cloud Key Management Service API enabled. These steps are documented in the Cloud KMS Quickstart.
Create a counter metric
Use the gcloud logging metrics create command to create a counter metric that counts every occurrence of a key version being scheduled for destruction:
gcloud logging metrics create key_version_destruction \
    --description "Key version scheduled for destruction" \
    --log-filter "resource.type=cloudkms_cryptokeyversion \
    AND protoPayload.methodName=DestroyCryptoKeyVersion"
You can list your counter metrics using the gcloud logging metrics list command:
gcloud logging metrics list
For more information about creating a counter metric, including via the Google Cloud console and the Monitoring API, see Creating a counter metric.
Create an alerting policy
You can create alerting policies to monitor the values of metrics and to notify you when those metrics violate a condition.
- In the Google Cloud console, go to the Alerting page. If you use the search bar to find this page, then select the result whose subheading is Monitoring.
- If you haven't created your notification channels and if you want to be notified, then click Edit Notification Channels and add your notification channels. Return to the Alerting page after you add your channels.
- From the Alerting page, select Create policy.
- To select the metric, expand the Select a metric menu and then do the following:
- To limit the menu to relevant entries, enter key_version into the filter bar. If there are no results after you filter the menu, then disable the Show only active resources & metrics toggle.
- For the Resource type, select Global.
- For the Metric category, select Logs-Based Metric.
- For the Metric, select logging/user/key_version_destruction.
- Select Apply.
- Click Next.
- The settings in the Configure alert trigger page determine when the alert is triggered. Complete this page with the settings in the following table.
Configure alert trigger page
Field                             Value
Alert trigger                     Any time series violates
Threshold position                Above threshold
Threshold value                   0
Advanced Options: Retest window   No retest
- Click Next.
- Optional: To add notifications to your alerting policy, click Notification channels. In the dialog, select one or more notification channels from the menu, and then click OK.
- Optional: Update the Incident autoclose duration. This field determines when Monitoring closes incidents in the absence of metric data.
- Optional: Click Documentation, and then add any information that you want included in a notification message.
- Click Alert name and enter a name for the alerting policy.
- Click Create Policy.
To test your new notification, schedule a key version for destruction and then check your email to see if the notification was sent.
This alert is triggered each time a key version is scheduled for destruction. Note that the alert is resolved automatically (even though the key version remains scheduled for destruction), so you receive two email notifications: one when the destruction is scheduled and one when the alert is resolved.
For more information about alert policies, see Introduction to alerting. To learn how to turn on, turn off, edit, copy, or delete an alert policy, see Managing policies.
For information about different types of notifications, see Notification options.
Monitoring administrative activities vs. data access
The scheduled destruction of a key version is an administrator activity, and administrator activities are logged automatically. If you want to create an alert for data access of a Cloud KMS resource, for example to monitor when a key is used for encryption, you must first enable Data Access logs and then create an alert policy as described in this topic.
For more information about logging of Cloud KMS administrative activities and data access, see Using Cloud Audit Logs with Cloud KMS.
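As an added example (not part of this documentation page), the following Python evaluates the log filter from the counter metric above against constructed audit log entries, and shows why a filter on Encrypt counts nothing unless Data Access logs are enabled. The entries, the project name and the helper names are assumptions, not real log records.

```python
# Added example: a tiny evaluator for the subset of the Logging query
# language used by the counter metric on this page (a conjunction of
# field=value terms), run over constructed Cloud Audit Log entries.
# The entries are hand-written samples shaped like LogEntry JSON, not real logs.

LOG_FILTER = ("resource.type=cloudkms_cryptokeyversion "
              "AND protoPayload.methodName=DestroyCryptoKeyVersion")
ENCRYPT_FILTER = "resource.type=cloudkms_cryptokey AND protoPayload.methodName=Encrypt"
ACTIVITY_LOG = "projects/example-project/logs/cloudaudit.googleapis.com%2Factivity"
DATA_ACCESS_LOG = "projects/example-project/logs/cloudaudit.googleapis.com%2Fdata_access"

def entry(log_name, resource_type, method):
    """Build a constructed LogEntry-shaped dict with only the fields the filter reads."""
    return {"logName": log_name, "resource": {"type": resource_type},
            "protoPayload": {"methodName": method}}

SAMPLE_ENTRIES = [
    entry(ACTIVITY_LOG, "cloudkms_cryptokeyversion", "DestroyCryptoKeyVersion"),
    entry(ACTIVITY_LOG, "cloudkms_cryptokeyversion", "RestoreCryptoKeyVersion"),
    entry(DATA_ACCESS_LOG, "cloudkms_cryptokey", "Encrypt"),
    entry(ACTIVITY_LOG, "cloudkms_cryptokeyversion", "DestroyCryptoKeyVersion"),
]

def parse_filter(expr):
    """Split 'a.b=x AND c=y' into [('a.b', 'x'), ('c', 'y')]; quoted values are tolerated."""
    terms = []
    for clause in expr.split(" AND "):
        field, sep, value = clause.strip().partition("=")
        if not sep or not field.strip():
            raise ValueError(f"unsupported clause: {clause!r}")
        terms.append((field.strip(), value.strip().strip('"')))
    return terms

def get_field(record, dotted):
    """Walk a dotted path such as protoPayload.methodName; None if any part is absent."""
    for part in dotted.split("."):
        if not isinstance(record, dict) or part not in record:
            return None
        record = record[part]
    return record

def count_matches(entries, log_filter):
    """Number of entries a counter metric with this log filter would count."""
    terms = parse_filter(log_filter)
    return sum(1 for e in entries if all(get_field(e, f) == v for f, v in terms))

def admin_activity_only(entries):
    """What Logging retains when Data Access logs are not enabled for Cloud KMS."""
    return [e for e in entries if e["logName"].endswith("%2Factivity")]
```

Running count_matches over the full sample set returns 2 for the destruction filter, while the Encrypt filter returns 1 only because a Data Access entry is present and 0 once admin_activity_only removes it.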
Rate quota metrics
Cloud KMS supports the following rate quota metrics:
cloudkms.googleapis.com/crypto_requests
cloudkms.googleapis.com/external_kms_requests
cloudkms.googleapis.com/hsm_asymmetric_requests
cloudkms.googleapis.com/hsm_symmetric_requests
cloudkms.googleapis.com/read_requests
cloudkms.googleapis.com/write_requests
For information about monitoring these quotas using Cloud Monitoring, see Monitoring quota metrics.