View encryption metrics

Preview

This product or feature is subject to the "Pre-GA Offerings Terms" in the General Service Terms section of the Service Specific Terms. Pre-GA products and features are available "as is" and might have limited support. For more information, see the launch stage descriptions.

Cloud Key Management Service (Cloud KMS) displays metrics about the encryption keys that protect your data at rest. These metrics show how your resources are protected and whether your keys align with recommended practices. The metrics focus mostly on customer-managed encryption keys (CMEKs) used to protect resources in CMEK-integrated services. This guide shows you how to view your project's encryption metrics and helps you understand what they mean for your organization's security posture.

Important: Throughout this document, resources refers to resources in CMEK-integrated services that support key usage tracking. For example, "a key that doesn't protect any resources" is a key that isn't used as a CMEK to protect a trackable resource. Such a key might protect other data, including customer data in non-trackable resources in a CMEK-integrated service or data in a custom application.

For more information about recommended practices for using CMEKs to protect your resources in Google Cloud, see Best practices for using CMEKs.

Before you begin

  1. To get the permissions that you need to view encryption metrics, ask your administrator to grant you the Cloud KMS Viewer (roles/cloudkms.viewer) IAM role on the project or a parent resource. For more information about granting roles, see Manage access to projects, folders, and organizations.

    You might also be able to get the required permissions through custom roles or other predefined roles.

  2. Grant the Cloud KMS Organization Service Agent role to the Cloud KMS Organization Service Agent:

    # Replace ORGANIZATION_ID with your organization's numeric ID
    gcloud organizations add-iam-policy-binding ORGANIZATION_ID \
        --member=serviceAccount:service-org-ORGANIZATION_ID@gcp-sa-cloudkms.iam.gserviceaccount.com \
        --role=roles/cloudkms.orgServiceAgent

    If you skip this step, the Encryption metrics dashboard might display incomplete information. For example, when you view encryption metrics for PROJECT_A, resources in PROJECT_B that are protected by a key in PROJECT_A wouldn't be included in the metrics.

View encryption metrics

To view encryption metrics, follow these steps:

  1. In the Google Cloud console, go to the Key Management page.

  2. Click the Overview tab, and then click Encryption metrics.

  3. Use the project picker to select a project. The dashboard shows the following encryption metrics for resources and keys in that project:

View key alignment details

To view a list of keys in the project and see which recommended practices they are aligned with, follow these steps:

  1. On the Encryption metrics page, locate the Alignment to key usage recommended practices chart.

  2. Optional: To focus only on keys created by Cloud KMS Autokey, click the Cloud KMS (Autokey) tab. To focus only on keys created manually, click the Cloud KMS (Manual) tab.

  3. To view a list of keys and see whether they are aligned with each recommended practice, click the section that represents the category, and then click View.

    The Alignment to key usage recommended practices page lists Cloud KMS keys in the selected project and shows whether each is Aligned or Not aligned with each recommendation. To learn more about what it means for a key to be Aligned or Not aligned for a recommendation, see Key alignment in this document.

  4. Optional: To filter the list of keys, enter your search terms in the Filter box and then press Enter. For example, you can filter the list to only show keys that are Aligned with the Granularity recommendation.

Understand encryption metrics

The encryption metrics dashboard uses the Cloud Asset Inventory service to gather information about your resources and Cloud KMS keys. The dashboard calculates metrics on demand using the latest available data.

The dashboard shows two main categories of metrics: CMEK coverage and key alignment. Both metrics show a summary view with aggregated information and a detailed view with a tabular list of resources or keys.

CMEK coverage

CMEK coverage metrics in the Resources in this project by protection type and Resource protection type by service charts show how many of your resources are protected by CMEKs. This metric looks at resources for which CMEK integration and Cloud KMS key tracking are supported. Resources are grouped into the following categories:

  • Google Managed Encryption: resources protected by Google default encryption.
  • Cloud KMS (Manual): resources protected by a CMEK that you create and manage manually.
  • Cloud KMS (Autokey): resources protected by a CMEK provisioned and assigned by the Autokey service.

CMEK coverage metrics are shown for the project as a whole and broken down by the service associated with each of the protected resources. You can use this information to assess how many of the resources in the selected project are using Google default encryption when they could use CMEKs.

For a list of supported resource types, see Tracked resource types.

Key alignment

Key alignment metrics in the Alignment to key usage recommended practices chart show whether your Cloud KMS keys align with the following recommended security practices:

  • Rotation period: the key has an appropriate rotation period set.
  • Granularity: the key protects resources that are in one project and belong to one service.
  • Separation of duties: only service accounts have permission to encrypt and decrypt with the key.
  • Location: the key only protects resources that are in the same cloud location.

Key alignment metrics include all Cloud KMS symmetric encryption keys in the selected project, even if they aren't used to protect resources in a CMEK-integrated service. These metrics are assessed for keys, not key versions. For example, a key with no active key versions can still show as Aligned for any or all of these recommended practices.

The following sections provide more information about each of these practices.

Granularity

Key granularity refers to the scale and scope of a key's intended usage. Keys can be highly granular, protecting only a single resource, or they can be less granular, protecting many resources. Using keys that are less granular increases the potential impact of security incidents including unauthorized access and accidental data loss.

In general, we recommend the following granularity strategy:

  • Each key protects resources in a single location—for example, us-central1.
  • Each key protects resources in a single service or product—for example, BigQuery.
  • Each key protects resources in a single Google Cloud project.

This recommendation might not be the ideal granularity strategy for your organization. For most organizations, this strategy provides a good balance between the overhead of maintaining many highly granular keys and the potential risks of using less granular keys that are shared between many projects, services, or resources.

Keys created with Cloud KMS Autokey follow this recommendation.

Each key in your project is considered Aligned with this recommendation if the resources that it protects are all located within the same location, service, and project. A key is considered Not aligned with this recommendation if the resources that it protects are located in two or more locations, services, or projects.

If your keys are not aligned with this recommendation, consider whether adjusting your key granularity strategy is right for your organization. For more information about recommended practices for key granularity, see Choose a key granularity strategy.

Location

In most cases, Cloud KMS keys used with CMEK-integrated services are required to be in the exact same Google Cloud region or multi-region where the resources they protect are located. However, a few services allow exceptions to this rule.

Each key in your project is considered Aligned with this recommendation if the resources that it protects are all located within the same location as the key—for example, a key in us-central1 that protects resources in us-central1. Regional keys can protect zonal resources within the same region—for example, a key in us-central1 that protects resources in us-central1-a.

A key is considered Not aligned with this recommendation if it protects a resource in a different region or multi-region—for example, a key in the us multi-region that protects a Compute Engine disk in the us-central1 region.

If your keys are not aligned with this recommendation, consider moving or replacing your resources or keys so that they are in the same location. For more information about locations, see Cloud KMS locations.

Rotation

Rotating your keys regularly is an important aspect of information security. For example, some standards require you to rotate your keys on a certain schedule. Keys that protect sensitive workloads may need to be rotated more frequently. Cloud KMS lets you set up automatic key rotation for your keys to help ensure that your chosen schedule is followed.

Each key in your project is considered Aligned with this recommendation if it has a rotation schedule set. A key is considered Not aligned if it is not set up for automatic key rotation.

To enable automatic rotation, you can do any of the following:

Separation of duties

Separation of duties is a security practice that aims to avoid giving users or other principals too many permissions. In the context of Cloud KMS and CMEK integrations, this means that the users who maintain your Cloud KMS keys shouldn't have permissions to use those keys, and the principals that use the keys to encrypt and decrypt your resources don't have other permissions on the keys.

Each key in your project is considered Aligned with this recommendation if both of the following are true:

  • The service account for the protected resource is the only principal with the cloudkms.cryptoKeyVersions.useToEncrypt and cloudkms.cryptoKeyVersions.useToDecrypt permissions on the key.
  • The service account for the protected resource doesn't have a role that grants key administration permissions on the key, including roles/cloudkms.admin, roles/editor, and roles/owner.

A key is considered Not aligned if the service account has administration permissions or another principal has encryption or decryption permissions.

If your keys are not aligned with this recommendation, review the IAM roles and permissions on your keys and other Cloud KMS resources and remove role and permission grants that are not needed. For more information about Cloud KMS roles and the permissions that they include, see Permissions and roles. For more information about viewing and removing IAM roles on Cloud KMS resources, see Access control with IAM.
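The four alignment checks described under Granularity, Location, Rotation and Separation of duties, written out as an added example that evaluates a key against constructed inventory data. This is not code from this page or from Cloud KMS; the data classes, the mapping of predefined roles to the use permissions, and every project, service account and key value are assumptions.

```python
from __future__ import annotations
import re
from dataclasses import dataclass

# Assumed: the predefined roles that carry useToEncrypt and/or useToDecrypt.
USE_ROLES = {"roles/cloudkms.cryptoKeyEncrypterDecrypter",
             "roles/cloudkms.cryptoKeyEncrypter", "roles/cloudkms.cryptoKeyDecrypter"}
ADMIN_ROLES = {"roles/cloudkms.admin", "roles/editor", "roles/owner"}

@dataclass
class Resource:
    project: str
    service: str
    location: str         # region, multi-region or zone of the resource
    service_account: str  # identity that uses the key on the resource's behalf

@dataclass
class Key:
    location: str
    rotation_period: str | None    # e.g. "7776000s"; None when no schedule is set
    resources: list[Resource]
    bindings: dict[str, set[str]]  # principal -> roles granted on the key

def region_of(loc: str) -> str:  # zone us-central1-a -> region us-central1
    return re.sub(r"-[a-z]$", "", loc)

def alignment(key: Key) -> dict[str, bool]:
    """Aligned (True) or Not aligned (False) for each recommended practice."""
    res, sas = key.resources, {r.service_account for r in key.resources}
    users = {p for p, roles in key.bindings.items() if roles & USE_ROLES}
    return {
        "Granularity": len({(r.project, r.service, region_of(r.location)) for r in res}) <= 1,
        "Location": all(region_of(r.location) == key.location for r in res),
        "Rotation period": key.rotation_period is not None,
        # Only the resources' service accounts may use the key, and none holds an admin role.
        "Separation of duties": users <= sas
            and not any(key.bindings.get(s, set()) & ADMIN_ROLES for s in sas),
    }

def demo_keys() -> dict[str, Key]:
    """Constructed sample keys; all identifiers are hypothetical."""
    sa_a = "service-111@gs-project-accounts.iam.gserviceaccount.com"
    sa_b = "service-222@compute-system.iam.gserviceaccount.com"
    bucket = Resource("proj-a", "storage.googleapis.com", "us-central1", sa_a)
    disk = Resource("proj-b", "compute.googleapis.com", "us-central1-a", sa_b)
    return {"bucket-key": Key("us-central1", "7776000s", [bucket],
                              {sa_a: {"roles/cloudkms.cryptoKeyEncrypterDecrypter"}}),
            "shared-key": Key("us", None, [bucket, disk],
                              {sa_a: {"roles/cloudkms.cryptoKeyEncrypterDecrypter", "roles/cloudkms.admin"},
                               "user:alice@example.com": {"roles/cloudkms.cryptoKeyDecrypter"}})}
```

`alignment(demo_keys()["shared-key"])` reports Not aligned on all four practices: two projects and services, a multi-region key protecting regional resources, no rotation schedule, and both an admin role on the service account and a user with decrypt permission.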

Limitations

The Encryption metrics dashboard has the following limitations:

  • The dashboard shows metrics for one project at a time.
  • The dashboard has a limit of 10,000 resources or keys per project. If your project contains more than 10,000 keys or if the keys in your project protect more than 10,000 resources, only partial metrics are shown.
  • The dashboard relies on data from the Cloud Asset Inventory service. If any of the data in the Cloud Asset Inventory is out of date, the dashboard may show inaccurate or incomplete information.
  • The dashboard only considers symmetric keys for key alignment and CMEK coverage.
  • The dashboard only considers resources that support key usage tracking.
  • The key alignment metrics don't distinguish between keys that are in active use as CMEKs protecting trackable resources, keys that are in active use for other use cases, and keys that have no active key versions. For example, your key alignment data might include keys that are used for custom applications.
  • When key alignment data includes keys that protect non-trackable resources and custom applications, alignment details for these keys might not be accurate. For example, a key that is used in multiple custom applications across multiple projects might show as Aligned with the key granularity recommendations even though it isn't.

What's next

Except as otherwise noted, the content of this page is licensed under the Creative Commons Attribution 4.0 License, and code samples are licensed under the Apache 2.0 License. For details, see the Google Developers Site Policies. Java is a registered trademark of Oracle and/or its affiliates.

Last updated 2026-02-18 UTC.