Using Cloud Monitoring with Cloud KMS

Cloud Monitoring can be used to monitor operations performed on resources in Cloud Key Management Service.

This topic provides:

  • an example for monitoring when a key version is scheduled for destruction
  • information about monitoring other Cloud KMS resources and operations

Before you begin

If you haven't already done so, set up a Google Cloud project that has the Cloud Key Management Service API enabled. These steps are documented in the Cloud KMS Quickstart.

Create a counter metric

Use the gcloud logging metrics create command to create a counter metric that counts every occurrence of a key version being scheduled for destruction. The filter matches the Admin Activity audit log entry written for each DestroyCryptoKeyVersion call on a key version in the project:

gcloud logging metrics create key_version_destruction \
  --description "Key version scheduled for destruction" \
  --log-filter "resource.type=cloudkms_cryptokeyversion \
  AND protoPayload.methodName=DestroyCryptoKeyVersion"

You can list your counter metrics using the gcloud logging metrics list command:

gcloud logging metrics list

A logs-based metric only counts entries in the project (or log bucket) where it is defined, so repeat this step in every project whose keys you want to monitor. For more information about creating a counter metric, including via the Google Cloud console and the Monitoring API, see Creating a counter metric.

Create an alerting policy

You can create alerting policies to monitor the values of metrics and to notify you when those metrics violate a condition.

  1. In the Google Cloud console, go to the Alerting page:

    Go to Alerting

    If you use the search bar to find this page, then select the result whose subheading is Monitoring.

  2. If you haven't created your notification channels and if you want to be notified, then click Edit Notification Channels and add your notification channels. Return to the Alerting page after you add your channels.
  3. From the Alerting page, select Create policy.
  4. To select the metric, expand the Select a metric menu and then do the following:
    1. To limit the menu to relevant entries, enter key_version into the filter bar. If there are no results after you filter the menu, then disable the Show only active resources & metrics toggle.
    2. For the Resource type, select Global.
    3. For the Metric category, select Logs-Based Metric.
    4. For the Metric, select logging/user/key_version_destruction.
    5. Select Apply.
  5. ClickNext.
  6. The settings in the Configure alert trigger page determine when the alert is triggered. Complete this page with the settings in the following table.

     Configure alert trigger page

     Field                              Value
     Alert trigger                      Any time series violates
     Threshold position                 Above threshold
     Threshold value                    0
     Advanced Options: Retest window    No retest
  7. ClickNext.
  8. Optional: To add notifications to your alerting policy, click Notification channels. In the dialog, select one or more notification channels from the menu, and then click OK.
  9. Optional: Update the Incident autoclose duration. This field determines when Monitoring closes incidents in the absence of metric data.
  10. Optional: Click Documentation, and then add any information that you want included in a notification message.
  11. Click Alert name and enter a name for the alerting policy.
  12. Click Create Policy.
For more information, see Alerting overview.

To test your new notification, schedule a key version for destruction (for example with gcloud kms keys versions destroy) and then check your email to see if the notification was sent.

This alert is triggered each time a key version is scheduled for destruction. Note that the alert resolves automatically (even though the key version remains scheduled for destruction): the counter metric counts DestroyCryptoKeyVersion entries per interval, so once the interval containing the call has passed the metric has no value above 0 and the condition is no longer met. You therefore receive two email notifications, one for the scheduled destruction and one for the alert being resolved.
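The following is an added example, not code from the page or from Google: it writes the policy the console steps above produce as a Monitoring API AlertPolicy body, and models, in simplified form, why the incident opens and then resolves on its own. Field names follow the AlertPolicy resource as the author knows it and should be checked against your SDK version; the treatment of periods with no metric data as "condition not met" is the assumed default for a metric-threshold condition, and the per-minute counts are constructed.

```python
import json

# Metric type that Cloud Monitoring assigns to a user-defined logs-based
# metric: "logging.googleapis.com/user/" followed by the metric's name.
METRIC_TYPE = "logging.googleapis.com/user/key_version_destruction"


def alert_policy_body(display_name="Key version scheduled for destruction",
                      notification_channels=(), documentation=""):
    """Return the policy configured in the console steps, in the shape of the
    Monitoring API AlertPolicy resource (field names assumed from the API)."""
    return {
        "displayName": display_name,
        "combiner": "OR",
        "conditions": [{
            "displayName": "key_version_destruction above 0",
            "conditionThreshold": {
                # Resource type "Global" plus the logs-based metric chosen in step 4.
                "filter": f'metric.type="{METRIC_TYPE}" AND resource.type="global"',
                "comparison": "COMPARISON_GT",   # Threshold position: Above threshold
                "thresholdValue": 0,             # Threshold value: 0
                "duration": "0s",                # Retest window: No retest
                "trigger": {"count": 1},         # Alert trigger: Any time series violates
            },
        }],
        "notificationChannels": list(notification_channels),
        "documentation": {"content": documentation, "mimeType": "text/markdown"},
    }


def evaluate_alert(counts_per_minute, threshold=0, missing_data_is_inactive=True):
    """Simplified incident model for the condition above.

    counts_per_minute[i] is the counter value in minute i, or None when no
    log entry matched and the metric therefore has no data point. With
    missing_data_is_inactive=True (assumed default) a period without data
    counts as "condition not met", which is why the incident resolves even
    though the key version is still scheduled for destruction.
    Returns the notifications that would be sent as (minute, kind) tuples.
    """
    notifications = []
    incident_open = False
    for minute, count in enumerate(counts_per_minute):
        if count is None:
            violating = False if missing_data_is_inactive else incident_open
        else:
            violating = count > threshold
        if violating and not incident_open:
            incident_open = True
            notifications.append((minute, "OPEN"))
        elif not violating and incident_open:
            incident_open = False
            notifications.append((minute, "RESOLVED"))
    return notifications


if __name__ == "__main__":
    channel = "projects/example-project/notificationChannels/123"  # constructed
    print(json.dumps(alert_policy_body(notification_channels=[channel]), indent=2))
    # One DestroyCryptoKeyVersion call in minute 2 and nothing else: two notifications.
    print(evaluate_alert([None, None, 1, None, None]))
```

Written to a file, the body can be created with gcloud alpha monitoring policies create --policy-from-file (an alpha command at the time of writing); if you want the incident to stay open until someone restores the key version or the autoclose duration elapses, that is the missing-data setting to change, not the threshold.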

For more information about alert policies, see Introduction to alerting. To learn how to turn on, turn off, edit, copy, or delete an alert policy, see Managing policies.

For information about different types of notifications, seeNotification options.

Note: If you only want to test a notification for scheduling destruction of a key version, but you do not want it actually destroyed, restore the key version that you scheduled for destruction (for example with gcloud kms keys versions restore). The restore is itself an administrator activity and is logged as RestoreCryptoKeyVersion, but it does not match the metric's filter and so does not trigger the alert.

Monitoring administrative activities vs. data access

The scheduled destruction of a key version is an administrator activity. Administrator activities are logged automatically. If you want to create an alert for data access of a Cloud KMS resource, for example to monitor when a key is used for encryption or decryption, you need to enable Data Access logs for Cloud KMS and then create a counter metric and alert policy as described in this topic, with a filter that matches the relevant method (such as Decrypt) instead of DestroyCryptoKeyVersion. Data Access logs for Cloud KMS can be high-volume, since every cryptographic call produces an entry, so restrict the metric's filter to the keys you care about.

For more information about logging of Cloud KMS administrative activities and data access, see Using Cloud Audit Logs with Cloud KMS.
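The following added example (not code from the page or from Google) checks the filter of the key_version_destruction metric offline against constructed audit-log entries, and models the distinction just described: Admin Activity entries are always present, Data Access entries only once Data Access logs are enabled. The entries, project, key and principal names are constructed to mirror the AuditLog export layout and are not real log data; the filter parser handles only the AND-joined field=value form used on this page.

```python
import json

# Constructed sample audit-log entries (not real log data). logName says which
# audit log the entry was written to, resource.type/labels identify the KMS
# resource, and protoPayload.methodName is the API method that was called.
ACTIVITY_LOG = "projects/example-project/logs/cloudaudit.googleapis.com%2Factivity"
DATA_ACCESS_LOG = "projects/example-project/logs/cloudaudit.googleapis.com%2Fdata_access"
KEY = "projects/example-project/locations/us-east1/keyRings/example-ring/cryptoKeys/example-key"
KEY_LABELS = {"location": "us-east1", "key_ring_id": "example-ring", "crypto_key_id": "example-key"}

SAMPLE_LOG_LINES = [json.dumps(e) for e in (
    {   # The event the page's metric is meant to catch.
        "logName": ACTIVITY_LOG,
        "resource": {"type": "cloudkms_cryptokeyversion",
                     "labels": {**KEY_LABELS, "crypto_key_version_id": "3"}},
        "protoPayload": {"methodName": "DestroyCryptoKeyVersion",
                         "resourceName": KEY + "/cryptoKeyVersions/3",
                         "authenticationInfo": {"principalEmail": "alice@example.com"}},
    },
    {   # Also Admin Activity, same resource type, different method: must not count.
        "logName": ACTIVITY_LOG,
        "resource": {"type": "cloudkms_cryptokeyversion",
                     "labels": {**KEY_LABELS, "crypto_key_version_id": "3"}},
        "protoPayload": {"methodName": "RestoreCryptoKeyVersion",
                         "resourceName": KEY + "/cryptoKeyVersions/3",
                         "authenticationInfo": {"principalEmail": "alice@example.com"}},
    },
    {   # Key use is Data Access: this entry exists only if Data Access logs are on.
        "logName": DATA_ACCESS_LOG,
        "resource": {"type": "cloudkms_cryptokey", "labels": KEY_LABELS},
        "protoPayload": {"methodName": "Decrypt", "resourceName": KEY,
                         "authenticationInfo": {"principalEmail": "app-sa@example-project.iam.gserviceaccount.com"}},
    },
    {   # Unrelated service: must not count.
        "logName": ACTIVITY_LOG,
        "resource": {"type": "gce_instance", "labels": {"instance_id": "1"}},
        "protoPayload": {"methodName": "v1.compute.instances.delete",
                         "authenticationInfo": {"principalEmail": "bob@example.com"}},
    },
)]

# The filter from the gcloud command on this page, and a Data Access one for key use.
DESTRUCTION_FILTER = ("resource.type=cloudkms_cryptokeyversion "
                      "AND protoPayload.methodName=DestroyCryptoKeyVersion")
DECRYPT_FILTER = "resource.type=cloudkms_cryptokey AND protoPayload.methodName=Decrypt"


def parse_filter(text):
    """Parse the subset of the Logging query language used on this page:
    `field=value` terms joined by AND (values may be double-quoted)."""
    terms = []
    for clause in text.split(" AND "):
        path, sep, value = clause.strip().partition("=")
        if not sep:
            raise ValueError(f"unsupported clause: {clause!r}")
        terms.append((path.strip(), value.strip().strip('"')))
    return terms


def lookup(entry, path):
    """Resolve a dotted field path such as protoPayload.methodName."""
    node = entry
    for part in path.split("."):
        if not isinstance(node, dict) or part not in node:
            return None
        node = node[part]
    return node


def visible_entries(log_lines, data_access_logs_enabled):
    """Admin Activity entries are always written; Data Access entries are only
    written (and therefore only countable) once Data Access logs are enabled."""
    entries = [json.loads(line) for line in log_lines]
    if data_access_logs_enabled:
        return entries
    return [e for e in entries if not e["logName"].endswith("%2Fdata_access")]


def count_metric(log_lines, filter_text, data_access_logs_enabled=False):
    """Count entries the way the counter metric would, returning the count and
    (principal, resource) for each hit so an alert can be triaged."""
    terms = parse_filter(filter_text)
    hits = [(lookup(e, "protoPayload.authenticationInfo.principalEmail"),
             lookup(e, "protoPayload.resourceName"))
            for e in visible_entries(log_lines, data_access_logs_enabled)
            if all(lookup(e, path) == value for path, value in terms)]
    return len(hits), hits


if __name__ == "__main__":
    print(count_metric(SAMPLE_LOG_LINES, DESTRUCTION_FILTER))
    print(count_metric(SAMPLE_LOG_LINES, DECRYPT_FILTER))
    print(count_metric(SAMPLE_LOG_LINES, DECRYPT_FILTER, data_access_logs_enabled=True))
```

Run as a script it reports one hit for the destruction filter (with the principal and key version to put in the notification), no Decrypt hits while Data Access logs are off, and one once they are on. Restoring the version does not count against the destruction metric, which is why the restore described in the note above does not re-trigger the alert.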

Rate quota metrics

Cloud KMS supports the following rate quota metrics:

  • cloudkms.googleapis.com/crypto_requests
  • cloudkms.googleapis.com/external_kms_requests
  • cloudkms.googleapis.com/hsm_asymmetric_requests
  • cloudkms.googleapis.com/hsm_symmetric_requests
  • cloudkms.googleapis.com/read_requests
  • cloudkms.googleapis.com/write_requests

For information about monitoring these quotas using Cloud Monitoring, see Set up quota alerts and monitoring.

Except as otherwise noted, the content of this page is licensed under the Creative Commons Attribution 4.0 License, and code samples are licensed under the Apache 2.0 License. For details, see the Google Developers Site Policies. Java is a registered trademark of Oracle and/or its affiliates.

Last updated 2026-02-19 UTC.