This document provides instructions for configuring customer-managed encryption keys (CMEK) for logs stored in log buckets. This document also describes how to manage those keys, and limitations associated with using CMEK.
You can configure CMEK as a default resource setting for an organization or a folder. When configured, Cloud Logging ensures that all new log buckets in the organization or folder are encrypted with a customer-managed key. If you don't supply a key when you create the log bucket, then the default key is used. For more information, see Configure CMEK for Cloud Logging.
Overview
By default, Cloud Logging encrypts customer content at rest. Logging handles encryption for you without any additional actions on your part. This option is called Google default encryption.
If you want to control your encryption keys, then you can use customer-managed encryption keys (CMEKs) in Cloud KMS with CMEK-integrated services including Logging. Using Cloud KMS keys gives you control over their protection level, location, rotation schedule, usage and access permissions, and cryptographic boundaries. Using Cloud KMS also lets you view audit logs and control key lifecycles. Instead of Google owning and managing the symmetric key encryption keys (KEKs) that protect your data, you control and manage these keys in Cloud KMS.
After you set up your resources with CMEKs, the experience of accessing your Logging resources is similar to using Google default encryption. For more information about your encryption options, see Customer-managed encryption keys (CMEK).
Note: After a log bucket is created, you can't reconfigure the log bucket to change or remove CMEK.
Prerequisites
Complete the following steps:
There are some limitations when using CMEK. Before you create a log bucket with CMEK enabled, review the Limitations.
In the Google Cloud console, activate Cloud Shell.
At the bottom of the Google Cloud console, a Cloud Shell session starts and displays a command-line prompt. Cloud Shell is a shell environment with the Google Cloud CLI already installed and with values already set for your current project. It can take a few seconds for the session to initialize.
Configure the Google Cloud project where you plan to create your keys:
To get the permissions that you need to create keys, ask your administrator to grant you the Cloud KMS Admin (roles/cloudkms.admin) IAM role on the project or a parent resource. For more information about granting roles, see Manage access to projects, folders, and organizations.
You might also be able to get the required permissions through custom roles or other predefined roles.
Cloud Logging lets you use a key from any region. However, when you create a log bucket, the location of the log bucket must match the location of the key. For information about supported regions, see the following:
You can't enable CMEK for log buckets created in the global region.
Ensure that you have the following Cloud Logging permissions on the Google Cloud project where you plan to create log buckets:
logging.settings.get
logging.buckets.get
logging.buckets.list
logging.buckets.create
logging.buckets.update
After you've completed the prerequisite steps, follow these instructions to enable CMEK for an individual log bucket.
Determine the service account ID
To determine the service account ID associated with the Google Cloud resource for which CMEK will apply, do the following:
Run the following gcloud logging settings describe command:
gcloud logging settings describe --project=BUCKET_PROJECT_ID
Before running the previous command, make the following replacement:
The previous command generates a service account for the specified resource, when one doesn't exist already, and it returns the ID of that service account in the kmsServiceAccountId field:
kmsServiceAccountId: KMS_SERVICE_ACCT_NAME@gcp-sa-logging.iam.gserviceaccount.com
loggingServiceAccountId: SERVICE_ACCT_NAME@gcp-sa-logging.iam.gserviceaccount.com
name: projects/BUCKET_PROJECT_ID/settings
The kmsServiceAccountId field lists the service account that is used by Cloud Logging to call Cloud Key Management Service.
If the KMS_SERVICE_ACCT_NAME field has the format of cmek-pPROJECT_NUMBER, and if you are using VPC Service Controls or if you enable domain restricted sharing, then determine whether you need to migrate your CMEK service account. For information about when you need to migrate and the steps to perform the migration, see Troubleshoot VPC Service Controls and domain restricted sharing.
When you're configuring CMEK at the log bucket level, give the service account permission to use your Cloud KMS key by assigning the Cloud KMS CryptoKey Encrypter/Decrypter role to the service account identified by the kmsServiceAccountId field:
gcloud kms keys add-iam-policy-binding \
    --project=KMS_PROJECT_ID \
    --member serviceAccount:KMS_SERVICE_ACCT_NAME@gcp-sa-logging.iam.gserviceaccount.com \
    --role roles/cloudkms.cryptoKeyEncrypterDecrypter \
    --location=KMS_KEY_LOCATION \
    --keyring=KMS_KEY_RING \
    KMS_KEY_NAME
Before running the previous command, make the following replacements:
KMS_SERVICE_ACCT_NAME: the value of the kmsServiceAccountId field of the response of the gcloud logging settings describe command.
KMS_KEY_NAME: the full resource name of the key, in the format projects/KMS_PROJECT_ID/locations/LOCATION/keyRings/KMS_KEY_RING/cryptoKeys/KEY.
To create a log bucket and enable CMEK for the log bucket, run the following gcloud logging buckets create command:
gcloud logging buckets create BUCKET_ID \
    --location=LOCATION \
    --cmek-kms-key-name=KMS_KEY_NAME \
    --project=BUCKET_PROJECT_ID
Before running the previous command, make the following replacements:
KMS_KEY_NAME: the full resource name of the key, in the format projects/KMS_PROJECT_ID/locations/LOCATION/keyRings/KMS_KEY_RING/cryptoKeys/KEY.
To verify that you've successfully created a log bucket with CMEK enabled, run the following gcloud logging buckets list command:
gcloud logging buckets list --project=BUCKET_PROJECT_ID
Before running the previous command, make the following replacement:
In the tabular output, you see a column labeled CMEK. If the value of the CMEK column is TRUE, then CMEK is enabled for the log bucket.
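The procedure above has two points where a wrong value is expensive to discover late: the key's location must match the bucket's location (and must not be global), and CMEK can't be changed once the bucket exists, so the CMEK column in the list output is the place to confirm the result. The following script is an added example, not from the Cloud Logging documentation: it checks the key resource name and location before calling gcloud logging buckets create, and reads the CMEK column from constructed sample list output. Function names and the sample output are my own assumptions.

```shell
#!/bin/sh
# Added example (not from the Cloud Logging docs). Function names are assumed.

# Extract LOCATION from a full Cloud KMS key resource name of the form
# projects/KMS_PROJECT_ID/locations/LOCATION/keyRings/KMS_KEY_RING/cryptoKeys/KEY.
# Fails (status 1) if the name is not in that format.
kms_key_location() {
  loc=$(printf '%s\n' "$1" | sed -n \
    's#^projects/[^/]*/locations/\([^/]*\)/keyRings/[^/]*/cryptoKeys/[^/]*$#\1#p')
  [ -n "$loc" ] || return 1
  printf '%s\n' "$loc"
}

# CMEK is only allowed when the bucket is not in the global region and the
# bucket location matches the key location (both limits stated on the page).
cmek_location_ok() {
  [ "$1" != "global" ] || return 1
  key_loc=$(kms_key_location "$2") || return 1
  [ "$1" = "$key_loc" ]
}

# Create the bucket only after the checks pass. The gcloud call itself needs an
# authenticated gcloud session and is not exercised by the offline checks below.
create_cmek_bucket() {
  cmek_location_ok "$2" "$3" || {
    echo "refusing to create $1: location '$2' is global or does not match key $3" >&2
    return 1
  }
  gcloud logging buckets create "$1" --location="$2" \
    --cmek-kms-key-name="$3" --project="$4"
}

# Read `gcloud logging buckets list` tabular output on stdin and print the CMEK
# column for the given BUCKET_ID. Column positions come from the header line, so
# column order does not matter; rows with blank cells would break the split.
bucket_cmek_flag() {
  awk -v want="$1" '
    NR == 1 { for (i = 1; i <= NF; i++) { if ($i == "BUCKET_ID") b = i; if ($i == "CMEK") c = i }; next }
    b && c && $b == want { print $c; found = 1 }
    END { exit found ? 0 : 1 }'
}

# Constructed sample output (not real gcloud output) for an offline check.
SAMPLE_LIST='LOCATION     BUCKET_ID    RETENTION_DAYS  LIFECYCLE_STATE  LOCKED  CMEK
us-central1  cmek-bucket  30              ACTIVE           False   TRUE
global       _Default     30              ACTIVE           False   FALSE'

printf '%s\n' "$SAMPLE_LIST" | bucket_cmek_flag cmek-bucket   # prints TRUE
```

To check a real project, pipe `gcloud logging buckets list --project=BUCKET_PROJECT_ID` into bucket_cmek_flag instead of the sample.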
To view the details for a specific log bucket, including the key's details, run this command:
gcloud logging buckets describe BUCKET_ID --location=LOCATION --project=BUCKET_PROJECT_ID
Manage your Cloud KMS key
The following sections describe how to update a log bucket to use the latest primary key version of a Cloud KMS key. They also describe how to change, revoke access for, and disable your Cloud KMS key.
Caution: If Logging loses access to the Cloud KMS key, there are data loss and user implications; to learn more, see Limitations on this page.
Rotate your Cloud KMS key
Note: If you rotate a Cloud KMS key, that action doesn't apply to existing log buckets. That is, rotating the key doesn't change the key version that the log bucket uses to protect its data. For information about how to change the key version used by a log bucket, see Rotate your Cloud KMS key.
When you create a Cloud KMS key, you can configure a rotation period. You can also rotate a Cloud KMS key manually. Each time a key is rotated, a new version for that key is created.
If you rotate a Cloud KMS key, then the new key version applies only to log buckets created after the key rotation. If the key is used by an existing log bucket, rotating the key doesn't change how the log bucket protects its data.
For example, suppose that you create a log bucket and enable CMEK, and then you rotate the Cloud KMS key. The log bucket that you created doesn't use the new key version; instead, it continues to protect its data with the key version that was marked as primary when the log bucket was created.
To update a log bucket to use the most recent primary key version of a Cloud KMS key, do the following:
To change the Cloud KMS key associated with your log bucket, create a key and update the CMEK settings for the log bucket:
gcloud logging buckets update BUCKET_ID \
    --location=LOCATION \
    --cmek-kms-key-name=NEW_KMS_KEY_NAME \
    --project=BUCKET_PROJECT_ID
To revoke Logging's access to the Cloud KMS key at any time, remove the configured service account's IAM permission for that key.
If you remove Logging's access to a key, it can take up to one hour for the change to take effect.
If you have a linked BigQuery dataset, BigQuery can't use this access to apply the key to a new BigQuery table. If you want to use a key on BigQuery tables that aren't linked to Logging, follow BigQuery's documentation to do so. If you revoke Logging's access to a key and you have a linked BigQuery dataset, then you also revoke BigQuery's access to the same key.
You can't revoke BigQuery's access to the linked dataset's key while preserving Logging's access.
For more information about the impact of revoking access, see Limitations.
To remove Logging's access to a key, run the following command:
gcloud kms keys remove-iam-policy-binding \
    --project=KMS_PROJECT_ID \
    --member serviceAccount:KMS_SERVICE_ACCT_NAME@gcp-sa-logging.iam.gserviceaccount.com \
    --role roles/cloudkms.cryptoKeyEncrypterDecrypter \
    --location=KMS_KEY_LOCATION \
    --keyring=KMS_KEY_RING \
    KMS_KEY_NAME
Before running the previous command, make the following replacements:
KMS_SERVICE_ACCT_NAME: the value of the kmsServiceAccountId field of the response of the gcloud logging settings describe command.
KMS_KEY_NAME: the full resource name of the key, in the format projects/KMS_PROJECT_ID/locations/LOCATION/keyRings/KMS_KEY_RING/cryptoKeys/KEY.
Limitations
The following are known limitations.
CMEK disables Error Reporting
If you want to use Error Reporting, then don't enable customer-managed encryption keys (CMEK) on your log buckets. For more information, see Troubleshooting.
CMEK can't be removed from log buckets
You can't reconfigure log buckets to change or remove CMEK.
Degradation due to Cloud KMS key unavailability
A Cloud KMS key is considered available and accessible by Logging if both of the following are true:
Logging strongly recommends ensuring that any keys are properly configured and always available.
Loss of disaster recovery
If there are critical failures in Cloud Logging primary storage, then Logging mirrors the logging data to disaster-recovery files. When CMEK is enabled for a resource, such as a Google Cloud organization, logs belonging to that resource are protected by the configured CMEK key. If the CMEK key isn't accessible, the disaster-recovery files can't be written for that resource.
Loss of disaster-recovery files doesn't affect normal logging operations. However, in the event of a storage disaster, Cloud Logging might be unable to recover logs from resources whose CMEK isn't properly configured.
Support constraints
Cloud Customer Care can't read your resource's logs if its key isn't properly configured or becomes unavailable.
Degraded query performance
When a customer-managed encryption key is inaccessible, Cloud Logging continues to encrypt your data and store data in log buckets. However, Cloud Logging can't perform background optimizations on this data. If key access is restored, the data becomes available; however, the data is initially stored in an unoptimized state, and query performance may suffer.
Degradation due to Cloud EKM key unavailability
When you use a Cloud EKM key, Google Cloud has no control over the availability of your externally managed key in the external key-management partner system. For bucket-level CMEK, if an externally managed key is unavailable, Cloud Logging continues to store logs in log buckets but users aren't able to access those logs.
For more considerations, and potential alternatives, when using external keys, see the Cloud External Key Manager documentation.
Regionality
When you create a log bucket and enable CMEK, you must use a key whose region matches the regional scope of your data. You can't configure CMEK for log buckets created in the global region.
Logging client libraries don't provide methods for configuring CMEK.
Quotas
When you use CMEK in Logging, your projects can consume Cloud KMS cryptographic requests quotas. For example, enabling CMEK on a log bucket can consume these quotas. Encryption and decryption operations using CMEK keys affect Cloud KMS quotas only if you use hardware (Cloud HSM) or external (Cloud EKM) keys. For more information, see Cloud KMS quotas.
For details on Logging usage limits, see Quotas and limits.
Troubleshoot configuration errors
For information about troubleshooting CMEK configuration errors, see Troubleshoot CMEK and organization setting errors.