Which KMS Activities are not LOGGED by default?

(Also read KMS Monitoring and Alerting )

Monitoring administrative activities vs. data access activities: All administrative Cloud KMS activities are logged by default. For example, scheduling the destruction of a key version is an administrative activity. KMS data access (using a key to encrypt, decrypt or sign), however, is not logged by default.

If you want to alert on data access to a Cloud KMS resource, e.g. to know when a key is used for encryption, you first need to enable Data Access audit logs for Cloud KMS and then create an alert policy as described in KMS Monitoring and Alerting.
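Enabling Data Access logs is an edit to the project's IAM policy, not a Cloud KMS setting. The following added Python example (not code from the original post or from Google) performs that edit on a constructed policy document shaped like the output of `gcloud projects get-iam-policy PROJECT_ID --format=json`, which you would then apply with `gcloud projects set-iam-policy PROJECT_ID policy.json`. The `auditConfigs` / `auditLogConfigs` / `logType` structure is the IAM policy format; the sample policy contents (etag, bindings, the pre-existing DATA_READ-only entry) are made up to show the merge case.

```python
"""Turn on Cloud KMS Data Access audit logs in an IAM policy document.

Added example. The policy below is constructed to look like
`gcloud projects get-iam-policy PROJECT_ID --format=json` output; it is
not a real project's policy.
"""
import copy
import json

KMS_SERVICE = "cloudkms.googleapis.com"
# Data Access logs are the DATA_READ and DATA_WRITE log types; ADMIN_READ
# (reading configuration/metadata) is the third type and is left alone here.
DATA_LOG_TYPES = ("DATA_READ", "DATA_WRITE")

SAMPLE_POLICY = {  # constructed sample, not real data
    "etag": "BwXExampleEtag=",
    "version": 1,
    "bindings": [
        {"role": "roles/cloudkms.admin", "members": ["group:kms-admins@example.com"]}
    ],
    # Someone already enabled DATA_READ only: writes (Encrypt, Decrypt,
    # Sign...) are still not being logged.
    "auditConfigs": [
        {"service": KMS_SERVICE, "auditLogConfigs": [{"logType": "DATA_READ"}]}
    ],
}


def enable_kms_data_access_logs(policy: dict) -> dict:
    """Return a copy of `policy` with DATA_READ and DATA_WRITE enabled for
    Cloud KMS. Other services' audit configs, the etag, bindings and any
    exemptedMembers on the KMS entry are preserved. Idempotent."""
    new_policy = copy.deepcopy(policy)
    audit_configs = new_policy.setdefault("auditConfigs", [])

    # Reuse an existing Cloud KMS entry rather than adding a duplicate.
    kms_cfg = next((c for c in audit_configs if c.get("service") == KMS_SERVICE), None)
    if kms_cfg is None:
        kms_cfg = {"service": KMS_SERVICE, "auditLogConfigs": []}
        audit_configs.append(kms_cfg)

    log_configs = kms_cfg.setdefault("auditLogConfigs", [])
    present = {lc.get("logType") for lc in log_configs}
    for log_type in DATA_LOG_TYPES:
        if log_type not in present:
            log_configs.append({"logType": log_type})
    return new_policy


def kms_data_access_enabled(policy: dict) -> bool:
    """True if both Data Access log types are on for Cloud KMS, counting a
    service-specific entry and an `allServices` entry (IAM unions them)."""
    types = set()
    for cfg in policy.get("auditConfigs", []):
        if cfg.get("service") in (KMS_SERVICE, "allServices"):
            types |= {lc.get("logType") for lc in cfg.get("auditLogConfigs", [])}
    return set(DATA_LOG_TYPES) <= types


if __name__ == "__main__":
    print("before:", kms_data_access_enabled(SAMPLE_POLICY))
    updated = enable_kms_data_access_logs(SAMPLE_POLICY)
    print("after: ", kms_data_access_enabled(updated))
    print(json.dumps(updated, indent=2))  # write this to policy.json and set-iam-policy
```

Keeping the `etag` from the policy you read is what makes `set-iam-policy` refuse to overwrite a concurrent change, so do not strip it when you edit the file.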

Native KMS Auditing Tools

Cloud KMS writes Admin Activity audit logs, which record operations that modify the configuration or metadata of a resource. You can’t disable Admin Activity audit logs.

Cloud KMS writes Data Access audit logs only if you explicitly enable them. Data Access audit logs contain API calls that read the configuration or metadata of resources, as well as user-driven API calls that create, modify, or read user-provided resource data. Data Access audit logs do not record data-access operations on resources that are publicly shared (available to allUsers or allAuthenticatedUsers) or that can be accessed without logging into Google Cloud. Cloud KMS doesn't write System Event audit logs.

Where can I find the KMS Data Access Audit Logs?

Admin Activity audit logs (always written):

projects/project-id/logs/cloudaudit.googleapis.com%2Factivity

Data Access audit logs (only once enabled):

projects/project-id/logs/cloudaudit.googleapis.com%2Fdata_access

The same log names exist at organization level, e.g.:

organizations/organization-id/logs/cloudaudit.googleapis.com%2Fdata_access
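To make the two streams concrete, here is an added Python example (not from the original post or from Google's documentation) that sorts constructed audit log entries into the activity and data_access streams by their `logName`, picks out key-use events, and builds the Cloud Logging filter you would put behind an alert. The method names it treats as key use (Encrypt, Decrypt, AsymmetricSign, AsymmetricDecrypt, MacSign, MacVerify) are Cloud KMS API methods assumed for this purpose; the log entries are constructed samples, not real logs.

```python
"""Classify Cloud KMS audit log entries by stream and build a key-use filter.

Added example. SAMPLE_ENTRIES are constructed to look like Cloud Audit Log
entries (logName + protoPayload); they are not real log data.
"""
from urllib.parse import unquote

KMS_SERVICE = "cloudkms.googleapis.com"
ADMIN_ACTIVITY = "cloudaudit.googleapis.com/activity"
DATA_ACCESS = "cloudaudit.googleapis.com/data_access"

# Data-plane methods (assumed set); these only show up once Data Access
# logging is enabled for Cloud KMS.
KEY_USE_METHODS = (
    "Encrypt", "Decrypt",
    "AsymmetricSign", "AsymmetricDecrypt",
    "MacSign", "MacVerify",
)

KEY = "projects/my-project/locations/global/keyRings/kr/cryptoKeys/k1"

SAMPLE_ENTRIES = [  # constructed sample entries
    {   # scheduling destruction of a key version: admin activity, always logged
        "logName": "projects/my-project/logs/cloudaudit.googleapis.com%2Factivity",
        "protoPayload": {
            "serviceName": KMS_SERVICE,
            "methodName": "DestroyCryptoKeyVersion",
            "authenticationInfo": {"principalEmail": "alice@example.com"},
            "resourceName": KEY + "/cryptoKeyVersions/1",
        },
    },
    {   # a workload using the key: only visible with Data Access logs on
        "logName": "projects/my-project/logs/cloudaudit.googleapis.com%2Fdata_access",
        "protoPayload": {
            "serviceName": KMS_SERVICE,
            "methodName": "Encrypt",
            "authenticationInfo": {"principalEmail": "app-sa@my-project.iam.gserviceaccount.com"},
            "resourceName": KEY,
        },
    },
    {   # reading key metadata: ADMIN_READ, also lands in data_access
        "logName": "projects/my-project/logs/cloudaudit.googleapis.com%2Fdata_access",
        "protoPayload": {
            "serviceName": KMS_SERVICE,
            "methodName": "GetCryptoKey",
            "authenticationInfo": {"principalEmail": "bob@example.com"},
            "resourceName": KEY,
        },
    },
]


def log_stream(entry: dict) -> str:
    """Map an entry to 'admin_activity', 'data_access' or 'other' from its
    logName; works for project-, folder- and organization-level names."""
    name = unquote(entry.get("logName", ""))
    if name.endswith("/" + ADMIN_ACTIVITY):
        return "admin_activity"
    if name.endswith("/" + DATA_ACCESS):
        return "data_access"
    return "other"


def method_tail(method_name: str) -> str:
    """Accept both 'Encrypt' and a fully qualified '...KeyManagementService.Encrypt'."""
    return method_name.rsplit(".", 1)[-1]


def is_key_use(entry: dict) -> bool:
    payload = entry.get("protoPayload", {})
    return (payload.get("serviceName") == KMS_SERVICE
            and method_tail(payload.get("methodName", "")) in KEY_USE_METHODS)


def summarize(entries: list) -> dict:
    """Count entries per stream and list (principal, method, key) for key use."""
    summary = {"admin_activity": 0, "data_access": 0, "other": 0, "key_use": []}
    for entry in entries:
        summary[log_stream(entry)] += 1
        if is_key_use(entry):
            payload = entry["protoPayload"]
            summary["key_use"].append((payload["authenticationInfo"]["principalEmail"],
                                       method_tail(payload["methodName"]),
                                       payload["resourceName"]))
    return summary


def key_use_filter(project_id: str) -> str:
    """Cloud Logging query (lines are ANDed) for Cloud KMS key-use operations."""
    methods = "|".join(KEY_USE_METHODS)
    return "\n".join([
        f'logName="projects/{project_id}/logs/cloudaudit.googleapis.com%2Fdata_access"',
        f'protoPayload.serviceName="{KMS_SERVICE}"',
        f'protoPayload.methodName=~"(^|\\.)({methods})$"',
    ])


if __name__ == "__main__":
    print(summarize(SAMPLE_ENTRIES))
    print(key_use_filter("my-project"))
```

Run against entries exported before Data Access logging was enabled, the summary shows admin activity only and an empty `key_use` list, which is exactly the blind spot the post describes.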

Audited operations

For a full list of audited Cloud KMS operations, see Google's Cloud KMS audit logging documentation.




Need an experienced AWS/GCP/Azure Professional to help out with your Public Cloud Strategy? Set up a time with Anuj Varma.