Also read KMS - Auditing Key Activity and KMS - Monitoring and Alerting

Storing all KMS Keys in a single project has some advantages. One can tightly place IAM controls on the keys. However, everytime a client project needs to USE a key, it has to somehow be granted access to this centralized project. This access is usually via a service account that is then granted cross-project access. This, in itself, may be problematic from a best practices standpoint.

Keeping project keys within a project itself is a slightly better option, in my experience. This still allows IAM controls to be placed on individual key rings - and at the same time, it also prevents the cross project need for service accounts.

Where are the keys Physically Located?

Read this google doc to understand regional versus global key locations




Need an experienced AWS/GCP/Azure Professional to help out with your Public Cloud Strategy? Set up a time with Anuj Varma.