Google Cloud Platform (GCP) Cloud Key Management Service (KMS) allows you to create, import, and manage cryptographic keys and perform cryptographic operations in a single centralized cloud service. Cisco Cloud Observability supports monitoring the following Cloud KMS entities:

  • Cloud KMS: Represents the GCP Cloud KMS service.
  • Crypto Key: Represents a logical key that can be used for cryptographic operations. A Crypto Key is made up of zero or more versions, which represent the actual key material used in cryptographic operations.
  • Crypto Key Version: Represents an individual cryptographic key, and the associated key material. An ENABLED version can be used for cryptographic operations. For security reasons, the raw cryptographic key material represented by a Crypto Key Version can never be viewed or exported. It can only be used to encrypt, decrypt, or sign data when an authorized user or application invokes Cloud KMS.

You must configure cloud connections to monitor this entity. See Configure Google Cloud Platform Connection.

This document contains references to third-party documentation. Splunk AppDynamics does not own any rights and assumes no responsibility for the accuracy or completeness of such third-party documentation.

List and Detail View

To display the list or detail view of a GCP Cloud KMS entity, follow the procedure for the entity type you want to inspect.

GCP Cloud KMS

  1. Navigate to the Observe page.
  2. Under Cloud Governance & Security Management, click GCP Cloud KMS.
    The list view is now displayed.
  3. From the list, click a Project Name to display the detail view.
    The detail view displays the metrics and properties (attributes) related to the instance you selected. It also displays the list of related Crypto Keys.

GCP KMS Crypto Keys

  1. Navigate to the Observe page.
  2. Under Cloud Governance & Security Management, click GCP Cloud KMS.
  3. From the Relationships map in the left-hand panel, click GCP KMS Crypto Keys.
    The list view is now displayed.
  4. From the list, click an instance Name to display the detail view.
    The detail view displays the list of related Crypto Key Versions and the properties (attributes) related to the Crypto Key you selected.

GCP KMS Crypto Key Versions

  1. Navigate to the Observe page.
  2. Under Cloud Governance & Security Management, click GCP Cloud KMS.
  3. From the Relationships map in the left-hand panel, click GCP KMS Crypto Keys.
  4. From the Relationships map in the left-hand panel, click GCP KMS Crypto Key Versions.
    The list view is now displayed. It lists the Crypto Key Versions along with their name, region, Crypto Key name, and whether Primary is true or false.

Metrics and Key Performance Indicators

Cisco Cloud Observability displays the following metrics and key performance indicators (KPIs) for GCP Cloud KMS. See Google Cloud metrics for the source definitions.

Display Name | Source Metric Name | Description
Peak Crypto Ops (Count) | peak_qps | The project's maximum per-second crypto request count. The period must be one minute or longer.

Properties (Attributes)

Cisco Cloud Observability displays the following properties for GCP Cloud KMS entities.

Display Name | Source Property Name | Description
ID | - | The ID of the Cloud KMS instance, generated by Cisco Cloud Observability.
Name | - | The name of the Cloud KMS instance, taken from the ID.
Project ID | - | The ID of the GCP project.
Region | - | Always the string global, because this entity represents the Cloud KMS service for the whole project rather than a single location.

These properties are visible on the Crypto Key detail view. A subset of these properties is visible on the Cloud KMS detail view.

Display Name | Source Property Name | Description
ID | - | Identifier of the GCP asset.
Name | name | Output only. The resource name for this Crypto Key in the format projects/*/locations/*/keyRings/*/cryptoKeys/*.
Project ID | - | The cloud account ID the resource is assigned to.
Region | - | The geographical region the resource is running in (the locations segment of the resource name).
Primary Version Name | primary.name | Output only. The name of the Crypto Key Version that Encrypt uses when this Crypto Key is named in the request, stripped from the full resource name projects/*/locations/*/keyRings/*/cryptoKeys/*/cryptoKeyVersions/*. Only keys with purpose ENCRYPT_DECRYPT have a primary version.
Purpose | purpose | Immutable. The purpose of this Crypto Key (for example ENCRYPT_DECRYPT or ASYMMETRIC_SIGN), which fixes the operations its versions can perform.
Crypto Key Backend | cryptoKeyBackend | Immutable. The resource name of the backend environment where the key material for all Crypto Key Versions associated with this Crypto Key resides and where all related cryptographic operations are performed. Only applicable if the Crypto Key Versions have a protectionLevel of EXTERNAL_VPC, with the resource name in the format projects/*/locations/*/ekmConnections/*. This list is non-exhaustive and may apply to additional protection levels in the future.
Next Rotation Time | nextRotationTime | At next_rotation_time, Cloud KMS automatically creates a new version of this Crypto Key and marks it as primary. Key rotations performed manually via CreateCryptoKeyVersion and UpdateCryptoKeyPrimaryVersion do not affect next_rotation_time. Keys with purpose ENCRYPT_DECRYPT support automatic rotation. For other keys, this field must be omitted.
Rotation Period | rotationPeriod | next_rotation_time is advanced by this period when the service automatically rotates a key. Must be at least 24 hours and at most 876,000 hours. If rotation_period is set, next_rotation_time must also be set. Keys with purpose ENCRYPT_DECRYPT support automatic rotation. For other keys, this field must be omitted.
Import Only | importOnly | Immutable. Whether this key may contain imported versions only.
Create Time | createTime | The time at which this Crypto Key was created.
Destroy Scheduled Duration | destroyScheduledDuration | Immutable. The period of time that versions of this key spend in the DESTROY_SCHEDULED state before transitioning to DESTROYED. If not specified at creation time, the default for newly created keys is 30 days (older keys kept the earlier 24-hour default); the minimum allowed is 24 hours. A version can still be restored while it is DESTROY_SCHEDULED, so a short duration narrows the window for recovering from a mistaken or malicious destroy request.
Version Template Algorithm | versionTemplate.algorithm | Required. Algorithm to use when creating a Crypto Key Version based on this template. For backwards compatibility, GOOGLE_SYMMETRIC_ENCRYPTION is implied if this field is omitted and CryptoKey.purpose is ENCRYPT_DECRYPT.
Version Template Protection Level | versionTemplate.protectionLevel | Immutable. Protection level to use when creating a Crypto Key Version based on this template (SOFTWARE, HSM, EXTERNAL, or EXTERNAL_VPC). Defaults to SOFTWARE.

The following Crypto Key Version properties are visible on the Crypto Key detail view, in its list of related Crypto Key Versions. A subset of these properties is visible on the Crypto Key Version list view.

Display Name | Source Property Name | Description
Name | name | Output only. The resource name for this Crypto Key Version in the format projects/*/locations/*/keyRings/*/cryptoKeys/*/cryptoKeyVersions/*.
ID | - | Identifier of the GCP asset.
Region | - | The geographical region the resource is running in.
State | state | The current state of the Crypto Key Version, for example ENABLED, DISABLED, DESTROY_SCHEDULED, or DESTROYED. Only an ENABLED version can be used for cryptographic operations; a DESTROY_SCHEDULED version can still be restored until the Destroy Scheduled Duration of its key elapses.
Primary | - | Indicates whether this version is the primary one for the associated key, that is, the version Cloud KMS uses for new Encrypt requests.
Algorithm | algorithm | Output only. The algorithm that this Crypto Key Version supports.
Create Time | createTime | Output only. The time at which this Crypto Key Version was created.
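The rotation, primary-version, destroy-scheduling and protection-level properties in the two tables above are what a reviewer checks when deciding whether a key is configured safely. The following is an added example written for this page, not Cisco Cloud Observability or Google code: it audits a CryptoKey resource in the JSON shape the Cloud KMS REST API returns (the same field names as the tables), parses resource names in the format shown above to recover the location and the stripped version name, and groups Crypto Key Versions by state. The 90-day rotation ceiling and the HSM requirement are assumed policy values, and the sample resources are constructed.

```python
"""Audit Cloud KMS Crypto Keys and Crypto Key Versions with the properties above.

Added example, not Cisco Cloud Observability or Google code. Input is the JSON
shape of the Cloud KMS REST API cryptoKeys resource (field names as on this page).
Sample resources are constructed; thresholds marked as assumptions are policy
choices for illustration, not Cloud KMS limits.
"""
from __future__ import annotations

import re
from datetime import datetime, timedelta, timezone

# Resource-name grammar from this page; the last segment exists only for versions.
_RESOURCE_RE = re.compile(
    r"^projects/(?P<project>[^/]+)/locations/(?P<location>[^/]+)"
    r"/keyRings/(?P<key_ring>[^/]+)/cryptoKeys/(?P<key>[^/]+)"
    r"(?:/cryptoKeyVersions/(?P<version>[^/]+))?$"
)

# Limits documented under Rotation Period and Destroy Scheduled Duration.
MIN_ROTATION = timedelta(hours=24)
MAX_ROTATION = timedelta(hours=876_000)
MIN_DESTROY_SCHEDULED = timedelta(hours=24)
MAX_POLICY_ROTATION = timedelta(days=90)  # assumption: org policy, not a KMS limit


def parse_resource_name(name: str) -> dict[str, str | None]:
    """Split a Cloud KMS resource name into segments; 'version' is None for keys."""
    match = _RESOURCE_RE.match(name)
    if match is None:
        raise ValueError(f"not a Cloud KMS resource name: {name!r}")
    return match.groupdict()


def parse_duration(value: str) -> timedelta:
    """REST durations are seconds with an 's' suffix: '7776000s' is 90 days."""
    if not value.endswith("s"):
        raise ValueError(f"bad duration: {value!r}")
    return timedelta(seconds=float(value[:-1]))


def audit_crypto_key(key: dict, now: datetime) -> list[str]:
    """Return findings for one CryptoKey resource; an empty list means clean."""
    findings: list[str] = []
    purpose = key.get("purpose")
    if purpose == "ENCRYPT_DECRYPT":
        # Only ENCRYPT_DECRYPT keys support automatic rotation and have a primary.
        if "rotationPeriod" not in key:
            findings.append("automatic rotation not configured")
        else:
            period = parse_duration(key["rotationPeriod"])
            if not MIN_ROTATION <= period <= MAX_ROTATION:
                findings.append("rotationPeriod outside the 24h..876000h range")
            elif period > MAX_POLICY_ROTATION:
                findings.append(f"rotationPeriod of {period.days} days exceeds policy")
            if "nextRotationTime" not in key:
                findings.append("rotationPeriod set without nextRotationTime")
            # RFC 3339 timestamp with a trailing Z, e.g. '2024-06-01T00:00:00Z'.
            elif datetime.fromisoformat(key["nextRotationTime"].replace("Z", "+00:00")) < now:
                findings.append("nextRotationTime is in the past")
        primary = key.get("primary")
        if primary is None:
            findings.append("no primary version, so Encrypt requests will fail")
        elif primary.get("state") != "ENABLED":
            version = parse_resource_name(primary["name"])["version"]
            findings.append(f"primary version {version} is {primary.get('state')}")
    else:
        # Cloud KMS rejects rotation fields on other purposes; flag stale data.
        for field in ("rotationPeriod", "nextRotationTime"):
            if field in key:
                findings.append(f"{field} set on {purpose} key")
    if ("destroyScheduledDuration" in key
            and parse_duration(key["destroyScheduledDuration"]) < MIN_DESTROY_SCHEDULED):
        findings.append("destroyScheduledDuration below the 24h minimum")
    # Assumption: policy requires HSM-backed key material.
    level = key.get("versionTemplate", {}).get("protectionLevel", "SOFTWARE")
    if level == "SOFTWARE":
        findings.append("versionTemplate.protectionLevel is SOFTWARE")
    return findings


def summarize_versions(versions: list[dict]) -> dict[str, list[str]]:
    """Group version short names (the page's 'stripped' form) by state."""
    by_state: dict[str, list[str]] = {}
    for version in versions:
        short = parse_resource_name(version["name"])["version"]
        by_state.setdefault(version["state"], []).append(short)
    return by_state


# Constructed sample resources in the REST API's shape.
_KEY = "projects/demo-proj/locations/us-east1/keyRings/app/cryptoKeys/db-dek"
NOW = datetime(2024, 6, 1, tzinfo=timezone.utc)
WEAK_KEY = {"name": _KEY, "purpose": "ENCRYPT_DECRYPT", "destroyScheduledDuration": "3600s",
            "versionTemplate": {"protectionLevel": "SOFTWARE"},
            "primary": {"name": f"{_KEY}/cryptoKeyVersions/1", "state": "DISABLED"}}
HARDENED_KEY = {"name": _KEY, "purpose": "ENCRYPT_DECRYPT", "rotationPeriod": "7776000s",
                "nextRotationTime": "2024-08-30T00:00:00Z", "destroyScheduledDuration": "2592000s",
                "versionTemplate": {"protectionLevel": "HSM"},
                "primary": {"name": f"{_KEY}/cryptoKeyVersions/3", "state": "ENABLED"}}
SAMPLE_VERSIONS = [{"name": f"{_KEY}/cryptoKeyVersions/{n}", "state": s}
                   for n, s in ((1, "DISABLED"), (2, "DESTROY_SCHEDULED"), (3, "ENABLED"))]

if __name__ == "__main__":
    for label, key in (("weak", WEAK_KEY), ("hardened", HARDENED_KEY)):
        print(label, audit_crypto_key(key, NOW) or ["clean"])
    print(summarize_versions(SAMPLE_VERSIONS))
```

Run as-is to compare the constructed weak and hardened keys; in practice the input dicts would come from the Cloud KMS API or from the properties exported from the Crypto Key detail view. The non-ENCRYPT_DECRYPT branch exists because rotation fields are only valid on symmetric keys, so their presence on a signing or decryption key indicates a mis-modelled or stale record rather than a real setting.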

Retention and Purge Time-To-Live (TTL)

For all cloud and infrastructure entities, the retention TTL is 180 minutes (3 hours) and the purge TTL is 525,600 minutes (365 days).

Third party names, logos, marks, and general references used in these materials are the property of their respective owners or their affiliates in the United States and/or other countries. Inclusion of such references are for informational purposes only and are not intended to promote or otherwise suggest a relationship between Splunk AppDynamics and the third party.