Audit log

KMS audit logging

Every KMS cryptographic operation writes a dedicated audit entry. Use these events for security monitoring, compliance reporting, and incident investigation.

Resource type

KMS audit entries use resourceType: "kms_key".

Filter audit logs by kms.* actions to isolate key management activity.

Logged operations

Audit action	Operation
`kms.encrypt`	Encrypt
`kms.decrypt`	Decrypt
`kms.sign`	Sign
`kms.verify`	Verify signature
`kms.hmac`	Generate HMAC
`kms.verify_hmac`	Verify HMAC
`kms.rotate`	Manual rotation
`kms.rotate.scheduled`	Automatic rotation
`kms.export`	Export key material

Lifecycle operations such as create, disable, enable, and delete follow standard platform audit patterns for resource management.

Fields recorded

For HTTP API calls, audit entries typically include:

Field	Description
Region	Cloud region where the operation ran
Project	Project context, if applicable
Key slug	Identifier of the affected key
Key type	Cryptographic algorithm
Outcome	Success or failure
Key version	Version used for the operation
Payload sizes	Size metadata where applicable
Client IP	Source IP of the API request
User agent	HTTP user agent string

Exact fields available in your audit log export depend on your organisation’s audit log configuration.

Monitoring recommendations

Set up alerts or periodic reviews for:

kms.decrypt — Unusual volume or sources outside expected service accounts
kms.export — Any export event warrants immediate review
kms.rotate and kms.rotate.scheduled — Confirm rotations match your policy
Failed crypto operations — Repeated 400 outcomes may indicate misconfiguration or compromise attempts

Integrations such as Secrets Manager emit kms.encrypt and kms.decrypt events when reading and writing secret values. Correlate these with Secrets Manager audit entries for end-to-end traceability.

KMS audit logging

Resource type

Logged operations

Fields recorded

Monitoring recommendations

Related documentation