Every encrypt, decrypt, and key management operation on your KMS keys is recorded in Google Cloud Audit Logs. You have read-only access to a dedicated log view that contains only your organization’s KMS operations — no other customer’s data is visible.

Viewing KMS audit logs

1. Open Cloud Logging

   Sign in to the GCP Console using your federated sign-in link or Google account (see Key Management for sign-in details). Then go to Logging → Logs Explorer. You can find it under the Observability section in the left navigation, or by searching for “Logs Explorer” in the top search bar.

2. Select your log view

   Click Refine scope (near the top of the query panel) → Log view → select tenant-{your-slug}-kms-audit.

3. Run the query

   Click Run query. You’ll see log entries for every KMS operation on your keys. All results are scoped to your organization.

Use the filters below to find specific operations:

Common log filters

See all encrypt operations

resource.type="cloudkms_cryptokey"
resource.labels.key_ring_id="tenant-{your-slug}-kms"
protoPayload.methodName="Encrypt"

See all decrypt operations (shows who accessed your data)

resource.type="cloudkms_cryptokey"
resource.labels.key_ring_id="tenant-{your-slug}-kms"
protoPayload.methodName="Decrypt"

See key management events (rotations, disables, enables)

resource.type="cloudkms_cryptokey"
resource.labels.key_ring_id="tenant-{your-slug}-kms"
protoPayload.methodName=~"(DestroyCryptoKeyVersion|ScheduleCryptoKeyVersionDestruction|RestoreCryptoKeyVersion|UpdateCryptoKey)"

See access by a specific identity

resource.type="cloudkms_cryptokey"
resource.labels.key_ring_id="tenant-{your-slug}-kms"
protoPayload.authenticationInfo.principalEmail="service-account@project.iam.gserviceaccount.com"

Log entry fields

Each log entry contains:

| Field | Description |
| --- | --- |
| protoPayload.methodName | The KMS operation (e.g., Encrypt, Decrypt) |
| protoPayload.authenticationInfo.principalEmail | Who or what service account performed the operation |
| protoPayload.resourceName | The full resource path of the key version used |
| timestamp | When the operation occurred |
| protoPayload.response.name | The key version name that was used |
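
A triage pass over exported entries, added here as an example and not Parable's or Google's own code: it reads only the fields listed above and flags Decrypt calls from identities outside an expected set, plus any key lifecycle event matched by the filter pattern on this page. The one-entry-per-line JSON export format, the allowlist, and every sample value are assumptions constructed for illustration.

```python
import json
import re
from collections import Counter

# Constructed key path and identities (not real resources).
KEY_VERSION = ("projects/example-project/locations/global/keyRings/"
               "tenant-acme-kms/cryptoKeys/data/cryptoKeyVersions/1")
APP = "app@example-project.iam.gserviceaccount.com"

def _entry(ts, method, who):
    """Build one constructed log entry carrying the fields from the table."""
    return json.dumps({"timestamp": ts, "protoPayload": {
        "methodName": method,
        "authenticationInfo": {"principalEmail": who},
        "resourceName": KEY_VERSION}})

# Constructed sample export: one JSON entry per line (assumed format).
SAMPLE = "\n".join([
    _entry("2024-05-01T10:00:00Z", "Encrypt", APP),
    _entry("2024-05-01T10:00:05Z", "Decrypt", APP),
    _entry("2024-05-01T23:41:12Z", "Decrypt", "analyst@example.com"),
    _entry("2024-05-02T02:15:40Z", "ScheduleCryptoKeyVersionDestruction", "admin@example.com"),
    '{"timestamp": "2024-05-02T03:00',  # truncated line, as a broken export might contain
])

EXPECTED_DECRYPTORS = {APP}  # hypothetical allowlist of identities that should decrypt
# Same alternation as the key management filter on this page.
LIFECYCLE = re.compile(r"(DestroyCryptoKeyVersion|ScheduleCryptoKeyVersionDestruction"
                       r"|RestoreCryptoKeyVersion|UpdateCryptoKey)")

def review(ndjson, expected=EXPECTED_DECRYPTORS):
    """Return (counts per (principal, method), findings, unparsable line count)."""
    counts, findings, bad = Counter(), [], 0
    for line in ndjson.splitlines():
        if not line.strip():
            continue
        try:
            entry = json.loads(line)
            payload = entry["protoPayload"]
            method = payload["methodName"]
            who = payload["authenticationInfo"]["principalEmail"]
            ts = entry["timestamp"]
        except (ValueError, KeyError, TypeError):
            bad += 1  # count it: a gap in an audit trail is itself worth knowing about
            continue
        counts[(who, method)] += 1
        if method == "Decrypt" and who not in expected:
            findings.append((ts, "unexpected-decrypt", who))
        elif LIFECYCLE.search(method):
            findings.append((ts, "key-lifecycle", who))
    return counts, findings, bad
```
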

Exporting logs

To receive exports of your KMS audit logs for your SIEM or compliance records, contact support@askparable.com.
KMS Data Access audit logs (encrypt/decrypt operations) are enabled on the Parable project. Key management events (rotations, disables, destruction) are logged as Admin Activity and are always on.