Key Management System - Audit Crypto Key protection level
Cloud KMS lets you create and manage cryptographic keys in one central cloud service. Custodian can audit those keys and send a notification when any KMS cryptographic key has been created with the wrong settings.
Note that the notify action requires a Pub/Sub topic to be configured. To configure Cloud Pub/Sub messaging, please take a look at the Generic Actions page.
In the example below, the policy runs in gcp-audit mode on the CreateCryptoKey method and reports any newly created key whose protection level is anything other than Hardware Security Module (HSM). A key's protection level is fixed at creation and cannot be changed afterwards, so auditing the create event is the right point to catch a mistake. The filter reads the level from primary.protectionLevel; Cloud KMS populates the primary field only for symmetric (ENCRYPT_DECRYPT) keys, while versionTemplate.protectionLevel is present on every key, so consider that key instead if asymmetric keys are in scope.
```yaml
policies:
  - name: gcp-kms-cryptokey-audit-creation
    resource: gcp.kms-cryptokey
    mode:
      type: gcp-audit
      methods:
        - CreateCryptoKey
    filters:
      - type: value
        key: primary.protectionLevel
        op: not-in
        value:
          - HSM
    actions:
      - type: notify
        to:
          - email@email
        format: json
        transport:
          type: pubsub
          topic: projects/my-gcp-project/topics/my-topic
```
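To see what the value filter above selects before deploying it, the following added example (not Custodian's own code) re-implements a small subset of the value filter semantics (eq, ne, in, not-in over a dotted key) in Python and runs it offline over constructed CryptoKey resources shaped like Cloud KMS REST API objects. The key names, key ring and sample keys are all made up for the illustration. It shows the case a practitioner cares about: an asymmetric key carries no primary field, so primary.protectionLevel resolves to nothing and a not-in filter reports it even when it is an HSM key, whereas versionTemplate.protectionLevel is set on every key.

```python
"""Evaluate a Cloud Custodian style `value` filter over Cloud KMS CryptoKey JSON.

Added example, not Custodian's implementation: a minimal re-implementation of
the filter semantics used by the policy above, run over constructed resources.
"""
from typing import Any, Dict, List, Optional

# Constructed sample data: a hypothetical project and key ring.
KEY_PREFIX = "projects/my-gcp-project/locations/global/keyRings/my-ring/cryptoKeys/"

# Shaped like Cloud KMS `CryptoKey` objects. `primary` is only present on
# symmetric ENCRYPT_DECRYPT keys; every key carries `versionTemplate`.
SAMPLE_KEYS: List[Dict[str, Any]] = [
    {
        "name": KEY_PREFIX + "software-sym",
        "purpose": "ENCRYPT_DECRYPT",
        "primary": {"state": "ENABLED", "protectionLevel": "SOFTWARE"},
        "versionTemplate": {"protectionLevel": "SOFTWARE",
                            "algorithm": "GOOGLE_SYMMETRIC_ENCRYPTION"},
    },
    {
        "name": KEY_PREFIX + "hsm-sym",
        "purpose": "ENCRYPT_DECRYPT",
        "primary": {"state": "ENABLED", "protectionLevel": "HSM"},
        "versionTemplate": {"protectionLevel": "HSM",
                            "algorithm": "GOOGLE_SYMMETRIC_ENCRYPTION"},
    },
    {
        "name": KEY_PREFIX + "hsm-asym-sign",
        "purpose": "ASYMMETRIC_SIGN",
        # No "primary": asymmetric keys never have one, even when HSM-backed.
        "versionTemplate": {"protectionLevel": "HSM",
                            "algorithm": "EC_SIGN_P256_SHA256"},
    },
    {
        "name": KEY_PREFIX + "external-sym",
        "purpose": "ENCRYPT_DECRYPT",
        "primary": {"state": "ENABLED", "protectionLevel": "EXTERNAL"},
        "versionTemplate": {"protectionLevel": "EXTERNAL",
                            "algorithm": "EXTERNAL_SYMMETRIC_ENCRYPTION"},
    },
]


def get_value(resource: Dict[str, Any], dotted_key: str) -> Optional[Any]:
    """Resolve a dotted key such as `primary.protectionLevel`.

    Returns None as soon as any segment is missing or is not a mapping.
    """
    node: Any = resource
    for part in dotted_key.split("."):
        if not isinstance(node, dict) or part not in node:
            return None
        node = node[part]
    return node


def value_filter_matches(resource: Dict[str, Any], spec: Dict[str, Any]) -> bool:
    """Evaluate one `type: value` filter. Supported ops: eq, ne, in, not-in."""
    actual = get_value(resource, spec["key"])
    op = spec.get("op", "eq")
    expected = spec["value"]
    if op == "eq":
        return actual == expected
    if op == "ne":
        return actual != expected
    if op == "in":
        return actual in expected
    if op == "not-in":
        # An absent field resolves to None, and None is "not in" any list of
        # protection levels, so a key without `primary` is reported here.
        return actual not in expected
    raise ValueError(f"unsupported op: {op}")


def select_resources(resources: List[Dict[str, Any]],
                     filters: List[Dict[str, Any]]) -> List[str]:
    """Return names of resources that match every filter (filters are ANDed)."""
    return [r["name"] for r in resources
            if all(value_filter_matches(r, f) for f in filters)]


# The filter from the policy above, and the same check on versionTemplate.
PAGE_FILTER = [{"type": "value", "key": "primary.protectionLevel",
                "op": "not-in", "value": ["HSM"]}]
TEMPLATE_FILTER = [{"type": "value", "key": "versionTemplate.protectionLevel",
                    "op": "not-in", "value": ["HSM"]}]

if __name__ == "__main__":
    for label, flt in (("primary", PAGE_FILTER), ("versionTemplate", TEMPLATE_FILTER)):
        print(f"{label}.protectionLevel not-in [HSM]:")
        for name in select_resources(SAMPLE_KEYS, flt):
            print("  ", name.removeprefix(KEY_PREFIX))
```

With the page's filter the HSM-backed signing key is reported alongside the SOFTWARE and EXTERNAL keys, because it has no primary version; with versionTemplate.protectionLevel only the two non-HSM keys are reported. This evaluator is a simplification; confirm how Custodian's own value filter treats an absent key with a dry run against your project before relying on either key path.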