By default, Google Cloud Observability encrypts customer content at rest. Google Cloud Observability handles encryption for you without any additional actions on your part. This option is called Google default encryption.
If you want to control your encryption keys, then you can use customer-managed encryption keys (CMEKs) in Cloud KMS with CMEK-integrated services including Google Cloud Observability. Using Cloud KMS keys gives you control over their protection level, location, rotation schedule, usage and access permissions, and cryptographic boundaries. Using Cloud KMS also lets you view audit logs and control key lifecycles. Instead of Google owning and managing the symmetric key encryption keys (KEKs) that protect your data, you control and manage these keys in Cloud KMS.
After you set up your resources with CMEKs, the experience of accessing your Google Cloud Observability resources is similar to using Google default encryption. For more information about your encryption options, see Customer-managed encryption keys (CMEK).
Google Cloud Observability can use CMEKs to encrypt data stored in observability buckets. These buckets store your trace data. This document lists the supported organization policies, introduces default settings for observability buckets, and describes how organization policies and default settings interact.
This document doesn't apply to Cloud Logging, which can also encrypt data stored in log buckets with CMEKs but is configured separately. For more information, see Configure CMEKs for Cloud Logging.
Supported organization policy constraints
To control where your observability buckets are created and who manages the encryption keys for those buckets, you might want to configure the following organization policies:
- A policy with the constraint ID constraints/gcp.resourceLocations. This policy defines the set of locations where new resources can be created. To use observability buckets, this set of locations must include at least one location that observability buckets support.
- A deny policy with the constraint ID constraints/gcp.restrictNonCmekServices. This policy requires that new resources are encrypted with CMEKs.
- A policy with the constraint ID constraints/gcp.restrictCmekCryptoKeyProjects. This policy limits which Cloud Key Management Service keys can be used for encryption.
You can create organization policies that apply at the organization, folder, or project level. For more information, see Creating and editing policies.
About default settings for observability buckets
Google Cloud Observability provides default settings for observability buckets, which are applied to a project, folder, or organization. These default settings work together with your organization policies to make sure that new observability buckets are in the location you prefer and use the encryption model you specify.
For organizations, folders, and projects, default settings for observability buckets let you configure the following:
- A default storage location.
- For each location, a default Cloud Key Management Service key.
When configured for a project, these settings apply only to new observability buckets created in that project. When configured for a folder or organization, these settings apply to new observability buckets that are created in projects that are descendants of the folder or organization, except for those projects where you've configured default settings.
To learn more, see Set defaults for observability buckets.
How organization policies and default settings interact
The parent of an observability bucket must be a project. That is, the system can't create an observability bucket in a folder or in an organization. However, if you configure default settings for observability buckets for an organization or a folder, then those default settings apply to all projects that are descendants of that organization or folder.
The following table lists the rules the system uses to determine the location of a new observability bucket:
| Use organization policy to restrict location | Project (or ancestor) has a default storage location | How the system determines the location for a new observability bucket |
|---|---|---|
| No | No | The system selects the location from the supported locations for observability buckets. |
| Yes | No | The system selects the location from the intersection of those locations the organization policies allow and those observability buckets support. If the intersection is empty, then the system doesn't create the observability bucket. |
| No | Yes | The system sets the location to the default storage location defined in the project's default settings. If the project doesn't define a default storage location, then the system uses the default storage location defined for an ancestor. |
| Yes | Yes | The system sets the location to the default storage location defined in the project's default settings. If the project doesn't define a default storage location, then the system uses the ancestor's default storage location. If the default storage location isn't allowed by the organization policies, then the system doesn't create the observability bucket. |
The following table lists the rules the system uses to determine whether a new observability bucket uses CMEKs, and if so, the value of the Cloud KMS key. To encrypt an observability bucket, a Cloud KMS key must be in the location of the bucket and be allowed by organization policies. If you don't specify an organization policy with the gcp.restrictCmekCryptoKeyProjects constraint, then all keys are allowed:
| Use organization policy to require CMEKs | Project (or ancestor) has a default Cloud KMS key | How the system determines which Cloud KMS key to use |
|---|---|---|
| No | No | The observability bucket doesn't use CMEKs. |
| Yes | No | The system doesn't create new observability buckets because the organization policy requires CMEKs but a default Cloud KMS key isn't defined. |
| No | Yes | To identify a key for encryption, the system first determines whether a default storage location is set for the project or for one of its ancestors. If not, the system selects a location and creates the observability bucket. The bucket doesn't use a CMEK. If a default storage location is found, then the system searches the project's default settings for a default Cloud KMS key. If the project's default settings don't specify an appropriate key, then the system searches the ancestor's default settings for a default key that is in the location of the new bucket. One of the following occurs: |
| Yes | Yes | To identify a key for encryption, the system first determines whether a default storage location is set for the project or for one of its ancestors. If a default storage location isn't set, then the system doesn't create the new observability bucket. If a default storage location is found, then the system searches the project's default settings for a default Cloud KMS key. If the project's default settings don't specify an appropriate key, then the system searches the ancestor's default settings for a default key that is in the location of the new bucket. One of the following occurs: |
Limitations
When the system creates an observability bucket, the encryption model is set to either Google default encryption or customer-managed encryption. After the bucket exists, you can't change the encryption model.
What's next
Set defaults for observability buckets describes how to set a default storage location and a default Cloud KMS key for your observability buckets.
Configure default resource settings for Cloud Logging and Configure CMEKs for Cloud Logging describe how to set a default storage location and a default Cloud KMS key for your log buckets.