Tenant Security Event Logging

If you are using SaaS Shield and a tenant has configured a KMS, each request your application makes to encrypt or decrypt sensitive data causes the TSP to make a wrap or unwrap call to the tenant's KMS. The tenant's KMS should record those calls as audit events, which the tenant can extract to build a rudimentary security event stream. However, once the tenant enables key leasing, the KMS is no longer involved in each wrap and unwrap the TSP performs (it only sees the lease operations), so the tenant loses that source of information. To let tenants retain visibility into all access to their data even with key leasing enabled, SaaS Shield provides a security event logging subsystem. Tenant administrators configure connection information for their own logging / SIEM system in the Configuration Broker, the same way they configure their KMS information. The logging configuration is encrypted and protected exactly as the KMS configuration is, using the end-to-end encryption provided by the Data Control Platform.
The Configuration Broker will not allow a tenant administrator to enable key leasing without first configuring a logging system. Whether or not the tenant administrator enables key leasing, the TSP generates a security event for every key wrap and unwrap operation. The APIs the TSC provides to encrypt and decrypt data let the application attach additional metadata: the ID of the user or service requesting the action, a label for the data, and a request ID. This metadata is passed to the TSP and included in the events the TSP generates and pushes to the tenant's logging / SIEM system.
The result is a significantly richer audit trail than the event stream that can be extracted from the tenant's KMS, because each event is tied to the requesting identity and the data it touched, not just to a key. (More information is available on the metadata included with TSC calls to encrypt and decrypt.)

Logged Events

The TSP generates the following events and pushes them to tenant logging systems:

Standard Events

  • EDEK decrypted via {KMS}
  • DEK encrypted via {KMS}

Key Leasing Enabled

  • Leased a new key via {KMS}
  • Decrypted a leased key via {KMS}
  • Encrypted a DEK using a leased key
  • Decrypted an EDEK using a leased key

Example

If you have a tenant that is configured to log to StackDriver and you make a call like the following (using the NodeJS TSC):
const { TenantSecurityClient, RequestMetadata } = require("@ironcorelabs/tenant-security-nodejs");

// TSP_ADDRESS and API_KEY identify your Tenant Security Proxy deployment
const client = new TenantSecurityClient(TSP_ADDRESS, API_KEY);

// Tenant ID, requesting user/service ID, and data label; all three are carried into the logged event
const metadata = new RequestMetadata(TENANT_ID, "serviceOrUserId", "PII");

// Create a map containing your data; each field is encrypted separately
const custRecord = {
    ssn: Buffer.from("000-12-2345", "utf-8"),
    address: Buffer.from("2825-519 Stone Creek Rd, Bozeman, MT 59715", "utf-8"),
    name: Buffer.from("Jim Bridger", "utf-8"),
};

// Request a key from the KMS (or from the leased key, if key leasing is enabled) and use it to encrypt the document
client.encryptDocument(custRecord, metadata)
and then open that tenant's StackDriver instance, set the resource to Global, and search, you will see the event that LogDriver pushed to StackDriver. The call above logged the following event:
{
  "insertId": "3vvyvugcdgwzjd",
  "jsonPayload": {
    "logMsg": "Encrypted a DEK using leased key.",
    "logdriverRayId": "JPrZwm9Z_icvCuYA",
    "metadata": {
      "customFields": {},
      "dataLabel": "PII",
      "requestId": "",
      "requestingId": "serviceOrUserId"
    },
    "tenantId": "tenant-gcp-l",
    "timestamp": "2020-09-18T14:25:45.845Z",
    "tspRayId": "BuK0cW6Y3dQEW--_"
  },
  "logName": "projects/discrete-log-2/logs/cmk-demo-logging",
  "receiveTimestamp": "2020-09-18T14:25:47.403180315Z",
  "resource": {},
  "timestamp": "2020-09-18T14:25:45.845Z"
}
SaaS Shield supports logging to Google Cloud Platform's StackDriver and to Splunk (both the enterprise and cloud versions). For a complete list of supported logging systems, see the list of supported logging systems in the documentation.
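Once the events above are flowing into the tenant's SIEM, the tenant still has to turn them into detections. The following is an added example (not IronCore's code and not part of this page) of a small triage pass a tenant might run over a batch of TSP events as they arrive from LogDriver. It classifies each entry using the event messages listed under Logged Events, then flags unlabelled data, missing request IDs, requesters outside an allow-list, and bursts of unwrap operations. The sample entries, the allow-list, the threshold, and the "constructed" ray IDs are all made up for the example; the `jsonPayload` shape follows the StackDriver entry shown above.

```javascript
// Added example, not part of the SaaS Shield documentation or codebase.
// Consumes TSP security events (StackDriver entry shape shown on this page)
// and produces simple detections. All sample data below is constructed.

// Event messages from the "Logged Events" list; "{KMS}" is replaced by the
// tenant's KMS name in real events, so only the message prefix is matched.
const EVENT_PATTERNS = [
  { type: "kms_unwrap",    re: /^EDEK decrypted via / },
  { type: "kms_wrap",      re: /^DEK encrypted via / },
  { type: "lease_new",     re: /^Leased a new key via / },
  { type: "lease_decrypt", re: /^Decrypted a leased key via / },
  { type: "leased_wrap",   re: /^Encrypted a DEK using (a )?leased key/ },
  { type: "leased_unwrap", re: /^Decrypted an EDEK using (a )?leased key/ },
];

function classify(logMsg) {
  const hit = EVENT_PATTERNS.find((p) => p.re.test(logMsg));
  return hit ? hit.type : "unknown";
}

// Flatten one StackDriver entry into the fields a detection cares about.
function normalize(entry) {
  const p = entry.jsonPayload;
  return {
    time: p.timestamp,
    tenantId: p.tenantId,
    type: classify(p.logMsg),
    requestingId: p.metadata.requestingId,
    dataLabel: p.metadata.dataLabel,
    requestId: p.metadata.requestId,
    tspRayId: p.tspRayId,
  };
}

// Hypothetical tenant policy: which service/user IDs may touch data, and how
// many unwraps per requester per minute are considered normal.
const POLICY = {
  allowedRequesters: new Set(["serviceOrUserId", "billing-svc"]),
  maxUnwrapsPerRequesterPerMinute: 3,
};

function triage(entries, policy = POLICY) {
  const events = entries.map(normalize);
  const findings = [];
  const unwrapBuckets = new Map(); // "requester|YYYY-MM-DDTHH:MM" -> count

  for (const ev of events) {
    if (ev.type === "unknown") findings.push({ rule: "unknown_event", ev });
    if (!ev.dataLabel) findings.push({ rule: "missing_data_label", ev });
    if (!ev.requestId) findings.push({ rule: "missing_request_id", ev });
    if (!policy.allowedRequesters.has(ev.requestingId)) {
      findings.push({ rule: "unexpected_requester", ev });
    }
    // Unwraps are the events that actually expose plaintext, so rate them.
    if (ev.type === "kms_unwrap" || ev.type === "leased_unwrap") {
      const key = `${ev.requestingId}|${ev.time.slice(0, 16)}`;
      const n = (unwrapBuckets.get(key) || 0) + 1;
      unwrapBuckets.set(key, n);
      // Emit once, when the threshold is first exceeded.
      if (n === policy.maxUnwrapsPerRequesterPerMinute + 1) {
        findings.push({ rule: "unwrap_burst", ev });
      }
    }
  }
  return { events, findings };
}

// Build a constructed StackDriver-style entry for the sample batch.
function makeEntry(ts, logMsg, requestingId, dataLabel, requestId = "") {
  return {
    jsonPayload: {
      logMsg,
      logdriverRayId: "constructed",
      metadata: { customFields: {}, dataLabel, requestId, requestingId },
      tenantId: "tenant-gcp-l",
      timestamp: ts,
      tspRayId: "constructed",
    },
  };
}

// Constructed batch: one legitimate encrypt, one legitimate decrypt, then an
// unknown "export-job" decrypting four records in one minute, one unlabelled.
const SAMPLE_ENTRIES = [
  makeEntry("2020-09-18T14:25:45.845Z", "Encrypted a DEK using leased key.", "serviceOrUserId", "PII"),
  makeEntry("2020-09-18T14:26:01.000Z", "Decrypted an EDEK using a leased key", "serviceOrUserId", "PII", "req-1"),
  makeEntry("2020-09-18T14:26:02.000Z", "Decrypted an EDEK using a leased key", "export-job", "", "req-2"),
  makeEntry("2020-09-18T14:26:03.000Z", "Decrypted an EDEK using a leased key", "export-job", "PII", "req-3"),
  makeEntry("2020-09-18T14:26:04.000Z", "Decrypted an EDEK using a leased key", "export-job", "PII", "req-4"),
  makeEntry("2020-09-18T14:26:05.000Z", "Decrypted an EDEK using a leased key", "export-job", "PII", "req-5"),
];

if (typeof require !== "undefined" && require.main === module) {
  const { findings } = triage(SAMPLE_ENTRIES);
  for (const f of findings) {
    console.log(`${f.rule}: ${f.ev.requestingId} ${f.ev.type} at ${f.ev.time} (tspRayId ${f.ev.tspRayId})`);
  }
}
```

Two design points are worth noting. First, the detections key on `requestingId`, `dataLabel`, and `requestId`, which exist only because the application populated `RequestMetadata`; a KMS-only audit trail would show the same six unwraps as anonymous key uses. Second, `tspRayId` is carried into every finding so that an analyst can correlate the SIEM event back to the TSP request.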
