# Cloud Key Management Service

SureCloud enumerates all Cloud KMS key rings and cryptographic keys across monitored GCP projects and inspects each key's configuration. SureCloud tracks key rotation schedules to identify keys with no automatic rotation configured or with a rotation period that exceeds your policy threshold, monitors for keys in a destroyed or scheduled-for-destruction state, and reviews key version states to surface disabled or compromised key versions. This provides continuous evidence that your encryption key management practices meet your security requirements.

## Endpoints

| API Call                                                                 | Use Case                                                                            |
| ------------------------------------------------------------------------ | ----------------------------------------------------------------------------------- |
| `cloudkms.projects.locations.keyRings.list`                              | Enumerate all key rings across all locations in a project                           |
| `cloudkms.projects.locations.keyRings.cryptoKeys.list`                   | List all cryptographic keys in each key ring; check rotation schedule and algorithm |
| `cloudkms.projects.locations.keyRings.cryptoKeys.cryptoKeyVersions.list` | List key versions; detect destroyed, disabled, or pending-destruction versions      |
| `cloudkms.projects.locations.keyRings.getIamPolicy`                      | Read key ring IAM policies; detect over-privileged principals                       |
| `cloudkms.projects.locations.keyRings.cryptoKeys.getIamPolicy`           | Read per-key IAM policies for fine-grained access review                            |

## Pagination

Cloud KMS list responses use `nextPageToken` continuation. SureCloud passes the token as the `pageToken` query parameter in successive requests until no token is returned.

```json
{
  "cryptoKeys": [
    {
      "name": "projects/my-project/locations/global/keyRings/my-ring/cryptoKeys/my-key",
      "rotationPeriod": "7776000s",
      "nextRotationTime": "2025-09-01T00:00:00Z",
      "primary": { "state": "ENABLED" }
    }
  ],
  "nextPageToken": "Cg9teS1rZXktbmFtZQ=="
}
```
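The checks described at the top of this page and the `nextPageToken` loop above, as an added example that is not SureCloud's code or Google's client library: it pages through constructed `cryptoKeys.list` responses, flags symmetric keys with no automatic rotation or a rotation period beyond a policy threshold, flags primary versions that are disabled, destroyed or scheduled for destruction, and lists flagged versions from a constructed `cryptoKeyVersions.list` page. The sample data, the `PREFIX` constant, the 90-day threshold and the `fetch_page` callback are assumptions; keys whose purpose is not symmetric encryption get no rotation finding, because Cloud KMS does not rotate them automatically.

```python
# Added example (not SureCloud's code or Google's client library): page through
# Cloud KMS list responses and apply the rotation and key-state checks the page
# describes. All data below is constructed; a real collector would replace the
# fetch_page callback with an authenticated call to the cloudkms REST API.
from datetime import timedelta
from typing import Callable, Dict, Iterable, Iterator, List, Optional

PREFIX = "projects/my-project/locations/global/keyRings/my-ring/cryptoKeys/"  # assumed

# Constructed: two pages of cryptoKeys.list output chained by nextPageToken.
# Non-symmetric keys carry no "primary" field, as in the real API.
SAMPLE_PAGES: Dict[Optional[str], Dict] = {
    None: {
        "cryptoKeys": [
            {"name": PREFIX + "ok", "purpose": "ENCRYPT_DECRYPT",
             "rotationPeriod": "7776000s",
             "nextRotationTime": "2025-09-01T00:00:00Z",
             "primary": {"state": "ENABLED"}},
            {"name": PREFIX + "no-rotation", "purpose": "ENCRYPT_DECRYPT",
             "primary": {"state": "ENABLED"}},
        ],
        "nextPageToken": "Cg9teS1rZXktbmFtZQ==",
    },
    "Cg9teS1rZXktbmFtZQ==": {
        "cryptoKeys": [
            {"name": PREFIX + "slow", "purpose": "ENCRYPT_DECRYPT",
             "rotationPeriod": "31536000s",
             "primary": {"state": "DISABLED"}},
            {"name": PREFIX + "signer", "purpose": "ASYMMETRIC_SIGN"},
            {"name": PREFIX + "retired", "purpose": "ENCRYPT_DECRYPT",
             "primary": {"state": "DESTROY_SCHEDULED"}},
        ],
    },
}

# Constructed: one cryptoKeyVersions.list page for the "ok" key.
SAMPLE_VERSIONS = {
    "cryptoKeyVersions": [
        {"name": PREFIX + "ok/cryptoKeyVersions/1", "state": "DESTROYED"},
        {"name": PREFIX + "ok/cryptoKeyVersions/2", "state": "DISABLED"},
        {"name": PREFIX + "ok/cryptoKeyVersions/3", "state": "ENABLED"},
    ]
}

# Only the symmetric encryption purpose supports automatic rotation in Cloud KMS,
# so rotation findings are raised for this purpose alone.
ROTATABLE_PURPOSES = {"ENCRYPT_DECRYPT"}
FLAGGED_STATES = {"DISABLED", "DESTROYED", "DESTROY_SCHEDULED"}


def list_all(fetch_page: Callable[[Optional[str]], Dict], item_key: str) -> Iterator[Dict]:
    """Follow nextPageToken -> pageToken until the API returns no token."""
    token: Optional[str] = None
    while True:
        page = fetch_page(token)
        yield from page.get(item_key, [])
        token = page.get("nextPageToken")
        if not token:
            return


def parse_duration(value: str) -> timedelta:
    """Cloud KMS encodes durations as a decimal number of seconds with an 's' suffix."""
    if not value.endswith("s"):
        raise ValueError(f"unexpected duration format: {value!r}")
    return timedelta(seconds=float(value[:-1]))


def check_key(key: Dict, max_rotation_days: int) -> List[str]:
    """Return the policy findings for one cryptoKey resource (empty list = compliant)."""
    findings: List[str] = []
    if key.get("purpose") in ROTATABLE_PURPOSES:
        if "rotationPeriod" not in key:
            findings.append("no automatic rotation configured")
        elif parse_duration(key["rotationPeriod"]) > timedelta(days=max_rotation_days):
            findings.append(f"rotation period exceeds {max_rotation_days}-day threshold")
    # Keys of other purposes legitimately have no rotation and no primary version.
    state = key.get("primary", {}).get("state")
    if state in FLAGGED_STATES:
        findings.append(f"primary version is {state}")
    return findings


def flagged_versions(versions: Iterable[Dict]) -> List[str]:
    """Names of key versions that are disabled, destroyed, or scheduled for destruction."""
    return [v["name"] for v in versions if v.get("state") in FLAGGED_STATES]


def audit(fetch_page: Callable[[Optional[str]], Dict], max_rotation_days: int = 90) -> Dict[str, List[str]]:
    """Map each non-compliant key (short name) to its findings, across all pages."""
    report: Dict[str, List[str]] = {}
    for key in list_all(fetch_page, "cryptoKeys"):
        findings = check_key(key, max_rotation_days)
        if findings:
            report[key["name"].rsplit("/", 1)[1]] = findings
    return report


if __name__ == "__main__":
    for name, findings in audit(lambda token: SAMPLE_PAGES[token]).items():
        print(f"{name}: {'; '.join(findings)}")
    print("flagged versions:", flagged_versions(SAMPLE_VERSIONS["cryptoKeyVersions"]))
```

Running the block reports `no-rotation`, `slow` and `retired`; the `ok` key (rotated every 90 days, enabled) and the `signer` key (asymmetric, so rotation is not applicable) produce no findings. The threshold comparison is strict, so a period equal to the policy value is compliant; change `>` to `>=` if your policy treats the threshold as exclusive.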

{% hint style="info" %}
SureCloud collects key **metadata** only — key names, rotation schedules, states, and IAM policies. SureCloud never has access to the cryptographic key material itself. Cloud KMS does not expose raw key material via any API.
{% endhint %}

## Required permissions

| Role                         | Grants                                                                                                                          |
| ---------------------------- | ------------------------------------------------------------------------------------------------------------------------------- |
| `roles/iam.securityReviewer` | Includes `cloudkms.cryptoKeys.list`, `cloudkms.keyRings.list`, `cloudkms.cryptoKeyVersions.list`, and `cloudkms.*.getIamPolicy` |

## Troubleshooting

<details>

<summary>Keys from some locations are not appearing</summary>

Cloud KMS is a regional service. SureCloud iterates across all supported KMS locations (including `global`, all regional, and multi-regional locations) to enumerate key rings. If keys from a specific region are missing, confirm the SureCloud service account has `roles/iam.securityReviewer` at the organisation scope and that no VPC Service Controls perimeter is blocking the Cloud KMS API for that region.

</details>

<details>

<summary>Rotation period shows as "Not configured" for keys that have rotation set</summary>

Only symmetric encryption keys support automatic rotation in Cloud KMS. Asymmetric signing keys, asymmetric decryption keys, and MAC signing keys do not support automatic rotation — for these key types, SureCloud correctly reports rotation as not configured, as it is not a supported feature.

For symmetric keys without rotation configured, set a rotation period in **Cloud KMS → \[Key Ring] → \[Key] → Edit rotation period**.

</details>

<details>

<summary>IAM policy data is missing for some key rings</summary>

Key ring IAM policy collection requires `cloudkms.keyRings.getIamPolicy`. This is included in `roles/iam.securityReviewer`. If IAM policy data is missing, the service account may be subject to an IAM deny policy at the project or key ring level.

Check **Cloud KMS → \[Key Ring] → Permissions** in the Google Cloud Console to confirm the SureCloud service account is not explicitly denied.

</details>
