Articles in this section

Google EKM Key Access Justification Attribute

Courtney Evans
  • Updated
Follow

This article provides instructions for using Google EKM Justification attribute in the Machina console.

Overview

Key Access Justification returns a reason each time an externally hosted key decrypts data. The reason is referred to as the Google EKM Justification Attribute.  When a key is accessed, the key justification attribute is sent from Google Key Management Systems through the Google EKM interface to Ionic’s Google EKM integration and then to Ionic Machina. Ionic Machina processes the justification attribute if it is present. When you write Machina data access policies, access to keys is determined based on the policy and the value (or absence) of the justification attribute.

Prerequisites

To use Google EKM Key Access Justification, request permission here.

Once you are invited to participate in the Google EKM Key Access Justification program, you can access additional information at https://cloud.google.com/kms/docs/ekm-access-justification.

EKM Justification Attribute Values

The Google EKM Justification attribute comes into Ionic Machina as a Name/Value pair in the request metadata, also known as the environment attribute.

  • The attribute Name is access-reason.ekm.cloud.google.com.
  • The attribute Value can be any of the reasons listed in the following table.

Value/Reason

Description

CUSTOMER_INITIATED_ACCESS

Customer used the account to perform any access to their own data which is authorized by their own IAM policy.

MODIFIED_CUSTOMER_INITIATED_
ACCESS

Customer used the account to perform any access to their own data which is authorized by their own IAM policy, however a Google administrator has recently reset the superuser account associated with the user's Organization.

GOOGLE_INITIATED_SYSTEM_OPERATION

Google accessed customer data to help optimize the structure of the data or quality for future uses by the customer. This includes accessed for the purposes of indexing, structuring, precomputation, hashing, sharding and caching. This also includes backing up data for disaster recovery or data integrity reasons, and detecting errors that can be remedied from that backup data.

Note that where the customer has delegated a managed control plane operation to Google, such as the creation of a managed instance group, all managed operations will show as system operations. Services such as the managed instance group manager that trigger downstream decryption operations do not have access to clear-text customer data.

REASON_NOT_EXPECTED

No reason is expected for this key request as the service in question has never integrated with Key Access Justifications, or is still in Preview and therefore may still have residual methods that call the external key manager but still do not provide a justification.

CUSTOMER_INITIATED_SUPPORT

Customer-initiated support, for example, "Case Number: ####".

GOOGLE_INITIATED_SERVICE

Google-initiated access, for example, to perform system management and troubleshooting, which includes:

  • Backup and recovery from outages and system failures
  • Investigation to confirm that the customer is not affected by suspected service issues
  • Remediation of technical issues, such as storage failure or data corruption

THIRD_PARTY_DATA_REQUEST

Google-initiated access in response to a legal request or legal process, including when responding to legal process from the customer that requires Google to access the customer's own data.

GOOGLE_INITIATED_REVIEW

Google-initiated access for security, fraud, abuse, or compliance purposes, including:

  • Ensuring the safety and security of customer accounts and data
  • Confirming whether data is affected by an event that may impact account security (for example, malware infections)
  • Confirming whether customer is using Google services in compliance with Google Terms of Service
  • Investigating complaints by other users and customers, or other signals of abusive activity
  • Checking that Google services are being used consistently with relevant compliance regimes (for example, anti-money laundering regulations)

REASON_UNSPECIFIED

Key Access Justifications are enabled but no justification is available for the request. This may have been due to a transient error, a bug, or some other circumstance.

Viewing the EKM Justification Attribute

To view the attribute, go to Machina Console -> Analytics  -> Activity. In the Log, select the corresponding instance. Go the Environment Attributes at the bottom of the page.

mceclip0.png

Using EKM Justification Attribute with Ionic Machina Data Access Policies

Ionic Machina data access policies determine whether a key request should be allowed or denied based on the request context which includes the attributes on the key being requested, the metadata associated with the request, the entity making the request, and other factors.

Writing a data policy for Google EKM justification

To write a data policy for Google EKM justification:

  1. In the Machina Console, click on Data Policies.
  2. Click Create Data Policy, enter a name for the policy, and click Create.
  3. Click Enable Policy to activate the policy.
  4. Click Create Rule.
  5. Click Deny, then Advanced.  Follow the next steps very carefully.
  6. Click in the Attribute field on the left and type “environment:access-reason.ekm.cloud.google.com” and press Enter.
  7. In the Attribute field, select “specific values” in the dropdown.
  8. A new field will appear to the right.  In that field type the justification value(s) you would like to use.  For example, type “CUSTOMER_INITIATED_SUPPORT” and hit enter. You can enter as many justification values as you would like in this field.
  9. After you have entered the values you want, click Create.

mceclip1.png

After the policy has been created, you can go back to the policy rule and add and remove justification values as desired.

Creating an Allow All policy

For demos, it is easiest to create an Ionic Policy named “Allow All” that will allow all key requests that are not explicitly denied by another policy.

To create an Allow All policy:

  1. Click on Data Policies on the Machina Console.
  2. Click Create Data Policy, enter a name for the policy (“Allow All”), and click Create.
  3. Click Enable Policy to activate the policy.
  4. Click Create Rule, then click Create without making any changes.

 

More on Machina Data Access Policies

Machina data access policies are almost like a programming language and can be constructed in many ways to fit almost any use case.

Considering the above scenario with an Allow All policy, you can set up the Justification policy  in any of the following ways:

  1. Deny access if the justification attribute has a specific value (as detailed above).
  2. Deny access if the justification attribute does not have a specific value.

You can also set up a policy without the Allow All feature enabled.

  1. Allow access if the justification attribute has a specific value.
  2. Allow access if the justification attribute does not have a specific value.

Ionic Machina can also make decisions about many other factors such as the person or system making the request and attributes defined on the key when it was created.

Related articles

Comments

0 comments

Article is closed for comments.