Protecting data at rest

This document describes the encryption policies for data at rest in Cloud Monitoring and steps you can take to ensure that your sensitive customer data is protected.

This document is intended for customers who must comply with data-security requirements.

Encryption of data at rest

All data at rest within Cloud Monitoring is encrypted using Google Cloud-powered encryption keys. Cloud Monitoring doesn't support the use of customer-managed encryption keys (CMEK) for protecting your data at rest. By default, Monitoring doesn't store sensitive data and isn't intended to be used for Personally Identifiable Information (PII) or other private customer content.

However, there are places in Monitoring where you can inadvertently insert sensitive customer data. Because Cloud Monitoring stores metadata and resource labels, customer data can make its way into Monitoring when you name configurations or perform metadata actions like labeling a resource, annotating an instance, or storing custom resources by using custom resource definitions (CRDs) in Google Kubernetes Engine.
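
A pre-deployment check for the data paths described above, as an added example that is not part of the original documentation or any Google tooling: it walks a resource manifest and flags names, labels, annotations, and custom resource fields whose keys or values look like an email address, a US SSN, or a Luhn-valid payment card number. The detectors, the function names, and the sample manifest are constructed assumptions.

```python
import re

# Assumed detectors (added example); tune them to your own data-classification policy.
EMAIL = re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}")
SSN = re.compile(r"\b\d{3}-\d{2}-\d{4}\b")
CARD = re.compile(r"\b(?:\d[ -]?){12,18}\d\b")  # 13 to 19 digits, optional separators

def luhn_ok(digits):
    """Luhn checksum, used to drop digit runs that are not plausible card numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch) * (2 if i % 2 else 1)
        total += d - 9 if d > 9 else d
    return total % 10 == 0

def classify(text):
    """Return the kinds of sensitive data that appear in one string."""
    kinds = [name for name, rx in (("email", EMAIL), ("ssn-like", SSN)) if rx.search(text)]
    if any(luhn_ok(re.sub(r"\D", "", m.group())) for m in CARD.finditer(text)):
        kinds.append("card-number")
    return kinds

def scan(obj, path="$"):
    """Walk a resource and return (path, kind) for every suspicious key or value."""
    hits = []
    if isinstance(obj, dict):
        for key, value in obj.items():
            hits += [(f"{path}.{key} (key)", k) for k in classify(str(key))]
            hits += scan(value, f"{path}.{key}")
    elif isinstance(obj, list):
        for i, item in enumerate(obj):
            hits += scan(item, f"{path}[{i}]")
    elif isinstance(obj, str):
        hits += [(path, k) for k in classify(obj)]
    return hits

# Constructed sample manifest; none of these values come from the documentation.
SAMPLE = {
    "kind": "Deployment",
    "metadata": {
        "name": "billing-worker",
        "labels": {"app": "billing", "customer-id": "123-45-6789"},
        "annotations": {"contact": "jane.doe@example.com",
                        "note": "refund for card 4111 1111 1111 1111"},
    },
}

if __name__ == "__main__":
    print("\n".join(f"{kind}: {path}" for path, kind in scan(SAMPLE)))
```

Run a check like this in CI or an admission step so that a flagged manifest is rejected before its metadata reaches Monitoring.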