Security, Audit & Cost

Lease-scoped encryption, time-bounded secrets, attestation, fair-share quotas, audit chain, cost attribution.

When to read this section

You need to encrypt data with a key that retires automatically, run a workload in a fenced clean room, enforce per-tenant quotas across many projects, attribute cost back to tenants for billing, or surface every meaningful event on the audit chain for compliance. These recipes treat encryption / attestation / accounting as lifecycle properties of leased resources, not as bolt-ons.

Suggested order

  1. Encrypting Data at Rest With a Lease-Scoped Key — the smallest encryption variant. The key’s lifetime is the lease’s lifetime.
  2. Time-Bound Secret Vault — short-lived secrets with automatic retirement.
  3. Lease-Scoped Data Clean Room — multi-party computation variant. The workload sees the data only while the lease lives.
  4. Multi-Tenant Compute With Preemption and Attestation — preemptible compute with attested workload identity. The combination is what makes the cost-attribution downstream trustworthy.
  5. Per-Project Fair Share — quota enforcement across many tenants.
  6. Consuming the Audit Chain — the audit-side reader pattern. How to query the typed chain from a SIEM or operator dashboard.
  7. Tenant Audit Dashboard From the Typed Chain — the dashboard variant. Builds on the consumer recipe.
  8. Cost Attribution Tags — the cost-rollup variant. How tags carried through every event aggregate into per-tenant invoices.

What’s not here

Per-request inference billing attribution. See GPU & Inference / audit and attribution.

Application-layer encryption inside a single tenant’s data path. See State & Storage.