Security, Audit & Cost
Lease-scoped encryption, time-bounded secrets, attestation, fair-share quotas, audit chain, cost attribution.
When to read this section
You need to encrypt data with a key that retires automatically, run a workload in a fenced clean room, enforce per-tenant quotas across many projects, attribute cost back to tenants for billing, or surface every meaningful event on the audit chain for compliance. These recipes treat encryption, attestation and accounting as lifecycle properties of leased resources, not as bolt-ons.
Suggested order
- Encrypting Data at Rest With a Lease-Scoped Key — the smallest encryption variant. The key’s lifetime is the lease’s lifetime.
- Time-Bound Secret Vault — short-lived secrets with automatic retirement.
- Lease-Scoped Data Clean Room — multi-party computation variant. The workload sees the data only while the lease lives.
- Multi-Tenant Compute With Preemption and Attestation — preemptible compute with attested workload identity. The combination is what makes the cost-attribution downstream trustworthy.
- Per-Project Fair Share — quota enforcement across many tenants.
- Consuming the Audit Chain — the audit-side reader pattern. How to query the typed chain from a SIEM or operator dashboard.
- Tenant Audit Dashboard From the Typed Chain — the dashboard variant. Builds on the consumer recipe.
- Cost Attribution Tags — the cost-rollup variant. How tags carried through every event aggregate into per-tenant invoices.
What’s not here
Per-request inference billing attribution is covered in GPU & Inference / audit and attribution. Application-layer encryption inside a single tenant’s data path is covered in State & Storage.