Encrypting the Clumio SNS topic

To encrypt the Clumio SNS topic created in your AWS account, follow the steps for whichever of the scenarios below applies.

New CloudFormation Install

  • While installing the stack in your AWS account, if you have a preexisting key that you wish to use, enter the KMS key ID under the ClumioInventoryTopicEncryptionKey field.
  • If you do not have a preexisting key and want Clumio to create one, leave the ClumioInventoryTopicEncryptionKey field blank and select true for the CreateClumioInventoryTopicEncryptionKey field.
  • Follow the remaining process as usual.


Update existing CloudFormation Stack

  • Log in to Clumio and navigate to AWS > Connect > Account > Update to Latest
  • Click Update CloudFormation Template > Launch Stack Wizard
  • When redirected to your AWS account, follow the steps under New CloudFormation Install above.

Validate that the SNS topic is encrypted

  • Log in to the AWS Management Console.
  • Navigate to Simple Notification Service > Topics
  • Click on the topic that begins with ClumioInventoryTopic > Encryption
  • Here you may verify the encryption status and the KMS key ARN


Ensure that the KMS key allows access

  • Verify that the KMS key policy allows access to the EventBridge and SNS services.
  • You can use the following example statements, added to the Statement array of the key policy, to allow access to the necessary services.
{
  "Sid": "Allow EventBridge to use the key",
  "Effect": "Allow",
  "Principal": {
    "Service": "events.amazonaws.com"
  },
  "Action": [
    "kms:GenerateDataKey*",
    "kms:Decrypt"
  ],
  "Resource": "*"
},
{
  "Sid": "Allow SNS to use the key",
  "Effect": "Allow",
  "Principal": {
    "Service": "sns.amazonaws.com"
  },
  "Action": [
    "kms:GenerateDataKey*",
    "kms:Decrypt"
  ],
  "Resource": "*"
}

Note: Resource can be modified to be specific KMS key(s).
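
The key policy check described above can be scripted. The following is an added example, not Clumio's code: it reads a KMS key policy document and reports which of the grants shown on this page are missing for the EventBridge and SNS service principals. The function names and the sample policy are constructed for illustration, and Condition, NotAction and NotPrincipal elements are not evaluated.

```python
import json
from fnmatch import fnmatchcase

# Service principals and actions from the example statements on this page.
# Concrete action names are tested so that policy patterns such as
# "kms:GenerateDataKey*" or "kms:*" count as covering them (an assumption).
REQUIRED = {
    "events.amazonaws.com": ["kms:GenerateDataKey", "kms:Decrypt"],
    "sns.amazonaws.com": ["kms:GenerateDataKey", "kms:Decrypt"],
}

def _as_list(value):
    """IAM policy JSON accepts a single item where a list is expected."""
    if value is None:
        return []
    return list(value) if isinstance(value, list) else [value]

def _applies(stmt, service, action):
    """True if the statement names this service principal and covers the action."""
    principal = stmt.get("Principal")
    services = _as_list(principal.get("Service")) if isinstance(principal, dict) else []
    patterns = [p.lower() for p in _as_list(stmt.get("Action"))]
    return service in services and any(fnmatchcase(action.lower(), p) for p in patterns)

def missing_grants(policy_json):
    """Return {service: [actions not granted]} for a KMS key policy document."""
    statements = _as_list(json.loads(policy_json).get("Statement"))
    missing = {}
    for service, actions in REQUIRED.items():
        for action in actions:
            allowed = any(s.get("Effect") == "Allow" and _applies(s, service, action) for s in statements)
            denied = any(s.get("Effect") == "Deny" and _applies(s, service, action) for s in statements)
            if denied or not allowed:
                missing.setdefault(service, []).append(action)
    return missing

# Constructed sample: SNS is granted both actions, EventBridge only kms:Decrypt.
SAMPLE_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [
        {"Sid": "Allow SNS to use the key", "Effect": "Allow",
         "Principal": {"Service": "sns.amazonaws.com"},
         "Action": ["kms:GenerateDataKey*", "kms:Decrypt"], "Resource": "*"},
        {"Sid": "Allow EventBridge to use the key", "Effect": "Allow",
         "Principal": {"Service": "events.amazonaws.com"},
         "Action": "kms:Decrypt", "Resource": "*"},
    ],
})

if __name__ == "__main__":
    print(missing_grants(SAMPLE_POLICY))
```

An empty result means both services hold the two grants; pass the function the policy document returned by the KMS GetKeyPolicy API for the key that encrypts the topic.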