Encrypting the Clumio SNS topic

To Encrypt the Clumio SNS topic created in your AWS Account, you may follow the steps for either of the below scenarios.

New CloudFormation Install

• While installing the stack in your AWS account, if you have a preexisting key that you wish to use, enter the KMS key ID under the ClumioInventoryTopicEncryptionKey field.

• If you do not have a preexisting key and want Clumio to create one, please leave the above field blank, and select true for the CreateClumioInventoryTopicEncryptionKey field.

• Follow the remaining process as usual.

Update existing CloudFormation Stack

• Login to Clumio and Navigate to AWS > Connect > Account > Update to Latest
• Click on Update CloudFormation Template > Launch Stack Wizard
• When redirected to your AWS account, follow the steps above.

Validate that the SNS topic is encrypted

• Login to the AWS Management console.
• Navigate to Simple Notification Service > Topics
• Click on the topic that begins with ClumioInventoryTopic > Encryption
• Here you may verify the encryption status and the KMS key ARN

Ensure that the KMS key allows access

• Verify that the KMS policy allows access to the EventBridge and SNS services.
• You can use the following example below to allow access to the necessary services.

{
  "Sid": "Allow EventBridge to use the key",
  "Effect": "Allow",
  "Principal": {
    "Service": "events.amazonaws.com"
  },
  "Action": [
    "kms:GenerateDataKey*",
    "kms:Decrypt"
  ],
  "Resource": "*"
},
{
  "Sid": "Allow SNS to use the key",
  "Effect": "Allow",
  "Principal": {
    "Service": "sns.amazonaws.com"
  },
  "Action": [
    "kms:GenerateDataKey*",
    "kms:Decrypt"
  ],
  "Resource": "*"
}

Note: Resource can be modified to be specific KMS key(s).