S3 SSE configuration

Symptoms

Clumio fails to back up objects when the Clumio IAM role and its assumed role do not have access to the SSE-C keys encrypting the objects in your S3 bucket(s).

Root cause

Backups and restores will fail for SSE-C encrypted objects unless the bucket is configured for SSE-C aware backup prior to onboarding.

NOTE: For any bucket configured for SSE-C aware backup, all objects in the source bucket must be encrypted with a single SSE-C encryption key. Clumio does not support multiple SSE-C encryption keys at this time.

Resolution

If you encounter S3 backup or restore failures for buckets with objects known to be encrypted with SSE-C, use the following steps.

  1. Create a secret in AWS Secrets Manager containing the base64-encoded AES256 key.
  2. In the secret's resource policy, allow the ClumioIAMRole the permissions secretsmanager:DescribeSecret and secretsmanager:GetSecretValue (example below).
  3. Contact Clumio support ([email protected]) and provide details of the bucket name and secret ARN.

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Principal": {
                "AWS": [
                    "arn:aws:iam::<ACCOUNT_NUMBER>:role/clumio/<CLUMIO_ROLE_ID>",
                    "arn:aws:sts::<ACCOUNT_NUMBER>:assumed-role/<CLUMIO_ROLE_ID>/daebaksrv-S3Backup"
                ]
            },
            "Action": [
                "secretsmanager:DescribeSecret",
                "secretsmanager:GetSecretValue"
            ],
            "Resource": "arn:aws:secretsmanager:<REGION>:<ACCOUNT_NUMBER>:secret:<CLUMIO_SSE-C_KEY>"
        }
    ]
}
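
An added pre-flight check for steps 1 and 2 (example code, not Clumio's): it confirms that the secret value decodes to a 32-byte key and that the secret policy grants the two listed actions, and nothing else, to a specific role. It assumes the secret is stored as a plain string holding only the base64 key; the sample key, account number, role ID and secret name are constructed.

```python
import base64
import binascii
import fnmatch
import json

REQUIRED = {"secretsmanager:describesecret", "secretsmanager:getsecretvalue"}

def decode_sse_c_key(secret_string):
    """Decode the stored secret and confirm it is a 32-byte (AES256) key."""
    try:
        key = base64.b64decode(secret_string.strip(), validate=True)
    except (binascii.Error, ValueError) as exc:
        raise ValueError(f"secret is not valid base64: {exc}") from None
    if len(key) != 32:
        # Hex (64 chars) or double-encoded keys are valid base64 but the wrong size.
        raise ValueError(f"decoded key is {len(key)} bytes, AES256 needs 32")
    return key

def _as_list(value):
    return [value] if isinstance(value, str) else list(value or [])

def lint_secret_policy(policy_json):
    """Return findings for a secret resource policy shaped like the example above."""
    findings, granted = [], set()
    stmts = json.loads(policy_json)["Statement"]
    for i, stmt in enumerate(stmts if isinstance(stmts, list) else [stmts]):
        if stmt.get("Effect") != "Allow":
            continue
        actions = {a.lower() for a in _as_list(stmt.get("Action"))}
        # IAM action names are case-insensitive and may contain wildcards.
        granted |= {r for r in REQUIRED if any(fnmatch.fnmatchcase(r, a) for a in actions)}
        if actions - REQUIRED:
            findings.append(f"statement {i}: extra actions {sorted(actions - REQUIRED)}")
        principal = stmt.get("Principal")
        arns = _as_list(principal.get("AWS") if isinstance(principal, dict) else principal)
        if any(p == "*" or p.endswith(":root") for p in arns):
            findings.append(f"statement {i}: principal is wider than the backup role")
    if REQUIRED - granted:
        findings.append(f"missing actions {sorted(REQUIRED - granted)}")
    return findings

# Constructed sample values: placeholder account number, role ID and secret name.
SAMPLE_KEY = base64.b64encode(bytes(range(32))).decode()
SAMPLE_POLICY = json.dumps({"Version": "2012-10-17", "Statement": [{"Effect": "Allow",
    "Principal": {"AWS": ["arn:aws:iam::111122223333:role/clumio/EXAMPLE_ROLE_ID"]},
    "Action": ["secretsmanager:DescribeSecret", "secretsmanager:GetSecretValue"],
    "Resource": "arn:aws:secretsmanager:us-east-1:111122223333:secret:EXAMPLE_SSE_C_KEY"}]})
```

Run both functions against the real secret value and policy before sending the bucket name and secret ARN to support; an empty findings list and a 32-byte key mean the configuration matches the steps above.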