Posted on April 6, 2022
We have simplified the Data Forwarder to require fewer permissions. The following actions are no longer required in the bucket policy:
Additionally, it is now possible to enable KMS encryption on any AWS S3 bucket used to store data sent from the Carbon Black Cloud Data Forwarder. The following instructions are intended for existing customers who have already enabled a CBC Data Forwarder, and who wish to enable KMS encryption on their existing S3 bucket.
If you require stronger protection for your data at rest, we recommend that you use AWS's built-in key management service, AWS KMS. This makes securing your data straightforward and gives Carbon Black the ability to write files without the ability to read them back later.
Customer managed keys
If the bucket is encrypted with a customer managed KMS key, add the following statement to that key's policy so that the Data Forwarder role can use the key:
  {
    "Sid": "KMS policy to allow CBC Data Forwarder",
    "Effect": "Allow",
    "Principal": {
      "AWS": "arn:aws:iam::132308400445:role/mcs-psc-prod-event-forwarder-us-east-1-event-forwarder"
    },
    "Action": [
      "kms:GenerateDataKey",
      "kms:Decrypt"
    ],
    "Resource": "*"
  }
A complete key policy with that statement added looks like the following, where 123456654321 stands for your own AWS account ID. Keep the principal of the default "Enable IAM User Permissions" statement limited to your account root; a "*" principal in a key policy would grant kms:* to every AWS account.
  {
    "Version": "2012-10-17",
    "Id": "key-consolepolicy-3",
    "Statement": [
      {
        "Sid": "Enable IAM User Permissions",
        "Effect": "Allow",
        "Principal": {
          "AWS": "arn:aws:iam::123456654321:root"
        },
        "Action": "kms:*",
        "Resource": "*"
      },
      {
        "Sid": "KMS policy to allow CBC Data Forwarder",
        "Effect": "Allow",
        "Principal": {
          "AWS": "arn:aws:iam::132308400445:role/mcs-psc-prod-event-forwarder-us-east-1-event-forwarder"
        },
        "Action": [
          "kms:GenerateDataKey",
          "kms:Decrypt"
        ],
        "Resource": "*"
      }
    ]
  }
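Before applying a key policy like the one above, it is worth checking it mechanically: that the forwarder role is granted exactly the two actions it needs and nothing else, and that no statement carries a wildcard principal. The following checker is an added example, not Carbon Black's or AWS's code; the forwarder role ARN and the two actions are taken from the page, and SAMPLE_POLICY is a constructed policy with a stray "*" principal to show what a finding looks like.

```python
# Role the CBC Data Forwarder writes with (value taken from the page's policy).
FORWARDER_ROLE = ("arn:aws:iam::132308400445:role/"
                  "mcs-psc-prod-event-forwarder-us-east-1-event-forwarder")
# The only KMS actions the forwarder needs for SSE-KMS writes (from the page).
FORWARDER_NEEDS = {"kms:GenerateDataKey", "kms:Decrypt"}


def _as_list(value):
    """IAM policy elements may be a string or a list; normalise to a list."""
    return value if isinstance(value, list) else [value]


def _principals(stmt):
    """Flatten the Principal element to a list of AWS principal strings."""
    principal = stmt.get("Principal", {})
    return ["*"] if principal == "*" else _as_list(principal.get("AWS", []))


def lint_key_policy(policy):
    """Return a list of findings for a KMS key policy dict; empty means clean."""
    findings = []
    for stmt in policy.get("Statement", []):
        if stmt.get("Effect") != "Allow":
            continue
        sid = stmt.get("Sid", "<no Sid>")
        actions = set(_as_list(stmt.get("Action", [])))
        for who in _principals(stmt):
            if who == "*":
                findings.append(f"{sid}: Principal '*' grants {sorted(actions)} "
                                "to every AWS principal, not just this account")
            elif who == FORWARDER_ROLE and actions - FORWARDER_NEEDS:
                findings.append(f"{sid}: forwarder role granted more than it "
                                f"needs: {sorted(actions - FORWARDER_NEEDS)}")
    return findings


def forwarder_can_write(policy):
    """True if some Allow statement gives the forwarder role both needed actions."""
    for stmt in policy.get("Statement", []):
        actions = set(_as_list(stmt.get("Action", [])))
        if stmt.get("Effect") == "Allow" and FORWARDER_ROLE in _principals(stmt):
            if FORWARDER_NEEDS <= actions or "kms:*" in actions:
                return True
    return False


# Constructed sample: the default console statement with a stray "*" principal.
SAMPLE_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Sid": "Enable IAM User Permissions", "Effect": "Allow",
     "Principal": {"AWS": ["*", "arn:aws:iam::123456654321:root"]},
     "Action": "kms:*", "Resource": "*"},
    {"Sid": "KMS policy to allow CBC Data Forwarder", "Effect": "Allow",
     "Principal": {"AWS": FORWARDER_ROLE},
     "Action": ["kms:GenerateDataKey", "kms:Decrypt"], "Resource": "*"}]}
```

Running `lint_key_policy` on the policy you intend to apply and `forwarder_can_write` on the result makes a quick pre-deployment gate; the same check can be pointed at the policy returned by `aws kms get-key-policy` after the change.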