
KMS Encryption and Simplified Bucket Policies for the S3 Carbon Black Cloud Data Forwarder

Posted on April 6, 2022


We have simplified the Data Forwarder to require fewer permissions. The following actions are no longer required in the bucket policy:

  • "s3:AbortMultipartUpload"
  • "s3:GetObjectAcl"
  • "s3:ListMultipartUploadParts"

Additionally, it is now possible to enable KMS encryption on any AWS S3 bucket used to store data sent from the Carbon Black Cloud Data Forwarder. The following instructions are intended for existing customers who have already enabled a CBC Data Forwarder, and who wish to enable KMS encryption on their existing S3 bucket.

If you require stronger protection for your data at rest, we recommend AWS's built-in key management service, AWS KMS. It makes securing your data straightforward and, with the key policy below, gives Carbon Black the ability to write files to the bucket without the ability to read them back later.

Instructions to update the bucket policy for existing Forwarder buckets and reduce the number of actions permitted

  1. Log in to your AWS Management Console
  2. Navigate to Amazon S3
  3. Search for the Forwarder bucket by name and select the bucket
  4. From the Permissions tab, Edit the Bucket Policy
  5. Update the bucket policy to remove these unneeded Actions assigned to the Principal for Carbon Black Cloud Data Forwarder:
    1. "s3:AbortMultipartUpload"
    2. "s3:GetObjectAcl"
    3. "s3:ListMultipartUploadParts"
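The console steps above edit the policy by hand. For accounts with several forwarder buckets, the same trim can be applied programmatically. The following is an added example, not code from Carbon Black or from this post: it removes the three unneeded actions only from Allow statements that grant to the forwarder principal and leaves every other statement alone, returning a copy so the old and new policies can be diffed before saving. The forwarder role ARN is the one this post uses in the KMS key policy; the bucket name and the remaining action in the sample policy are constructed placeholders, since this post does not list the actions the forwarder still needs.

```python
import copy
import json

# The three actions this post says the Data Forwarder no longer needs.
UNNEEDED_ACTIONS = {
    "s3:AbortMultipartUpload",
    "s3:GetObjectAcl",
    "s3:ListMultipartUploadParts",
}

# The forwarder principal used in this post's KMS key policy. Assumption for
# this example: the bucket policy's forwarder statement names the same role.
FORWARDER_ROLE = (
    "arn:aws:iam::132308400445:role/"
    "mcs-psc-prod-event-forwarder-us-east-1-event-forwarder"
)


def _as_list(value):
    """IAM policy fields may be a single string or a list; normalise to a list."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def _grants_to_forwarder(statement):
    """True if the statement's Principal names the forwarder role."""
    principal = statement.get("Principal", {})
    aws = principal.get("AWS") if isinstance(principal, dict) else principal
    return FORWARDER_ROLE in _as_list(aws)


def strip_unneeded_actions(policy):
    """Return (trimmed_policy, removed_actions).

    Only Allow statements that grant to the forwarder role are touched; every
    other statement is copied unchanged. The input is not modified, so the two
    versions can be compared before the new policy is saved.
    """
    trimmed = copy.deepcopy(policy)
    removed = []
    for stmt in trimmed.get("Statement", []):
        if stmt.get("Effect") != "Allow" or not _grants_to_forwarder(stmt):
            continue
        actions = _as_list(stmt.get("Action"))
        removed.extend(a for a in actions if a in UNNEEDED_ACTIONS)
        stmt["Action"] = [a for a in actions if a not in UNNEEDED_ACTIONS]
    return trimmed, removed


# Constructed sample bucket policy. "s3:PutObject" stands in for whatever
# actions your existing policy still grants; take the real list from there.
SAMPLE_BUCKET_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "AllowForwarderWrites",
            "Effect": "Allow",
            "Principal": {"AWS": FORWARDER_ROLE},
            "Action": [
                "s3:PutObject",
                "s3:AbortMultipartUpload",
                "s3:GetObjectAcl",
                "s3:ListMultipartUploadParts",
            ],
            "Resource": "arn:aws:s3:::example-cbc-forwarder-bucket/*",
        },
        {
            # Unrelated statement: must survive untouched.
            "Sid": "DenyInsecureTransport",
            "Effect": "Deny",
            "Principal": "*",
            "Action": "s3:*",
            "Resource": "arn:aws:s3:::example-cbc-forwarder-bucket/*",
            "Condition": {"Bool": {"aws:SecureTransport": "false"}},
        },
    ],
}

if __name__ == "__main__":
    new_policy, dropped = strip_unneeded_actions(SAMPLE_BUCKET_POLICY)
    print("Removed:", ", ".join(dropped))
    print(json.dumps(new_policy, indent=4))
```

Feed it the output of `aws s3api get-bucket-policy` (the `Policy` field, parsed as JSON) and put the trimmed document back with `put-bucket-policy` once the diff looks right.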

Instructions to set up CBC Data Forwarder-compatible KMS encryption of an AWS S3 bucket

Create a Customer Managed KMS Key
  1. Navigate to the AWS Key Management Service
  2. From the left side panel, choose Customer managed keys
  3. Create a key
  4. Leave the default selections for Symmetric keys, KMS key material origin, Single-region key
  5. Hit Next and fill in any Alias, Description or Tags you like, and any Key administrators, Key deletion or Key usage permissions you need to allocate
  6. Add the following statement to the Statement array of the Key policy, using the same Principal you specified in your S3 bucket policy:
{
    "Sid": "KMS policy to allow CBC Data Forwarder",
    "Effect": "Allow",
    "Principal": {
        "AWS": "arn:aws:iam::132308400445:role/mcs-psc-prod-event-forwarder-us-east-1-event-forwarder"
    },
    "Action": [
        "kms:GenerateDataKey",
        "kms:Decrypt"
    ],
    "Resource": "*"
}

Example of a complete KMS policy. The first statement is the console's default administrator statement for your account root; it must not list "*" as a principal, since an Allow of kms:* to "*" opens the key to any caller.
{
    "Version": "2012-10-17",
    "Id": "key-consolepolicy-3",
    "Statement": [
        {
            "Sid": "Enable IAM User Permissions",
            "Effect": "Allow",
            "Principal": {
                "AWS": "arn:aws:iam::123456654321:root"
            },
            "Action": "kms:*",
            "Resource": "*"
        },
        {
            "Sid": "KMS policy to allow CBC Data Forwarder",
            "Effect": "Allow",
            "Principal": {
                "AWS": "arn:aws:iam::132308400445:role/mcs-psc-prod-event-forwarder-us-east-1-event-forwarder"
            },
            "Action": [
                "kms:GenerateDataKey",
                "kms:Decrypt"
            ],
            "Resource": "*"
        }
    ]
}

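Before saving the key policy, it is worth checking that it grants the forwarder exactly the two actions above and nothing broader, and that no Allow statement names the wildcard principal. The following is an added example, not code from Carbon Black or from this post: a small audit over a parsed key policy that returns findings for a wildcard principal, for a forwarder grant wider than kms:GenerateDataKey and kms:Decrypt, and for a missing forwarder statement. The two sample policies are constructed; the forwarder role ARN and the account id 123456654321 are the values used in this post.

```python
FORWARDER_ROLE = (
    "arn:aws:iam::132308400445:role/"
    "mcs-psc-prod-event-forwarder-us-east-1-event-forwarder"
)
# The only KMS actions the forwarder needs, per this post.
FORWARDER_ACTIONS = {"kms:GenerateDataKey", "kms:Decrypt"}


def _as_list(value):
    """Policy fields may be a string or a list; normalise to a list."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def _principals(statement):
    """Flatten Principal ("*", a string ARN, or {"AWS": [...]}) to a list."""
    principal = statement.get("Principal")
    if isinstance(principal, dict):
        return [p for values in principal.values() for p in _as_list(values)]
    return _as_list(principal)


def audit_key_policy(policy):
    """Return a list of findings; an empty list means the policy matches this post.

    Checks: no Allow statement names the wildcard principal "*"; any statement
    granting to the forwarder role allows only GenerateDataKey and Decrypt; and
    a forwarder statement is actually present.
    """
    findings = []
    forwarder_seen = False
    for stmt in policy.get("Statement", []):
        if stmt.get("Effect") != "Allow":
            continue
        sid = stmt.get("Sid", "<no Sid>")
        principals = _principals(stmt)
        actions = set(_as_list(stmt.get("Action")))
        if "*" in principals:
            findings.append(f"{sid}: Allow statement with wildcard principal '*'")
        if FORWARDER_ROLE in principals:
            forwarder_seen = True
            extra = sorted(actions - FORWARDER_ACTIONS)
            if extra:
                findings.append(f"{sid}: forwarder role granted more than needed: {extra}")
    if not forwarder_seen:
        findings.append("no Allow statement grants the forwarder role")
    return findings


# Constructed key policies; neither was fetched from a real key.
KEY_POLICY_OK = {
    "Version": "2012-10-17",
    "Id": "key-consolepolicy-3",
    "Statement": [
        {
            "Sid": "Enable IAM User Permissions",
            "Effect": "Allow",
            "Principal": {"AWS": "arn:aws:iam::123456654321:root"},
            "Action": "kms:*",
            "Resource": "*",
        },
        {
            "Sid": "KMS policy to allow CBC Data Forwarder",
            "Effect": "Allow",
            "Principal": {"AWS": FORWARDER_ROLE},
            "Action": ["kms:GenerateDataKey", "kms:Decrypt"],
            "Resource": "*",
        },
    ],
}

# The same policy with two mistakes: a wildcard principal on the admin
# statement and a blanket kms:* grant to the forwarder.
KEY_POLICY_BAD = {
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "Enable IAM User Permissions",
            "Effect": "Allow",
            "Principal": {"AWS": ["*", "arn:aws:iam::123456654321:root"]},
            "Action": "kms:*",
            "Resource": "*",
        },
        {
            "Sid": "KMS policy to allow CBC Data Forwarder",
            "Effect": "Allow",
            "Principal": {"AWS": FORWARDER_ROLE},
            "Action": "kms:*",
            "Resource": "*",
        },
    ],
}

if __name__ == "__main__":
    print("ok policy:", audit_key_policy(KEY_POLICY_OK))
    print("bad policy:", audit_key_policy(KEY_POLICY_BAD))
```

The policy to audit can be pulled with `aws kms get-key-policy --key-id <key ARN> --policy-name default`; the `Policy` field it returns is a JSON string to parse and pass to `audit_key_policy`.
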
Configure KMS Encryption for your S3 Bucket
  1. Navigate to the AWS S3 service
  2. Search for a bucket by name and select the bucket
  3. From the Properties tab, scroll to Default Encryption and click Edit
  4. Enable Server-side encryption
  5. For Encryption key type, choose AWS Key Management Service key (SSE-KMS)
  6. For AWS KMS key, either Choose from your AWS KMS keys, or Enter AWS KMS key ARN
    1. If you choose to Enter AWS KMS key ARN, copy the ARN of the KMS key
    2. If you select Choose from your AWS KMS keys, select the forwarder key you created in steps 3-6
  7. Enable the Bucket Key
  8. Hit Save to finalize KMS encryption for your bucket
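Steps 4 to 7 set three things: SSE-KMS as the algorithm, your forwarder key as the key, and the Bucket Key enabled. The following is an added example, not code from Carbon Black or from this post, showing the same configuration as the structure S3's PutBucketEncryption API takes, plus a check that compares a bucket's current default-encryption configuration (what GetBucketEncryption returns) against those three requirements. The bucket name and key ARN are constructed placeholders; `apply_and_verify` assumes boto3 is installed and credentials with s3:PutEncryptionConfiguration and s3:GetEncryptionConfiguration are available, and it compares the key as a string, so configure the bucket with the key's full ARN as in step 6.

```python
EXPECTED_ALGORITHM = "aws:kms"  # SSE-KMS, as chosen in step 5


def sse_kms_configuration(key_arn, bucket_key_enabled=True):
    """Build the ServerSideEncryptionConfiguration equivalent to steps 4-7.

    key_arn is the ARN copied from the forwarder key created earlier.
    """
    return {
        "Rules": [
            {
                "ApplyServerSideEncryptionByDefault": {
                    "SSEAlgorithm": EXPECTED_ALGORITHM,
                    "KMSMasterKeyID": key_arn,
                },
                "BucketKeyEnabled": bucket_key_enabled,
            }
        ]
    }


def encryption_findings(configuration, expected_key_arn):
    """Compare a bucket's current ServerSideEncryptionConfiguration with what
    this setup requires. Returns a list of findings; empty means compliant."""
    rules = configuration.get("Rules", [])
    if not rules:
        return ["no default encryption rule configured"]
    findings = []
    for rule in rules:
        default = rule.get("ApplyServerSideEncryptionByDefault", {})
        algorithm = default.get("SSEAlgorithm")
        if algorithm != EXPECTED_ALGORITHM:
            findings.append(
                f"SSEAlgorithm is {algorithm!r}, expected {EXPECTED_ALGORITHM!r}"
            )
        key = default.get("KMSMasterKeyID")
        if key != expected_key_arn:
            findings.append(
                f"KMSMasterKeyID is {key!r}, expected the forwarder key {expected_key_arn!r}"
            )
        if not rule.get("BucketKeyEnabled", False):
            findings.append("Bucket Key is not enabled")
    return findings


def apply_and_verify(bucket, key_arn):
    """Apply the configuration to a real bucket, read it back, and report
    any drift. Assumption: boto3 is installed and AWS credentials are set up."""
    import boto3

    s3 = boto3.client("s3")
    s3.put_bucket_encryption(
        Bucket=bucket,
        ServerSideEncryptionConfiguration=sse_kms_configuration(key_arn),
    )
    current = s3.get_bucket_encryption(Bucket=bucket)[
        "ServerSideEncryptionConfiguration"
    ]
    return encryption_findings(current, key_arn)


# Constructed placeholder values; replace with your bucket name and key ARN.
EXAMPLE_BUCKET = "example-cbc-forwarder-bucket"
EXAMPLE_KEY_ARN = "arn:aws:kms:us-east-1:123456654321:key/REPLACE-WITH-KEY-ID"

if __name__ == "__main__":
    # Offline self-check: the built configuration satisfies its own requirements.
    print(encryption_findings(sse_kms_configuration(EXAMPLE_KEY_ARN), EXAMPLE_KEY_ARN))
    # Against a real bucket: apply_and_verify(EXAMPLE_BUCKET, EXAMPLE_KEY_ARN)
```

Running `encryption_findings` against every forwarder bucket on a schedule catches the common regression where someone later switches the bucket back to SSE-S3 or to a different key, which would silently break the separation described earlier.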
