Use this procedure to create a Customer Managed Key (CMK) for AWS Key Management Service (KMS). This is the first of two procedures to KMS-encrypt the S3 buckets used with Carbon Black Cloud Data Forwarder.

Procedure

  1. Navigate to the AWS Key Management Service KMS.
  2. On the left side panel of the AWS Console, navigate to KMS / Customer managed keys, and click Create key.
    The create key panel
  3. Select Symmetric. Under Advanced options, make sure the default options are selected:
    • Key material origin = KMS
    • Regionality = Single-Region key

    Then click Next.

  4. Type an Alias for the KMS key, such as s3-cmk-data-forwarder, and click Next.
  5. Specify the users or roles as the key administrators, and then click Next.
  6. Specify the users or roles that are granted use of the key, and then click Next.
  7. Review the resource policy generated for your key. In the Statement section of the Key policy, append the following statement:
    {
        "Sid": "KMS policy to allow CBC Data Forwarder",
        "Effect": "Allow",
        "Principal": {
            "AWS": "arn:aws:iam::132308400445:role/mcs-psc-prod-event-forwarder-us-east-1-event-forwarder"
        },
        "Action": [
            "kms:GenerateDataKey",
            "kms:Decrypt"
        ],
        "Resource": "*"
    }

    For example, in the image that follows, you can see the code snippet above appended to the default policy statement generated by AWS when creating a new KMS key through the AWS UI.

    Example of a code snippet appended to the default AWS policy statement
    Note: In the example above, keep in mind that the "Principal" value is not the same for all users.

    For more information about the "Principal" value, see step 4 of Configure the Bucket Policy to Allow Access.

    Click Finish.
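    The following Python helper is an added example and is not part of this documentation or of the Carbon Black Cloud product. It assembles the complete key policy that results from step 7 (the default "Enable IAM User Permissions" root statement that the console generates, plus the appended Data Forwarder statement) and then reviews it to confirm the forwarder role is granted exactly kms:GenerateDataKey and kms:Decrypt and nothing broader. The account id 123456789012 and the policy Id value are constructed placeholders; the forwarder role ARN is the one shown on this page, and as the note above says it may differ for your tenant.

```python
import json
import re

# Role ARN shown on this page for the Carbon Black Cloud Data Forwarder.
# Replace it with the Principal value given for your tenant.
FORWARDER_ROLE_ARN = (
    "arn:aws:iam::132308400445:role/mcs-psc-prod-event-forwarder-us-east-1-event-forwarder"
)

# The only two KMS actions the forwarder needs to write SSE-KMS objects to S3.
FORWARDER_ACTIONS = ("kms:GenerateDataKey", "kms:Decrypt")

_ROLE_ARN_RE = re.compile(r"^arn:aws:iam::\d{12}:role/[\w+=,.@/-]+$")


def forwarder_statement(role_arn: str) -> dict:
    """Return the statement from step 7 for the given forwarder role ARN."""
    if not _ROLE_ARN_RE.match(role_arn):
        raise ValueError(f"not an IAM role ARN: {role_arn}")
    return {
        "Sid": "KMS policy to allow CBC Data Forwarder",
        "Effect": "Allow",
        "Principal": {"AWS": role_arn},
        "Action": list(FORWARDER_ACTIONS),
        "Resource": "*",
    }


def build_key_policy(account_id: str, role_arn: str = FORWARDER_ROLE_ARN) -> dict:
    """Assemble a complete key policy: the AWS default root statement that the
    console generates, plus the appended forwarder statement.
    account_id is the 12-digit id of the account that owns the CMK."""
    if not re.fullmatch(r"\d{12}", account_id):
        raise ValueError("account_id must be 12 digits")
    return {
        "Version": "2012-10-17",
        "Id": "key-consolepolicy-3",  # assumption: id the console assigns by default
        "Statement": [
            {
                "Sid": "Enable IAM User Permissions",
                "Effect": "Allow",
                "Principal": {"AWS": f"arn:aws:iam::{account_id}:root"},
                "Action": "kms:*",
                "Resource": "*",
            },
            forwarder_statement(role_arn),
        ],
    }


def _principals(principal) -> set:
    """Flatten a Principal element ("*", {"AWS": str} or {"AWS": [..]}) to a set."""
    if principal == "*":
        return {"*"}
    aws = (principal or {}).get("AWS", [])
    return {aws} if isinstance(aws, str) else set(aws)


def check_forwarder_access(policy: dict, role_arn: str = FORWARDER_ROLE_ARN) -> list:
    """Review helper: list findings about what the policy grants the forwarder.
    An empty list means the role gets exactly FORWARDER_ACTIONS, no less and no more."""
    findings = []
    matching = [
        s for s in policy.get("Statement", [])
        if s.get("Effect") == "Allow" and role_arn in _principals(s.get("Principal"))
    ]
    if not matching:
        return [f"no Allow statement names {role_arn}"]
    granted = set()
    for s in matching:
        actions = s.get("Action", [])
        granted.update([actions] if isinstance(actions, str) else actions)
    missing = set(FORWARDER_ACTIONS) - granted
    if missing:
        findings.append("forwarder lacks " + ", ".join(sorted(missing)))
    extra = granted - set(FORWARDER_ACTIONS)
    if extra:
        findings.append("forwarder granted beyond need: " + ", ".join(sorted(extra)))
    return findings


if __name__ == "__main__":
    policy = build_key_policy("123456789012")  # constructed sample account id
    print(json.dumps(policy, indent=4))
    print("findings:", check_forwarder_access(policy))
```

    Writing the printed JSON to a file lets you create the same key from the CLI instead of the console, with `aws kms create-key --policy file://key-policy.json` followed by `aws kms create-alias --alias-name alias/s3-cmk-data-forwarder --target-key-id <KeyId>`; running check_forwarder_access against a policy fetched with `aws kms get-key-policy` is a quick way to catch a grant that drifted to `kms:*`.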

What to do next

You must now configure the S3 bucket to enable server-side encryption (SSE) using AWS KMS. See: Configure KMS Encryption for Your S3 Bucket.