Parsing CloudTrail logs to check CMK activities
The CMK access can be viewed in the CloudTrail in a customer's AWS account by tracking Clumio KMS activities with the following usernames:
- 'KMS-backup' - Used during backup operations
- 'KMS-post-processing' - Used during post-processing work (FLI) operations
- 'KMS-restore' -Used during restore operations
- 'daebaksrv-S3Backup' - Used specifically during S3 backup operations
Any operations performed on the Clumio CMK apart from the above usernames should be reported and analyzed thoroughly by your security team.
- Log into your AWS account where the KMS key is hosted for encrypting backups stored in Clumio.
- Navigate to the CloudTrail service.
- From the left navigation pane of the CloudTrail service, select the 'Event History' tab to check the CloudTrail events.
- Filter the Event History lookup attributes with the User Name attribute.
- Choose one of the User Name shared above to capture the CMK activities performed by Clumio on the shared KMS key.
Please reach out to email@example.com with any questions.