You can view CMK access in AWS CloudTrail in a customer's AWS account by tracking the Clumio KMS activities.
Clumio KMS activities have the following user names:
- 'KMS-backup': Used during backup operations
- 'KMS-post-processing': Used during the post-processing work (FLI) operations
- 'KMS-restore': Used during restore operations
- 'daebaksrv-S3Backup': Used during S3 backup operations
Any operation performed on the Clumio CMK under a user name other than those listed above should be reported to your security team and analyzed thoroughly.
- Log into your AWS account where the KMS key is hosted for encrypting backups stored in Clumio.
- Go to the CloudTrail service.
- In the left navigation pane, go to Event History.
- Under Lookup attributes, select the User name attribute, enter the Clumio KMS activity user name you want to view, and then refresh the list.
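The console lookup above shows one user name at a time. The following added example (not Clumio's code) covers the reverse check: it scans exported CloudTrail records for any KMS event on the CMK made under a user name outside the list above. The key ARN, role ARN and sample records are constructed placeholders, and the way a user name is derived from `userIdentity` is an assumption about how Event History fills that column.

```python
# User names the page lists for Clumio KMS activity.
CLUMIO_USER_NAMES = {"KMS-backup", "KMS-post-processing",
                     "KMS-restore", "daebaksrv-S3Backup"}
KEY_ARN = "arn:aws:kms:us-east-1:111122223333:key/EXAMPLE-KEY-ID"  # placeholder
ROLE = "arn:aws:sts::111122223333:assumed-role/ExampleRole/"        # constructed

def user_name(event):
    """Assumption: approximate the Event History 'User name' value."""
    ident = event.get("userIdentity", {})
    if ident.get("userName"):                      # IAM user
        return ident["userName"]
    if ident.get("type") == "AssumedRole" and "/" in ident.get("arn", ""):
        return ident["arn"].rsplit("/", 1)[1]      # role session name
    return ident.get("invokedBy") or ident.get("type", "unknown")

def touches_key(event, key_arn):
    """True for KMS API events whose resources include the CMK."""
    return event.get("eventSource") == "kms.amazonaws.com" and any(
        r.get("ARN") == key_arn for r in event.get("resources") or [])

def unexpected_cmk_access(events, key_arn=KEY_ARN, allowed=CLUMIO_USER_NAMES):
    """Return (time, event name, user name) for CMK use by unlisted names."""
    return [(e.get("eventTime"), e.get("eventName"), user_name(e))
            for e in events
            if touches_key(e, key_arn) and user_name(e) not in allowed]

def _event(time, name, identity, arn=KEY_ARN, source="kms.amazonaws.com"):
    return {"eventTime": time, "eventName": name, "eventSource": source,
            "userIdentity": identity, "resources": [{"ARN": arn}]}

# Constructed sample records (not real CloudTrail output).
SAMPLE_EVENTS = [
    _event("2024-01-01T01:00:00Z", "GenerateDataKey",
           {"type": "AssumedRole", "arn": ROLE + "KMS-backup"}),
    _event("2024-01-01T02:00:00Z", "Decrypt",
           {"type": "AssumedRole", "arn": ROLE + "KMS-restore"}),
    _event("2024-01-01T03:00:00Z", "Decrypt",
           {"type": "IAMUser", "userName": "example-user"}),
    _event("2024-01-01T04:00:00Z", "ScheduleKeyDeletion",
           {"type": "AssumedRole", "arn": ROLE + "example-session"}),
    _event("2024-01-01T05:00:00Z", "Decrypt",
           {"type": "AssumedRole", "arn": ROLE + "example-session"},
           arn=KEY_ARN + "-OTHER"),
]

if __name__ == "__main__":
    for finding in unexpected_cmk_access(SAMPLE_EVENTS):
        print(finding)
```

Replace `KEY_ARN` with the ARN of the CMK that encrypts your Clumio backups and feed the function the `Records` list from your own CloudTrail export.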