How it works
Amazon S3 buckets
- Enable the Blancco integration in the target AWS environment (see the "Initial setup" section).
- Log in.
- Select the S3 bucket to be erased.
- Blancco deletes all data in the S3 bucket and schedules deletion of every associated AWS KMS Customer Master Key (CMK).
  - An associated key is a CMK that was used to encrypt at least one object version in the target bucket. The same CMK may also protect data outside the bucket, and once its scheduled deletion completes every ciphertext under it is unrecoverable, so review the list of associated keys before starting.
- AWS deletes a scheduled CMK after a 7-day pending period (the shortest waiting period KMS allows); until then the deletion can still be cancelled in KMS.
- The state of the erasure can be viewed after login.
- Blancco monitors the progress of the key deletion.
- After the 7 days Blancco confirms that the CMKs were deleted and creates the erasure report.
- Each object version is reported at one of two verification levels:
  - Verification level "erasure" (crypto erasure) when the object version was encrypted with a CMK that Blancco deleted.
  - Verification level "delete" (normal deletion) when the object version was not encrypted with a CMK.
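The following is an added example, not Blancco's code, that models the decision described above: which CMKs count as "associated" with a bucket, and which verification level each object version ends up with once key deletion has been confirmed. The records are constructed to look like the relevant fields of S3 HeadObject and KMS DescribeKey responses (no AWS calls are made), the "pending" status is my own intermediate state for a version whose CMK is scheduled but still exists, and skipping the AWS-managed aws/s3 key is an assumption about the tool's behaviour (a customer cannot schedule deletion of an AWS-managed key).

```python
"""Verification levels for S3 crypto erasure (added example, not Blancco code)."""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Dict, List, Optional, Set

PENDING_WINDOW = timedelta(days=7)   # pending period used on this page; also the KMS minimum


@dataclass(frozen=True)
class ObjectVersion:
    key: str
    version_id: str
    sse: Optional[str]           # HeadObject ServerSideEncryption: "aws:kms", "AES256" or None
    kms_key_arn: Optional[str]   # HeadObject SSEKMSKeyId; only present for "aws:kms"


@dataclass(frozen=True)
class KeyInfo:
    key_manager: str                          # DescribeKey KeyManager: "CUSTOMER" or "AWS"
    key_state: str                            # Enabled / Disabled / PendingDeletion
    deletion_date: Optional[datetime] = None  # DescribeKey DeletionDate while PendingDeletion


# ARN -> KeyInfo, or None where DescribeKey raised NotFoundException (the key is gone)
KeyTable = Dict[str, Optional[KeyInfo]]


def _lookup(keys: KeyTable, arn: str) -> Optional[KeyInfo]:
    # Refuse to classify anything we never queried KMS about.
    if arn not in keys:
        raise ValueError(f"no DescribeKey result recorded for {arn}")
    return keys[arn]


def associated_keys(versions: List[ObjectVersion], keys: KeyTable) -> Set[str]:
    """Keys to schedule for deletion: each customer-managed CMK that encrypted at
    least one object version. The AWS-managed aws/s3 key is skipped because a
    customer cannot schedule its deletion (assumed tool behaviour)."""
    used = {v.kms_key_arn for v in versions if v.sse == "aws:kms" and v.kms_key_arn}
    out: Set[str] = set()
    for arn in used:
        info = _lookup(keys, arn)
        if info is None or info.key_manager == "CUSTOMER":
            out.add(arn)
    return out


def schedule_plan(arns: Set[str], now: datetime) -> Dict[str, datetime]:
    """Earliest date KMS will delete each key if scheduled now with the 7-day window.
    Until that date the deletion can be cancelled, so nothing is reported as erased yet."""
    return {arn: now + PENDING_WINDOW for arn in sorted(arns)}


def verification_level(v: ObjectVersion, keys: KeyTable) -> str:
    """'erasure' or 'delete' as on this page; 'pending' is my intermediate status."""
    if v.sse != "aws:kms" or not v.kms_key_arn:
        return "delete"        # unencrypted or SSE-S3: only the object itself was deleted
    info = _lookup(keys, v.kms_key_arn)
    if info is None:
        return "erasure"       # key gone: every ciphertext under it is unrecoverable
    if info.key_manager == "AWS":
        return "delete"        # aws/s3 key cannot be deleted by the customer
    return "pending"           # customer CMK still exists (not yet scheduled, or PendingDeletion)


def erasure_report(versions: List[ObjectVersion], keys: KeyTable) -> dict:
    """Per-version levels; 'complete' is False while any CMK is not yet confirmed gone."""
    levels = {(v.key, v.version_id): verification_level(v, keys) for v in versions}
    return {"levels": levels, "complete": "pending" not in levels.values()}


# Constructed sample: three keys in three states and five object versions.
NOW = datetime(2024, 5, 1, tzinfo=timezone.utc)
CMK_GONE = "arn:aws:kms:eu-west-1:111122223333:key/aaaa-gone"        # placeholder ARN
CMK_PENDING = "arn:aws:kms:eu-west-1:111122223333:key/bbbb-pending"  # placeholder ARN
CMK_AWS = "arn:aws:kms:eu-west-1:111122223333:key/cccc-aws-s3"       # placeholder ARN

SAMPLE_KEYS: KeyTable = {
    CMK_GONE: None,                                                       # NotFoundException
    CMK_PENDING: KeyInfo("CUSTOMER", "PendingDeletion", NOW + timedelta(days=3)),
    CMK_AWS: KeyInfo("AWS", "Enabled"),
}
SAMPLE_VERSIONS = [
    ObjectVersion("reports/q1.csv", "v1", "aws:kms", CMK_GONE),
    ObjectVersion("reports/q1.csv", "v2", "aws:kms", CMK_PENDING),
    ObjectVersion("logs/app.log", "v1", "aws:kms", CMK_AWS),
    ObjectVersion("README.txt", "v1", "AES256", None),
    ObjectVersion("notes.txt", "v1", None, None),
]

if __name__ == "__main__":
    print("associated:", sorted(associated_keys(SAMPLE_VERSIONS, SAMPLE_KEYS)))
    print("plan:", schedule_plan(associated_keys(SAMPLE_VERSIONS, SAMPLE_KEYS), NOW))
    print("report:", erasure_report(SAMPLE_VERSIONS, SAMPLE_KEYS))
```

The report only flips to complete when DescribeKey stops returning the key; a DeletionDate in the past is not treated as proof, because a PendingDeletion key can be cancelled right up to the moment KMS removes it.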
Amazon EBS volumes
- Enable the Blancco integration in the target AWS environment (see the "Initial setup" section).
- Log in.
- Select the AWS region in which you want to erase EBS volumes.
- Select the EBS volume(s) to be erased.
- Blancco erases the selected EBS volume(s); the status of the erasure is shown while it runs.
Access policy of the integration role
The access policy follows the principle of least privilege, and the role's trust policy allows it to be assumed only by Blancco. The permissions granted depend on the integration level.
Read-only integration level
S3 access
- s3:ListAllMyBuckets
- s3:GetBucketLocation
- s3:GetEncryptionConfiguration
IAM access
- iam:GetRole
- iam:ListRolePolicies
Erasure integration level
KMS access
- kms:CreateGrant
- kms:DescribeKey
- kms:DisableKey
- kms:ScheduleKeyDeletion
- kms:CreateKey
- kms:TagResource
- kms:CreateAlias
S3 access
- s3:ListAllMyBuckets
- s3:GetEncryptionConfiguration
- s3:ListBucket
- s3:ListBucketVersions
- s3:GetObjectVersion
- s3:DeleteObject*
- s3:DeleteBucket*
- s3:CreateBucket
- s3:PutBucketTagging
- s3:PutEncryptionConfiguration
IAM access
- iam:GetRole
- iam:ListRolePolicies
EC2 access
These permissions are granted only when EnableEbsEraser is enabled:
- ec2:AttachVolume
- ec2:CreateTags
- ec2:DescribeInstanceStatus
- ec2:DescribeRegions
- ec2:DescribeVolumes
- ec2:DetachVolume
- ec2:RunInstances
- ec2:TerminateInstances
If RestrictToBuckets is set, actions are restricted to those buckets only (s3:ListAllMyBuckets excepted, since it has no bucket-level resource and stays account-wide). Otherwise access is allowed on all resources.
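The following is an added example, not a Blancco template, that builds the role's permission policy from the action lists above and a matching trust policy, so the effect of RestrictToBuckets and EnableEbsEraser can be checked before the role is created. The action names are the page's; the ARN formats are AWS's standard ones. Everything else is my assumption: that RestrictToBuckets scopes the bucket-level S3 actions to arn:aws:s3:::bucket and arn:aws:s3:::bucket/*, that KMS, IAM and EC2 actions stay on "*" because they have no bucket resource, and that the trust policy uses a placeholder Blancco account ID plus an sts:ExternalId condition (the page does not say how Blancco's principal is identified).

```python
"""Policy documents for the Blancco integration role (added example, not a Blancco template)."""
import json
from typing import Dict, List, Optional

# Action lists as given on this page.
READ_ONLY: Dict[str, List[str]] = {
    "S3": ["s3:ListAllMyBuckets", "s3:GetBucketLocation", "s3:GetEncryptionConfiguration"],
    "IAM": ["iam:GetRole", "iam:ListRolePolicies"],
}
ERASURE: Dict[str, List[str]] = {
    "KMS": ["kms:CreateGrant", "kms:DescribeKey", "kms:DisableKey", "kms:ScheduleKeyDeletion",
            "kms:CreateKey", "kms:TagResource", "kms:CreateAlias"],
    "S3": ["s3:ListAllMyBuckets", "s3:GetEncryptionConfiguration", "s3:ListBucket",
           "s3:ListBucketVersions", "s3:GetObjectVersion", "s3:DeleteObject*",
           "s3:DeleteBucket*", "s3:CreateBucket", "s3:PutBucketTagging",
           "s3:PutEncryptionConfiguration"],
    "IAM": ["iam:GetRole", "iam:ListRolePolicies"],
}
EBS_ERASER: List[str] = ["ec2:AttachVolume", "ec2:CreateTags", "ec2:DescribeInstanceStatus",
                         "ec2:DescribeRegions", "ec2:DescribeVolumes", "ec2:DetachVolume",
                         "ec2:RunInstances", "ec2:TerminateInstances"]
ACCOUNT_WIDE = {"s3:ListAllMyBuckets"}   # no bucket resource exists for it; it stays on "*"


def stmt(sid: str, actions: List[str], resource) -> dict:
    return {"Sid": sid, "Effect": "Allow", "Action": list(actions), "Resource": resource}


def bucket_arns(buckets: List[str]) -> List[str]:
    # Bucket-level actions (ListBucket, DeleteBucket*) need the bucket ARN,
    # object-level actions (GetObjectVersion, DeleteObject*) need bucket/*.
    arns: List[str] = []
    for b in buckets:
        arns += [f"arn:aws:s3:::{b}", f"arn:aws:s3:::{b}/*"]
    return arns


def integration_policy(level: str, restrict_to_buckets: Optional[List[str]] = None,
                       enable_ebs_eraser: bool = False) -> dict:
    """Permission policy for the chosen integration level (assumed scoping rules)."""
    if level not in ("read-only", "erasure"):
        raise ValueError(f"unknown integration level {level!r}")
    groups = dict(READ_ONLY if level == "read-only" else ERASURE)
    if enable_ebs_eraser and level == "erasure":
        groups["EC2"] = EBS_ERASER          # only granted when EnableEbsEraser is on
    statements = []
    for name, actions in groups.items():
        if name == "S3" and restrict_to_buckets:
            statements.append(stmt("S3AccountWide", [a for a in actions if a in ACCOUNT_WIDE], "*"))
            statements.append(stmt("S3RestrictedBuckets",
                                   [a for a in actions if a not in ACCOUNT_WIDE],
                                   bucket_arns(restrict_to_buckets)))
        else:
            statements.append(stmt(f"{name}Access", actions, "*"))
    return {"Version": "2012-10-17", "Statement": statements}


def trust_policy(blancco_account_id: str, external_id: str) -> dict:
    """Trust policy making the role assumable only by the given account, with an
    ExternalId to block the confused-deputy case (assumed, not documented here)."""
    return {"Version": "2012-10-17", "Statement": [{
        "Effect": "Allow",
        "Principal": {"AWS": f"arn:aws:iam::{blancco_account_id}:root"},
        "Action": "sts:AssumeRole",
        "Condition": {"StringEquals": {"sts:ExternalId": external_id}},
    }]}


def resources_for(policy: dict, action: str) -> List[str]:
    """Every resource on which `action` is allowed; empty if the policy never grants it.
    Use it to confirm RestrictToBuckets actually narrowed the bucket actions."""
    found: List[str] = []
    for s in policy["Statement"]:
        if action in s["Action"]:
            res = s["Resource"]
            found += [res] if isinstance(res, str) else list(res)
    return found


if __name__ == "__main__":
    # "finance-archive" and the account ID below are placeholders.
    print(json.dumps(integration_policy("erasure", ["finance-archive"], True), indent=2))
    print(json.dumps(trust_policy("000000000000", "replace-with-blancco-external-id"), indent=2))
```

A quick review of the generated document with resources_for shows the property the page promises: only s3:ListAllMyBuckets remains on "*" when RestrictToBuckets is set, and no EC2 action appears unless EnableEbsEraser is on.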
Limitations
This is a prototype implementation and it has the following known limitations:
- A target AWS account can have only one Blancco integration role.