
2023-02-27
New features:
  • New web address: https://bcse.cis.blancco.cloud/
  • Bucket creation wizard - easily create new KMS CMK encrypted buckets that are supported by Blancco Cloud Storage Eraser
  • KMS CMK key sharing warning - indicates when the same KMS CMK is set as the default encryption key for 2 or more buckets
  • UI has been improved with better use of the screen space and responsiveness
  • Added support for:
    • Empty buckets
    • Buckets with data encrypted with the AWS managed KMS key (erasure level: deletion)
  • CloudFormation stack parameter changes:
    • IntegrationLevel renamed to S3IntegrationLevel
    • RestrictToBucket renamed to RestrictToBuckets (now supports multiple buckets)
Please re-create the Blancco integration AWS CloudFormation stack, or update the existing stack with this template in order to use Blancco Cloud Storage Eraser.
2022-12-19
New features:
  • New module for Amazon EBS volume erasure
  • New parameter in the integration template to include/exclude permission for EBS erasure: EnableEbsEraser
  • Amazon S3 Eraser provides functionality to monitor content in a bucket and alert about deviations in object encryption
  • Amazon S3 Eraser displays information about bucket encryption configuration

Initial setup

To use Blancco Cloud Storage Eraser you first need to enable the Blancco integration in the target AWS environment.
  • Create a new CloudFormation stack that creates an IAM role for Blancco. The link to the CloudFormation template is given below.
  • You can define the set of permissions granted to Blancco Cloud Storage Eraser with the template parameter S3IntegrationLevel. There are two options: 'erasure' and 'read-only'. The access policy used for each S3IntegrationLevel value is described in the section 'Access policy of integration role' below.
  • To use the EBS Eraser you have to turn it on with the EnableEbsEraser parameter.
  • Optionally, set the template parameter RestrictToBuckets to allow erasure access only to specific S3 buckets.

Alternatively, create the stack manually with this template.

How it works

Amazon S3 buckets

  1. Enable the Blancco integration in the target AWS environment (see the "Initial setup" section).
  2. Log in here.
  3. Select the S3 bucket to be erased.
  4. Blancco deletes all data in the S3 bucket and schedules deletion of all associated AWS KMS Customer Master Keys (CMKs).
    • An associated key is a key that was used to encrypt an object version in the target S3 bucket.
  5. AWS deletes the CMKs after the 7-day pending period.
  6. The state of the erasure can be viewed after login.
    • Blancco monitors the progress of the key deletion.
  7. After 7 days Blancco can confirm the successful deletion of the CMKs and creates the erasure report.
    • Each object version has one of two possible verification levels:
      • Verification level erasure (crypto erasure) when the object version was encrypted with a CMK that was deleted by Blancco.
      • Verification level delete (normal deletion) when the object version was not encrypted with a CMK.
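The following is an added example, not Blancco's code, showing the two decisions the S3 process above turns on: which keys are "associated" CMKs that can be scheduled for deletion (AWS managed keys cannot be, which is why such buckets only get erasure level deletion), which verification level each object version ends up with, and the key sharing warning from the changelog (a CMK that is the default key of two or more buckets). The bucket names, key ARNs and account number are constructed; the field names `ServerSideEncryption`, `SSEKMSKeyId` and `KeyManager` follow the real S3 and KMS API responses, but the records are built inline so the script runs offline.

```python
from collections import defaultdict

# Constructed KeyMetadata-like records (KeyManager is the real kms:DescribeKey
# field; key ids and the account number 111122223333 are made up).
CMK_HR = "arn:aws:kms:eu-west-1:111122223333:key/1111-cmk-hr"
CMK_SHARED = "arn:aws:kms:eu-west-1:111122223333:key/2222-cmk-shared"
AWS_S3_KEY = "arn:aws:kms:eu-west-1:111122223333:key/3333-aws-s3"
KEY_METADATA = {
    CMK_HR: {"KeyManager": "CUSTOMER"},
    CMK_SHARED: {"KeyManager": "CUSTOMER"},
    AWS_S3_KEY: {"KeyManager": "AWS"},  # the AWS managed aws/s3 key
}

TARGET_BUCKET = "hr-records"

# Constructed object versions of the target bucket (fields as returned by
# HeadObject per version).
OBJECT_VERSIONS = [
    {"Key": "payroll.csv", "VersionId": "v2", "ServerSideEncryption": "aws:kms", "SSEKMSKeyId": CMK_HR},
    {"Key": "payroll.csv", "VersionId": "v1", "ServerSideEncryption": "AES256", "SSEKMSKeyId": None},
    {"Key": "export.bin", "VersionId": "v1", "ServerSideEncryption": "aws:kms", "SSEKMSKeyId": CMK_SHARED},
    {"Key": "readme.txt", "VersionId": "v1", "ServerSideEncryption": "aws:kms", "SSEKMSKeyId": AWS_S3_KEY},
]

# Constructed default encryption key per bucket (from GetBucketEncryption).
BUCKET_DEFAULT_KEYS = {
    "hr-records": CMK_HR,
    "finance-archive": CMK_SHARED,
    "backup-2022": CMK_SHARED,
    "public-assets": None,
}


def associated_cmks(versions, key_metadata):
    """CMKs used to encrypt at least one object version. Only customer managed
    keys are returned: AWS managed keys cannot be scheduled for deletion."""
    keys = set()
    for v in versions:
        key = v.get("SSEKMSKeyId")
        if key and key_metadata.get(key, {}).get("KeyManager") == "CUSTOMER":
            keys.add(key)
    return keys


def shared_cmk_warnings(bucket_default_keys):
    """Key sharing warning: CMKs that are the default key of 2 or more buckets."""
    owners = defaultdict(list)
    for bucket, key in bucket_default_keys.items():
        if key:
            owners[key].append(bucket)
    return {key: sorted(buckets) for key, buckets in owners.items() if len(buckets) >= 2}


def verification_level(version, deleted_cmks):
    """'erasure' (crypto erasure) if the version's CMK is deleted, else 'delete'."""
    return "erasure" if version.get("SSEKMSKeyId") in deleted_cmks else "delete"


def plan_erasure(target, versions, key_metadata, bucket_default_keys):
    """Dry run of step 4: which keys would be scheduled for deletion, which of
    them other buckets depend on, and the expected level per object version."""
    cmks = associated_cmks(versions, key_metadata)
    shared = shared_cmk_warnings(bucket_default_keys)
    # Deleting a shared CMK also makes the other buckets' data unrecoverable
    # once the pending period ends, so these deserve a review before erasure.
    at_risk = {k: [b for b in shared[k] if b != target] for k in cmks if k in shared}
    levels = {(v["Key"], v["VersionId"]): verification_level(v, cmks) for v in versions}
    return {"schedule_deletion": sorted(cmks), "shared_key_warnings": at_risk,
            "verification_levels": levels}


if __name__ == "__main__":
    plan = plan_erasure(TARGET_BUCKET, OBJECT_VERSIONS, KEY_METADATA, BUCKET_DEFAULT_KEYS)
    for key, value in plan.items():
        print(key, value)
```

In the constructed data the shared key is flagged because `finance-archive` and `backup-2022` both use it as their default key, while the version encrypted with the AWS managed key is reported as plain `delete`, matching the changelog entry about AWS managed KMS keys.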

Amazon EBS volumes

  1. Enable the Blancco integration in the target AWS environment (see the "Initial setup" section).
  2. Log in here.
  3. Select the AWS region in which you want to erase EBS volumes.
  4. Select the EBS volume(s) to be erased.
  5. Blancco erases the selected EBS volume(s) and you can follow the status of the erasure.

Access policy of integration role

The access policy follows the least privilege principle and the role is assumable only by Blancco.

Read-only integration level

KMS access
  • kms:DescribeKey
CloudTrail access
  • cloudtrail:LookupEvents
S3 access
  • s3:ListAllMyBuckets
  • s3:GetBucketLocation
  • s3:GetEncryptionConfiguration
IAM access
  • iam:GetRole
  • iam:ListRolePolicies
EC2 access
  • ec2:DescribeRegions

Erasure integration level

KMS access
  • kms:CreateGrant
  • kms:DescribeKey
  • kms:DisableKey
  • kms:ScheduleKeyDeletion
  • kms:CreateKey
  • kms:TagResource
  • kms:CreateAlias
CloudTrail access
  • cloudtrail:LookupEvents
S3 access
  • s3:ListAllMyBuckets
  • s3:GetEncryptionConfiguration
  • s3:ListBucket
  • s3:ListBucketVersions
  • s3:GetObjectVersion
  • s3:DeleteObject*
  • s3:DeleteBucket*
  • s3:CreateBucket
  • s3:PutBucketTagging
  • s3:PutEncryptionConfiguration
IAM access
  • iam:GetRole
  • iam:ListRolePolicies
EC2 access
These permissions are allowed when EnableEbsEraser is enabled:
  • ec2:AttachVolume
  • ec2:CreateTags
  • ec2:DescribeInstanceStatus
  • ec2:DescribeRegions
  • ec2:DescribeVolumes
  • ec2:DetachVolume
  • ec2:RunInstances
  • ec2:TerminateInstances

If RestrictToBuckets is set, actions are restricted to those buckets only (excluding ListAllMyBuckets). Otherwise, access is allowed to all resources.
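The following added example, which is not Blancco's CloudFormation template, builds an IAM permission policy for the integration role from the action lists above and then runs the review check a practitioner would want before deploying it: that no S3 delete action is allowed on every resource once RestrictToBuckets is set. The action names are the page's; the grouping into statements, the bucket and object ARN shapes, the decision to leave KMS and other non-bucket actions on `*`, and the trust policy with an ExternalId condition are this example's assumptions (the page does not say whether Blancco uses an ExternalId; the principal ARN is a placeholder).

```python
import json

# Actions as listed on the page for each S3IntegrationLevel value.
S3_ACTIONS = {
    "read-only": ["s3:ListAllMyBuckets", "s3:GetBucketLocation",
                  "s3:GetEncryptionConfiguration"],
    "erasure": ["s3:ListAllMyBuckets", "s3:GetEncryptionConfiguration",
                "s3:ListBucket", "s3:ListBucketVersions", "s3:GetObjectVersion",
                "s3:DeleteObject*", "s3:DeleteBucket*", "s3:CreateBucket",
                "s3:PutBucketTagging", "s3:PutEncryptionConfiguration"],
}
KMS_ACTIONS = {
    "read-only": ["kms:DescribeKey"],
    "erasure": ["kms:CreateGrant", "kms:DescribeKey", "kms:DisableKey",
                "kms:ScheduleKeyDeletion", "kms:CreateKey", "kms:TagResource",
                "kms:CreateAlias"],
}
# Listed identically for both levels (ec2:DescribeRegions is unconditional for
# read-only on the page; granting it at both levels is an assumption here).
COMMON_ACTIONS = ["cloudtrail:LookupEvents", "iam:GetRole",
                  "iam:ListRolePolicies", "ec2:DescribeRegions"]
# Only granted when EnableEbsEraser is on.
EBS_ACTIONS = ["ec2:AttachVolume", "ec2:CreateTags", "ec2:DescribeInstanceStatus",
               "ec2:DescribeRegions", "ec2:DescribeVolumes", "ec2:DetachVolume",
               "ec2:RunInstances", "ec2:TerminateInstances"]


def bucket_resources(buckets):
    """Bucket ARN plus its object ARN pattern per restricted bucket, or '*'."""
    if not buckets:
        return ["*"]
    arns = []
    for name in buckets:
        arns.append(f"arn:aws:s3:::{name}")
        arns.append(f"arn:aws:s3:::{name}/*")
    return arns


def build_policy(level, restrict_to_buckets=(), enable_ebs=False):
    """Permission policy for a given S3IntegrationLevel, RestrictToBuckets and
    EnableEbsEraser (statement layout is this example's assumption)."""
    if level not in S3_ACTIONS:
        raise ValueError(f"unknown S3IntegrationLevel: {level}")
    # ListAllMyBuckets is account-wide, so it stays on '*' even when restricted.
    scoped = [a for a in S3_ACTIONS[level] if a != "s3:ListAllMyBuckets"]
    statements = [
        {"Sid": "ListBuckets", "Effect": "Allow",
         "Action": ["s3:ListAllMyBuckets"], "Resource": ["*"]},
        {"Sid": "S3Scoped", "Effect": "Allow", "Action": scoped,
         "Resource": bucket_resources(list(restrict_to_buckets))},
        # KMS keys are not bucket resources, so RestrictToBuckets cannot scope them.
        {"Sid": "Kms", "Effect": "Allow", "Action": KMS_ACTIONS[level], "Resource": ["*"]},
        {"Sid": "Common", "Effect": "Allow", "Action": COMMON_ACTIONS, "Resource": ["*"]},
    ]
    if enable_ebs:
        statements.append({"Sid": "Ebs", "Effect": "Allow",
                           "Action": EBS_ACTIONS, "Resource": ["*"]})
    return {"Version": "2012-10-17", "Statement": statements}


def trust_policy(blancco_principal_arn, external_id):
    """Trust policy so only the given principal can assume the role. The ARN and
    ExternalId are placeholders; the ExternalId condition is the usual
    cross-account safeguard and is an assumption, not a page statement."""
    return {"Version": "2012-10-17", "Statement": [{
        "Effect": "Allow",
        "Principal": {"AWS": blancco_principal_arn},
        "Action": "sts:AssumeRole",
        "Condition": {"StringEquals": {"sts:ExternalId": external_id}},
    }]}


def unscoped_s3_deletes(policy):
    """Review check: S3 delete actions that are allowed on every resource."""
    hits = []
    for st in policy["Statement"]:
        if st["Effect"] == "Allow" and "*" in st["Resource"]:
            hits.extend(a for a in st["Action"] if a.startswith("s3:Delete"))
    return hits


def allowed_actions(policy):
    """Flat set of every action the policy allows."""
    return {a for st in policy["Statement"] for a in st["Action"]}


if __name__ == "__main__":
    policy = build_policy("erasure", ["finance-archive"])
    print(json.dumps(policy, indent=2))
    print("unscoped S3 deletes:", unscoped_s3_deletes(policy))
    print(json.dumps(trust_policy("arn:aws:iam::<BLANCCO_ACCOUNT_ID>:root",
                                  "<EXTERNAL_ID_PLACEHOLDER>"), indent=2))
```

Running the check against `build_policy("erasure")` without RestrictToBuckets reports `s3:DeleteObject*` and `s3:DeleteBucket*` on `*`, which is exactly the "access is allowed to all resources" case the page describes; setting RestrictToBuckets makes the list empty, and the read-only level never carries a delete action at all.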

Limitations

This is a prototype implementation and it has the following known limitations:
  • One target AWS account can have only one Blancco integration role.

THE EVALUATION SOFTWARE IS PROVIDED "AS IS," WITHOUT WARRANTY OF ANY KIND, EXPRESS, IMPLIED OR STATUTORY, INCLUDING, BUT NOT LIMITED TO WARRANTIES OF NON-INFRINGEMENT, MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE. BLANCCO DOES NOT WARRANT THAT THE CUSTOMER’S USE OF THE EVALUATION SOFTWARE WILL BE UNINTERRUPTED, BUG OR ERROR FREE. ANY USE OF EVALUATION SOFTWARE IS ENTIRELY AT CUSTOMER’S OWN RISK AND BLANCCO WILL NOT BE LIABLE FOR ANY LOSS OF DATA OR DAMAGE TO DATA AND/OR ANY SYSTEMS. THE CUSTOMER MAY HAVE OTHER STATUTORY RIGHTS, HOWEVER, TO THE FULL EXTENT PERMITTED BY LAW, THE DURATION AND SCOPE OF STATUTORILY REQUIRED WARRANTIES, IF ANY, SHALL BE LIMITED TO THE MAXIMUM EXTENT PERMITTED. WHERE LEGAL LIABILITY CANNOT BE EXCLUDED, BUT MAY BE LIMITED, BLANCCO’S LIABILITY SHALL BE LIMITED TO THE SUM OF 1000 (THOUSAND) US DOLLARS OR THE EQUIVALENT IN LOCAL CURRENCY IN AGGREGATE.