Integrating Event Notifications with other IBM Cloud services

Integrations in Event Notifications represent a list of other IBM Cloud services that are connected to your Event Notifications instance. You can encrypt the data that you store in IBM Cloud databases by using encryption keys that you can control. For more information, see Integrating with Key Protect. You can also collect failed events and take appropriate action. For more information, see Collecting failed events.

Integrating with Key Protect

You can use customer-managed encryption keys through IBM Key Protect to encrypt your databases and backups with one of your own keys. Key Protect is available in two deployment options:

  • Key Protect Multi-Tenant (BYOK): A shared key management service that provides FIPS 140-2 Level 3 certified cloud-based hardware security modules (HSMs) for key protection. This option provides Bring Your Own Key (BYOK) capability.
  • Key Protect Dedicated (KYOK): A single-tenant key management service that provides dedicated FIPS 140-2 Level 3 certified HSMs with exclusive control over your encryption keys. This option provides Keep Your Own Key (KYOK) capability for enhanced security and compliance.

Both Key Protect deployment options are suitable alternatives to Hyper Protect Crypto Services (HPCS), which is being deprecated.

BYOK and KYOK capabilities are supported only for the Event Notifications Standard plan.

For more information, see Managing encryption.

If you are using Event Notifications CLI or API to integrate with Key Protect, ensure that you have enabled authorization to grant access between services before integrating. For more information, see Using authorizations to grant access between services.

You can create and bring keys that are created by using Key Protect. To get started, you need Key Protect provisioned on your IBM Cloud account. You can choose either the Multi-Tenant or Dedicated deployment option based on your security and compliance requirements. For more information, see Provisioning a Key Protect instance.

  1. From your Event Notifications service instance dashboard, click Integrations. By default, a Key Protect entry is listed that can be edited to configure the Key Management option, connecting to your Event Notifications instance.

  2. From the overflow menu of the default entry, click Edit. This displays the Key Management side panel.

  3. For the Instance, select one of these options:

    • Create a new instance - Create a new instance of Key Protect. This takes you to the Key Protect provisioning page.
    • Choose existing instance - Select this option if you already have a Key Protect instance. Select the Service instance and Root key from the drop-down list.
  4. Click Save to apply the changes.

The updated Key Management information is listed in the Integrations dashboard.

By default, customer data is encrypted. You can use the APIs, the CLI, or the user interface to provide your own Key Protect details for data encryption. If you are using the CLI or APIs, first get the ID of the default Key Protect integration through the List all integrations API. For the default Key Protect integration, all values except the integration ID are empty. Use that integration ID to update the integration with your own Key Protect details.
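As an added example (not IBM's code), the API flow just described in Python: locate the default, still-empty Key Protect integration in a List all integrations response, validate the Key Protect details before sending them, and call the update endpoint. The response shape, the `/instances/{instance_id}/integrations` paths and the `type`/`metadata` body layout are assumptions taken from the Event Notifications API reference; the sample response is constructed, and the service-to-service authorization described in the next section must already exist.

```python
import json
import re
import urllib.request

# Constructed sample of a "List all integrations" response (shape assumed). The
# default Key Protect entry carries only its id; every other value is empty.
SAMPLE_LISTING = {
    "integrations": [
        {"id": "00000000-0000-0000-0000-000000000001", "type": "", "metadata": {}}
    ]
}

# A Key Protect instance CRN names the kms service; root key ids are UUIDs.
KMS_CRN_RE = re.compile(
    r"^crn:v1:bluemix:public:kms:[a-z0-9-]+:a/[0-9a-f]{32}:[0-9a-f-]{36}::$")
UUID_RE = re.compile(r"^[0-9a-f]{8}(-[0-9a-f]{4}){3}-[0-9a-f]{12}$")


def find_default_integration_id(listing):
    """Return the id of the default (still unconfigured) Key Protect entry."""
    for item in listing.get("integrations", []):
        if not item.get("type") and not any(item.get("metadata", {}).values()):
            return item["id"]
    return None


def build_kms_update_body(endpoint, crn, root_key_id):
    """Build the update payload, rejecting malformed inputs before any call."""
    if not endpoint.startswith("https://"):
        raise ValueError("Key Protect endpoint must be an https URL")
    if not KMS_CRN_RE.match(crn):
        raise ValueError("not a Key Protect (kms) instance CRN")
    if not UUID_RE.match(root_key_id):
        raise ValueError("root key id must be a UUID")
    return {"type": "kms",
            "metadata": {"endpoint": endpoint, "crn": crn, "root_key_id": root_key_id}}


def integrations_call(base_url, instance_id, token, integration_id=None, body=None):
    """GET the integration list, or PUT a body to one integration (paths assumed)."""
    url = f"{base_url}/instances/{instance_id}/integrations"
    if integration_id:
        url += f"/{integration_id}"
    data = json.dumps(body).encode() if body else None
    req = urllib.request.Request(url, data=data, method="PUT" if body else "GET",
                                 headers={"Authorization": f"Bearer {token}",
                                          "Content-Type": "application/json"})
    with urllib.request.urlopen(req, timeout=30) as resp:
        return json.load(resp)
```

Call `integrations_call` without a body to list integrations, pass the result to `find_default_integration_id`, then call it again with that id and the body from `build_kms_update_body`; the bearer token is an IAM access token for an identity allowed to manage the instance.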

Using authorizations to grant access between services

Use IBM Cloud Identity and Access Management (IAM) to create or remove an authorization that grants one service access to another service. Use authorization delegation to automatically create access policies that grant access to dependent services.

Creating an authorization in the console

  1. In the IBM Cloud console, click Manage > Access (IAM), and select Authorizations.

  2. Click Create.

  3. Select a source account.

    • If the source service that needs access to the target service is in this account, select This account.
    • If the source service that needs access to the target service is in a different account, select Other account. Then, enter the Account ID of the source account.
  4. Select a Source service as Event Notifications.

  5. Specify whether you want the authorization to be for all resources or Resources based on selected attributes. If you selected Resources based on selected attributes, then under Add attributes specify only the source resource group or only the source service instance.

  6. Select Key Protect as the Target service.

  7. For the target service, specify whether you want the authorization to be for all instances, only a specific instance in the account, or instances only in a certain resource group.

  8. Select a role to assign access to the source service that accesses the target service.

  9. Click Authorize.

Creating an authorization by using the CLI

To authorize a source service to access a target service, run the ibmcloud iam authorization-policy-create command.

For more information about all of the parameters that are available for this command, see ibmcloud iam authorization-policy-create.

The Terraform IBM Modules (TIM) for Event Notifications provide a comprehensive example that demonstrates provisioning an Event Notifications instance, a Key Protect instance with a root key, the authorization between these services, and the integration between them. Terraform IBM Modules (TIM) are pre-built, open-source, enterprise-ready modules that follow IBM Cloud security best practices.