Integrating Event Notifications with other IBM Cloud services


Integrations in Event Notifications represent the list of other IBM Cloud services that are connected to your Event Notifications instance. You can encrypt the data that you store in IBM Cloud databases by using encryption keys that you control. For more information, see Integrating with a Key management service. You can also collect failed events and take appropriate action. For more information, see Collecting failed events.

Integrating with a Key management service

You can use either one of the following options:

  • Bring Your Own Key (BYOK) through IBM Key Protect, and use one of your own keys to encrypt your databases and backups.
  • Hyper Protect Crypto Services (HPCS) - IBM Cloud® Hyper Protect Crypto Services is a dedicated key management service and Hardware Security Module (HSM) that provides you with the Keep Your Own Key (KYOK) capability for cloud data encryption with exclusive control of your encryption keys.

BYOK and KYOK capabilities are supported only for the Event Notifications Standard plan.

For more information, see Managing encryption.

If you are using the Event Notifications CLI or API to integrate with a key management service (KMS), ensure that you have enabled authorization to grant access between services before integrating with the KMS. For more information, see Using authorizations to grant access between services.

You can create and bring keys that are created by using Key Protect or Hyper Protect Crypto Services. To get started, you need Key Protect or Hyper Protect Crypto Services provisioned on your IBM Cloud account. For more information, see Provisioning a Key Protect instance or Provisioning a Hyper Protect Crypto Services instance.

  1. From your Event Notifications service instance dashboard, click Integrations. By default, a Key Protect entry is listed. You can edit this entry to configure the Key Management option of your choice and connect it to your Event Notifications instance.

  2. From the Overflow menu of the default entry, click Edit. This displays the Key Management side panel.

  3. Select Key Protect or Hyper Protect Crypto Services from the Service drop-down list, as per your requirement.

  4. For the Instance, select one of these options:

    • Create a new instance - to create a new instance of the selected service. This will take you to the respective provisioning page of the service selected.
    • Choose existing instance - select this option if you already have a Key Protect or Hyper Protect Crypto Services instance. Select the Service instance and Root key from the drop-down list.

  5. Click Save to apply the changes.

The updated Key Management information is listed in the Integrations dashboard.

By default, customer data is encrypted. You can use the APIs, CLI, or user interface to provide your own KMS details for data encryption. If you are using the CLI or APIs, you need to get the default KMS integration ID through the List all integrations API. For the default KMS integration, all values except the integration ID are empty. Use the integration ID to update the integration with your own KMS details.
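The API flow described above (find the default KMS entry, confirm it is still empty, then build the update with your own key details), as an added example that is not IBM's code. The field names (`integrations`, `type`, `metadata`, `endpoint`, `crn`, `root_key_id`) and the type values `kms` and `hs-crypto` are assumptions about the API's JSON shape, and every ID is a placeholder.

```python
import json

KMS_TYPES = {"kms", "hs-crypto"}  # assumed type values: Key Protect, HPCS

# Constructed sample of a "List all integrations" response (assumed shape):
# the default KMS entry carries an ID and otherwise empty values.
SAMPLE_LISTING = json.loads("""
{"integrations": [
  {"id": "INTEGRATION_ID_PLACEHOLDER", "type": "kms",
   "metadata": {"endpoint": "", "crn": "", "root_key_id": ""}}
]}
""")


def find_kms_integration(listing):
    """Return the single KMS integration entry from a listing."""
    hits = [i for i in listing.get("integrations", []) if i.get("type") in KMS_TYPES]
    if len(hits) != 1:
        raise ValueError(f"expected exactly one KMS integration, found {len(hits)}")
    return hits[0]


def is_default(integration):
    """True while every value except the ID is still empty."""
    return not any(integration.get("metadata", {}).values())


def build_update(integration, kms_type, endpoint, crn, root_key_id, overwrite=False):
    """Validate your own KMS details; return (integration_id, request_body)."""
    if kms_type not in KMS_TYPES:
        raise ValueError(f"unsupported KMS type: {kms_type}")
    if not is_default(integration) and not overwrite:
        raise ValueError("integration already points at a customer key")
    if not endpoint.startswith("https://"):
        raise ValueError("KMS endpoint must use https")
    parts = crn.split(":")
    # CRN layout: crn:version:cname:ctype:service-name:location:scope:instance::
    if len(parts) < 8 or parts[0] != "crn" or parts[4] != kms_type:
        raise ValueError("CRN does not name an instance of the selected service")
    if not root_key_id:
        raise ValueError("root key ID is required")
    body = {"type": kms_type,
            "metadata": {"endpoint": endpoint, "crn": crn, "root_key_id": root_key_id}}
    return integration["id"], body
```

The `overwrite` guard keeps a script from silently replacing a root key that someone has already configured on the instance.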

Using authorizations to grant access between services

Use IBM Cloud Identity and Access Management (IAM) to create or remove an authorization that grants one service access to another service. Use authorization delegation to automatically create access policies that grant access to dependent services.

Creating an authorization in the console

  1. In the IBM Cloud console, click Manage > Access (IAM), and select Authorizations.

  2. Click Create.

  3. Select a source account.

    • If the source service that needs access to the target service is in this account, select This account.
    • If the source service that needs access to the target service is in a different account, select Other account. Then, enter the Account ID of the source account.

  4. Select Event Notifications as the Source service.

  5. Specify whether you want the authorization to be for All resources or Resources based on selected attributes. If you selected Resources based on selected attributes, then in Add attributes specify only the source resource group or only the source service instance.

  6. Select a Target service as per your requirement (Key Protect or Hyper Protect Crypto Services).

  7. For the target service, specify whether you want the authorization to be for all instances, only a specific instance in the account, or instances only in a certain resource group.

  8. Select a role to assign access to the source service that accesses the target service.

  9. Click Authorize.

Creating an authorization by using the CLI

To authorize a source service to access a target service, run the ibmcloud iam authorization-policy-create command.

For more information about all of the parameters that are available for this command, see ibmcloud iam authorization-policy-create.
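A pre-integration check for the authorization described in this section, as an added example that is not IBM's code: it lists the service-to-service authorizations from Event Notifications to a KMS and reports how narrowly each side is scoped (all, resource group, or single instance). The policy JSON shape, the attribute names (`serviceName`, `serviceInstance`, `resourceGroupId`) and the service names `event-notifications`, `kms` and `hs-crypto` are assumptions; the sample policies are constructed.

```python
def attrs(**kv):
    """Build one IAM attribute block from keyword arguments (sample-data helper)."""
    return [{"attributes": [{"name": k, "value": v} for k, v in kv.items()]}]


READER = [{"role_id": "crn:v1:bluemix:public:iam::::serviceRole:Reader"}]

# Constructed policies in the assumed shape of an IAM policy listing; IDs are placeholders.
SAMPLE_POLICIES = [
    {"id": "POLICY_A", "type": "authorization", "roles": READER,
     "subjects": attrs(serviceName="event-notifications"),
     "resources": attrs(serviceName="kms")},
    {"id": "POLICY_B", "type": "authorization", "roles": READER,
     "subjects": attrs(serviceName="event-notifications", serviceInstance="EN_INSTANCE"),
     "resources": attrs(serviceName="hs-crypto", serviceInstance="HPCS_INSTANCE")},
    {"id": "POLICY_C", "type": "access", "roles": READER,
     "subjects": attrs(iam_id="USER_PLACEHOLDER"),
     "resources": attrs(serviceName="kms")},
]


def flatten(blocks):
    """Collapse [{'attributes': [{name, value}, ...]}] into one name -> value dict."""
    return {a["name"]: a["value"] for b in blocks for a in b.get("attributes", [])}


def scope(attributes):
    """Classify how narrowly one side of the authorization is scoped."""
    if "serviceInstance" in attributes:
        return "instance"
    if "resourceGroupId" in attributes:
        return "resource-group"
    return "all"


def audit_kms_authorizations(policies, source="event-notifications",
                             targets=("kms", "hs-crypto")):
    """List service-to-service authorizations from source to a KMS, with scope."""
    findings = []
    for p in policies:
        subj, res = flatten(p.get("subjects", [])), flatten(p.get("resources", []))
        if (p.get("type") != "authorization" or subj.get("serviceName") != source
                or res.get("serviceName") not in targets):
            continue
        roles = [r["role_id"].rsplit(":", 1)[-1] for r in p.get("roles", [])]
        findings.append({"id": p["id"], "target": res["serviceName"], "roles": roles,
                         "source_scope": scope(subj), "target_scope": scope(res)})
    return findings
```

An empty result means the KMS integration has no authorization to rely on yet; a finding with `target_scope` of `all` grants the source service access to every instance of the target service in the account rather than the one holding your root key.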