====== Cloud Integration ======

**Audience:** Cloud architects, DevOps \\
**Focus:** HSM integration, secrets management, multi-cloud

Integration of the PQ-capable PKI with cloud HSM and secrets-management services.

----

===== Overview =====

<code mermaid>
flowchart TB
    subgraph ONPREM["🏢 ON-PREMISES"]
        CA[CA Server]
        HSM[HSM]
    end
    subgraph AZURE["☁️ AZURE"]
        AKV[Azure Key Vault]
        AHSM[Managed HSM]
    end
    subgraph AWS["☁️ AWS"]
        ACM[AWS Certificate Manager]
        KMS[AWS KMS]
        CHSM[CloudHSM]
    end
    subgraph MULTI["☁️ MULTI-CLOUD"]
        HV[HashiCorp Vault]
    end
    CA --> AKV & ACM & HV
    HSM -.->|Backup| AHSM & CHSM
    HV --> AZURE & AWS
    style HV fill:#e8f5e9
    style AKV fill:#e3f2fd
    style ACM fill:#fff3e0
</code>

----

===== Cloud Provider Comparison =====

^ Feature ^ Azure Key Vault ^ AWS KMS ^ HashiCorp Vault ^
| **HSM FIPS 140-2** | Level 3 (Managed HSM) | Level 3 (CloudHSM) | Level 2 (Transit) |
| **PQ support** | ❌ Not yet | ❌ Not yet | ✓ Via plugins |
| **Cert management** | ✓ Native | ✓ ACM | ✓ PKI engine |
| **Multi-cloud** | ❌ | ❌ | ✓ |
| **Cost** | Medium | High (CloudHSM) | Open source + Enterprise |

----

===== Scenarios =====

^ Scenario ^ Cloud ^ HSM type ^
| [[.:azure-keyvault|Azure Key Vault]] | Azure | Managed HSM |
| [[.:aws-kms|AWS KMS + CloudHSM]] | AWS | CloudHSM |
| [[.:hashicorp-vault|HashiCorp Vault]] | Multi-cloud | Transit secrets engine |

----

===== Decision Tree =====

<code mermaid>
flowchart TD
    A[Cloud HSM required?] --> B{Primary cloud?}
    B -->|Azure| C[Azure Key Vault]
    B -->|AWS| D[AWS KMS/CloudHSM]
    B -->|Multi-cloud| E[HashiCorp Vault]
    B -->|On-prem + cloud| F[Vault + cloud integration]
    C --> G{FIPS Level 3?}
    G -->|Yes| H[Managed HSM]
    G -->|No| I[Standard Key Vault]
    D --> J{Budget?}
    J -->|High| K[CloudHSM]
    J -->|Medium| L[KMS]
    style E fill:#e8f5e9
    style H fill:#e3f2fd
    style K fill:#fff3e0
</code>

----

===== Hybrid Strategy =====

**Recommendation:** on-premises root CA plus a cloud-hosted intermediate CA for cloud workloads.

^ Component ^ Location ^ Rationale ^
| Root CA | On-premises (HSM) | Highest security |
| Intermediate (cloud) | Azure/AWS/Vault | Close to the workloads |
| End-entity | Cloud | Auto-provisioning |
| Backup | Multi-cloud | Disaster recovery |

----

===== Related Documentation =====

  * [[..:automatisierung:cert-manager-k8s|Kubernetes cert-manager]] – K8s integration
  * [[..:disaster-recovery:ca-backup-restore|CA Backup]] – cross-cloud backup
  * [[de:int:pqcrypt:administrator:konfiguration|Configuration]] – OpenSSL setup

----

<< [[..:start|← Operator Scenarios]] | [[.:azure-keyvault|→ Azure Key Vault]] >>

----

//Wolfgang van der Stille @ EMSR DATA d.o.o. - Post-Quantum Cryptography Professional//

{{tag>cloud azure aws vault hsm operator}}