====== Cloud Integration ======
**Target audience:** Cloud Architects, DevOps \\
**Focus:** HSM integration, Secrets Management, Multi-Cloud
Integration of PQ-enabled PKI with cloud HSM and secrets management services.
----
===== Overview =====
flowchart TB
subgraph ONPREM["ON-PREMISES"]
CA[CA Server]
HSM[HSM]
end
subgraph AZURE["AZURE"]
AKV[Azure Key Vault]
AHSM[Managed HSM]
end
subgraph AWS["AWS"]
ACM[AWS Certificate Manager]
KMS[AWS KMS]
CHSM[CloudHSM]
end
subgraph MULTI["MULTI-CLOUD"]
HV[HashiCorp Vault]
end
CA --> AKV & ACM & HV
HSM -.->|Backup| AHSM & CHSM
HV --> AZURE & AWS
style HV fill:#e8f5e9
style AKV fill:#e3f2fd
style ACM fill:#fff3e0
----
===== Cloud Provider Comparison =====
^ Feature ^ Azure Key Vault ^ AWS KMS ^ HashiCorp Vault ^
| **HSM FIPS 140-2** | Level 3 (Managed HSM) | Level 3 (CloudHSM) | Level 2 (Transit) |
| **PQ Support** | Not yet | Not yet | Via plugins |
| **Cert Management** | Native | ACM | PKI Engine |
| **Multi-Cloud** | No | No | Yes |
| **Cost** | Medium | High (CloudHSM) | Open Source + Enterprise |
----
===== Scenarios =====
^ Scenario ^ Cloud ^ HSM Type ^
| [[.:azure-keyvault|Azure Key Vault]] | Azure | Managed HSM |
| [[.:aws-kms|AWS KMS + CloudHSM]] | AWS | CloudHSM |
| [[.:hashicorp-vault|HashiCorp Vault]] | Multi-Cloud | Transit Secrets Engine |
----
===== Decision Tree =====
flowchart TD
A[Cloud HSM needed?] --> B{Primary cloud?}
B -->|Azure| C[Azure Key Vault]
B -->|AWS| D[AWS KMS/CloudHSM]
B -->|Multi-Cloud| E[HashiCorp Vault]
B -->|On-Prem + Cloud| F[Vault + Cloud Integration]
C --> G{FIPS Level 3?}
G -->|Yes| H[Managed HSM]
G -->|No| I[Standard Key Vault]
D --> J{Budget?}
J -->|High| K[CloudHSM]
J -->|Medium| L[KMS]
style E fill:#e8f5e9
style H fill:#e3f2fd
style K fill:#fff3e0
----
===== Hybrid Strategy =====
**Recommendation:** On-premises Root CA + Cloud Intermediate for cloud workloads
^ Component ^ Location ^ Rationale ^
| Root CA | On-premises (HSM) | Highest security |
| Intermediate (Cloud) | Azure/AWS/Vault | Proximity to workloads |
| End Entity | Cloud | Auto-provisioning |
| Backup | Multi-Cloud | Disaster recovery |
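As an added example (not the project's own code), the two-tier layout from the table above built with OpenSSL: the root key stays in an on-premises directory that stands in for the HSM, only a CSR leaves it, and the intermediate that comes back is constrained to pathlen:0 so it can issue end-entity certificates but no further CAs. It uses ML-DSA-65 when the local OpenSSL build offers it (3.5+) and falls back to EC P-384 otherwise; the directory layout and subject names are assumptions.

```shell
# Added example (not the project's code): build the hybrid hierarchy from the
# table above with OpenSSL. The root key stays under onprem/ (standing in for
# the on-prem HSM); only a CSR goes out and only the signed intermediate comes
# back into cloud/. ML-DSA-65 is used when this OpenSSL build offers it (3.5+),
# otherwise EC P-384 as a classical fallback.
set -eu

pick_algorithm() {                # prints ML-DSA-65 or EC
  if openssl list -signature-algorithms 2>/dev/null | grep -q 'ML-DSA-65'; then
    echo ML-DSA-65
  else
    echo EC
  fi
}

gen_key() {                       # gen_key <out.key>
  if [ "$(pick_algorithm)" = ML-DSA-65 ]; then
    openssl genpkey -algorithm ML-DSA-65 -out "$1"
  else
    openssl genpkey -algorithm EC -pkeyopt ec_paramgen_curve:P-384 -out "$1"
  fi
}

build_hybrid_hierarchy() {        # build_hybrid_hierarchy <workdir>; 0 on success
  onprem="$1/onprem"; cloud="$1/cloud"
  mkdir -p "$onprem" "$cloud"
  # 1. On-prem root CA: self-signed; its private key never leaves onprem/
  gen_key "$onprem/root.key"
  openssl req -x509 -new -key "$onprem/root.key" -days 3650 \
    -subj "/O=Example/CN=PQ Root CA" -out "$onprem/root.crt"
  # 2. Cloud intermediate: key generated in the cloud, only the CSR travels
  gen_key "$cloud/intermediate.key"
  openssl req -new -key "$cloud/intermediate.key" \
    -subj "/O=Example/CN=Cloud Issuing CA" -out "$cloud/intermediate.csr"
  cp "$cloud/intermediate.csr" "$onprem/"
  # 3. Root signs it as a CA limited to one tier (pathlen:0) with CA key usage only
  printf '%s\n' 'basicConstraints=critical,CA:TRUE,pathlen:0' \
    'keyUsage=critical,keyCertSign,cRLSign' \
    'subjectKeyIdentifier=hash' 'authorityKeyIdentifier=keyid' \
    > "$onprem/intermediate.ext"
  openssl x509 -req -in "$onprem/intermediate.csr" -CA "$onprem/root.crt" \
    -CAkey "$onprem/root.key" -CAcreateserial -days 1825 \
    -extfile "$onprem/intermediate.ext" -out "$cloud/intermediate.crt"
  # 4. Result: chain verifies, pathlen:0 is present, no root key in cloud/
  openssl verify -CAfile "$onprem/root.crt" "$cloud/intermediate.crt" >/dev/null &&
  openssl x509 -in "$cloud/intermediate.crt" -noout -text | grep -q 'pathlen:0' &&
  [ ! -e "$cloud/root.key" ]
}
```

In production the root step runs on the offline CA host against the HSM (PKCS#11 engine or provider instead of a key file); the cloud side only ever holds the CSR and the signed certificate.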
----
===== Related Documentation =====
* [[..:automatisierung:cert-manager-k8s|Kubernetes Cert-Manager]] - K8s integration
* [[..:disaster-recovery:ca-backup-restore|CA Backup]] - Cross-cloud backup
* [[en:int:pqcrypt:administrator:konfiguration|Configuration]] - OpenSSL setup
----
<< [[..:start|<- Operator Scenarios]] | [[.:azure-keyvault|-> Azure Key Vault]] >>
----
//Wolfgang van der Stille @ EMSR DATA d.o.o. - Post-Quantum Cryptography Professional//
{{tag>cloud azure aws vault hsm operator}}