====== AWS KMS + CloudHSM ======
**Cloud:** Amazon Web Services \\
**HSM level:** FIPS 140-2 Level 3 (CloudHSM) / Level 2 (KMS) \\
**PQ support:** Not yet available (as of 2024)
Integration of AWS Key Management Service and CloudHSM for PKI operations.
----
===== Architecture =====
<code mermaid>
flowchart TB
    subgraph AWS["AWS"]
        subgraph KMS["KMS"]
            K[Customer Managed Keys]
            AK[AWS Managed Keys]
        end
        subgraph CHSM["CloudHSM Cluster"]
            H1[HSM 1]
            H2[HSM 2]
        end
        subgraph ACM["Certificate Manager"]
            PC[Private CA]
            C[Certificates]
        end
        subgraph APPS["Applications"]
            EC2[EC2]
            EKS[EKS]
            Lambda[Lambda]
        end
    end
    subgraph ONPREM["ON-PREM"]
        CA[Root CA]
    end
    CA -->|Cross-Sign| PC
    K --> APPS
    PC --> C --> APPS
    CHSM --> KMS
    style KMS fill:#fff3e0
    style CHSM fill:#e8f5e9
</code>
----
===== AWS KMS setup =====
==== Creating a CMK (Customer Managed Key) ====
<code bash>
# AWS CLI: asymmetric signing key, never exportable from KMS
aws kms create-key \
    --description "PKI Signing Key" \
    --key-usage SIGN_VERIFY \
    --key-spec ECC_NIST_P384 \
    --tags TagKey=Environment,TagValue=Production

# Create an alias (<key-id> is the KeyId returned by create-key)
aws kms create-alias \
    --alias-name alias/pki-signing-key \
    --target-key-id <key-id>

# Key policy
aws kms put-key-policy \
    --key-id <key-id> \
    --policy-name default \
    --policy file://key-policy.json
</code>
<code json>
// key-policy.json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "Enable IAM User Permissions",
      "Effect": "Allow",
      "Principal": {"AWS": "arn:aws:iam::123456789012:root"},
      "Action": "kms:*",
      "Resource": "*"
    },
    {
      "Sid": "Allow signing",
      "Effect": "Allow",
      "Principal": {"AWS": "arn:aws:iam::123456789012:role/PKI-Signing-Role"},
      "Action": ["kms:Sign", "kms:Verify", "kms:GetPublicKey"],
      "Resource": "*"
    }
  ]
}
</code>
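The key policy above is the only thing standing between the signing role and the key, so policy drift is worth checking on every deployment. The following is an added example (not part of the original page or of any AWS tooling) that lints a key policy with the standard library only: it flags wildcard principals, principals from a foreign account, and any non-root principal holding destructive actions; the "weak" policy and the `DESTRUCTIVE` baseline are constructed for the example.

```python
import json

# Constructed sample: the key policy from key-policy.json above (not a live account)
KEY_POLICY_JSON = """{
  "Version": "2012-10-17",
  "Statement": [
    {"Sid": "Enable IAM User Permissions", "Effect": "Allow",
     "Principal": {"AWS": "arn:aws:iam::123456789012:root"},
     "Action": "kms:*", "Resource": "*"},
    {"Sid": "Allow signing", "Effect": "Allow",
     "Principal": {"AWS": "arn:aws:iam::123456789012:role/PKI-Signing-Role"},
     "Action": ["kms:Sign", "kms:Verify", "kms:GetPublicKey"], "Resource": "*"}
  ]
}"""
# Constructed drifted variant: signing role moved to a foreign account and may delete the key
WEAK_POLICY_JSON = KEY_POLICY_JSON.replace(
    "123456789012:role/", "999999999999:role/").replace(
    '"kms:GetPublicKey"]', '"kms:GetPublicKey", "kms:ScheduleKeyDeletion"]')
# Actions a signing role must never hold on a PKI key (baseline chosen here, not an AWS list)
DESTRUCTIVE = {"kms:*", "kms:ScheduleKeyDeletion", "kms:DisableKey",
               "kms:PutKeyPolicy", "kms:CreateGrant"}

def _as_list(value):
    return value if isinstance(value, list) else [value]

def lint_key_policy(policy_json, account):
    """Return findings for Allow statements; an empty list means the policy passes."""
    findings = []
    for st in json.loads(policy_json).get("Statement", []):
        if st.get("Effect") != "Allow":
            continue
        sid = st.get("Sid", "<no Sid>")
        principal = st.get("Principal", {})
        # Principal is either the literal "*" or {"AWS": <arn | list of arns>}
        arns = ["*"] if principal == "*" else _as_list(principal.get("AWS", []))
        actions = set(_as_list(st.get("Action", [])))
        for arn in arns:
            if arn == "*":
                findings.append(f"{sid}: wildcard principal")
                continue
            if f":{account}:" not in arn:
                findings.append(f"{sid}: principal outside account {account}: {arn}")
            # The account root legitimately holds kms:*; every other principal is checked
            if not arn.endswith(":root") and actions & DESTRUCTIVE:
                findings.append(f"{sid}: {arn} holds {sorted(actions & DESTRUCTIVE)}")
    return findings
```

Run it against the output of `aws kms get-key-policy --policy-name default` in a pipeline step and fail the deployment on any finding.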
==== Signing with KMS ====
<code csharp>
// C# - signing with the AWS SDK (top-level statements, .NET 6+)
using System;
using System.IO;
using System.Security.Cryptography;
using System.Text;
using Amazon.KeyManagementService;
using Amazon.KeyManagementService.Model;

var kmsClient = new AmazonKeyManagementServiceClient();

// Sign the data: only the SHA-384 digest is sent to KMS (MessageType.DIGEST),
// the private key never leaves the service
byte[] dataToSign = Encoding.UTF8.GetBytes("Sadržaj dokumenta");
byte[] digest = SHA384.HashData(dataToSign);
var signRequest = new SignRequest
{
    KeyId = "alias/pki-signing-key",
    Message = new MemoryStream(digest),
    MessageType = MessageType.DIGEST,
    SigningAlgorithm = SigningAlgorithmSpec.ECDSA_SHA_384
};
SignResponse signResponse = await kmsClient.SignAsync(signRequest);
byte[] signature = signResponse.Signature.ToArray();
Console.WriteLine($"Potpis: {Convert.ToBase64String(signature)}");

// Verification (requires kms:Verify; the same digest and algorithm must be supplied)
var verifyRequest = new VerifyRequest
{
    KeyId = "alias/pki-signing-key",
    Message = new MemoryStream(digest),
    MessageType = MessageType.DIGEST,
    Signature = new MemoryStream(signature),
    SigningAlgorithm = SigningAlgorithmSpec.ECDSA_SHA_384
};
VerifyResponse verifyResponse = await kmsClient.VerifyAsync(verifyRequest);
Console.WriteLine($"Valjano: {verifyResponse.SignatureValid}");
</code>
----
===== AWS CloudHSM =====
==== Creating a cluster ====
<code bash>
# Create the CloudHSM cluster (two subnets in different AZs for HA)
aws cloudhsmv2 create-cluster \
    --hsm-type hsm1.medium \
    --subnet-ids subnet-12345678 subnet-87654321

# Add an HSM to the cluster
aws cloudhsmv2 create-hsm \
    --cluster-id cluster-abc123 \
    --availability-zone eu-central-1a

# Initialise the cluster (requires the CloudHSM client)
/opt/cloudhsm/bin/cloudhsm_mgmt_util /opt/cloudhsm/etc/cloudhsm_mgmt_util.cfg
# In CMU:
# > loginHSM PRECO admin password
# > changePswd PRECO admin <new-password>
</code>
==== Generating a key in CloudHSM ====
<code bash>
# Key generation via the CloudHSM PKCS#11 library
pkcs11-tool --module /opt/cloudhsm/lib/libcloudhsm_pkcs11.so \
    --login --pin <crypto-user-pin> \
    --keypairgen --key-type EC:secp384r1 \
    --label "ca-signing-key" \
    --id 01
</code>
==== CloudHSM with KMS (Custom Key Store) ====
<code bash>
# Create the custom key store (kmsuser credentials for the cluster)
aws kms create-custom-key-store \
    --custom-key-store-name cloudhsm-keystore \
    --cloud-hsm-cluster-id cluster-abc123 \
    --trust-anchor-certificate file://customerCA.crt \
    --key-store-password <kmsuser-password>

# Connect the key store
aws kms connect-custom-key-store \
    --custom-key-store-id cks-abc123

# Create a key whose material lives in the CloudHSM cluster
aws kms create-key \
    --origin AWS_CLOUDHSM \
    --custom-key-store-id cks-abc123 \
    --key-spec ECC_NIST_P384 \
    --key-usage SIGN_VERIFY
</code>
----
===== AWS Certificate Manager Private CA =====
==== Creating a Private CA ====
<code bash>
# CA configuration
cat > ca-config.json << 'EOF'
{
  "KeyAlgorithm": "EC_secp384r1",
  "SigningAlgorithm": "SHA384WITHECDSA",
  "Subject": {
    "Country": "HR",
    "Organization": "Example Organization",
    "CommonName": "Example Private CA"
  }
}
EOF

# Create the Private CA (subordinate to the on-prem root)
aws acm-pca create-certificate-authority \
    --certificate-authority-configuration file://ca-config.json \
    --certificate-authority-type SUBORDINATE \
    --tags Key=Environment,Value=Production

# Generate the CSR
aws acm-pca get-certificate-authority-csr \
    --certificate-authority-arn <ca-arn> \
    --output text > ca.csr

# Sign the CSR with the Root CA (externally)
# ...

# Import the CA certificate
aws acm-pca import-certificate-authority-certificate \
    --certificate-authority-arn <ca-arn> \
    --certificate file://ca-cert.pem \
    --certificate-chain file://chain.pem
</code>
==== Issuing certificates ====
<code bash>
# CSR for the end entity
openssl req -new -key server.key -out server.csr \
    -subj "/CN=server.example.com"

# Issue the certificate
aws acm-pca issue-certificate \
    --certificate-authority-arn <ca-arn> \
    --csr fileb://server.csr \
    --signing-algorithm SHA384WITHECDSA \
    --validity Value=365,Type=DAYS \
    --template-arn arn:aws:acm-pca:::template/EndEntityCertificate/V1

# Fetch the certificate
aws acm-pca get-certificate \
    --certificate-authority-arn <ca-arn> \
    --certificate-arn <certificate-arn> \
    --output text > server.pem
</code>
----
===== EKS integration =====
<code json>
// IRSA (IAM Roles for Service Accounts): trust-policy.json
// The sub condition pins the role to one ServiceAccount in one namespace
{
  "Version": "2012-10-17",
  "Statement": [{
    "Effect": "Allow",
    "Principal": {
      "Federated": "arn:aws:iam::123456789012:oidc-provider/oidc.eks.eu-central-1.amazonaws.com/id/EXAMPLED539D4633E53DE1B716D3041E"
    },
    "Action": "sts:AssumeRoleWithWebIdentity",
    "Condition": {
      "StringEquals": {
        "oidc.eks.eu-central-1.amazonaws.com/id/EXAMPLED539D4633E53DE1B716D3041E:sub": "system:serviceaccount:pki:cert-manager"
      }
    }
  }]
}
</code>
<code yaml>
# ServiceAccount for cert-manager
apiVersion: v1
kind: ServiceAccount
metadata:
  name: cert-manager
  namespace: pki
  annotations:
    eks.amazonaws.com/role-arn: arn:aws:iam::123456789012:role/PKI-CertManager-Role
---
# ClusterIssuer for ACM Private CA (provided by the aws-privateca-issuer plugin,
# not by cert-manager's built-in issuers)
apiVersion: awspca.cert-manager.io/v1beta1
kind: AWSPCAClusterIssuer
metadata:
  name: aws-pca-issuer
spec:
  arn: arn:aws:acm-pca:eu-central-1:123456789012:certificate-authority/abc123
  region: eu-central-1
</code>
----
===== Lambda integration =====
<code python>
# lambda_function.py
import boto3
import base64
import hashlib

kms_client = boto3.client('kms')


def lambda_handler(event, context):
    data = event['data'].encode('utf-8')
    digest = hashlib.sha384(data).digest()
    # Sign: only the digest is sent, the execution role needs kms:Sign on the alias
    sign_response = kms_client.sign(
        KeyId='alias/pki-signing-key',
        Message=digest,
        MessageType='DIGEST',
        SigningAlgorithm='ECDSA_SHA_384'
    )
    signature = base64.b64encode(sign_response['Signature']).decode()
    return {
        'statusCode': 200,
        'signature': signature
    }
</code>
----
===== Monitoring =====
<code bash>
# CloudWatch alarm for KMS (Value= takes the key ID of the signing key)
aws cloudwatch put-metric-alarm \
    --alarm-name kms-signing-errors \
    --metric-name Errors \
    --namespace AWS/KMS \
    --statistic Sum \
    --period 300 \
    --threshold 1 \
    --comparison-operator GreaterThanOrEqualToThreshold \
    --dimensions Name=KeyId,Value=<key-id> \
    --evaluation-periods 1 \
    --alarm-actions arn:aws:sns:eu-central-1:123456789012:pki-alerts
</code>
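The alarm above only counts errors; CloudTrail (checklist item 4) records who called which KMS API on which key, and that is where a successful `Sign` by a role other than PKI-Signing-Role, or a `ScheduleKeyDeletion` on the CA key, shows up. The following is an added example (not from the original page or any AWS tool) that runs such checks over constructed CloudTrail-shaped records; the key ARN, role names and event list are sample values, and the `DESTRUCTIVE` set is a baseline chosen here.

```python
import re

# Placeholder key ARN (not a real key); KMS writes the resolved key ARN into each event's resources list
KEY_ARN = "arn:aws:kms:eu-central-1:123456789012:key/00000000-0000-0000-0000-000000000000"
ALLOWED_SIGNERS = {"PKI-Signing-Role"}          # the only role the key policy lets sign
DESTRUCTIVE = {"ScheduleKeyDeletion", "DisableKey", "PutKeyPolicy",
               "DeleteAlias", "DisconnectCustomKeyStore"}
ROLE_RE = re.compile(r":assumed-role/([^/]+)/")  # STS session ARN -> role name

def _event(name, who, key_arn=KEY_ARN, error=None):
    """Build a minimal CloudTrail-shaped record (constructed sample, not real log data)."""
    ev = {"eventSource": "kms.amazonaws.com", "eventName": name,
          "userIdentity": {"arn": who}, "resources": [{"ARN": key_arn}]}
    if error:
        ev["errorCode"] = error
    return ev

EVENTS = [
    _event("Sign", "arn:aws:sts::123456789012:assumed-role/PKI-Signing-Role/lambda"),
    _event("Sign", "arn:aws:sts::123456789012:assumed-role/DevOps-Admin/alice"),
    _event("Sign", "arn:aws:sts::123456789012:assumed-role/Reporting-Role/job",
           error="AccessDenied"),
    _event("ScheduleKeyDeletion", "arn:aws:iam::123456789012:user/bob"),
    _event("Sign", "arn:aws:sts::123456789012:assumed-role/PKI-Signing-Role/lambda",
           key_arn="arn:aws:kms:eu-central-1:123456789012:key/11111111-1111-1111-1111-111111111111"),
]

def role_name(identity_arn):
    """Extract the role name from an assumed-role session ARN; None for users and root."""
    m = ROLE_RE.search(identity_arn)
    return m.group(1) if m else None

def flag_events(events, allowed_signers=ALLOWED_SIGNERS, protected=frozenset({KEY_ARN})):
    """Return (kind, detail, principal) tuples for KMS events touching a protected PKI key."""
    alerts = []
    for ev in events:
        if ev.get("eventSource") != "kms.amazonaws.com":
            continue
        if not {r.get("ARN") for r in ev.get("resources", [])} & protected:
            continue  # some other key; out of scope
        name, who = ev["eventName"], ev["userIdentity"]["arn"]
        if name in DESTRUCTIVE:
            alerts.append(("destructive", name, who))      # page the PKI team regardless of caller
        elif name == "Sign":
            if ev.get("errorCode"):
                alerts.append(("sign-error", ev["errorCode"], who))   # what the alarm above counts
            elif role_name(who) not in allowed_signers:
                alerts.append(("unexpected-signer", name, who))  # key policy drift: someone else signs
    return alerts
```

Feed it the `Records` array of a CloudTrail log file, or wire the same conditions into an EventBridge rule on `aws.kms` events so the alert fires without a batch job.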
----
===== Cost overview =====
| Service | Cost (approx.) | Note |
|---------|----------------|------|
| KMS CMK | $1/month + $0.03/10k requests | Standard |
| CloudHSM | ~$1.50/hour (~$1100/month) | Per HSM |
| ACM Private CA | $400/month + $0.75/cert | Per CA |
----
===== Checklist =====
| # | Check item | Done |
|---|------------|------|
| 1 | KMS key created | ☐ |
| 2 | Key policy configured | ☐ |
| 3 | IAM roles created | ☐ |
| 4 | CloudTrail enabled | ☐ |
| 5 | CloudWatch alarms | ☐ |
| 6 | Backup strategy | ☐ |
----
===== Related documentation =====
* [[.:azure-keyvault|Azure Key Vault]] - Alternative cloud
* [[.:hashicorp-vault|HashiCorp Vault]] - Multi-cloud
* [[..:automatisierung:cert-manager-k8s|Kubernetes Cert-Manager]] - EKS integration
----
<< [[.:azure-keyvault|<- Azure Key Vault]] | [[.:hashicorp-vault|-> HashiCorp Vault]] >>
----
//Wolfgang van der Stille @ EMSR DATA d.o.o. - Post-Quantum Cryptography Professional//
{{tag>aws kms cloudhsm acm cloud operator}}