====== AWS KMS + CloudHSM ======
**Oblak:** Amazon Web Services \\
**HSM nivo:** FIPS 140-2 Nivo 3 (CloudHSM) / Nivo 2 (KMS) \\
**PQ podpora:** Še ni na voljo (stanje 2024)
Integracija AWS Key Management Service in CloudHSM za PKI operacije.
----
===== Arhitektura =====
flowchart TB
subgraph AWS["AWS"]
subgraph KMS["KMS"]
K[Customer Managed Keys]
AK[AWS Managed Keys]
end
subgraph CHSM["CloudHSM gruča"]
H1[HSM 1]
H2[HSM 2]
end
subgraph ACM["Certificate Manager"]
PC[Private CA]
C[Certifikati]
end
subgraph APPS["Aplikacije"]
EC2[EC2]
EKS[EKS]
Lambda[Lambda]
end
end
subgraph ONPREM["NA LOKACIJI"]
CA[Root CA]
end
CA -->|Navzkrižni podpis| PC
K --> APPS
PC --> C --> APPS
CHSM --> KMS
style KMS fill:#fff3e0
style CHSM fill:#e8f5e9
----
===== Nastavitev AWS KMS =====
==== Ustvarjanje CMK (Customer Managed Key) ====
# AWS CLI
aws kms create-key \
--description "PKI Signing Key" \
--key-usage SIGN_VERIFY \
--key-spec ECC_NIST_P384 \
--tags TagKey=Environment,TagValue=Production
# Ustvarjanje vzdevka
aws kms create-alias \
--alias-name alias/pki-signing-key \
--target-key-id
# Key Policy
aws kms put-key-policy \
--key-id \
--policy-name default \
--policy file://key-policy.json
// key-policy.json
{
"Version": "2012-10-17",
"Statement": [
{
"Sid": "Enable IAM User Permissions",
"Effect": "Allow",
"Principal": {"AWS": "arn:aws:iam::123456789012:root"},
"Action": "kms:*",
"Resource": "*"
},
{
"Sid": "Allow signing",
"Effect": "Allow",
"Principal": {"AWS": "arn:aws:iam::123456789012:role/PKI-Signing-Role"},
"Action": ["kms:Sign", "kms:Verify", "kms:GetPublicKey"],
"Resource": "*"
}
]
}
==== Podpisovanje s KMS ====
// C# - AWS SDK podpisovanje
using Amazon.KeyManagementService;
using Amazon.KeyManagementService.Model;
var kmsClient = new AmazonKeyManagementServiceClient();
// Podpisovanje podatkov
byte[] dataToSign = Encoding.UTF8.GetBytes("Document content");
byte[] digest = SHA384.HashData(dataToSign);
var signRequest = new SignRequest
{
KeyId = "alias/pki-signing-key",
Message = new MemoryStream(digest),
MessageType = MessageType.DIGEST,
SigningAlgorithm = SigningAlgorithmSpec.ECDSA_SHA_384
};
SignResponse signResponse = await kmsClient.SignAsync(signRequest);
byte[] signature = signResponse.Signature.ToArray();
Console.WriteLine($"Podpis: {Convert.ToBase64String(signature)}");
// Preverjanje
var verifyRequest = new VerifyRequest
{
KeyId = "alias/pki-signing-key",
Message = new MemoryStream(digest),
MessageType = MessageType.DIGEST,
Signature = new MemoryStream(signature),
SigningAlgorithm = SigningAlgorithmSpec.ECDSA_SHA_384
};
VerifyResponse verifyResponse = await kmsClient.VerifyAsync(verifyRequest);
Console.WriteLine($"Veljavno: {verifyResponse.SignatureValid}");
----
===== AWS CloudHSM =====
==== Ustvarjanje gruče ====
# Ustvarjanje CloudHSM gruče
aws cloudhsmv2 create-cluster \
--hsm-type hsm1.medium \
--subnet-ids subnet-12345678 subnet-87654321
# Dodajanje HSM v gručo
aws cloudhsmv2 create-hsm \
--cluster-id cluster-abc123 \
--availability-zone eu-central-1a
# Inicializacija gruče (zahteva CloudHSM odjemalca)
/opt/cloudhsm/bin/cloudhsm_mgmt_util /opt/cloudhsm/etc/cloudhsm_mgmt_util.cfg
# V CMU:
# > loginHSM PRECO admin password
# > changePswd PRECO admin
==== Generacija ključev v CloudHSM ====
# CloudHSM PKCS#11 generacija ključev
pkcs11-tool --module /opt/cloudhsm/lib/libcloudhsm_pkcs11.so \
--login --pin \
--keypairgen --key-type EC:secp384r1 \
--label "ca-signing-key" \
--id 01
==== CloudHSM s KMS (Custom Key Store) ====
# Ustvarjanje Custom Key Store
aws kms create-custom-key-store \
--custom-key-store-name cloudhsm-keystore \
--cloud-hsm-cluster-id cluster-abc123 \
--trust-anchor-certificate file://customerCA.crt \
--key-store-password
# Povezovanje Key Store
aws kms connect-custom-key-store \
--custom-key-store-id cks-abc123
# Ustvarjanje ključa v Custom Key Store
aws kms create-key \
--origin AWS_CLOUDHSM \
--custom-key-store-id cks-abc123 \
--key-spec ECC_NIST_P384 \
--key-usage SIGN_VERIFY
----
===== AWS Certificate Manager Private CA =====
==== Ustvarjanje Private CA ====
# Konfiguracija CA
cat > ca-config.json << 'EOF'
{
"KeyAlgorithm": "EC_secp384r1",
"SigningAlgorithm": "SHA384WITHECDSA",
"Subject": {
"Country": "DE",
"Organization": "Example Organization",
"CommonName": "Example Private CA"
}
}
EOF
# Ustvarjanje Private CA
aws acm-pca create-certificate-authority \
--certificate-authority-configuration file://ca-config.json \
--certificate-authority-type SUBORDINATE \
--tags Key=Environment,Value=Production
# Generacija CSR
aws acm-pca get-certificate-authority-csr \
--certificate-authority-arn \
--output text > ca.csr
# Podpis CSR s strani Root-CA (zunanje)
# ...
# Uvoz CA certifikata
aws acm-pca import-certificate-authority-certificate \
--certificate-authority-arn \
--certificate file://ca-cert.pem \
--certificate-chain file://chain.pem
==== Izdaja certifikata ====
# CSR za End-Entity
openssl req -new -key server.key -out server.csr \
-subj "/CN=server.example.com"
# Izdaja certifikata
aws acm-pca issue-certificate \
--certificate-authority-arn \
--csr fileb://server.csr \
--signing-algorithm SHA384WITHECDSA \
--validity Value=365,Type=DAYS \
--template-arn arn:aws:acm-pca:::template/EndEntityCertificate/V1
# Pridobitev certifikata
aws acm-pca get-certificate \
--certificate-authority-arn \
--certificate-arn \
--output text > server.pem
----
===== Integracija EKS =====
# IRSA (IAM Roles for Service Accounts)
# trust-policy.json
{
"Version": "2012-10-17",
"Statement": [{
"Effect": "Allow",
"Principal": {
"Federated": "arn:aws:iam::123456789012:oidc-provider/oidc.eks.eu-central-1.amazonaws.com/id/EXAMPLED539D4633E53DE1B716D3041E"
},
"Action": "sts:AssumeRoleWithWebIdentity",
"Condition": {
"StringEquals": {
"oidc.eks.eu-central-1.amazonaws.com/id/EXAMPLED539D4633E53DE1B716D3041E:sub": "system:serviceaccount:pki:cert-manager"
}
}
}]
}
# ServiceAccount za cert-manager
apiVersion: v1
kind: ServiceAccount
metadata:
name: cert-manager
namespace: pki
annotations:
eks.amazonaws.com/role-arn: arn:aws:iam::123456789012:role/PKI-CertManager-Role
---
# ClusterIssuer za ACM Private CA
apiVersion: cert-manager.io/v1
kind: ClusterIssuer
metadata:
name: aws-pca-issuer
spec:
acmPrivateCA:
arn: arn:aws:acm-pca:eu-central-1:123456789012:certificate-authority/abc123
region: eu-central-1
----
===== Integracija Lambda =====
# lambda_function.py
import boto3
import base64
import hashlib
kms_client = boto3.client('kms')
def lambda_handler(event, context):
data = event['data'].encode('utf-8')
digest = hashlib.sha384(data).digest()
# Podpisovanje
sign_response = kms_client.sign(
KeyId='alias/pki-signing-key',
Message=digest,
MessageType='DIGEST',
SigningAlgorithm='ECDSA_SHA_384'
)
signature = base64.b64encode(sign_response['Signature']).decode()
return {
'statusCode': 200,
'signature': signature
}
----
===== Nadzor =====
# CloudWatch alarm za KMS
aws cloudwatch put-metric-alarm \
--alarm-name kms-signing-errors \
--metric-name Errors \
--namespace AWS/KMS \
--statistic Sum \
--period 300 \
--threshold 1 \
--comparison-operator GreaterThanOrEqualToThreshold \
--dimensions Name=KeyId,Value= \
--evaluation-periods 1 \
--alarm-actions arn:aws:sns:eu-central-1:123456789012:pki-alerts
----
===== Pregled stroškov =====
| Storitev | Stroški (pribl.) | Opomba |
|----------|------------------|--------|
| KMS CMK | $1/mesec + $0.03/10k zahtev | Standard |
| CloudHSM | ~$1.50/uro (~$1100/mesec) | Na HSM |
| ACM Private CA | $400/mesec + $0.75/certifikat | Na CA |
----
===== Kontrolni seznam =====
| # | Kontrolna točka | |
|---|-----------------|---|
| 1 | KMS ključ ustvarjen | |
| 2 | Key Policy konfigurirana | |
| 3 | IAM vloge ustvarjene | |
| 4 | CloudTrail aktiviran | |
| 5 | CloudWatch alarmi | |
| 6 | Strategija varnostnega kopiranja | |
----
===== Povezana dokumentacija =====
* [[.:azure-keyvault|Azure Key Vault]] – Alternativni oblak
* [[.:hashicorp-vault|HashiCorp Vault]] – Večoblačnost
* [[..:automatisierung:cert-manager-k8s|Kubernetes Cert-Manager]] – Integracija EKS
----
<< [[.:azure-keyvault|← Azure Key Vault]] | [[.:hashicorp-vault|→ HashiCorp Vault]] >>
----
//Wolfgang van der Stille @ EMSR DATA d.o.o. - Post-Quantum Cryptography Professional//
{{tag>aws kms cloudhsm acm cloud operator}}