Inhaltsverzeichnis
AWS KMS + CloudHSM
Cloud: Amazon Web Services
HSM razina: FIPS 140-2 Level 3 (CloudHSM) / Level 2 (KMS)
PQ podrška: Još nije dostupna (stanje 2024)
Integracija AWS Key Management Service i CloudHSM za PKI operacije.
Arhitektura
flowchart TB
subgraph AWS["AWS"]
subgraph KMS["KMS"]
K[Customer Managed Keys]
AK[AWS Managed Keys]
end
subgraph CHSM["CloudHSM Cluster"]
H1[HSM 1]
H2[HSM 2]
end
subgraph ACM["Certificate Manager"]
PC[Private CA]
C[Certificates]
end
subgraph APPS["Applications"]
EC2[EC2]
EKS[EKS]
Lambda[Lambda]
end
end
subgraph ONPREM["ON-PREM"]
CA[Root CA]
end
CA -->|Cross-Sign| PC
K --> APPS
PC --> C --> APPS
CHSM --> KMS
style KMS fill:#fff3e0
style CHSM fill:#e8f5e9
AWS KMS postavljanje
Stvaranje CMK (Customer Managed Key)
# AWS CLI aws kms create-key \ --description "PKI Signing Key" \ --key-usage SIGN_VERIFY \ --key-spec ECC_NIST_P384 \ --tags TagKey=Environment,TagValue=Production # Stvaranje aliasa aws kms create-alias \ --alias-name alias/pki-signing-key \ --target-key-id <key-id> # Key Policy aws kms put-key-policy \ --key-id <key-id> \ --policy-name default \ --policy file://key-policy.json
// key-policy.json
{
"Version": "2012-10-17",
"Statement": [
{
"Sid": "Enable IAM User Permissions",
"Effect": "Allow",
"Principal": {"AWS": "arn:aws:iam::123456789012:root"},
"Action": "kms:*",
"Resource": "*"
},
{
"Sid": "Allow signing",
"Effect": "Allow",
"Principal": {"AWS": "arn:aws:iam::123456789012:role/PKI-Signing-Role"},
"Action": ["kms:Sign", "kms:Verify", "kms:GetPublicKey"],
"Resource": "*"
}
]
}
Potpisivanje s KMS
// C# - AWS SDK potpisivanje using Amazon.KeyManagementService; using Amazon.KeyManagementService.Model; var kmsClient = new AmazonKeyManagementServiceClient(); // Potpisivanje podataka byte[] dataToSign = Encoding.UTF8.GetBytes("Sadržaj dokumenta"); byte[] digest = SHA384.HashData(dataToSign); var signRequest = new SignRequest { KeyId = "alias/pki-signing-key", Message = new MemoryStream(digest), MessageType = MessageType.DIGEST, SigningAlgorithm = SigningAlgorithmSpec.ECDSA_SHA_384 }; SignResponse signResponse = await kmsClient.SignAsync(signRequest); byte[] signature = signResponse.Signature.ToArray(); Console.WriteLine($"Potpis: {Convert.ToBase64String(signature)}"); // Verifikacija var verifyRequest = new VerifyRequest { KeyId = "alias/pki-signing-key", Message = new MemoryStream(digest), MessageType = MessageType.DIGEST, Signature = new MemoryStream(signature), SigningAlgorithm = SigningAlgorithmSpec.ECDSA_SHA_384 }; VerifyResponse verifyResponse = await kmsClient.VerifyAsync(verifyRequest); Console.WriteLine($"Valjano: {verifyResponse.SignatureValid}");
AWS CloudHSM
Stvaranje Clustera
# Stvaranje CloudHSM Clustera aws cloudhsmv2 create-cluster \ --hsm-type hsm1.medium \ --subnet-ids subnet-12345678 subnet-87654321 # Dodavanje HSM-a u Cluster aws cloudhsmv2 create-hsm \ --cluster-id cluster-abc123 \ --availability-zone eu-central-1a # Inicijalizacija Clustera (zahtijeva CloudHSM Client) /opt/cloudhsm/bin/cloudhsm_mgmt_util /opt/cloudhsm/etc/cloudhsm_mgmt_util.cfg # U CMU: # > loginHSM PRECO admin password # > changePswd PRECO admin <new-password>
Generiranje ključa u CloudHSM
# CloudHSM PKCS#11 generiranje ključa pkcs11-tool --module /opt/cloudhsm/lib/libcloudhsm_pkcs11.so \ --login --pin <CU-password> \ --keypairgen --key-type EC:secp384r1 \ --label "ca-signing-key" \ --id 01
CloudHSM s KMS (Custom Key Store)
# Stvaranje Custom Key Store aws kms create-custom-key-store \ --custom-key-store-name cloudhsm-keystore \ --cloud-hsm-cluster-id cluster-abc123 \ --trust-anchor-certificate file://customerCA.crt \ --key-store-password <kmsuser-password> # Povezivanje Key Store aws kms connect-custom-key-store \ --custom-key-store-id cks-abc123 # Stvaranje ključa u Custom Key Store aws kms create-key \ --origin AWS_CLOUDHSM \ --custom-key-store-id cks-abc123 \ --key-spec ECC_NIST_P384 \ --key-usage SIGN_VERIFY
AWS Certificate Manager Private CA
Stvaranje Private CA
# Konfiguracija CA cat > ca-config.json << 'EOF' { "KeyAlgorithm": "EC_secp384r1", "SigningAlgorithm": "SHA384WITHECDSA", "Subject": { "Country": "HR", "Organization": "Example Organization", "CommonName": "Example Private CA" } } EOF # Stvaranje Private CA aws acm-pca create-certificate-authority \ --certificate-authority-configuration file://ca-config.json \ --certificate-authority-type SUBORDINATE \ --tags Key=Environment,Value=Production # Generiranje CSR aws acm-pca get-certificate-authority-csr \ --certificate-authority-arn <ca-arn> \ --output text > ca.csr # Potpisivanje CSR-a od Root CA (eksterno) # ... # Import CA certifikata aws acm-pca import-certificate-authority-certificate \ --certificate-authority-arn <ca-arn> \ --certificate file://ca-cert.pem \ --certificate-chain file://chain.pem
Izdavanje certifikata
# CSR za End-Entity openssl req -new -key server.key -out server.csr \ -subj "/CN=server.example.com" # Izdavanje certifikata aws acm-pca issue-certificate \ --certificate-authority-arn <ca-arn> \ --csr fileb://server.csr \ --signing-algorithm SHA384WITHECDSA \ --validity Value=365,Type=DAYS \ --template-arn arn:aws:acm-pca:::template/EndEntityCertificate/V1 # Dohvaćanje certifikata aws acm-pca get-certificate \ --certificate-authority-arn <ca-arn> \ --certificate-arn <cert-arn> \ --output text > server.pem
EKS integracija
# IRSA (IAM Roles for Service Accounts) # trust-policy.json { "Version": "2012-10-17", "Statement": [{ "Effect": "Allow", "Principal": { "Federated": "arn:aws:iam::123456789012:oidc-provider/oidc.eks.eu-central-1.amazonaws.com/id/EXAMPLED539D4633E53DE1B716D3041E" }, "Action": "sts:AssumeRoleWithWebIdentity", "Condition": { "StringEquals": { "oidc.eks.eu-central-1.amazonaws.com/id/EXAMPLED539D4633E53DE1B716D3041E:sub": "system:serviceaccount:pki:cert-manager" } } }] }
# ServiceAccount za cert-manager apiVersion: v1 kind: ServiceAccount metadata: name: cert-manager namespace: pki annotations: eks.amazonaws.com/role-arn: arn:aws:iam::123456789012:role/PKI-CertManager-Role --- # ClusterIssuer za ACM Private CA apiVersion: cert-manager.io/v1 kind: ClusterIssuer metadata: name: aws-pca-issuer spec: acmPrivateCA: arn: arn:aws:acm-pca:eu-central-1:123456789012:certificate-authority/abc123 region: eu-central-1
Lambda integracija
# lambda_function.py import boto3 import base64 import hashlib kms_client = boto3.client('kms') def lambda_handler(event, context): data = event['data'].encode('utf-8') digest = hashlib.sha384(data).digest() # Potpisivanje sign_response = kms_client.sign( KeyId='alias/pki-signing-key', Message=digest, MessageType='DIGEST', SigningAlgorithm='ECDSA_SHA_384' ) signature = base64.b64encode(sign_response['Signature']).decode() return { 'statusCode': 200, 'signature': signature }
Nadzor
# CloudWatch Alarm za KMS aws cloudwatch put-metric-alarm \ --alarm-name kms-signing-errors \ --metric-name Errors \ --namespace AWS/KMS \ --statistic Sum \ --period 300 \ --threshold 1 \ --comparison-operator GreaterThanOrEqualToThreshold \ --dimensions Name=KeyId,Value=<key-id> \ --evaluation-periods 1 \ --alarm-actions arn:aws:sns:eu-central-1:123456789012:pki-alerts
Pregled troškova
| Servis | Troškovi (otpr.) | Napomena |
| ——– | —————— | ———- |
| KMS CMK | $1/mjesečno + $0.03/10k zahtjeva | Standard |
| CloudHSM | ~$1.50/sat (~$1100/mjesečno) | Po HSM-u |
| ACM Private CA | $400/mjesečno + $0.75/Cert | Po CA-u |
Kontrolna lista
| # | Točka provjere | Gotovo |
| — | —————- | ——– |
| 1 | KMS ključ stvoren | ☐ |
| 2 | Key Policy konfigurirana | ☐ |
| 3 | IAM Roles stvorene | ☐ |
| 4 | CloudTrail aktiviran | ☐ |
| 5 | CloudWatch Alarmi | ☐ |
| 6 | Strategija sigurnosnog kopiranja | ☐ |
Povezana dokumentacija
- Azure Key Vault - Alternativni Cloud
- HashiCorp Vault - Multi-Cloud
- Kubernetes Cert-Manager - EKS integracija
« <- Azure Key Vault | -> HashiCorp Vault »
Wolfgang van der Stille @ EMSR DATA d.o.o. - Post-Quantum Cryptography Professional
Zuletzt geändert: 30.01.2026. u 01:36
