Fortanix DSM - AWS Key Management Service CDC Group Setup - Using Easy Wizard

Welcome to the Fortanix Data Security Manager (DSM) Amazon Web Services (AWS) Cloud Data Control (CDC) Setup Guide. This article describes how to set up a CDC group for AWS KMS automatically using the Fortanix DSM easy wizard integration.

The Fortanix solution for AWS Key Management Service (KMS) offers complete Cloud Native Key Management Service (CNKMS), Bring Your Own Key (BYOK), and Bring Your Own KMS (BYOKMS), with full key lifecycle management and automation.

This article will walk you through setting up a CDC group that will be used for both CNKMS and BYOK workflows.

To decide which of CNKMS, BYOK, Bring Your Own KMS (AWS XKS), or Bring Your Own Encryption (BYOE) is right for you, refer to the Fortanix DSM - Cloud Data Control - Getting Started.

For BYOKMS using AWS External Key Store (XKS), refer to the Fortanix DSM with AWS External Key Store.

Create an account in Fortanix DSM if you do not have one already. For more information, refer to the User's Guide: Getting Started with Fortanix Data Security Manager - UI guide.

The following section describes the workflow to configure Fortanix DSM to interact with the AWS KMS. An AWS CDC group is automatically created in the Fortanix DSM account using the easy wizard integration, and this group is configured to interact with the AWS KMS.

To configure the AWS CDC group, the AWS Identity and Access Management (IAM) user whose access key Fortanix DSM uses to authenticate the group with AWS KMS must have the following AWS KMS permissions. Grant them to a dedicated IAM user rather than reusing a broader account credential.

LIST Permissions:

  • ListKeys

  • ListKeyPolicies

  • ListRetirableGrants

  • ListAliases

  • ListGrants

  • ListResourceTags

READ Permissions:

  • DescribeKey

  • GetPublicKey

  • GetKeyRotationStatus

  • GetKeyPolicy

  • GetParametersForImport

WRITE Permissions:

  • CreateKey

  • ImportKeyMaterial

  • DeleteImportedKeyMaterial

  • EnableKey

  • DisableKey

  • ScheduleKeyDeletion

  • CancelKeyDeletion

  • EnableKeyRotation

  • DisableKeyRotation

  • CreateAlias

  • DeleteAlias

  • UpdateAlias

  • PutKeyPolicy

  • GenerateDataKey

  • TagResource

  • UntagResource

  • CreateGrant

  • RetireGrant

  • RevokeGrant
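As an added example (not Fortanix code), the following Python builds an IAM identity policy containing exactly the actions listed above and checks, offline, which of them an arbitrary candidate policy grants, so you can audit the IAM user's credentials before pasting them into the wizard. The sample policies in it are constructed; the checker evaluates only Action/NotAction and ignores Resource and Condition, so an empty result is necessary but not sufficient.

```python
"""Least-privilege IAM policy for the AWS CDC group credentials, plus an
offline check of which required kms: actions a candidate policy grants.
Added example, not Fortanix code; the sample policies are constructed."""
import fnmatch
import json

# The KMS actions this guide lists, grouped the way the guide groups them.
REQUIRED_KMS_ACTIONS = {
    "list": ["ListKeys", "ListKeyPolicies", "ListRetirableGrants",
             "ListAliases", "ListGrants", "ListResourceTags"],
    "read": ["DescribeKey", "GetPublicKey", "GetKeyRotationStatus",
             "GetKeyPolicy", "GetParametersForImport"],
    "write": ["CreateKey", "ImportKeyMaterial", "DeleteImportedKeyMaterial",
              "EnableKey", "DisableKey", "ScheduleKeyDeletion",
              "CancelKeyDeletion", "EnableKeyRotation", "DisableKeyRotation",
              "CreateAlias", "DeleteAlias", "UpdateAlias", "PutKeyPolicy",
              "GenerateDataKey", "TagResource", "UntagResource",
              "CreateGrant", "RetireGrant", "RevokeGrant"],
}


def all_required_actions():
    """Fully qualified action names, sorted, e.g. 'kms:CreateKey'."""
    return sorted("kms:" + a for group in REQUIRED_KMS_ACTIONS.values()
                  for a in group)


def build_policy():
    """Identity policy granting exactly the listed actions.  Resource is "*"
    because CreateKey, ListKeys and ListAliases are not resource-scoped in
    KMS; key-level actions can be narrowed to specific key ARNs in a second
    statement once the keys exist."""
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Sid": "FortanixDsmKmsAccess",
            "Effect": "Allow",
            "Action": all_required_actions(),
            "Resource": "*",
        }],
    }


def _action_matches(pattern, action):
    # IAM matches action names case-insensitively; '*' and '?' are wildcards.
    return fnmatch.fnmatchcase(action.lower(), pattern.lower())


def _as_list(value):
    return value if isinstance(value, list) else [value]


def missing_actions(policy, required=None):
    """Required actions the policy does not grant: an action counts as granted
    only if an Allow statement matches it and no Deny statement does.  Only
    Action/NotAction are evaluated (Resource and Condition are ignored), so an
    empty result is necessary but not sufficient; TEST CONNECTION or IAM's
    policy simulator has the final word."""
    required = list(required) if required is not None else all_required_actions()
    allowed, denied = set(), set()
    for stmt in _as_list(policy.get("Statement", [])):
        if "Action" in stmt:
            patterns = _as_list(stmt["Action"])
            hits = {a for a in required
                    if any(_action_matches(p, a) for p in patterns)}
        elif "NotAction" in stmt:
            patterns = _as_list(stmt["NotAction"])
            hits = {a for a in required
                    if not any(_action_matches(p, a) for p in patterns)}
        else:
            hits = set()
        (allowed if stmt.get("Effect") == "Allow" else denied).update(hits)
    return sorted(a for a in required if a not in allowed or a in denied)


# Constructed sample: a read-only audit policy, which is not enough for DSM.
READ_ONLY_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{"Effect": "Allow",
                   "Action": ["kms:List*", "kms:Describe*", "kms:Get*"],
                   "Resource": "*"}],
}

# Constructed sample: broad KMS access with key deletion explicitly denied.
NO_DELETE_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Action": "kms:*", "Resource": "*"},
        {"Effect": "Deny", "Action": "kms:ScheduleKeyDeletion", "Resource": "*"},
    ],
}

if __name__ == "__main__":
    print(json.dumps(build_policy(), indent=2))
    print("read-only policy lacks:", missing_actions(READ_ONLY_POLICY))
    print("no-delete policy lacks:", missing_actions(NO_DELETE_POLICY))
```

Run it to print the policy JSON you would attach to the dedicated IAM user; the two sample checks show the typical failure modes, a read-only policy that passes listing but cannot create or import keys, and an explicit Deny that silently removes one action from an otherwise broad grant.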

  1. Navigate to the Integrations menu item in the DSM left navigation bar and select the Cloud Key Management/BYOK filter to show only the Cloud Key Management/BYOK wizards.

  2. On the AWS BYOK wizard, click ADD INSTANCE to add a new AWS BYOK instance.

  3. Enter the following details:

    1. Enter a name for the AWS BYOK instance.

    2. Select AWS as the cloud provider to which your keys will be exported.

      NOTE

      The Fortanix DSM 4.14 release only supports AWS as the cloud provider. Future releases of Fortanix DSM will also support other cloud providers.

    3. In the Choose Region field, select the AWS region from which keys should be imported.
      If you are a United States (US) government employee, you can choose from the following AWS GovCloud regions:

      • AWS GovCloud (US-East)

      • AWS GovCloud (US-West)

      When you select an AWS GovCloud region, the AWS BYOK key upload operations are executed against the KMS endpoint in that region, and the uploaded keys are created in, and usable from, that AWS GovCloud region.

      NOTE

      To use AWS GovCloud (US), you must be a US citizen associated with the US Federal Government or a US government contractor. Refer to the AWS documentation on access to these environments.

    4. Enter the AWS KMS Service Account Credentials: 

      • URL: The AWS KMS endpoint URL is auto-populated from the selected region. The field is editable, so you can also enter a custom endpoint URL for the region; in that case the label changes to URL (Custom).

      • AWS_ACCESS_KEY_ID and AWS_SECRET_ACCESS_KEY: The access key ID and secret access key of the IAM user that Fortanix DSM uses to call AWS KMS. Each IAM user has its own access key pair. Fortanix DSM stores these credentials securely so that it can perform native cloud key management and unattended automation, such as automatic key rotation on a set schedule. Use a dedicated IAM user that holds only the permissions listed above. For how to obtain AWS credentials, refer to the AWS documentation.

    5. Add TLS configuration (optional). For more details, refer to Section 4.3: Add TLS Configuration (Optional).

    6. Click TEST CONNECTION to test the AWS KMS connection. If Fortanix DSM can reach AWS KMS with the supplied details, the status shows as “Connected” with a green tick. Otherwise, it shows as “Not Connected” with a yellow warning sign.

    7. Click SAVE INSTANCE to save your instance.
      Saving the instance will automatically create the following:

      • A new AWS CDC group for the selected region.

      • A new instance in the instance table.

  4. In the instance table:

    1. Click MANAGE KEYS to go to the Security Objects tab of the AWS CDC group.

    2. Click SYNC KEYS to go to the HSM/KMS tab of the AWS CDC group. For more details refer to Section 4.4: HSM/KMS Tab.

In the TLS Configuration section, click + ADD AUTHENTICATION CERTIFICATE to add the CA certificate that Fortanix DSM uses to verify the TLS server certificate presented by the AWS KMS endpoint. Fortanix's external KMS solution requires that customer applications use one of the Fortanix DSM interfaces (REST, PKCS#11, KMIP, JCE, or CNG) for key management and cryptographic operations, authenticating to Fortanix DSM with a certificate or a trusted Certificate Authority (CA), instead of communicating with AWS KMS directly.

  1. Select the Validate Host check box to check that the certificate presented by the AWS KMS endpoint carries the hostname of the URL you configured in its subjectAltName or Common Name (CN). Keep this enabled: without it, any certificate chaining to a trusted CA is accepted regardless of the name it was issued for, so a custom URL must be matched exactly by the certificate's names.

  2. You can select either of the following certificates:

    • Global Root CAs - Use this option if the endpoint presents a certificate signed by a well-known public CA. By default, every AWS CDC group is configured to trust the Global Root CAs.

    • Custom CA Certificate - Use this option if, as an enterprise, you issue the endpoint's certificate from your own internal CA. You can override the default Global Root CA trust with a Custom CA Certificate for an AWS CDC group, either by uploading the certificate file or by pasting its contents into the text box provided.

      • CLIENT CERTIFICATE (optional): Under Custom CA Certificate you can also configure a client certificate and private key (the Fortanix DSM certificate and key). This enables mutual TLS: Fortanix DSM authenticates itself to the AWS KMS endpoint while also verifying the endpoint's certificate.

  3. Click the SAVE button.
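To make concrete what the Validate Host check accepts and rejects, here is an added Python example (not Fortanix code) implementing the usual hostname-matching rules against a certificate's dNSName SANs and CN. The hostnames and certificate identities in it are constructed; the practical lesson is that a wildcard covers exactly one label and that the CN is ignored whenever the certificate carries dNSName SANs, which is why a custom CA certificate for a custom URL must list the exact endpoint name.

```python
"""What the Validate Host check decides: does the hostname in the KMS URL
match an identity in the server certificate?  Added example, not Fortanix
code; the certificate identities below are constructed.  Rules follow
RFC 6125 practice: dNSName SANs are authoritative when present and the
subject CN is consulted only for certificates with no dNSName SAN, matching
is case-insensitive, and '*' stands for exactly one leftmost label."""


def dns_name_matches(pattern, hostname):
    """True if certificate identity `pattern` covers `hostname`."""
    pattern = pattern.lower().rstrip(".")
    hostname = hostname.lower().rstrip(".")
    p_labels, h_labels = pattern.split("."), hostname.split(".")
    if len(p_labels) != len(h_labels):
        return False      # "*.example.com" never covers "a.b.example.com"
    if "*" in pattern:
        # Only a whole leftmost label may be a wildcard ("k*.example.com"
        # and "a.*.example.com" are rejected), and "*.com" is too broad.
        if (p_labels[0] != "*" or any("*" in l for l in p_labels[1:])
                or len(p_labels) < 3):
            return False
    return all(p == "*" or p == h for p, h in zip(p_labels, h_labels))


def validate_host(hostname, san_dns_names, common_name=None):
    """Return True if the certificate is valid for `hostname`.

    san_dns_names: dNSName entries from subjectAltName (may be empty)
    common_name:   subject CN, used only when there are no dNSName SANs
    """
    if san_dns_names:
        return any(dns_name_matches(n, hostname) for n in san_dns_names)
    return common_name is not None and dns_name_matches(common_name, hostname)


# Constructed cases: (hostname from the URL field, SAN dNSNames, CN)
CASES = [
    ("kms.us-gov-west-1.amazonaws.com",
     ["kms.us-gov-west-1.amazonaws.com"], None),
    ("kms.internal.example.com", ["*.example.com"], None),
    ("kms.internal.example.com", ["*.internal.example.com"], None),
    ("kms.internal.example.com", ["vault.example.com"],
     "kms.internal.example.com"),
    ("kms.internal.example.com", [], "kms.internal.example.com"),
]

if __name__ == "__main__":
    for host, sans, cn in CASES:
        verdict = "Connected" if validate_host(host, sans, cn) else "Not Connected"
        print(f"{host:32} SAN={sans} CN={cn} -> {verdict}")
```

The second and fourth cases are the ones that surprise people in practice: a wildcard one level up does not cover a deeper hostname, and a matching CN does not rescue a certificate whose SAN list names something else.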

The group details now include an HSM/KMS tab displaying information about your KMS.

The HSM/KMS tab displays the details of the AWS service type, including its connection details such as the URL and access key ID. You can edit these connection details here. The selected AWS region name is also shown.

After editing and saving, click the TEST CONNECTION button to check the connection.

Click the SYNC KEYS button to sync keys from the configured AWS KMS to the AWS CDC group.

When you click TEST CONNECTION, Fortanix DSM may be unable to connect to the AWS KMS endpoint. If that happens, it displays a “Not Connected” status with a warning symbol. You can still save the connection details you provided and edit them later.

After saving the group details, you can view the list of all groups; a special symbol next to the newly created group indicates that it is an AWS CDC group, distinguishing it from other groups.

Navigate to the Users menu item in the DSM left navigation bar and click the user that says “You” on the Users page to view the user’s detailed view.

The detailed view shows all the groups the user belongs to and indicates which groups are mapped to AWS KMS, displaying their status as "connected" or "not connected."

You can delete an instance using the following steps:

  1. In the Instance table, hover over the AWS BYOK instance and click the delete button.

    WARNING

    When you delete an instance, its group and all security objects belonging to that group are deleted automatically, and any data encrypted or tokenized with those keys becomes inaccessible.

  2. Click DELETE to confirm deleting the AWS BYOK instance.

For details on how to perform native key lifecycle management in AWS KMS using Fortanix DSM, refer to the Fortanix DSM - AWS KMS Cloud Native Key Management.

For details on how to perform BYOK key lifecycle management in AWS KMS using Fortanix DSM, refer to the Fortanix DSM - AWS KMS Bring Your Own Key.