Fortanix DSM - AWS Key Management Service CDC Group Setup - Using Easy Wizard

1.0  Overview

Welcome to the Fortanix Data Security Manager (DSM) and Amazon Web Services (AWS) Cloud Data Control (CDC) Setup Guide. This article describes how to automatically setup a CDC group for AWS KMS using Fortanix DSM easy wizard integration.

The Fortanix solution for AWS Key Management Service (KMS) offers complete Cloud Native Key Management (CNKMS), Bring Your Own Key (BYOK), and Bring Your Own KMS (BYOKMS), with complete lifecycle management for automation.

This article will walk you through setting up a Cloud Data Control (CDC) group that will be used for both CNKMS and BYOK workflows.

2.0 Getting Started with Fortanix Cloud Data Control

To understand which solution between CNKMS, BYOK, Bring Your Own KMS (AWS XKS), or Bring Your Own Encryption (BYOE) is right for you, please see Fortanix Data Security Manager Cloud Data Control Getting Started Guide.

For BYOKMS using AWS External Key Store (XKS) see Fortanix DSM with External Key Store.

3.0 Obtaining Access to Fortanix Data Security Manager

Create an account in Fortanix DSM if you do not have one already. See the Fortanix DSM Getting Started guide for more information.

4.0  Fortanix Data Security Manager AWS KMS Group Setup - Easy Wizard

The following section describes the workflow to configure Fortanix DSM to interact with the AWS KMS. An AWS CDC group is automatically created in the Fortanix DSM account using the easy wizard integration, and this group is configured to interact with the AWS KMS.

4.1  Prerequisites

To configure the AWS CDC group, the following are the AWS KMS permissions that the AWS Identity and Access Management (IAM) users must have to authenticate the Fortanix DSM group with AWS KMS.

LIST Permissions:

• ListKeys
• ListKeyPolicies
• ListRetirableGrants
• ListAliases
• ListGrants
• ListResourceTags

READ Permissions:

• DescribeKey
• GetPublicKey
• GetKeyRotationStatus
• GetKeyPolicy
• GetParametersForImport

WRITE Permissions:

• CreateKey
• ImportKeyMaterial
• DeleteImportedKeyMaterial
• EnableKey
• DisableKey
• ScheduleKeyDeletion
• CancelKeyDeletion
• EnableKeyRotation
• DisableKeyRotation
• CreateAlias
• DeleteAlias
• UpdateAlias
• PutKeyPolicy
• TagResource
• UntagResource
• CreateGrant
• RetireGrant
• RevokeGrant

4.2  Configure an AWS CDC Group 

1. On the Fortanix DSM Integrations page, select the Cloud Key Management/BYOK filter to filter the wizards for Cloud Key Management/BYOK.
2. On the AWS BYOK wizard, click ADD INSTANCE to add a new AWS BYOK:
3. Enter the following details:
   1. Enter a name for the AWS BYOK instance.
   2. Select the aws option as the cloud provider to export your key.
      NOTE

      The Fortanix DSM 4.14 release only supports AWS as the cloud provider. Future releases of Fortanix DSM will also support other cloud providers.
   3. In the Choose Region field, select the AWS region from which the keys should be imported. 
   4. Enter the AWS KMS Service Account Credentials: 
      • URL: The URL of the AWS region gets auto-populated based on the region selected. This is an editable field, so a user can also add a custom URL of the AWS region. In the case of a custom URL, the URL label will change to URL (Custom).
      • AWS_ACCESS_KEY_ID and AWS_SECRET_ACCESS_KEY: The Access Key and Secret Access Key are used for accessing the AWS services. Each AWS account has its unique login credentials; Fortanix DSM should allow its users to log in and securely save AWS credentials to do native cloud key management and offline automation such as automatic key rotation based on a set schedule and so on. For more information on obtaining AWS credentials, refer to AWS documentation.
   5. Add a certificate. For more details refer to Section 4.3.
   6. Click TEST CONNECTION to test your AWS KMS connection. If Fortanix DSM is able to connect to your AWS using your connection details, then it shows the status as “Connected” with a green tick . Otherwise, it shows the status as “Not Connected” with a yellow warning sign  . 
   7. Click SAVE INSTANCE to save your instance.
      Saving the instance will automatically create the following:
      • A new AWS CDC group for the selected region.
      • A new instance in the instance table.
4. In the instance table:
   1. Click MANAGE KEYS to go to the Security Objects tab of the AWS CDC group.
   2. Click SYNC KEYS to go to the HSM/KMS tab of the AWS CDC group. For more details refer to Section 4.4.

4.3  Add Certificate (Optional)

1. Click + ADD CONFIGURATION to add a certificate for authenticating your AWS KMS. Fortanix's external KMS solution requires that the customer applications use one of the Fortanix DSM interfaces (REST, PKCS#11, KMIP, JCE, or CNG) to interact with Fortanix DSM for key management and cryptographic operations. These applications should be configured to authenticate to Fortanix DSM using a Certificate or Trusted Certificate Authority (CA) instead of directly communicating with AWS KMS.
   1. There are two certificate options to choose from.
      • Global Root CA - Use this certificate if you are using a certificate that is signed by a well-known public CA. By default, every AWS CDC Group is configured with a Global Root CA Certificate.
      • Custom CA Certificate – Use this certificate if you as an enterprise want to self-sign the certificate using your own internal CA. You can override the default Global CA cert with a Custom CA Certificate for an AWS CDC group. You can either upload the certificate file or copy the contents of the certificate in the textbox provided. 
   2. Select the Validate Host check box to check if the certificate that the AWS KMS provided has the same subjectAltName or Common Name (CN) as the hostname that the server certificate is coming from.
2. + ADD CLIENT CERTIFICATE (optional): A Custom CA Certificate also has a Client Certificate section where you can configure a client certificate and a private key (Fortanix DSM Certificate and Key). This allows Fortanix DSM to authenticate itself to the AWS KMS and vice versa. 

4.4  The HSM/KMS Tab

The HSM/KMS tab shows the details of the AWS Service Type and the connection details of that Service Type such as the URL, access key, and secret. You can also edit the AWS connection details here.

After you edit the connection details and save it, click TEST CONNECTION to test the connection.

Click SYNC KEYS to sync keys from the configured AWS KMS to the AWS CDC group.

4.5  Not Connected Scenario

On clicking TEST CONNECTION, it is possible that Fortanix DSM is not able to connect to the AWS node, in that case, it displays a “Not Connected” status with a warning symbol . You can save the details of the new connection details provided and edit them later.

4.6  Groups Table View

After saving the group details, you can see the list of all groups and notice the special symbol next to the newly created group, this symbol differentiates it from the other groups, as it shows that it is an AWS CDC group.

4.7  User's View

Click the Users tab  in the Fortanix DSM UI, and click the user that says “You” to go to the user’s detailed view, as shown below.

The detailed view shows all the groups of which the user is a member; additionally, Fortanix DSM displays which groups are mapped to AWS KMS and whether they are “connected” or “not connected”.

For details on how to perform native key lifecycle management in AWS KMS using Fortanix DSM, refer to the User's Guide: Fortanix DSM AWS KMS Cloud Native Key Management.

For details on how to perform BYOK key lifecycle management in AWS KMS using Fortanix DSM, refer to the User's Guide: Fortanix DSM AWS KMS Bring Your Own Key.

5.0 Delete Instance

You can delete an instance using the following steps:

1. In the Instance table, hover on the AWS BYOK instance, and click the delete button.
   WARNING

   When you delete an instance, the group and all security objects belonging to the instance will be automatically deleted and all encrypted/tokenized data will become inaccessible.
2. Click DELETE to confirm deleting the AWS BYOK instance.