Data Security Manager with Amazon XKS Using Virtual Private Cloud

1.0 Introduction

This article describes how to integrate Fortanix Data Security Manager (DSM) on-premises with Amazon Web Service (AWS) External Key Store (XKS) using Amazon’s Virtual Private Cloud network to protect the data in AWS with keys stored in Fortanix DSM that users can use to perform cryptographic operations. It also describes how to:

• Create and configure the AWS Network Load Balancer and Target Groups
• Create the VPC Endpoint Service
• Create Fortanix DSM objects
• Create the External Key Store in AWS

1.1 Overview

When using Fortanix DSM as an external key store, AWS allows two ways of communication:

• Public Endpoint Connectivity - AWS KMS connects to the external key store proxy (XKS proxy) over the internet using a public endpoint. This procedure is not covered in this article. You can follow the documentation link – Fortanix DSM with AWS XKS Concepts Guide and Fortanix DSM with AWS External Key Store (XKS) Integration Guide for the Public Endpoint Connectivity method.
• Using Amazon VPC endpoint service - AWS KMS connects to the external key store proxy (XKS proxy) by creating an interface endpoint to an Amazon VPC endpoint service. This method uses AWS Direct Connect/VPN, which enables AWS KMS to privately connect to your Amazon VPC and your external key store proxy without using the public internet. This procedure is covered in this article.

2.0 Architecture

The diagram below depicts the connectivity flow between Fortanix DSM and AWS KMS:

Figure 1: AWS Accessing Fortanix External Key Store using AWS VPC

2.1 Workflow Components

The components of the above diagram include:

• Amazon VPC connected to AWS XKS - needs to be created, or you can choose to use an existing VPC. It is important to note that the VPC must have at least two private subnets in two different Availability Zones.
• Amazon VPC endpoint service powered by AWS PrivateLink with a network load balancer and target group.
• An external proxy is configured within the on-premises environment to intercept AWS KMS traffic and relays it to the Fortanix DSM service.
• Private DNS assigned to an external proxy.
• Fortanix DSM installed in an on-premises environment.

2.2 Workflow

1. An AWS Service or custom application sends a request for a key to AWS KMS.
2. AWS KMS finds the double-enveloped key in its database and sends it to the URL of the XKS service (as implemented by Fortanix DSM) to decrypt.
3. A network load balancer relays the request from AWS KMS to the Fortanix DSM cluster located in the on-premises environment using the VPC endpoint service.
4. Fortanix DSM decrypts the outer envelope and sends the inner envelope back to AWS KMS.
5. AWS KMS decrypts the inner envelope and sends the plaintext DEK to the calling service or application.
6. An external proxy created in an on-premises environment forwards the traffic to Fortanix DSM running with a public CA-signed certificate. The Fortanix DSM service certificate must contain the proxy endpoint as a SAN (Subject Alternate Name).

3.0 Prerequisites

• AWS resources:
  • Network Load Balancer (NLB)
    Reference: https://docs.aws.amazon.com/elasticloadbalancing/latest/network/create-network-load-balancer.html#configure-load-balancer
  • VPC (with private subnet)
  • VPC Endpoint Service (Ensure to add .TXT record as per documentation. “Domain verification status” should be "Verified")
    Reference: https://docs.aws.amazon.com/kms/latest/developerguide/vpc-connectivity.html#xks-nlb
  • KMS
  • The connection between AWS Cloud and Fortanix DSM on-premises (VPN/Direct Connect)
• On-premises resources:
  • Fortanix DSM on-premises version 4.9 and above.
  • High Availability Proxy: A minimum of two nodes are recommended to achieve high availability. 
  NOTE

  Fortanix used the HAProxy proxy service for testing.

4.0 Fortanix Data Security Manager with AWS XKS Using VPC

With AWS XKS, administrators use Fortanix DSM to store cryptographic keys for the purpose of encrypting/decrypting the Data Encryption Keys in AWS KMS. Leveraging this method, cryptographic operations are performed inside Fortanix DSM. This is different from the import-key (known as, Bring Your Own Key or BYOK) functionality where the key material for a key in Fortanix DSM (external HSM) is imported into AWS KMS with an optional expiration period while cryptographic operations happen inside an AWS data center.

4.1 Access to Fortanix Data Security Manager

A Fortanix DSM service must be configured, and the URL must be accessible. Create a Fortanix DSM account, for example: AWSXKS_TEST, and a group, for example: AWS_XKS_GROUP on Fortanix DSM. See the Fortanix DSM Getting Started guide for more information.

4.2 Create/Import an AES Key and Copy the Key UUID

On your Fortanix DSM console, follow the steps below to create an AES encryption key:

1. Click the Security Objects menu. 
2. Click to create a new security object.
3. Type a name for the Security Object, for example: XKS_TEST_KEY.
4. Select the group AWS_XKS_GROUP for the key.
5. Select the Generate option and select the key type AES to generate an AES key.
6. In the Key size field, select 256 bits. (Default value is 256 bits)
7. Select the permitted key operations for this key. Ensure the new key has “encrypt” and “decrypt” key operations allowed.
8. Optional: Add Custom Attributes and edit Activation and Deactivation dates if required.
9. Optional: Select Audit log to enable audit logging. This will inform you about all the audit logging for this security object.
10. Click Generate to generate the AES key.
    You can also import an AES encryption key. Refer to the Key Lifecycle Management guide for instructions to import a key.
    
    Figure 2: AES Key
11. The UUID of this AES key is required in Section 4.7: Create External Key Store in AWS KMS to create the key in AWS XKS. To copy the UUID of the key- XKS_TEST_KEY:
    1. Click the drop down for COPY ID and click COPY UUID in the list to copy the key UUID to the system clipboard. You may choose to paste this UUID into Notepad or an equivalent program for later use.

4.3 Create an App in Fortanix Data Security Manager

Create a Fortanix DSM app with the AWS XKS authentication method. To create an application in the Fortanix DSM account:

1. Click the Apps menu.
2. Create a new Fortanix DSM app using the Add button.
3. In the Adding new app form, do the following:
   1. In the App name field, type the name of the AWS XKS app. For example: DSM_XKS_APP.
   2. In the Authentication method, select AWS XKS.
   3. Assign the app to the same group, that is, AWS_XKS_GROUP that contains the AES 256 key created in Section 4.2: Create/Import an AES Key and Copy the Key UUID.
   4. Click Save to create the new application.
      
      Figure 3: Create a DSM App
4. In the detailed view of an app, click the INFO tab and in the AWS XKS section, click the SHOW INSTRUCTIONS button.
5. In the AWS XKS modal window, copy the URI and the configuration info individually and make a note of it or click COPY CONFIG FILE to copy all the configuration details at once to the clipboard in JSON format. The following are the configuration values:
   • Path prefix: A fixed path containing the Fortanix DSM App UUID.
   • Access key ID and Secret access key: The access key and secret access key are used by AWS to access Fortanix DSM.
     
     Figure 4: Copy the AWS XKS App Configurations

4.4 Configure HAProxy Service in Fortanix Data Security Manager On-Premises

It is highly recommended to configure at least two HAProxy servers in HA to receive KMS traffic using AWS VPC. It must be configured with SSL pass-through to forward the incoming traffic to the backend service URL. Following is an example of installing HAProxy on Ubuntu and configuring the proxy service.

apt-get install haproxy

Edit the configuration /etc/haproxy/haproxy.cfg.
Following is an example of the HAProxy configuration.

global
         log /dev/log local0 info
         stats socket ipv4@127.0.0.1:9999 level admin
         stats socket /var/run/haproxy.sock mode 666 level admin
         stats timeout 2m
defaults
         log global
         option tcplog
         timeout client  10s #Applies to all FrontEnd
         timeout connect 10s #Applies to all Backend
         timeout server  10s #Applies to all Backend
frontend stats
   bind *:1936
   mode http
   stats uri /
   stats show-legends
   stats refresh 5s
   no log
frontend https
         bind *:443
         mode tcp
         default_backend bk_app
backend bk_app
         mode tcp
         server testdsm  10.197.192.40:443 check

4.5 Create and Configure AWS Network Load Balancer and Target Groups

1. Create target groups.
   1. Go to the Amazon EC2 console at the URL below:
      https://console.aws.amazon.com/ec2/
   2. In the navigation pane, select Target Groups, and then click Create.
   3. In the Basic configuration section:
      1. Select the target type as IP addresses.
      2. Enter a logical Target group name.
      3. Select Protocol as TCP and Port as 443.
      4. Select the IP address type as IPV4.
      5. Select the VPC that you have created for the integration and click Next.
         Figure 5: Create Target Group
2. Register targets in the Target Group.
   1. Go to Target groups in the EC2 console, and then select Register targets.
   2. Add the IP addresses of the HAProxy located in the on-premises environment. Enter Ports as 443 for routing to the target.
      
      Figure 6: Register Targets in the Target Group
3. Create a load balancer.
   1. Search “load balancer” in the Search Box of AWS Console and select the Load Balancer EC2 feature.
   2. Select Create Load Balancer, select Network Load Balancer, and then click Create.
      1. Enter a logical name in the Load balancer name field.
      2. Select the Scheme as Internal.
      3. Select the IP address type as IPV4.
      4. In the Network mapping section, select the VPC created for the integration, and then under Mappings select both the zones.
      5. In the Listeners and routing section, select Protocol as TCP and Port as 443. Select the target group created above for the Default action field. Click Add listener.
      6. Verify and then click Create load balancer.

4.6 Create VPC Endpoint Service

1. Go to VPC in the AWS Console and click Endpoint services. Select Create.
   1. In the Create endpoint service form:
      1. Enter a logical name for the VPC endpoint service.
      2. Select Load balancer type as Network.
      3. Then select the load balancer created above under Available load balancers.
         
         Figure 7: Create endpoint service
      4. In the Additional settings section,
         1. Clear the Acceptance required option.
         2. Select the Associate a private DNS name with the service option.
         3. Enter the Proxy DNS for the Private DNS name field.
      5. Select IPV4 as the Supported IP address types.
      6. Click Create.
         
         Figure 8: Create Endpoint Services
      7. After the VPC endpoint is created, it will generate the domain verification name and value. The Domain verification status shows “pendingVerification”. You must copy the Domain verification name and Domain verification value and create a TXT record on Route 53 under your domain. After the successful verification, the Domain verification status shows “Verified”.
         Reference: https://docs.aws.amazon.com/kms/latest/developerguide/vpc-connectivity.html
         
         Figure 9: Domain Verification Name and Value
      8. You must add "Allow Principals" to use the VPC endpoint service as below. This is required to allow KMS to communicate through the VPC endpoint service you created.
         1. In the navigation pane, choose Endpoint services.
         2. Select the endpoint service and select the Allow principals tab.
         3. To add permissions, click Allow principals.
         4. In the Principals to add section, enter the ARN of the principal.
            
            Figure 10: Allow Principal

4.7 Create External Keystore in AWS KMS

1. Go to Key Management Service in the AWS console and select External key stores.
   1. Click the Create option to create the external key store.
      1. Enter a logical name for the Key store name field.
      2. Select the VPC endpoint service in the Proxy connectivity section.
      3. Select the VPC endpoint service created in the previous section.
      4. In the Proxy URI endpoint field, enter the proxy DNS name.
      5. Upload the configuration file from Fortanix DSM that you copied on the clipboard in Section 4.3: Create an App in Fortanix DSM. This will populate the fields in the Proxy Configuration section.
      6. Click Create external key store.
         
         Figure 11: Create External Keystore
2. After the external key store is created, click the keystore and check the Connection State.
   It should show as Connected. This might take a while. If it shows a status other than Connected, then troubleshoot the connectivity.
   
   Figure 12: XKS Connection State
3. Now, the KMS key can be created in this key store.
   1. Click Create a KMS key in this keystore.
      1. In the Key configuration form, enter the Key UUID copied in Section 4.2: Create or Import an AES Key and Copy the Key UUID in the External key ID field.
      2. Confirm the use of an external key store and click Next.
         
         Figure 13: KMS Key Configuration
   2. Enter the key Alias and click Next.
      
      Figure 14: Add Labels
   3. Select the Key administrators from the list, click on the check box for the Key deletion based on your requirements, and click Next.
      
      Figure 15: Key Administrators Permission
      
      Figure 16: Key Usage Permission
      • Key Administrative permissions: AWS IAM users or roles who can manage the AWS external keystore key from the console.
      • Key Usage Permissions: AWS IAM users or roles who can use the key for cryptographic operations.
   4. Finally, review the Key configuration and click Finish.
      
      Figure 17: Review Key Configuration

5.0 Using the XKS Key to Encrypt S3 Bucket

5.1 Create an S3 Bucket

This section describes how to use a Fortanix DSM key as an AWS customer-managed key to encrypt an S3 bucket.

1. Create an S3 bucket, Amazon S3 -> Buckets -> Create bucket.
   
   Figure 18: Create an S3 Bucket
2. Upload a file to S3 and check the Fortanix key access logs.
   
   Figure 19: Upload File to S3
   
   Figure 20: Upload Successful
   
   Figure 21: Fortanix Key Access Logs

6.0 References

• AWS XKS troubleshooting guide
  https://docs.aws.amazon.com/kms/latest/developerguide/xks-troubleshooting.html
• Support key types with AWS external keystore:
  https://docs.aws.amazon.com/kms/latest/developerguide/xks-troubleshooting.html
• Support key types with AWS external keystore:
  https://docs.aws.amazon.com/kms/latest/developerguide/create-xks-keys.html
• Controlling access to your External keystore:
  https://docs.aws.amazon.com/kms/latest/developerguide/authorize-xks-key-store.html