Data Security Manager with Amazon XKS Using Virtual Private Cloud

1.0 Introduction

This article describes how to integrate Fortanix Data Security Manager (DSM) on-premises with Amazon Web Service (AWS) External Key Store (XKS) using Amazon’s Virtual Private Cloud network to protect the data in AWS with keys stored in Fortanix DSM that users can use to perform cryptographic operations. It also describes how to:

  • Create and configure the AWS Network Load Balancer and Target Groups
  • Create the VPC Endpoint Service
  • Create Fortanix DSM objects
  • Create the External Key Store in AWS

1.1 Overview

When using Fortanix DSM as an external key store, AWS allows two ways of communication:

  • Public Endpoint Connectivity - AWS KMS connects to the external key store proxy (XKS proxy) over the internet using a public endpoint. This procedure is not covered in this article. You can follow the documentation link – Fortanix DSM with AWS XKS Concepts Guide and Fortanix DSM with AWS External Key Store (XKS) Integration Guide for the Public Endpoint Connectivity method.
  • Using Amazon VPC endpoint service - AWS KMS connects to the external key store proxy (XKS proxy) by creating an interface endpoint to an Amazon VPC endpoint service. This method uses AWS Direct Connect/VPN, which enables AWS KMS to privately connect to your Amazon VPC and your external key store proxy without using the public internet. This procedure is covered in this article.

2.0 Architecture

The diagram below depicts the connectivity flow between Fortanix DSM and AWS KMS:

AWS-XKS-VPC-Archi.png Figure 1: AWS Accessing Fortanix External Key Store using AWS VPC

2.1 Workflow Components

The components of the above diagram include:

  • Amazon VPC connected to AWS XKS - needs to be created, or you can choose to use an existing VPC. It is important to note that the VPC must have at least two private subnets in two different Availability Zones.
  • Amazon VPC endpoint service powered by AWS PrivateLink with a network load balancer and target group.
  • An external proxy is configured within the on-premises environment to intercept AWS KMS traffic and relays it to the Fortanix DSM service.
  • Private DNS assigned to an external proxy.
  • Fortanix DSM installed in an on-premises environment.

2.2 Workflow

  1. An AWS Service or custom application sends a request for a key to AWS KMS.
  2. AWS KMS finds the double-enveloped key in its database and sends it to the URL of the XKS service (as implemented by Fortanix DSM) to decrypt.
  3. A network load balancer relays the request from AWS KMS to the Fortanix DSM cluster located in the on-premises environment using the VPC endpoint service.
  4. Fortanix DSM decrypts the outer envelope and sends the inner envelope back to AWS KMS.
  5. AWS KMS decrypts the inner envelope and sends the plaintext DEK to the calling service or application.
  6. An external proxy created in an on-premises environment forwards the traffic to Fortanix DSM running with a public CA-signed certificate. The Fortanix DSM service certificate must contain the proxy endpoint as a SAN (Subject Alternate Name).

3.0 Prerequisites

NOTE
Creation and configuration of the VPC and establishment of connectivity between the VPC and the on-premises environment are out of the scope of this guide.

4.0 Fortanix Data Security Manager with AWS XKS Using VPC

With AWS XKS, administrators use Fortanix DSM to store cryptographic keys for the purpose of encrypting/decrypting the Data Encryption Keys in AWS KMS. Leveraging this method, cryptographic operations are performed inside Fortanix DSM. This is different from the import-key (known as, Bring Your Own Key or BYOK) functionality where the key material for a key in Fortanix DSM (external HSM) is imported into AWS KMS with an optional expiration period while cryptographic operations happen inside an AWS data center.

4.1 Access to Fortanix Data Security Manager

A Fortanix DSM service must be configured, and the URL must be accessible. Create a Fortanix DSM account, for example: AWSXKS_TEST, and a group, for example: AWS_XKS_GROUP on Fortanix DSM. See the Fortanix DSM Getting Started guide for more information.

4.2 Create/Import an AES Key and Copy the Key UUID

On your Fortanix DSM console, follow the steps below to create an AES encryption key:

  1. Click the Security Objects Screenshot 2023-08-16 160904.png menu. 
  2. Click add.png to create a new security object.
  3. Type a name for the Security Object, for example: XKS_TEST_KEY.
  4. Select the group AWS_XKS_GROUP for the key.
  5. Select the Generate option and select the key type AES to generate an AES key.
  6. In the Key size field, select 256 bits. (Default value is 256 bits)
  7. Select the permitted key operations for this key. Ensure the new key has “encrypt” and “decrypt” key operations allowed.
  8. Optional: Add Custom Attributes and edit Activation and Deactivation dates if required.
  9. Optional: Select Audit log to enable audit logging. This will inform you about all the audit logging for this security object.
  10. Click Generate to generate the AES key.
    You can also import an AES encryption key. Refer to the Key Lifecycle Management guide for instructions to import a key.
    AESKey-XKS-VPC.png
    Figure 2: AES Key
  11. The UUID of this AES key is required in Section 4.7: Create External Key Store in AWS KMS to create the key in AWS XKS. To copy the UUID of the key- XKS_TEST_KEY:
    1. Click the drop down for COPY ID and click COPY UUID in the list to copy the key UUID to the system clipboard. You may choose to paste this UUID into Notepad or an equivalent program for later use.

4.3 Create an App in Fortanix Data Security Manager

Create a Fortanix DSM app with the AWS XKS authentication method. To create an application in the Fortanix DSM account:

  1. Click the Apps Nutanix-CreateAppIcon.png menu.
  2. Create a new Fortanix DSM app using the Add add.png button.
  3. In the Adding new app form, do the following:
    1. In the App name field, type the name of the AWS XKS app. For example: DSM_XKS_APP.
    2. In the Authentication method, select AWS XKS.
    3. Assign the app to the same group, that is, AWS_XKS_GROUP that contains the AES 256 key created in Section 4.2: Create/Import an AES Key and Copy the Key UUID.
    4. Click Save to create the new application.
      DSMApp-XKS-VPC.png
      Figure 3: Create a DSM App
  4. In the detailed view of an app, click the INFO tab and in the AWS XKS section, click the SHOW INSTRUCTIONS button.
  5. In the AWS XKS modal window, copy the URI and the configuration info individually and make a note of it or click COPY CONFIG FILE to copy all the configuration details at once to the clipboard in JSON format. The following are the configuration values:
    • Path prefix: A fixed path containing the Fortanix DSM App UUID.
    • Access key ID and Secret access key: The access key and secret access key are used by AWS to access Fortanix DSM.
      XKSAppConfig-XKS-VPC.png
      Figure 4: Copy the AWS XKS App Configurations

4.4 Configure HAProxy Service in Fortanix Data Security Manager On-Premises

It is highly recommended to configure at least two HAProxy servers in HA to receive KMS traffic using AWS VPC. It must be configured with SSL pass-through to forward the incoming traffic to the backend service URL. Following is an example of installing HAProxy on Ubuntu and configuring the proxy service.

NOTE
You must follow the operating system-specific HAProxy installation instructions. You can use other proxy services as per your choice. Here we used HAProxy for this testing.
apt-get install haproxy

Edit the configuration /etc/haproxy/haproxy.cfg.
Following is an example of the HAProxy configuration.

global
         log /dev/log local0 info
         stats socket ipv4@127.0.0.1:9999 level admin
         stats socket /var/run/haproxy.sock mode 666 level admin
         stats timeout 2m
defaults
         log global
         option tcplog
         timeout client  10s #Applies to all FrontEnd
         timeout connect 10s #Applies to all Backend
         timeout server  10s #Applies to all Backend
frontend stats
   bind *:1936
   mode http
   stats uri /
   stats show-legends
   stats refresh 5s
  no log
frontend https
         bind *:443
         mode tcp
        default_backend bk_app
backend bk_app
         mode tcp
         server testdsm  10.197.192.40:443 check

4.5 Create and Configure AWS Network Load Balancer and Target Groups

NOTE
Before you start this section, it is assumed that you have the following configuration already in place.
  • AWS VPC configured
  • Communication between DSM on-premises to AWS VPC is established. (Direct Connect/VPN)
  • HAProxy is configured
  1. Create target groups.
    1. Go to the Amazon EC2 console at the URL below:
      https://console.aws.amazon.com/ec2/
    2. In the navigation pane, select Target Groups, and then click Create.
    3. In the Basic configuration section:
      1. Select the target type as IP addresses.
      2. Enter a logical Target group name.
      3. Select Protocol as TCP and Port as 443.
      4. Select the IP address type as IPV4.
      5. Select the VPC that you have created for the integration and click Next.
        CreateTargetGroup1-XKS-VPC.png CreateTargetGroup2-XKS-VPC.pngFigure 5: Create Target Group
  2. Register targets in the Target Group.
    1. Go to Target groups in the EC2 console, and then select Register targets.
    2. Add the IP addresses of the HAProxy located in the on-premises environment. Enter Ports as 443 for routing to the target.
      RegisterTargets-XKS-VPC.png
      Figure 6: Register Targets in the Target Group
  3. Create a load balancer.
    1. Search “load balancer” in the Search Box of AWS Console and select the Load Balancer EC2 feature.
    2. Select Create Load Balancer, select Network Load Balancer, and then click Create.
      1. Enter a logical name in the Load balancer name field.
      2. Select the Scheme as Internal.
      3. Select the IP address type as IPV4.
      4. In the Network mapping section, select the VPC created for the integration, and then under Mappings select both the zones.
      5. In the Listeners and routing section, select Protocol as TCP and Port as 443. Select the target group created above for the Default action field. Click Add listener.
      6. Verify and then click Create load balancer.

4.6 Create VPC Endpoint Service

  1. Go to VPC in the AWS Console and click Endpoint services. Select Create.
    1. In the Create endpoint service form:
      1. Enter a logical name for the VPC endpoint service.
      2. Select Load balancer type as Network.
      3. Then select the load balancer created above under Available load balancers.
        CreateEndpointService1-XKS-VPC.png
        Figure 7: Create endpoint service
      4. In the Additional settings section,
        1. Clear the Acceptance required option.
        2. Select the Associate a private DNS name with the service option.
        3. Enter the Proxy DNS for the Private DNS name field.
      5. Select IPV4 as the Supported IP address types.
      6. Click Create.
        CreateEndpointServiceAdditionalSettings-XKS-VPC.png
        Figure 8: Create Endpoint Services
      7. After the VPC endpoint is created, it will generate the domain verification name and value. The Domain verification status shows “pendingVerification”. You must copy the Domain verification name and Domain verification value and create a TXT record on Route 53 under your domain. After the successful verification, the Domain verification status shows “Verified”.
        Reference: https://docs.aws.amazon.com/kms/latest/developerguide/vpc-connectivity.html
        DomainVerification-XKS-VPC.png
        Figure 9: Domain Verification Name and Value
      8. You must add "Allow Principals" to use the VPC endpoint service as below. This is required to allow KMS to communicate through the VPC endpoint service you created.
        1. In the navigation pane, choose Endpoint services.
        2. Select the endpoint service and select the Allow principals tab.
        3. To add permissions, click Allow principals.
        4. In the Principals to add section, enter the ARN of the principal.
          AllowPrincipal-XKS-VPC.png
          Figure 10: Allow Principal

4.7 Create External Keystore in AWS KMS

  1. Go to Key Management Service in the AWS console and select External key stores.
    1. Click the Create option to create the external key store.
      1. Enter a logical name for the Key store name field.
      2. Select the VPC endpoint service in the Proxy connectivity section.
      3. Select the VPC endpoint service created in the previous section.
      4. In the Proxy URI endpoint field, enter the proxy DNS name.
      5. Upload the configuration file from Fortanix DSM that you copied on the clipboard in Section 4.3: Create an App in Fortanix DSM. This will populate the fields in the Proxy Configuration section.
      6. Click Create external key store.
        CreateExternalKeyStore-XKS-VPC.png
        Figure 11: Create External Keystore
  2. After the external key store is created, click the keystore and check the Connection State.
    It should show as Connected. This might take a while. If it shows a status other than Connected, then troubleshoot the connectivity.
    ConnectionState-XKS-VPC.png
    Figure 12: XKS Connection State
  3. Now, the KMS key can be created in this key store.
    1. Click Create a KMS key in this keystore.
      1. In the Key configuration form, enter the Key UUID copied in Section 4.2: Create or Import an AES Key and Copy the Key UUID in the External key ID field.
      2. Confirm the use of an external key store and click Next.
        AWS-VPC-ConfigureKeyXKS.png
        Figure 13: KMS Key Configuration
    2. Enter the key Alias and click Next.
      AddLabels-XKS-VPC.png
      Figure 14: Add Labels
    3. Select the Key administrators from the list, click on the check box for the Key deletion based on your requirements, and click Next.
      KayAdmin-XKS-VPC.png
      Figure 15: Key Administrators Permission

      KeyUsagePerm-XKS-VPC.png
      Figure 16: Key Usage Permission
      • Key Administrative permissions: AWS IAM users or roles who can manage the AWS external keystore key from the console.
      • Key Usage Permissions: AWS IAM users or roles who can use the key for cryptographic operations.
    4. Finally, review the Key configuration and click Finish.
      ReviewKeyConfig-XKS-VPC.png
      Figure 17: Review Key Configuration

5.0 Using the XKS Key to Encrypt S3 Bucket

5.1 Create an S3 Bucket

This section describes how to use a Fortanix DSM key as an AWS customer-managed key to encrypt an S3 bucket.

  1. Create an S3 bucket, Amazon S3 -> Buckets -> Create bucket.
    AWS-XKS-VPC-CreateS3bucket.png
    Figure 18: Create an S3 Bucket
  2. Upload a file to S3 and check the Fortanix key access logs.
    UploadFileS3-XKS-VPC.png
    Figure 19: Upload File to S3

    UploadSuccessful-XKS-VPC.png
    Figure 20: Upload Successful

    FortanixKeyAccessLogs-XKS-VPC.png
    Figure 21: Fortanix Key Access Logs

6.0 References

Comments

Please sign in to leave a comment.

Was this article helpful?
0 out of 0 found this helpful