Fortanix DSM - AWS Key Management Service CDC Group Setup

Last Updated: June 07, 2023 07:40

FORTANIX DATA SECURITY MANAGER AWS EXTERNAL KMS SETUP USER GUIDE.pdf
(400 KB)

1.0 Overview

Welcome to the Fortanix Data Security Manager (DSM) and Amazon Web Services (AWS) Cloud Data Control (CDC) Setup Guide. This article describes how to set up a CDC group for AWS KMS using Fortanix DSM.

The Fortanix solution for AWS Key Management Service (KMS) offers complete Cloud Native Key Management (CNKMS), Bring Your Own Key (BYOK), and Bring Your Own KMS (BYOKMS), with complete lifecycle management for automation.

This article will walk you through setting up a Cloud Data Control (CDC) group that will be used for both CNKMS and BYOK workflows.

2.0 Getting Started with Fortanix Cloud Data Control

To understand which solution between CNKMS, BYOK, Bring Your Own KMS (AWS XKS), or Bring Your Own Encryption (BYOE) is right for you, please see Fortanix Data Security Manager Cloud Data Control Getting Started Guide.

For BYOKMS using AWS External Key Store (XKS) see Fortanix DSM with External Key Store.

3.0 Obtaining Access to Fortanix Data Security Manager

Create an account in Fortanix DSM if you do not have one already. See the Fortanix DSM Getting Started guide for more information.

4.0 Fortanix Data Security Manager AWS KMS Group Setup

The following section describes the workflow to configure Fortanix DSM to interact with the AWS KMS. An AWS CDC KMS group is created in the Fortanix DSM account, and this group is configured to interact with the AWS KMS.

4.1 Prerequisites

To configure the AWS CDC group, the following are the AWS KMS permissions that the AWS Identity and Access Management (IAM) users must have to authenticate the Fortanix DSM group with AWS KMS.

LIST Permissions:

ListKeys
ListKeyPolicies
ListRetirableGrants
ListAliases
ListGrants
ListResourceTags

READ Permissions:

DescribeKey
GetPublicKey
GetKeyRotationStatus
GetKeyPolicy
GetParametersForImport

WRITE Permissions:

CreateKey
ImportKeyMaterial
DeleteImportedKeyMaterial
EnableKey
DisableKey
ScheduleKeyDeletion
CancelKeyDeletion
EnableKeyRotation
DisableKeyRotation
CreateAlias
DeleteAlias
UpdateAlias
PutKeyPolicy
TagResource
UntagResource
CreateGrant
RetireGrant
RevokeGrant

3.2 Configure an AWS CDC Group

On the Fortanix DSM Groups page, click the button to create a new AWS CDC group.
In the Adding new group form:
1. Enter a title and description for your group.
2. Next, click the LINK HSM/EXTERNAL KMS button to select the AWS KMS type, so that Fortanix DSM can connect to it.
3. Select the type of HSM/external KMS as AWS Key Management Service from the drop down menu.
4. In the Choose Region field, select the AWS region from which the keys should be imported.
  If you are a United States (US) government employee, you can choose from the following AWS GovCloud regions:
  - AWS GovCloud (US-East)
  - AWS GovCloud (US-West)
  When you select an AWS GovCloud region, then the AWS BYOK key upload operations are executed against the KMS in that region and the uploaded keys will appear usable by AWS GovCloud.
  
  NOTE
  
  To use AWS GovCloud for the US Government, you need to be a US citizen associated with the US Federal Government or a US government contractor. Please refer to the Cloud Providers' documentation about access to these environments.
5. Enter the AWS KMS Service Account Credentials:
  - URL: The URL of the AWS region gets auto-populated based on the region selected. This is an editable field, so a user can also add a custom URL of the AWS region. In the case of a custom URL, the URL label will change to URL (Custom).
  - AWS_ACCESS_KEY_ID and AWS_SECRET_ACCESS_KEY: The Access Key and Secret Access Key are used for accessing the AWS services. Each AWS account has its unique login credentials; Fortanix DSM should allow its users to log in and securely save AWS credentials to do native cloud key management and offline automation such as automatic key rotation based on a set schedule and so on. For more information on obtaining AWS credentials, refer to AWS documentation.
Add a certificate. For more details refer to Section 3.3.
Click TEST CONNECTION to test your AWS KMS connection. If Fortanix DSM is able to connect to your AWS using your connection details, then it shows the status as “Connected” with a green tick . Otherwise, it shows the status as “Not Connected” with a yellow warning sign .

3.3 Add Certificate (Optional)

Click + ADD CONFIGURATION to add a certificate for authenticating your AWS KMS. Fortanix's external KMS solution requires that the customer applications use one of the Fortanix DSM interfaces (REST, PKCS#11, KMIP, JCE, or CNG) to interact with Fortanix DSM for key management and cryptographic operations. These applications should be configured to authenticate to Fortanix DSM using a Certificate or Trusted Certificate Authority (CA) instead of directly communicating with AWS KMS.
1. There are two certificate options to choose from.
  - Global Root CA - Use this certificate if you are using a certificate that is signed by a well-known public CA. By default, every AWS CDC Group is configured with a Global Root CA Certificate.
  - Custom CA Certificate – Use this certificate if you as an enterprise want to self-sign the certificate using your own internal CA. You can override the default Global CA cert with a Custom CA Certificate for an AWS CDC group. You can either upload the certificate file or copy the contents of the certificate in the textbox provided.
2. Select the Validate Host check box to check if the certificate that the AWS KMS provided has the same subjectAltName or Common Name (CN) as the hostname that the server certificate is coming from.
+ ADD CLIENT CERTIFICATE (optional): A Custom CA Certificate also has a Client Certificate section where you can configure a client certificate and a private key (Fortanix DSM Certificate and Key). This allows Fortanix DSM to authenticate itself to the AWS KMS and vice versa.

3.4 Save AWS CDC Group Details

Though testing the connection in the previous section is an optional step, you can save your group details even if the connection information might be incorrect or incomplete, you can edit these details later. Now, save your group details by clicking the SAVE button.

After you save your group details, your group is created, and you will see a detailed view of your group.

You can now see that there is an addition of the HSM/KMS tab in the group details, this tab shows the details about your KMS.

3.5 The HSM/KMS Tab

The HSM/KMS tab shows the details of the AWS Service Type and the connection details of that Service Type such as the URL, access key, and secret. You can also edit the AWS connection details here.

Once you edit the connection details and save it, click TEST CONNECTION to test the connection.

Click SYNC KEYS to sync keys from the configured AWS KMS to the AWS CDC group.

3.6 Not Connected Scenario

On clicking TEST CONNECTION, it is possible that Fortanix DSM is not able to connect to the AWS node, in that case, it displays a “Not Connected” status with a warning symbol . You can save the details of the new connection details provided and edit them later.

3.7 Groups Table View

After saving the group details, you can see the list of all groups and notice the special symbol next to the newly created group, this symbol differentiates it from the other groups, as it shows that it is an AWS CDC group.

3.8 User's View

Click the Users tab in the Fortanix DSM UI, and click the user that says “You” to go to the user’s detailed view, as shown below.

The detailed view shows all the groups of which the user is a member; additionally, Fortanix DSM displays which groups are mapped to AWS KMS and whether they are “connected” or “not connected”.

For details on how to perform native key lifecycle management in AWS KMS using Fortanix DSM, refer to the User's Guide: Fortanix DSM AWS KMS Cloud Native Key Management.

For details on how to perform BYOK key lifecycle management in AWS KMS using Fortanix DSM, refer to the User's Guide: Fortanix DSM AWS KMS Bring Your Own Key.