Fortanix Data Security Manager Installation on AWS

1.0  Introduction

The purpose of this article is to describe the steps required to install a Fortanix Data Security Manager (DSM) cluster in a single region of Amazon Web Services (AWS) using the AWS Marketplace listing.

2.0 Terminology References

  • IAM – Identity and Access Management

  • VPC – Virtual Private Cloud

  • EC2 – Elastic Compute Cloud

  • SNS – Simple Notification Service

3.0  Prerequisites

To install Fortanix DSM on AWS, the following requirements have to be met:

  1. Subscribe to Fortanix DSM on AWS Marketplace using the following link: https://aws.amazon.com/marketplace/pp/B08XMT11DV

  2. Create an IAM user or role with permission to create a VPC, Internet Gateway, Load Balancer, Auto Scaling group, Security Group, EC2 instances, and an SNS topic, which are the resources the CloudFormation template creates. Scope the policy to these actions rather than granting full administrator access.

  3. Create an EC2 key pair to be used for SSH authentication to the VMs. Keep the private key off shared storage; it is the credential for the administrator SSH login used in Section 4.3.

3.1  Recommended VM Configuration

  • VM Instance Type - m5.2xlarge (or larger).

  • A minimum of 4 vCPUs and 32 GB RAM is required. AWS instances with up to 32 vCPUs are supported.

4.0  AWS Infrastructure

4.1  Create Fortanix Data Security Manager Cluster - Launch CloudFormation Method

  1. Click Continue to Subscribe.  

    screen-1.png

    Figure 1: Continue to Subscribe

  2. Click Continue to Configuration.  

    screen-2.png

    Figure 2: Continue to Configuration

  3. Click Continue to Launch.

    screen-3.png

    Figure 3: Continue to Launch

  4. Select Launch CloudFormation and click Launch.  

    screen-4.png

    Figure 4: Launch the Software

  5. Click Next and fill in the CloudFormation stack parameter values (shown in Figure 5):

    screen-5.png

    Figure 5: CloudFormation Stack Parameter Values

  6. Optionally add tags on the Configure stack options screen and click Next.

  7. Review the stack settings and click Create stack.

    screen-6.png

    Figure 6: Create Stack Screen

  8. The following screen displays all the AWS resources created by the Fortanix CloudFormation template.

    AWSResources.png

    Figure 7: AWS Resources

4.2 Fortanix Data Security Manager Security Groups in VPC

The following are the inbound and outbound rules for the Fortanix Data Security Manager security group:

Inbound rules:

  • Ports 443 and 4445 (TCP) must be reachable by the clients that use the API and web UI; in this deployment they are expected to be exposed to the internet. Port 5696 (TCP) serves the KMIP protocol between clients and the KMS cluster. If the set of client networks is known, restrict the source of these rules to those CIDRs instead of 0.0.0.0/0.

  • The all-traffic rule is for inter-node communication within the VPC. Restrict its source either to the VPC CIDR or, more tightly, to the security group itself (a self-referencing rule), so that only the cluster nodes match it.

  • The SSH port (22) should be open only to the source IP address that performs the installation, configuration, and maintenance activities, and the rule can be removed or tightened further once those activities are complete. Never leave SSH open to 0.0.0.0/0.

    AWS_Install11.png

    Figure 8: Inbound rules

Outbound rule:

AWS_Install12.png

Figure 9: Outbound rule
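To check a deployed group against the rules above without reading the console screenshots, the following added example (not Fortanix or AWS code) audits the JSON output of aws ec2 describe-security-groups: it flags SSH or any TCP port the guide does not need that is open to 0.0.0.0/0 or ::/0, and an inter-node all-traffic rule whose source is neither the group itself nor the VPC CIDR. The 443/4445/5696 rules are accepted from any source because the guide expects them to be internet-facing. The group ID, VPC ID, account ID and CIDRs in the embedded sample documents are made up.

```python
"""
Audit the inbound rules of a DSM security group against the rules listed above.
Added example, not Fortanix or AWS tooling. It consumes the JSON printed by
`aws ec2 describe-security-groups --group-ids <sg-id>`; the documents built
below are constructed samples with made-up group, VPC, account and CIDR values.
"""
import ipaddress
import json
import sys

CLIENT_PORTS = {443, 4445, 5696}  # API/UI and KMIP: the guide expects clients to reach these
SSH_PORT = 22
WORLD = {"0.0.0.0/0", "::/0"}


def _sources(perm):
    """Yield (kind, value) for every source listed in one IpPermissions entry."""
    for r in perm.get("IpRanges", []):
        yield "cidr", r["CidrIp"]
    for r in perm.get("Ipv6Ranges", []):
        yield "cidr", r["CidrIpv6"]
    for g in perm.get("UserIdGroupPairs", []):
        yield "sg", g["GroupId"]
    for p in perm.get("PrefixListIds", []):
        yield "prefix-list", p["PrefixListId"]


def audit_inbound(sg, vpc_cidr):
    """Return findings for one security group; an empty list means it matches the guide."""
    findings = []
    vpc_net = ipaddress.ip_network(vpc_cidr, strict=False)
    for perm in sg["IpPermissions"]:
        proto, lo, hi = perm["IpProtocol"], perm.get("FromPort"), perm.get("ToPort")
        for kind, src in _sources(perm):
            if proto == "-1":
                # Inter-node rule: only a self-reference or the VPC CIDR is acceptable.
                if (kind == "sg" and src == sg["GroupId"]) or (
                    kind == "cidr" and ipaddress.ip_network(src, strict=False) == vpc_net
                ):
                    continue
                findings.append(f"all-traffic rule from {src}: restrict to {sg['GroupId']} or {vpc_cidr}")
            elif kind == "cidr" and src in WORLD:
                if proto != "tcp":
                    findings.append(f"{proto} open to {src}: not required by the guide")
                    continue
                if lo <= SSH_PORT <= hi:
                    findings.append(f"tcp 22 open to {src}: restrict SSH to the admin source IP")
                if set(range(lo, hi + 1)) - CLIENT_PORTS - {SSH_PORT}:
                    findings.append(f"tcp {lo}-{hi} open to {src}: exposes ports other than 443/4445/5696")
    return findings


def audit_document(text, vpc_cidr):
    """Audit every group in a describe-security-groups document; returns {GroupId: findings}."""
    return {sg["GroupId"]: audit_inbound(sg, vpc_cidr) for sg in json.loads(text)["SecurityGroups"]}


# --- constructed sample documents (not from a real account) ---------------------------------
SG_ID = "sg-0123456789abcdef0"


def _rule(proto, port=None, cidr=None, group=None):
    rule = {"IpProtocol": proto, "IpRanges": [], "Ipv6Ranges": [], "UserIdGroupPairs": [], "PrefixListIds": []}
    if port is not None:
        rule["FromPort"] = rule["ToPort"] = port
    if cidr:
        rule["IpRanges"].append({"CidrIp": cidr})
    if group:
        rule["UserIdGroupPairs"].append({"GroupId": group, "UserId": "123456789012"})
    return rule


def _document(ssh_source, node_rule):
    perms = [_rule("tcp", p, "0.0.0.0/0") for p in sorted(CLIENT_PORTS)] + [_rule("tcp", 22, ssh_source), node_rule]
    return json.dumps({"SecurityGroups": [{"GroupId": SG_ID, "GroupName": "dsm-nodes", "VpcId": "vpc-0abc",
                                           "IpPermissions": perms,
                                           "IpPermissionsEgress": [_rule("-1", cidr="0.0.0.0/0")]}]})


WEAK_DOC = _document("0.0.0.0/0", _rule("-1", cidr="0.0.0.0/0"))       # SSH and node traffic open to the world
HARDENED_DOC = _document("203.0.113.10/32", _rule("-1", group=SG_ID))  # admin IP for SSH, self-referencing node rule

if __name__ == "__main__":
    # Usage: aws ec2 describe-security-groups --group-ids sg-... | python audit_sg.py 10.0.0.0/16
    text = sys.stdin.read() if not sys.stdin.isatty() else WEAK_DOC
    for gid, findings in audit_document(text, sys.argv[1] if len(sys.argv) > 1 else "10.0.0.0/16").items():
        print(gid, "OK" if not findings else "FINDINGS")
        for f in findings:
            print("  -", f)
```

Run it with the CLI output on stdin and the VPC CIDR as the argument; an empty finding list means the group matches the guide, while a weak group gets one line per deviation. Sources other than the whole internet are left to the operator's judgement, so a deliberately chosen client CIDR on 443/4445/5696 or an admin IP on 22 produces no noise.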

4.3 Verify Login to Each VM

Verify that you can log in to each VM over SSH as the “administrator” user, using the private key of the key pair selected during VM creation. Check every node before proceeding, so that a node with a wrong key or security group rule is found before the installation starts.

4.4  Route53 Record

  1. Go to Route 53 console.  

    Route53.png

    Figure 10: Create Route53 Entry

  2. Select your hosted zone and create a record.

  3. Enter the Name for the record.

  4. Select “Alias to Network Load Balancer” as Endpoint.

  5. Select the region of the load balancer.

  6. Select the load balancer configured above.

  7. Select the Record type to be “A”.

5.0  Fortanix Data Security Manager Installation

Follow the installation instructions on the three EC2 instances starting with Section 4 of the Fortanix Data Security Manager Installation Guide.

NOTE

  • Hostnames of the EC2 instances can be configured for better readability.

  • Use the Fortanix DSM installer provided with this guide to install on the EC2 instances.

  • When generating certificate requests, use the Route 53 record name as the DNS name in the request, since that is the name clients will use to reach the cluster through the load balancer.

5.1  Adding a Node to an Existing Cluster

The following is the procedure to add a node to an existing Fortanix DSM cluster on AWS:

  1. Get a join token from any node in the cluster using the following command:

    sudo kubeadm token list

    Join tokens expire (the kubeadm default TTL is 24 hours); if the list is empty, create a new token on that node with kubeadm token create before continuing.

  2. Ensure that the new node has the same version of sdkms-cluster installed as the existing nodes.

  3. Run the node join on the new node using the token from Step 1 (the token value below is only an example):

    sudo sdkms-cluster join --peer=MASTER_NODE_IP --token=e79965.421d7f78a8546e37 --self=NODE_IP

    Any existing node in the cluster can serve as the peer (MASTER_NODE_IP); NODE_IP is the address of the node being added.

  4. Verify that the new node has joined the cluster successfully:

    kubectl get nodes -o wide

5.2  Removing a Node from an Existing Cluster

To remove a node from an existing Fortanix DSM cluster on AWS, execute the following command from any remaining node, where NODE_NAME is the node name shown by kubectl get nodes:

sudo sdkms-cluster remove --node NODE_NAME

6.0  Backup and Restore on AWS

The backup and restore process is the same as for other Fortanix DSM deployments, including hardware-based ones. On AWS, however, the VMs have no SGX capability, so the deployment key is created in software instead of being protected by SGX. For security reasons this deployment key is deliberately not written to the backup location together with the backup data: a backup stored next to the key that protects it would be usable by anyone who obtains the backup.

NOTE

The deployment key is required to restore the backup if the cluster is reset or re-created. It must therefore be backed up separately in a safe location; without it, the backup cannot be restored and is effectively unusable.

  1. Locate the deployment key.

    $ kubectl get secrets sdkms-deployment-key-store

  2. Save the deployment key.

    $ kubectl get secrets sdkms-deployment-key-store -o yaml > sdkms-deployment-key-store.yaml

    Save the file sdkms-deployment-key-store.yaml in a secure location (do not save it along with the backup). Before relying on it, confirm that the file actually contains the data section of the Secret; an empty or truncated export is otherwise discovered only at restore time, when it is too late.

  3. Restore the deployment key after the cluster reset.

    When a new cluster is created, a new random deployment key is auto-created. Because the cluster is being restored from the backup, this new key must be deleted and the saved key restored in its place.

    1. Delete the deployment key that was created with the fresh cluster.

      $ kubectl delete secrets sdkms-deployment-key-store

    2. Re-create the deployment key from the saved file.

      $ kubectl create -f sdkms-deployment-key-store.yaml

      If the create command is rejected with “resourceVersion should not be set on objects to be created”, remove the cluster-specific metadata fields (resourceVersion, uid, creationTimestamp, selfLink, managedFields) that the export carried over from the old cluster, and run the command again; only the data section needs to be restored.

      After the above step, the restore process can be started as documented in the Fortanix Data Security Manager Backup and Restore Guide.
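As a safeguard around steps 2 and 3, the following added example (not Fortanix tooling) verifies that an exported deployment-key Secret actually contains decodable key material, strips the metadata fields that belong to the old cluster so the object can be created on the new one, and prints a fingerprint of the key material that can be compared before deletion and after re-creation. It assumes the Secret was exported with kubectl get secret sdkms-deployment-key-store -o json (JSON rather than the YAML used above, so that only the Python standard library is needed). The embedded sample Secret is constructed: the deployment-key entry name and its bytes are placeholders, not the real layout of the Fortanix Secret.

```python
"""
Check and sanitise an exported sdkms-deployment-key-store Secret before the
in-cluster copy is deleted and before it is re-created on the rebuilt cluster.
Added example, not Fortanix tooling. It assumes the Secret was exported as JSON
(`kubectl get secret sdkms-deployment-key-store -o json > sdkms-deployment-key-store.json`);
the document below is a constructed sample and its key bytes are not a real deployment key.
"""
import base64
import binascii
import hashlib
import json
import sys

SECRET_NAME = "sdkms-deployment-key-store"
# Populated by the source cluster's API server. An object that still carries resourceVersion
# is rejected by `kubectl create -f` ("resourceVersion should not be set on objects to be created").
CLUSTER_OWNED = ("resourceVersion", "uid", "creationTimestamp", "selfLink", "managedFields")


def verify_export(doc):
    """Return a list of problems; an empty list means the export is usable for restore."""
    problems = []
    if doc.get("kind") != "Secret" or doc.get("apiVersion") != "v1":
        problems.append("not a v1 Secret")
    if doc.get("metadata", {}).get("name") != SECRET_NAME:
        problems.append(f"metadata.name is not {SECRET_NAME}")
    data = doc.get("data") or {}
    if not data:
        problems.append("data is empty: the export does not contain the deployment key")
    for key, value in data.items():
        try:
            if not base64.b64decode(value, validate=True):
                problems.append(f"data.{key} decodes to zero bytes")
        except (binascii.Error, TypeError):
            problems.append(f"data.{key} is not valid base64")
    return problems


def sanitize(doc):
    """Return a copy stripped of cluster-owned metadata so it can be created on a new cluster."""
    clean = json.loads(json.dumps(doc))  # deep copy; the caller's object is left untouched
    for field in CLUSTER_OWNED:
        clean.get("metadata", {}).pop(field, None)
    return clean


def fingerprint(doc):
    """SHA-256 over the decoded key material only; compare before deletion and after re-creation."""
    digest = hashlib.sha256()
    for key in sorted(doc.get("data") or {}):
        digest.update(key.encode())
        digest.update(b"=")
        digest.update(base64.b64decode(doc["data"][key]))
        digest.update(b"\n")
    return digest.hexdigest()


# Constructed sample: the 'deployment-key' entry name is an assumption and the bytes are filler.
SAMPLE_EXPORT = json.dumps({
    "apiVersion": "v1", "kind": "Secret", "type": "Opaque",
    "metadata": {"name": SECRET_NAME, "namespace": "default",
                 "uid": "5e1a2b3c-0000-4000-8000-000000000001",
                 "resourceVersion": "48213", "creationTimestamp": "2021-06-01T10:00:00Z"},
    "data": {"deployment-key": base64.b64encode(bytes(range(32))).decode()},
})

if __name__ == "__main__":
    # Usage: python check_deployment_key.py sdkms-deployment-key-store.json > clean.json
    raw = json.load(open(sys.argv[1])) if len(sys.argv) > 1 else json.loads(SAMPLE_EXPORT)
    problems = verify_export(raw)
    if problems:
        sys.exit("refusing to continue: " + "; ".join(problems))
    print(json.dumps(sanitize(raw), indent=2))
    print("fingerprint:", fingerprint(raw), file=sys.stderr)
```

Record the fingerprint when the export is taken; after kubectl create -f on the rebuilt cluster, export the Secret again and confirm the fingerprint matches before starting the restore, since a restore against the wrong key fails only after the backup data has been processed.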

7.0  Cluster Deployment Key Protection for Non-SGX Platform

When Fortanix DSM is deployed on a non-SGX platform such as AWS, the Cluster Master Key (CMK) can be protected with another key, the Cluster Deployment Key (CDK), which is stored in an external HSM. For instructions, refer to the Administration Guide: CDK Protection for non-SGX platforms.