AWS Cloud Key Management (AWS KMS) Integration
KMES Series 3 Integration Guide
From AWS’s website: “AWS Key Management Service (KMS) makes it easy for you to create and manage cryptographic keys and control their use across a wide range of AWS services and in your applications. AWS KMS is a secure and resilient service that uses hardware security modules that have been validated under FIPS 140-2, or are in the process of being validated, to protect your keys. AWS KMS is integrated with AWS CloudTrail to provide you with logs of all key usage to help meet your regulatory and compliance needs.”
Please refer to the following URL on the AWS documentation website for more information about AWS Key Management Service (KMS): https://docs.aws.amazon.com/kms/index.html
Customer managed keys are KMS keys in your AWS account that you create, own, and manage. You have full control over these KMS keys, including establishing and maintaining their key policies, IAM policies, and grants, enabling and disabling them, rotating their cryptographic material, adding tags, creating aliases that refer to the KMS keys, and scheduling the KMS keys for deletion.
Customer managed keys appear on the Customer managed keys page of the AWS Management Console for AWS KMS.
The customer managed keys feature also allows you to import existing symmetric keys into AWS KMS. For this integration, this means symmetric HSM Protected keys can be created on a KMES Series 3 device and then pushed to AWS KMS from the KMES application interface.
Keys that are pushed to AWS KMS can be used with other services inside AWS, such as the following:
AWS KMS also has its own API that customers can use with their own applications to access and use keys stored in AWS KMS.
For this integration, keys will be created and stored on the KMES Series 3, synchronized to AWS KMS, and then subsequently managed via the KMES application interface.
The AWS KMS / KMES Series 3 integration provides several benefits:
The Futurex Certification Process is a rigorous and standardized approach to testing and certifying integrations between third-party applications and Futurex’s HSMs and key management servers (i.e., KMES Series 3). The certification process is designed to ensure that third-party application integrations are fully tested and validated in a lab environment before they are deployed in a production environment. Futurex’s Integration Engineering team implements this process so that customers can have confidence that third-party applications will integrate seamlessly with Futurex’s HSMs and KMES Series 3 devices, and that all operations will result in the expected behavior. The certification process involves several steps, including research, testing, troubleshooting, and certification, and is fully documented in an integration guide for each integration. The full process is outlined below:
Overall, following these steps helps ensure that the integration between the third-party application and the Futurex device is fully tested and validated, and that any errors or issues are resolved before the integration is certified as fully supported.
Before the KMES Series 3 can push key material to AWS KMS, credentials must be created in the AWS IAM service and then configured on the KMES. In AWS IAM, these credentials will take the form of an Access Key. On the KMES, the credentials will take the form of a Cloud Credential.
Access key ID | Secret access key
AccessID      | AccessKey
NOTE: This is the only time you will be able to view your secret key. Be sure to write it down/save it now.
This section will explain how to create a customer managed key in AWS KMS. The KMS key will be created devoid of key material so that the KMES can be the source of the key material. The process for pushing keys from the KMES to AWS KMS will be explained in a later section.
This section will explain how to create a new HSM Protected Key Group on the KMES and how the different key operations work for pushing keys to AWS KMS.
NOTE: If a firewall is configured in your environment, ensure that the *.amazonaws.com:443 endpoint is allowed from the KMES out to the internet. If a more specific endpoint is preferred or required, please refer to the following documentation: https://docs.aws.amazon.com/general/latest/gr/kms.html
Key groups act as both a container for keys and a template from which keys within the group are created, allowing you to define key attributes such as the key type, the key rotation schedule, and the service to use (e.g., Amazon Web Services).
There are two main operations that can be performed on keys that are part of an AWS HSM Protected Key Group:
NOTE: For this integration, the only way that keys should be generated inside an AWS HSM Protected Key Group is by force rotating the key group or simply waiting for a key rotation to occur based on the configured rotation schedule.
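Whether triggered by a force rotation or by the rotation schedule, each push of a key from the KMES to a KMS key that was created without key material follows the AWS import-key-material call sequence (GetParametersForImport, wrap the material under the returned RSA public key, ImportKeyMaterial). The following added Python illustration of that sequence is not KMES or AWS code; it assumes a freshly created EXTERNAL-origin KMS key per push, uses a constructed in-memory stand-in for the boto3 KMS client so it runs offline, and replaces the RSAES_OAEP_SHA_256 wrapping step with a labelled placeholder.

```python
from datetime import datetime, timedelta, timezone


class FakeKms:
    """Constructed in-memory stand-in for a boto3 KMS client (not AWS or KMES code).

    Models one KMS key created without key material (KeyState "PendingImport").
    """

    def __init__(self, key_id, state="PendingImport", origin="EXTERNAL"):
        self.key_id, self.state, self.origin = key_id, state, origin
        self.material = None

    def describe_key(self, KeyId):
        return {"KeyMetadata": {"KeyId": self.key_id, "Origin": self.origin,
                                "KeyState": self.state, "KeySpec": "SYMMETRIC_DEFAULT"}}

    def get_parameters_for_import(self, KeyId, WrappingAlgorithm, WrappingKeySpec):
        # Real KMS returns a one-time import token and an RSA wrapping public key,
        # both valid for 24 hours.
        return {"ImportToken": b"constructed-token", "PublicKey": b"constructed-rsa-pub",
                "ParametersValidTo": datetime.now(timezone.utc) + timedelta(hours=24)}

    def import_key_material(self, KeyId, ImportToken, EncryptedKeyMaterial, ExpirationModel):
        if KeyId != self.key_id or ImportToken != b"constructed-token":
            raise RuntimeError("InvalidImportTokenException")
        self.material, self.state = EncryptedKeyMaterial, "Enabled"
        return {}


def stub_wrap(public_key, material):
    # Placeholder only: production code wraps with RSAES_OAEP_SHA_256 under public_key.
    return b"wrapped:" + material


def push_key_material(kms, key_id, material, wrap=stub_wrap):
    """Push 32 bytes of symmetric key material into an EXTERNAL-origin KMS key.

    Returns the KeyState reported by KMS after the import ("Enabled" on success).
    """
    meta = kms.describe_key(KeyId=key_id)["KeyMetadata"]
    if meta["Origin"] != "EXTERNAL" or meta["KeyState"] != "PendingImport":
        raise ValueError(f"{key_id} is not awaiting external key material: {meta}")
    if len(material) != 32:
        raise ValueError("SYMMETRIC_DEFAULT keys take exactly 32 bytes of material")
    params = kms.get_parameters_for_import(
        KeyId=key_id, WrappingAlgorithm="RSAES_OAEP_SHA_256", WrappingKeySpec="RSA_2048")
    if params["ParametersValidTo"] <= datetime.now(timezone.utc):
        raise RuntimeError("import parameters expired; request a fresh token")
    kms.import_key_material(
        KeyId=key_id, ImportToken=params["ImportToken"],
        EncryptedKeyMaterial=wrap(params["PublicKey"], material),
        ExpirationModel="KEY_MATERIAL_DOES_NOT_EXPIRE")
    return kms.describe_key(KeyId=key_id)["KeyMetadata"]["KeyState"]
```

The pre-import state check is what a job would fail on if the KMS key already holds material or was created with AWS-generated material instead of none.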
For demonstration purposes, we will force rotate the HSM Protected Key Group to generate and push the first key to AWS KMS. To do so, please follow the steps outlined below:
This section will explain how to track the progress/status of jobs related to AWS HSM Protected Key Groups, as well as how to view AWS-related events in the Audit Log.
It has already been mentioned in previous sections that the progress/status of jobs related to AWS can be viewed under Logging and Reporting -> Jobs. Events specific to this integration that would initiate a new job include the following:
AWS-related events can also be viewed under Logging and Reporting -> Audit Logs. The following is an example of how these log entries would appear.