Achieving security goals with AWS CloudHSM - SDD333 - AWS re:Inforce 2019

© 2019,Amazon Web Services, Inc. or its affiliates. All rights reserved.
Achieving security goals with AWS
CloudHSM
Avni Rambhia
Senior Product Manager
AWS Cryptography
Amazon Web Services
S D D 3 3 3
Stephen Quigg
Principal Security SA
AWS Financial Services
Amazon Web Services

Agenda
AWS cryptography services: Choosing the right tool for the job
AWS CloudHSM fundamentals
Designing for resilience with cross-Region redundancy
Optimizing performance and cost
Recent launches for CloudHSM and what’s on the roadmap

Related breakouts
FND320: Root CA Hierarchies for AWS Certificate Manager
Private CA
4:15-5:15 Wednesday (205B)

Cryptography: What, how, and why

AWS cryptography services

AWS KMS
Your applications
AWS
services
Authentication
Authorization
Logging
KMS custom key
store
Your AWS
CloudHSM cluster
Native KMS
Shared HSM
Your on-
premises HSM
(BYOK)
Imported to
AWS KMS

The AWS Encryption SDK
• Framework and data format for client-side encryption
• Library that gives you authenticated envelope encryption
• Backed by AWS KMS or external key sources
• Implementations available for Java, C, and Python
• Specification is available if you want to implement in a different
language
• Supports data key caching
• Open source under Apache 2.0 license
• Built on language-specific crypto primitives

ACM Private CA
Organization
resources
On-premises servers
AWS resources
Devices
Amazon EC2

Life-cycle management for secrets such as database credentials
and API keys
Rotate secrets safely Pay as you goManage access with
fine-grained policies
Secure and audit
secrets centrally
Secrets Manager

Aspects of control in CloudHSM
Control
Application
development
Algorithms and
key lengths
User management
Specific
compliance

Control implies responsibility
Control
Application
development
Algorithms
and key
lengths
User
management
Specific
compliance
Responsibility
Application
integration
HSM
maintenance
Backups
ProvisioningHigh availability
User
management

CloudHSM simplifiesmanagement tasks
Responsibility
Application
integration
HSM
maintenance
Backups
Provisioning
High
availability
User
management

Concepts in CloudHSM
• Cluster
• HSM
• Backup
• Higher throughput: Expand cluster
• More active keys: New cluster
CloudHSM HSM
CloudHSM HSM
Synchronized
CloudHSM cluster

Concepts in CloudHSM, continued
• Cloned cluster
• Same trust hierarchy and masking key
• Can synchronize keys within FIPS envelope
Automatically
synchronized
CloudHSM cluster
Create cluster
from backup
Cloned CloudHSM
cluster

Two ways to use CloudHSM
• HSM-based master key unlocks data keys (e.g.,
database TDE)
• Durability is primary concern
Direct transactions
• HSM is in path of every transaction (e.g.,
OpenSSL)
• Availability and latency are critical
Master key
stored in
HSM
Data keys are encrypted
with master key
Envelope encryption

Meet the characters
Service API: Manage your cluster
• Console
• Command line
• Shows in AWS CloudTrail
CLI tools: Use your HSMs
• CloudHSM_mgmt_util – HSM
administration
• Key_mgmt_util – Convenient for
infrequent key operations
SDKs: Application development
• PKCS#11
• OpenSSL
• JCE
Client Daemon: Talks to cluster
• Used by key_mgmt_util and SDKs
to interact with cluster
• Handles load balancing
• Is aware of cluster configuration
changes

CloudHSM_mgmt_util: Closer look
• Global mode: Default
• Talks sequentially to all HSMs in the cluster
• Doesn’t use client daemon: “Configure –m” before using the utility to update cluster settings
• Use this mode for routine operations
• Server mode: Use wisely
• Bypass cluster synchronization
• Talk to one HSM at a time
• Great power, great responsibility
• Use this mode as needed (e.g. to fix mismatched users or passwords or to manually synchronize keys
across cloned clusters)

Cross-region redundant workloads
Cloning allows secure cross-Region key replication
Step 1:
Copy backup to
new region
Step 2:
Create cluster
from backup
Ongoing:
Synchronize new
keys

Cross-region key transfer using wrapping
Region 1
CloudHSM
cluster
Create cluster
from backup
Region 2
CloudHSM
cluster
AESWrap newKey
with wrappingKey
AESUnwrap newKey
with wrappingKey

Cross-region key transfer using maskedObjects
Region 1
CloudHSM
cluster
Create cluster
from backup
Region 2
CloudHSM
cluster
extractMaskedObject
insertMaskedObject
key_mgmt_util

Syncing with Key_mgmt_util
[ec2-user@ip-X-X-X-X ~]$ /opt/cloudhsm/bin/key_mgmt_util singlecmd loginHSM -u CU -s
user1 -p pwd findKey
Command: findKey
Total number of keys present: 3
Number of matching keys from start index 0::2
Handles of matching keys:
6, 262151, 8
user1 -p pwd extractMaskedObject -o 262151 -out masked_object.file
Command: extractMaskedObject -o 262151 -out masked_object.file
Object was masked and written to file "masked_object.file“

Syncing with Key_mgmt_util
user1 -p pwd insertMaskedObject -f masked_object.file
Command: insertMaskedObject -f masked_object.file
Cfm3InsertMaskedObject returned: 0x00 : HSM Return: SUCCESS
New Key Handle: 262153
Node id 1 and err state 0x00000000 : HSM Return: SUCCESS
user1 -p pwd findKey
Command: findKey
Total number of keys present: 4
Number of matching keys from start index 0::3
Handles of matching keys:
6, 262151, 8, 262153

Masking vs. wrapping
Wrapping
Required for use within applications
Pros
• Can be automated in C/Java
• Can be used in any cluster where
wrapping key is loaded
Cons
• Does not work for non-
exportable keys
• Key attributes in new HSM
depend on unwrapping code
Masking
Required for non-exportable keys
Pros
• Key stays in FIPS boundary
• Constrained to cloned cluster
• Key retains attributes and policies
Cons
• Only usable via command line tools
(today)

Understanding HSM performance
Transaction = network round-trip + operation + (sometimes) synchronization

Multi-threading
increases throughput
for given latency

• Cryptographic operations on a key
handle give you maximum speed
• Attributes and labels require look up,
adding latency
• Caching the handle for frequently
used keys provides better speed

Two types of keys in the HSM:
• Token keys are persistent, synchronized
to all HSMs in the cluster
• Session keys are created on one HSM
and erased after the session
• You can create and unwrap keys as
session or token keys
• Session keys offer lower latency but no
durability

Cluster performance: When to add HSMs
During design:
• For reliability: 2+ HSMs per production cluster, spread across AZs
• For speed: As needed after threading and code optimization
At runtime:
• When latency of calls increases
Amazon CloudWatch metrics:
• HSMs with unhealthy metrics are autoreplaced by CloudHSM
• For missing metrics, consider proactively adding an HSM

Best practices for cost management
For development and test workloads:
• Pause billing: Delete HSM instances at the end of the workday
• Resume work: Create HSM instance to pick up where you left off
For production workloads:
• Leverage elasticity: Scale cluster up/down as workload varies
• Maximize utilization: Share lightly used cluster across accounts
• Optimize storage: Wrap data keys and store externally when not in use
Idle workloads: Draw down cluster to 0 HSMs; even delete cluster

Last year, we delivered:
• Client support for Microsoft Windows
• ADCA, IIS and Signtool integations
• JCE samples on GitHub:
https://github.com/aws-samples/aws-cloudhsm-jce-examples/
• Basic usage, optimizing performance, and handling HSM disconnects gracefully
• More code coming soon, contributions welcome!
• PKCS 2.40 compliance
• Client 1.1.1 onward
• Backup management
• Copy and Delete
• HSM Audit logs in CloudWatch

HSM audit logs in CloudWatch
User and key management is logged today
• Create/delete user and change password
• Login and logout
• Create/delete key and wrap/unwrap key
• Share key
Cryptographic operations are not logged today
• Encrypt, decrypt, sign, verify
Each HSM emits its own log stream

CloudHSM as custom key store for AWS KMS
Combines CloudHSM’s control with AWS KMS integrations
• Use CloudHSM-backed keys in most AWS services via AWS KMS
• One data protection pattern, multiple compliance levels

VPC
CloudHSM cluster
Customers’
applications
via AWS SDKs
AWS KMS standard
key store
AWS KMS
KMS endpoint
AWS KMS custom key store
KMS HSM fleet
50+ AWS
services
AWS Cloud
Custom key store
“connector”
Custom
clients using
PKCS#11, JCE, CNG

KMS
KMS BYOK
(ImportKey)
KMS CustomKeyStore
(CloudHSM)
Where keys are generated HSMs controlled by AWS HSMs controlled by you HSMs controlled by you
Where keys are stored HSMs controlled by AWS HSMs controlled by AWS HSMs controlled by you
Where keys are used HSMs controlled by AWS HSMs controlled by AWS HSMs controlled by you
How to control key use JSON key policies you
define
JSON key policies you
define
JSON key policies you
define
Responsibility for
performance/scale
AWS AWS You
Integration with AWS
services?
Yes Yes Yes
Pricing model $1/key + usage $1/key + usage $1/key + usage;
Hourly charge for each HSM
Comparison of AWS KMS master key providers

Thank you!
Avni Rambhia
arambhia@amazon.com
Stephen Quigg
squigg@amazon.com

Achieving security goals with AWS CloudHSM - SDD333 - AWS re:Inforce 2019

Recommended

Recommended

More Related Content

What's hot

What's hot (20)

Similar to Achieving security goals with AWS CloudHSM - SDD333 - AWS re:Inforce 2019

Similar to Achieving security goals with AWS CloudHSM - SDD333 - AWS re:Inforce 2019 (20)

More from Amazon Web Services

More from Amazon Web Services (20)

Achieving security goals with AWS CloudHSM - SDD333 - AWS re:Inforce 2019