AWS CloudHSM Hands-on lab - How to create, initialize and activate an AWS CloudHSM cluster?

Reddit Comments

Alone question. Why are clusters still a thing when high availability is less expensive and you stretch to more than one data center without the “may not be so reliable” architecture?

👍︎︎ 1 👤︎︎ u/teknosapien 📅︎︎ Apr 15 2021 🗫︎ replies
Captions
Hello all, and welcome to this hands-on lab. In our lab today we will see how to create, initialize and activate an AWS CloudHSM cluster. A couple of things to keep in mind before we proceed further ahead: using the AWS services leveraged in this lab might incur charges, hence ensure that you clean up all resources after completing this lab.

Scenario for our lab today: your team is planning to leverage an AWS CloudHSM cluster to create an AWS KMS custom key store for your project. You, being one of the team members, have been tasked to provision, initialize and activate an AWS CloudHSM cluster for your team so that they can go ahead and create a custom key store. So your primary task is to get this cluster up and running such that your team can leverage it in the future to create a custom key store.

Prerequisites are, of course, knowledge of KMS, knowledge of CloudHSM, and what a custom key store is. If you already know this, just move further ahead; if you don't know any of these services, please feel free to refer to these videos, or you can even read up the AWS documentation.

Reference URLs: we have three reference URLs over here. The first two URLs have most of the commands that we will be leveraging today, so in case you want to copy those commands just go to these URLs; I will have them posted in the description of this video. The last URL basically talks about the prerequisites, or what is needed in order to ensure that you can create a custom key store from a CloudHSM perspective. So once the cluster is up and running, we will basically review all the prereqs in this article to ensure that our cluster meets the requirements.

So let us begin with this hands-on lab. The first thing that we are going to do is go ahead and provision our cluster using the AWS console. So this is our first step. I will be provisioning this cluster in my default VPC across two subnets, but if you have your own VPC feel free to use that; ensure that it is at least across two subnets and availability zones. Okay, so let me switch real quick. Before I jump in, this is the first URL that talks about initializing the cluster and this is the second one that talks about activating the cluster. Refer to these URLs whenever you get some time; these are the two reference URLs that I mentioned earlier.

Okay, this is my AWS console, this is CloudHSM, and let's go ahead and create our cluster. So let me go over here and click on Create cluster. I'm going to select my default VPC and I am going to select two subnets right over here, so I'm going to select us-east-1a and us-east-1b. Okay, and then cluster source: create a new cluster. Next. Ensure that you change this backup retention to seven; that is the minimum number of days, and after this lab is over, while you're deleting your cluster, ensure that you also delete the backup. Next, if you want to give any tags; review and create cluster. So this cluster creation takes about, on a good day, 10 minutes or so, but on bad days, or when the service is really slow, sometimes it can potentially take about 15 to 20 to 25 minutes as well, so be patient. As you see it's in progress; it takes a little while, and we will come back to this cluster shortly.

Okay, so we have basically completed this step. Next is to initialize our cluster. The first thing that we are going to do is go ahead and create an HSM. For the cluster that we've just provisioned, we have to wait for that cluster to come up, and then we will go ahead and initialize our cluster: we will select the Initialize option from the menu and then select one of the availability zones to provision our first hardware security module in this cluster. Once the HSM has been provisioned, we will have to wait for it to be active. Okay, so let's see if this cluster is up and running. Does not look like it is. Okay, so it's going to take some time; I'm going to pause this video and come back in a little bit.

So our cluster has been created, as you see; it's right there, this is the cluster ID, and currently it is in an uninitialized state. Okay, so let us continue further ahead. We were just reviewing the steps for initialization right here, so we will go ahead and initialize our cluster. We'll select our cluster, go to Actions, select Initialize, and we will have to select the first AZ where we want to create our first HSM. So this is going to be in us-east-1a, this is the subnet that I'm leveraging, and click on Create. Our first HSM is currently being created. So we have completed these two steps, and once it's provisioned it will be active. Okay, so let's see what we have here; if I go down, the create is still in progress. Okay, so this should take a couple of minutes. We will wait for this to finish, and in the meantime we will go ahead and create an IAM user named hsmuser with permissions to initialize the cluster. You can leverage the existing CloudHSM full access policy for this particular lab; of course in real life you can create your own custom policy, but right now I'm just going with the full access policy. And ensure that after you create this user you copy its username, password, access key ID and secret access key.

Okay, so let us go ahead and do that while the HSM is being provisioned. Go to IAM, and over here we will create a new user: Users, Add user, and I'm going to say hsmuser, programmatic access, console access, custom password, whatever password you want to give. So I'm going to say hsmuser123, I don't know, something like that; that's good, and I don't want the user to reset the password. So ensure that you copy your username, if you're like me and you forget what your usernames and passwords are during the lab. So there you go, and I don't want this user to reset its password, so uncheck this; it's a custom password. Next, attach existing policies, and we are going to look for CloudHSM; I'm going to give full access, because remember this user needs to have the right to initialize this cluster. Next, next, we'll review everything and create. Okay, so copy the access key ID, copy that, paste it right there, and the secret access key: show, copy that and paste it right there.

Okay, so now let's go back to our CloudHSM and see if our HSM has been provisioned. This is the cluster and it's still in progress. Okay, we will wait for it to come up. So let's continue further ahead; we've completed these steps, we are still awaiting our HSM to be active, so let's continue further ahead though. What we need to do in the next step is download the certificate for our cluster. Now, if you have OpenSSL on your machine, then use that. Let's say you don't have it, or you don't want to download anything on your machine; in that case, for this lab at least, leverage an EC2 Linux instance, and this could be a t2.micro instance from your free tier. So let us go ahead and provision this instance now. It's going to be a t2.micro Linux EC2 instance in your default VPC with public IP enabled and port 22 enabled, and once our instance is up we will SSH into our instance.

Okay, so let's go back. I don't think this is up yet; no, it is not. Okay, go to EC2 and here we will provision our Linux EC2 instance: Launch instance, go to free tier, this is the Linux 2 AMI, so that's good, t2.micro, we will enable public IP, it should be in your default VPC, storage is fine, tags are fine. Security group: now if you have an existing security group use that, otherwise provision a new security group. The only port that you need open is 22 at the start. I have an existing security group that is ec2sg; this particular security group has both 22 and 80. Now 80 is not needed; all that you need at this time is 22, but I'm just going to go ahead and reuse my EC2 security group. Review and launch, launch, and launch instances. Our instance should be up and running in a little bit. So give it a name, say cloudhsm-ec2. Okay, for whatever reason it didn't like it, but that's okay. I'm going to go ahead and copy its public IP address, and we will now go ahead and basically go to our key pairs over here, if only I can find my keyboard. Okay, so this is my key pair; change the font, and we will SSH into this as ec2-user. It's up and running.

Okay, so we have completed these two steps. The next thing that we need to do is configure our hsmuser on our EC2 instance to be able to use the AWS CLI, so let us go ahead and do that. So I'm going to say aws configure: access key ID, so this is my access key ID, I'm going to copy that, paste it right there; secret access key, this is my secret access key; my region is us-east-1, I'm going to put that, and default format is fine. Okay, so the user is configured successfully, so we have completed this step.

Now the next thing that we need to do is go ahead and download our cluster's CSR with this command that is mentioned here. Now this command is mentioned in the initialize URL that I have given, so if you want to go ahead and copy it from there you can; I have copied it over here in my notepad, and I had also copied the cluster ID earlier, right there. So this is the cluster ID. Let us go back and check if our cluster's HSM has been provisioned or not. So this is the cluster and it looks like our HSM is active, awesome. Okay, so this is the cluster ID; ensure that if you have not copied your cluster ID, copy your cluster ID. I have copied it right there. This is the command to describe the clusters and download that cluster certificate file, and what I'm going to do is replace this cluster ID with my cluster ID. So this is the cluster ID right there; let me copy it again and paste it right here. Okay, I'm gonna copy this particular command and go back here; if you want to clear, you can clear, and paste it right there. Enter. Okay, let's see if we have anything missing over here. I think we are good; let me just copy it once again and paste this right here. Okay, it looks like it does not like my cluster ID at all. Okay, let's see; I think I have a space. So if you make these mistakes like I am making, just go back and revisit that command. There you go. The problem was that there was a space over here between the equals sign and the cluster ID, and there was no space after the cluster ID. Anyway, so we have basically downloaded this certificate successfully. If you do ls -l you will see that the cluster certificate is right here. Okay, so we basically completed this step.

The next thing that we will need to do is sign a certificate, and for that we will need to provision a private key. So this is the command to provision that private key, so let us copy that particular command. I have it right here; I'm going to copy this command and this is going to provision that private key. So the private key has been provisioned; as you see, it is generating the private key and it is asking me to enter a passphrase. I'm going to keep my passphrase the same as my username, so hsmuser; keep it simple, guys. Okay, hsmuser, and I'm going to copy that passphrase right there, over here in notepad as well, so that I don't forget it. Okay, so our passphrase has been set and our key has been generated. So you see this is our customer CA key; this is the private key. So we completed this step.

Now we will use this particular private key to create a self-signed certificate. Remember that we downloaded the certificate request; we will have to sign it. Okay, so let us go ahead and do that. I'm going to go ahead and copy that particular command right here and paste it right there. We have to enter the passphrase, and country name, I'm going to give US; I don't know, city, some city; organization, some name; organization unit doesn't matter; I don't want to give a common name; email address is fine. Okay, so we basically created this, and I'm going to go ahead and do ls -l, and you will see that this particular certificate has been created. So this is the cluster certificate, this is the key, this is the certificate that we just created.

And the next step that we need to do is sign our cluster CSR, as I mentioned earlier, leveraging this particular certificate, right there. Okay, so let me go ahead and copy this particular command, and before I do that I will need to copy the cluster ID and replace it right there. So paste it right here. So this is our cluster certificate, the first one; the second one is the certificate that we just created; then is our key; and finally is the signed certificate that we want to create. Okay, so go ahead and copy this particular command, come back here, clear, paste it, enter the passphrase. Okay, it has succeeded, so let us now go ahead and look at the files. So this is our cluster certificate that we downloaded, this is the signed certificate, this is of course the certificate that we created to sign with, and this is our key. Okay, so we have successfully signed our cluster CSR leveraging this particular command.

Now we need to go ahead and initialize our cluster, and we will do that leveraging this particular command. If our command is successful then the status will change to Initialized on completion. Okay, so let's go back over here, copy this command, and then again I have to replace the cluster ID; so I'm going to copy my cluster ID and paste it right here, and again, similarly, remember we created the signed certificate, put the cluster ID right there, and copy this command, clear and paste it right here. Okay, so it looks like our command was successful and our cluster is initializing, and as I mentioned earlier the state will change to Initialized upon completion. So the initialization is currently in progress; if we actually go back and go to Clusters you will see that the status has changed; it's currently showing that initialize is in progress. Just refresh this; it does take some time for this particular cluster to get initialized. Okay, and let us come back. So we have successfully completed these steps; of course the initialization is in progress, but our cluster will be successfully initialized.

So we've provisioned a cluster, we have initialized the cluster. The next thing that we need to do is activate the cluster, and in order to do that we will have to perform some steps. The first thing that we will need to do is download and install the AWS CloudHSM client on our EC2 instance, and these are the commands for that. I missed a word over there, sorry about that. Okay, so I'm going to go ahead and copy that particular command. So this is the command; you will see that it will download. So I'm going to clear this, paste it right there; okay, downloaded successfully, and after that we are going to basically go ahead and install it. So let me go ahead and copy this particular command and paste it right here. So it's installing; it's installed successfully. I'm going to clear my screen, and we have successfully completed these two steps. So now we have downloaded and installed the AWS CloudHSM client.

The next thing that we need to do is edit the client configuration, and for that we will need to switch to the root user, and you can do that by executing this particular command, sudo su. So I'm going to copy sudo su, go back, so now you see we are using the root user, and then the next thing that we need to do is copy the cluster certificate to this particular path, and the command to do that is right here. So I'm going to copy that cp command, go here, copy the command, and this command will copy the certificate to that particular path. So it looks like it has copied. Okay, this is the original path, and we will now say cd and I'm going to copy this particular directory, and now let us do ls -l, and the certificate should be copied over here. So as you see it's right there, customerCA.crt; it got copied successfully. Okay, I'm going to clear this. So we've completed these two commands.

The next thing that we are going to do is modify the configuration of the AWS CloudHSM client to update our HSM's IP address, and this is the command to do that. But before we go and update the IP address we have to get the IP address, so let's go back and hopefully this has initialized. Okay, it's initialized, there you go, the status has changed, that's good news. Click on your cluster, go to your HSM; this ENI IP address is the IP address that you want to copy, and then you want to come back here and paste it right there; basically just replace this IP address with your IP address. Copy it, go back and paste it right there, hit enter. So it's updating the server configs, that is the client config and the management util file. So we have basically completed this step.

Now the next thing that we will need to do is log into the HSM; that's our cluster, and we have also provisioned one HSM in it, using the credentials of the precrypto officer, that is PRECO. Now this is typically done for the first HSM, as I've mentioned over here, in a new cluster. It contains a user; it's nothing else but the admin user with the default username and password, and when you change the password you will see that that admin user, which has the type PRECO, will eventually then become crypto officer. Okay, so let us go ahead and log in and see how we can do this. In order for us to do that we will have to first start the CloudHSM management utility; we will do that using this particular command. So go back over here, copy this and paste it right there over here. Okay, then copy it; see if it's copied now. Okay, now let's see if it successfully connects to this port or not. Remember it is communicating on this particular port, and when we provisioned our EC2 instance, remember the only port that we had opened up was 22. So this will actually fail, but I wanted to show this to you, so that if I make a mistake while I'm doing this, if you get an error you know why you're getting an error. If I had straight away gone ahead and done it, then probably you would not realize that, hey, it actually uses a special port.

Anyways, in order to do that we will need to modify the security group of our EC2 instance to ensure that this particular port range is open. We also need to ensure that the CloudHSM security group can also communicate on this particular port with our EC2 security group. So let us go ahead and change these two security groups. So let us go to EC2 and then go to Security groups. Okay, now before I do that, I did not capture my CloudHSM security group name, so in order for me to do that I'll have to go back; in fact I can basically even click from there itself on the security group. So this is the security group for my CloudHSM cluster; click from right here and it will go there, and you can select the security group, and you will see that this particular port range is open. Now this is 2223 to 2225, which is fine. Okay, edit inbound rules, and this is the default security group, that is the current one. Now what we need to do is ensure that our EC2 instance can communicate with CloudHSM, and for that we will have to ensure that our EC2 SG is mentioned over here. So basically, if you want, you can actually make it 2222 as well, otherwise 2223 is also fine; this is the general range. Okay, so I've added our EC2 security group over here; save rules for our inbound communication, and the same thing is going to be true for our outbound communication as well. I'm going to say ec2 and then save rules. Okay, so both our inbound and outbound rules have been changed to ensure that CloudHSM can communicate with our EC2 instance, and remember that EC2 is actually using this port, 2225, and as you see the connection has failed.

Now let us go back to our EC2 security groups and look for our ec2sg, right there. Okay, so inbound rules: remember we only had port 22 and 80 in my case, otherwise in your case it will only be port 22. Edit inbound rules, and here we are going to add a new rule; it's going to be custom TCP. Now again I'm going to say 2222; you can also have 2223, but ensure that it covers this range, and here we will have to select our CloudHSM security group, so it's right there, and save rules. For outbound rules I think the communication is open; yes it is. Okay, so we have made our required changes. Remember it's communicating on port 2225. So now let's go back; hopefully these changes have been implemented, and if our changes are successful this connection should also be successful. So let us try and execute this command all over again. There you go, our changes were successful, and now our EC2 instance is communicating with our CloudHSM over port 2225. Okay, now you see over here at the bottom, right there, you see aws-cloudhsm, where the cursor is there in green. So you basically completed these steps, and now we will be able to log in to our HSM, and the command to do that is right there. So I'm going to go ahead and copy that particular command and paste it right here. Okay, so it's saying login is successful, as you see right there.

And now, of course, the reason why we logged in was to change the password, but before we change the password, remember what I had mentioned earlier: that when you log in for the first time the default user has the type PRECO, and after you change the password it changes to CO. So right now it's a precrypto officer, then it will become the crypto officer. Okay, so let us verify that, and for that we will run this command called listUsers. Hit enter, and there you see this is the admin user and the type is PRECO. All right, so it's currently in a PRECO state; now that's what we want to change: you want to change this PRECO to CO. So we logged in, we listed all the users, it is type PRECO, and now we will change the password. Okay, so scroll down. Now you'll have to give a new password, and I'm going to use "newpassword" as the new password. Okay, so substitute whatever password you have; I'm gonna copy newpassword as my password, so this is my password. Okay, copy this, go back, paste it right there; remember, your new password is actually newpassword. Okay, hit enter. Do you want to continue changing the password? Yes. Password was changed successfully. Let us verify if the password was changed successfully: you'll be able to similarly do listUsers again, so hit enter, and if you see username admin, the type is now changed to crypto officer. So the password change was successful; so basically you changed the password successfully. Remember the password; in my case, just to keep things simple, the new password for me is actually "newpassword", all together; that's my new password that I'm highlighting. Okay, and if this was truly successful, this of course changed the CO, but most importantly our cluster should activate. Let us go back and check if this thing activated. There you go, you see status is Active, so we are in business; that is good. So we have completed all of these steps successfully.

So now our cluster is active; maybe we are ready to hand it over to our team who wants to create a custom key store, or maybe not. Let us see. Now our cluster is ready, but is it really ready for AWS KMS to create a custom key store? Let us review the prerequisites. This is the URL; this was the third reference URL as well, and I'm basically going to go ahead and copy that. So this is the URL, open this URL; I'll have this posted in the description as well. I'm just going to paste it right there. Now it mentions over here that the AWS CloudHSM cluster that you select must have the following characteristics to be leveraged by AWS KMS to create a custom key store. It should be active: so it is active. It should be in the same account and region, which it is. It cannot be associated with any other custom key store in the account: it is not, it's a brand new cluster. Okay, and most importantly it should have two private subnets in two different availability zones. I think when we provisioned the cluster we did that; remember I told you to select two different subnets and two different availability zones, so I think we are covered over there. The cluster security group should have these ports open; good, you're good over there. So all of these we are good with. The last one: the cluster must contain at least two active HSMs in two different availability zones. Let us go back and check. This is the cluster; it has two AZs, two subnets, it's active; of course we know it's brand new, nobody's using it, but it has only one HSM. That means this particular cluster cannot be leveraged to create a custom key store. In order for us to be able to do that we have to create another HSM in a different subnet in a different availability zone. So click on Create HSM, select a different AZ and a subnet, click on Create, and now it is provisioning another HSM. Now it will take some time for it to provision this HSM, but you see that it is going to be in a different AZ and a different subnet. So it's coming up; this is the IP address, and the creation is still in progress; it takes a little while for this particular HSM to come up. So in order for your team to be able to create the custom key store you need to have two HSMs in two different availability zones. We did not have that, hence we went ahead and provisioned another HSM in a different availability zone.

So once the HSM is up and running and active, then all your steps from an HSM perspective will be over. Of course, if there are any changes that are required your team will let you know, but at this point of time you are in good shape; you can now pretty much hand this cluster over to your team and tell them that if anything else is needed they will let you know, or otherwise they can go ahead and make any changes that are needed as well.

So guys, I hope that this particular lab was helpful. This is pretty important, and that's why I went a little slow as well. I hope that you guys understood what I was trying to accomplish over here, and how typically a CloudHSM cluster is provisioned, and how we provision HSMs within the cluster. As I said, please ensure that you delete all resources, and also ensure that you delete backups; as you see it's creating backups for me, so ensure that you delete and clean up all resources: that's your cluster, HSMs, your EC2 instance, your user and your backups. Ensure that all of that is cleaned up. Okay guys, that's it from me today and I will see you shortly in some other video. Till then, take care, bye.
Info
Channel: NamrataHShah
Views: 1,395
Rating: 4.9 out of 5
Keywords: Hand-on lab, Namrata H Shah, Namrata Shah, NamrataHShah, AWS, HSM, KMS, Hardware Security Module, Overview, Cloud Computing, Amazon Web Services, How to create, initialize and activate an AWS CloudHSM cluster, CloudHSM cluster, initialize cluster, activate cluster, AWS Security, Cloud Security, Trusted Advisor, IAM Policies, Key Management System, cloud computing, security, aws training, key management
Id: Y6agOjSWAKU
Length: 42min 17sec (2537 seconds)
Published: Tue Apr 13 2021