3 posts tagged with "VPC"

AWS CloudFormation Best Practices: Create Infrastructure with VPC, KMS, IAM

· 7 min read
Cloud & AI Engineering
Arina Technologies

In today's fast-paced tech world, automating infrastructure setup is key to maximizing efficiency and reducing human error. One of the most reliable tools for this is AWS CloudFormation, which allows users to define their cloud resources and manage them as code. While AWS provides a Console for managing CloudFormation, the AWS Command Line Interface (CLI) is a powerful alternative that offers speed, control, and flexibility. In this blog, we'll walk you through setting up CloudFormation using AWS CLI, covering essential components like VPCs, KMS keys, and IAM roles.


1. Introduction to AWS CloudFormation


Before diving into technical details, it's important to understand what AWS CloudFormation is and why it's so beneficial.


What is AWS CloudFormation?


AWS CloudFormation is an Infrastructure-as-Code (IaC) service provided by AWS that allows you to model, provision, and manage AWS and third-party resources. You define your resources using template files (JSON or YAML) and deploy them via AWS CloudFormation, which takes care of the provisioning and configuration.


CloudFormation manages the entire lifecycle of your resources, from creation to deletion, allowing for automation and consistent environments.



Benefits of Using CloudFormation


  1. Automation: CloudFormation automates the entire infrastructure setup, from VPC creation to IAM role configuration, reducing manual work and errors.

  2. Version Control: Treat your infrastructure like code. With CloudFormation, you can manage your infrastructure in repositories like Git, making it easy to version, track, and roll back changes.

  3. Consistency: CloudFormation ensures that the same template can be used to create identical environments, such as development, staging, and production.

  4. Cost Efficiency: With CloudFormation, resources can be automatically deleted when no longer needed, preventing unnecessary costs from unused resources.


2. Why Use AWS CLI Over the Console?


AWS CLI vs Console: Which One is Better for You?


The AWS Management Console offers an intuitive, visual interface for managing AWS resources, but it's not always the most efficient way to manage infrastructure, especially when it grows complex. Here's how AWS CLI compares:

Feature          AWS Console                     AWS CLI
Ease of Use      Easy, intuitive UI              Requires knowledge of CLI commands
Speed            Slower, due to manual clicks    Faster for repetitive tasks
Automation       Limited                         Full automation via scripting
Error Handling   Manual rollback                 Automated error handling
Scalability      Hard to manage large infra      Ideal for large, complex setups

Advantages of Using AWS CLI


  1. Automation: CLI commands can be scripted for automation, allowing you to run tasks without manually navigating through the Console.
  2. Faster Setup: CLI allows you to automate stack creation, updates, and deletion, significantly speeding up the setup process.
  3. Better Error Handling: You can incrementally update stacks and fix errors on the go with AWS CLI, making it easier to debug and manage resources.

3. Prerequisites


Before we start building with CloudFormation, let’s go over the prerequisites.


Setting Up AWS CLI


AWS CLI is a powerful tool that allows you to manage AWS services from the command line. To get started:


  1. Install AWS CLI:

  2. Verify Installation: After installation, verify that the AWS CLI is installed by typing the following command in your terminal:

    aws --version

    If successfully installed, the version information will be displayed.


Configuring AWS Profiles


Before using AWS CLI to interact with your AWS account, you'll need to configure a profile:


aws configure

You'll be prompted to provide:

  • AWS Access Key ID
  • AWS Secret Access Key
  • Default region name (e.g., us-west-2)
  • Default output format (choose JSON)

This configuration will allow the CLI to authenticate and interact with your AWS account.


4. Step-by-Step Guide to AWS CloudFormation with AWS CLI


Now that your CLI is set up, let us get into how to deploy AWS CloudFormation stacks using it.


Setting Up Your First CloudFormation Stack


We will start with a simple example of how to create a CloudFormation stack. Suppose you want to create a Virtual Private Cloud (VPC).


  1. Create a YAML Template: Save the following template in a file named vpc.yaml:

AWSTemplateFormatVersion: '2010-09-09'
Resources:
  MyVPC:
    Type: AWS::EC2::VPC
    Properties:
      CidrBlock: 10.0.0.0/16
      Tags:
        - Key: Name
          Value: MyVPC

  2. Deploy the Stack: To create the VPC, run the following command:

aws cloudformation create-stack --stack-name my-vpc-stack --template-body file://vpc.yaml --capabilities CAPABILITY_NAMED_IAM

This command instructs CloudFormation to create the VPC from the specified template. The --capabilities CAPABILITY_NAMED_IAM flag is only required for templates that create named IAM resources; it is harmless for this VPC-only template.


  3. Check the Stack Status: To verify the status of your stack creation, use:

aws cloudformation describe-stacks --stack-name my-vpc-stack

Deploying a Virtual Private Cloud (VPC)


A VPC is essential for defining your network infrastructure in AWS. Here’s how you can add more resources to your VPC, such as an Internet Gateway:


Resources:
  MyVPC:
    Type: AWS::EC2::VPC
    Properties:
      CidrBlock: 10.0.0.0/16
      Tags:
        - Key: Name
          Value: MyVPC
  InternetGateway:
    Type: AWS::EC2::InternetGateway
  VPCGatewayAttachment:
    Type: AWS::EC2::VPCGatewayAttachment
    Properties:
      VpcId: !Ref MyVPC
      InternetGatewayId: !Ref InternetGateway

Deploy this using the same create-stack command.


Setting Up Security with KMS (Key Management Service)


Next, we will add encryption keys for securing data:


  1. KMS Template: Save the following template in a file named kms.yaml:

Resources:
  MyKMSKey:
    Type: AWS::KMS::Key
    Properties:
      Description: Key for encrypting data
      Enabled: true

  2. Deploy KMS:

aws cloudformation create-stack --stack-name my-kms-stack --template-body file://kms.yaml --capabilities CAPABILITY_NAMED_IAM

Managing Access with IAM Roles


IAM Roles allow secure communication between AWS services. Here’s an example of how to create an IAM role:


Resources:
  MyIAMRole:
    Type: AWS::IAM::Role
    Properties:
      AssumeRolePolicyDocument:
        Version: '2012-10-17'
        Statement:
          - Effect: Allow
            Principal:
              Service: ec2.amazonaws.com
            Action: sts:AssumeRole
      Path: /

Use the same create-stack command to deploy this.
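A pre-deployment review of the KMS key and IAM role templates above, as an added Go example (not code from the post or its repository). It reads the two templates in their JSON form, which CloudFormation accepts alongside YAML, and reports what the key template leaves out (automatic rotation, an explicit key policy) while confirming that the role's trust policy names only the EC2 service. Resource names are the post's; the `{"AWS": "*"}` check is a general addition not tied to these templates.

```go
package main

import "encoding/json"

// Constructed JSON forms of the post's KMS key and IAM role templates (CloudFormation
// accepts JSON as well as YAML; the YAML !Ref shorthand becomes {"Ref": ...} in JSON).
const KmsTemplate = `{"Resources": {"MyKMSKey": {"Type": "AWS::KMS::Key",
  "Properties": {"Description": "Key for encrypting data", "Enabled": true}}}}`

const RoleTemplate = `{"Resources": {"MyIAMRole": {"Type": "AWS::IAM::Role",
  "Properties": {"Path": "/", "AssumeRolePolicyDocument": {"Version": "2012-10-17",
    "Statement": [{"Effect": "Allow", "Action": "sts:AssumeRole",
      "Principal": {"Service": "ec2.amazonaws.com"}}]}}}}}`

// Findings reviews a template before create-stack runs and reports security-relevant
// omissions: KMS keys without rotation or an explicit key policy, and IAM roles whose
// trust policy lets any principal assume them. Findings are listed in resource order.
func Findings(template string) ([]string, error) {
	var t struct{ Resources map[string]struct{ Type string; Properties map[string]any } }
	if err := json.Unmarshal([]byte(template), &t); err != nil {
		return nil, err
	}
	var out []string
	for name, r := range t.Resources {
		switch r.Type {
		case "AWS::KMS::Key":
			if on, _ := r.Properties["EnableKeyRotation"].(bool); !on {
				out = append(out, name+": EnableKeyRotation is not true")
			}
			if _, ok := r.Properties["KeyPolicy"]; !ok {
				out = append(out, name+": no explicit KeyPolicy (the default key policy applies)")
			}
		case "AWS::IAM::Role":
			doc, _ := r.Properties["AssumeRolePolicyDocument"].(map[string]any)
			stmts, _ := doc["Statement"].([]any)
			for _, s := range stmts {
				st, _ := s.(map[string]any)
				p := st["Principal"]
				if pm, ok := p.(map[string]any); ok {
					p = pm["AWS"] // {"AWS": "*"} is the other spelling of "anyone"
				}
				if st["Effect"] == "Allow" && p == "*" {
					out = append(out, name+": trust policy allows any principal to assume it")
				}
			}
		}
	}
	return out, nil
}
```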


5. Best Practices for AWS CloudFormation


Use Nested Stacks


Avoid large, monolithic stacks. Break them down into smaller, nested stacks for better manageability.

Resources:
  ParentStack:
    Type: AWS::CloudFormation::Stack
    Properties:
      TemplateURL: https://s3.amazonaws.com/path/to/nested-stack.yaml

Parameterization


Use parameters to make your stacks reusable across different environments.


Parameters:
  InstanceType:
    Type: String
    Default: t2.micro
    Description: EC2 Instance Type

Exporting and Referencing Outputs


Export important resource values for use in other stacks:


Outputs:
  VPCId:
    Value: !Ref MyVPC
    Export:
      Name: VPCId

Incremental Stack Updates


Apply changes to existing stacks as small, incremental updates rather than large rewrites, so that a failed update is easier to diagnose and roll back.

aws cloudformation update-stack --stack-name my-stack --template-body file://updated-template.yaml

6. Advanced CloudFormation Features


Handling Dependencies and Stack Failures


Use the DependsOn attribute to specify dependencies between resources to avoid issues with resource creation order.


Custom Resource Creation


For advanced use cases, you can create custom resources by using Lambda functions or CLI.


7. Conclusion and Next Steps


By using AWS CloudFormation with AWS CLI, you can automate your infrastructure, reduce errors, and scale your environment effortlessly. Continue learning by experimenting with more complex templates, incorporating advanced features like stack sets, and automating further with scripts.

Code shown in the video can be accessed from https://github.com/arinatechnologies/cloudformation

Your Data, Your Keys, Your Control: Bring your own keys to AWS CloudHSM - Part 2

· 4 min read

When managing sensitive data in the cloud, organizations increasingly seek control over their encryption keys. Amazon Web Services (AWS) allows for this with the Bring Your Own Key (BYOK) feature, which integrates seamlessly with AWS Key Management Service (KMS) and CloudHSM. This guide provides a step-by-step approach to setting up BYOK in AWS, enabling you to maintain strict control over key management processes while leveraging AWS's secure infrastructure.


Preliminary Steps: Environment Setup



1. Prepare Your EC2 Instance


First, establish a secure environment on your EC2 instance by creating a new folder specifically for this process:


mkdir /opt/vb-hsm/hsm-10
cd /opt/vb-hsm/hsm-10

2. Create the AWS KMS Key




Initiate a KMS key with no key material:


aws kms create-key --origin EXTERNAL --region us-east-1

Record the key ID displayed in the output as you will need it for subsequent steps.


Configuring the Key Alias




Create a user-friendly alias for your new KMS key to simplify management:


aws kms create-alias --alias-name alias/byok-mrk --target-key-id YOUR_KEY_ID

Preparing for Key Import


3. Retrieve Import Parameters




Generate and save the necessary parameters for key import:


aws kms get-parameters-for-import --key-id YOUR_KEY_ID --wrapping-algorithm RSAES_OAEP_SHA_256 --wrapping-key-spec RSA_2048 --region us-east-1 > ./WrappingParameters.json

4. Extract and Prepare the Import Token




Extract the import token and public key, converting them into usable formats:


jq -r '.ImportToken' ./WrappingParameters.json > ./ImportToken.b64
echo -e "-----BEGIN PUBLIC KEY-----\n$(jq -r '.PublicKey' ./WrappingParameters.json)\n-----END PUBLIC KEY-----" > ./PublicKey.pem
openssl enc -d -base64 -A -in ./ImportToken.b64 -out ./ImportToken.bin

Importing the Public Key to CloudHSM


5. Initialize Crypto User Environment




Set the environment variables to operate as a crypto user in CloudHSM:


export CLOUDHSM_ROLE=crypto-user
export CLOUDHSM_PIN=cu_user1:password123

6. Import the Public Key




Import the public key to your HSM:


/opt/cloudhsm/bin/cloudhsm-cli key import pem --path ./PublicKey.pem --label wrapping-key-example-11 --key-type-class rsa-public --attributes wrap=true

Key Wrapping and Import


7. Generate or Import Your Symmetric Key




If you do not already possess a symmetric AES key:


/opt/cloudhsm/bin/cloudhsm-cli key generate-symmetric aes --key-length-bytes 32 --label byok-kms-13

8. Wrap the Symmetric Key




Use the imported public key to wrap your symmetric key:


/opt/cloudhsm/bin/cloudhsm-cli key wrap rsa-oaep --payload-filter attr.label=byok-kms-13 --wrapping-filter attr.label=wrapping-key-example-11 --hash-function sha256 --mgf mgf1-sha256 --path ./KMS-BYOK-May2024-11-wrapped.bin

9. Import the Key Material to KMS


Finally, import the wrapped key material into AWS KMS:


aws kms import-key-material --key-id YOUR_KEY_ID --encrypted-key-material fileb://KMS-BYOK-May2024-11-wrapped.bin --import-token fileb://ImportToken.bin --expiration-model KEY_MATERIAL_EXPIRES --valid-to 2024-09-01T12:00:00-08:00 --region us-east-1
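The wrap from step 8, reproduced offline as an added Go example (not the post's code): it parses a PublicKey.pem like the one built in step 4, applies RSAES-OAEP with SHA-256 and MGF1-SHA-256 exactly as the cloudhsm-cli flags request, and checks the result by unwrapping with a locally generated stand-in for the KMS key pair. One caveat the steps above rely on: the public key and import token from a single get-parameters-for-import response belong together and expire after 24 hours, so the wrap must use that response's key.

```go
package main

import (
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"crypto/x509"
	"encoding/pem"
	"errors"
)

// WrapKeyMaterial does what "cloudhsm-cli key wrap rsa-oaep --hash-function sha256
// --mgf mgf1-sha256" does inside the HSM: RSAES-OAEP (SHA-256, MGF1-SHA-256) over the raw
// 256-bit AES key, using the PublicKey.pem built from the get-parameters-for-import output.
func WrapKeyMaterial(publicKeyPEM, aesKey []byte) ([]byte, error) {
	if len(aesKey) != 32 {
		return nil, errors.New("key material must be a 32-byte AES key")
	}
	block, _ := pem.Decode(publicKeyPEM)
	if block == nil || block.Type != "PUBLIC KEY" {
		return nil, errors.New("expected a PEM PUBLIC KEY block")
	}
	pub, err := x509.ParsePKIXPublicKey(block.Bytes)
	if err != nil {
		return nil, err
	}
	rsaPub, ok := pub.(*rsa.PublicKey)
	if !ok || rsaPub.Size() != 256 { // must match --wrapping-key-spec RSA_2048
		return nil, errors.New("wrapping key must be RSA_2048")
	}
	// EncryptOAEP uses MGF1 with the same hash, i.e. the post's mgf1-sha256.
	return rsa.EncryptOAEP(sha256.New(), rand.Reader, rsaPub, aesKey, nil)
}

// Demo plays both sides offline: a locally generated RSA key stands in for the KMS wrapping
// key (its private half never leaves KMS in the real flow), so the wrap can be checked by
// unwrapping. Returns true when the recovered material equals the original key.
func Demo() (bool, error) {
	kmsKey, _ := rsa.GenerateKey(rand.Reader, 2048) // stand-in for the KMS-held key pair
	der, _ := x509.MarshalPKIXPublicKey(&kmsKey.PublicKey)
	pubPEM := pem.EncodeToMemory(&pem.Block{Type: "PUBLIC KEY", Bytes: der})
	aesKey := make([]byte, 32) // constructed key material, like "key generate-symmetric aes"
	rand.Read(aesKey)
	wrapped, err := WrapKeyMaterial(pubPEM, aesKey)
	if err != nil || len(wrapped) != 256 { // an RSA_2048 wrap is always 256 bytes
		return false, err
	}
	got, err := rsa.DecryptOAEP(sha256.New(), nil, kmsKey, wrapped, nil)
	return err == nil && string(got) == string(aesKey), err
}
```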



Conclusion


By following these steps, you've successfully integrated BYOK with AWS KMS using CloudHSM, granting you enhanced control over your cryptographic keys. This process not only ensures compliance with stringent regulatory standards but also enhances the security posture of your cloud deployments. Remember, managing your keys securely involves careful planning and execution to protect your data effectively.

Your Data, Your Keys, Your Control: Bring your own keys to AWS CloudHSM - Part 1

· 4 min read

Amazon Web Services (AWS) CloudHSM offers a robust solution for securing cryptographic keys and operations within the cloud, leveraging hardware security modules (HSMs) to enhance security. This guide walks through the process of setting up an AWS CloudHSM environment, from configuring EC2 instances to initializing and managing the HSM cluster.

Initial Setup: EC2 and CloudHSM Cluster


EC2 Configuration

  • Instance Selection: Start by provisioning an Amazon EC2 instance, choosing either a t2.micro or t2.small with Amazon Linux 2.
  • VPC Configuration: Ensure that the EC2 instance is set up within the same Virtual Private Cloud (VPC) as the intended CloudHSM cluster to facilitate seamless connectivity.

CloudHSM Cluster Creation

  • Access AWS Console: Navigate to the CloudHSM section within the AWS Console and start the process by selecting "Create Cluster".
  • VPC and AZ Selection: Choose the appropriate VPC and, for simplicity in this setup, select only one Availability Zone (AZ); two are typically recommended for better resilience.
  • Cluster Configuration: After providing necessary configurations like backups and tags, create the cluster. Once created, the cluster status will initially show as Uninitialized.

Initializing the CloudHSM Cluster

Key Management

  • Generate Key Pair: Before initializing, generate a new RSA key pair referred to as the customer key pair. This involves creating a private key and a corresponding self-signed certificate using OpenSSL commands.

Cluster Initialization

  • CSR Process: Navigate to the 'Initialize' action in the CloudHSM console and create an HSM instance in your cluster. You will need to download a Certificate Signing Request (CSR).
  • Sign CSR: Use the previously generated private key to sign the CSR. This confirms your ownership of the HSM cluster.
openssl x509 -req -days 3652 -in <Cluster_ID>_ClusterCsr.csr \
-CA customerCA.crt -CAkey customerCA.key -CAcreateserial \
-out <Cluster_ID>_CustomerHsmCertificate.crt

Upload Certificates

  • Finalizing Initialization: Back in the AWS CloudHSM console, upload the signed cluster certificate and your issuing certificate. After uploading, finalize the initialization.

Activating the Cluster

Once initialized, configure the issuing certificate on each EC2 instance connecting to the cluster to enable the cluster's activation.

/opt/cloudhsm/bin/cloudhsm-cli interactive
cluster activate
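The CSR-signing step and the trust it establishes, as an added Go example (not the post's code): a locally generated key pair stands in for customerCA.key, another for the HSM-held cluster key, and VerifyChain is the check a client configured with only the issuing certificate performs when it connects. The cluster ID is a placeholder.

```go
package main

import (
	"crypto/rand"
	"crypto/rsa"
	"crypto/x509"
	"crypto/x509/pkix"
	"math/big"
	"time"
)

// IssueClusterCert mirrors "openssl x509 -req -days 3652 ... -CA customerCA.crt -CAkey
// customerCA.key": a self-signed customer CA (generated here) signs the cluster CSR. The real
// cluster key stays inside the HSM; a local key stands in for it. clusterID is a placeholder.
func IssueClusterCert(clusterID string) (*x509.Certificate, *x509.Certificate, error) {
	caKey, _ := rsa.GenerateKey(rand.Reader, 2048) // customerCA.key
	now := time.Now()
	caTmpl := &x509.Certificate{SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: "customerCA"},
		NotBefore: now, NotAfter: now.AddDate(10, 0, 0), IsCA: true, BasicConstraintsValid: true,
		KeyUsage: x509.KeyUsageCertSign}
	caDER, err := x509.CreateCertificate(rand.Reader, caTmpl, caTmpl, &caKey.PublicKey, caKey)
	if err != nil {
		return nil, nil, err
	}
	caCert, _ := x509.ParseCertificate(caDER) // customerCA.crt
	hsmKey, _ := rsa.GenerateKey(rand.Reader, 2048) // stand-in for the HSM-held cluster key
	csrDER, _ := x509.CreateCertificateRequest(rand.Reader,
		&x509.CertificateRequest{Subject: pkix.Name{CommonName: clusterID}}, hsmKey)
	csr, _ := x509.ParseCertificateRequest(csrDER) // <Cluster_ID>_ClusterCsr.csr
	if err := csr.CheckSignature(); err != nil { // the CSR proves possession of the cluster key
		return nil, nil, err
	}
	clTmpl := &x509.Certificate{SerialNumber: big.NewInt(2), Subject: csr.Subject,
		NotBefore: now, NotAfter: now.AddDate(0, 0, 3652), // the post's -days 3652
		KeyUsage: x509.KeyUsageDigitalSignature | x509.KeyUsageKeyEncipherment}
	clDER, err := x509.CreateCertificate(rand.Reader, clTmpl, caCert, csr.PublicKey, caKey)
	if err != nil {
		return nil, nil, err
	}
	clCert, _ := x509.ParseCertificate(clDER) // <Cluster_ID>_CustomerHsmCertificate.crt
	return caCert, clCert, nil
}

// VerifyChain is what a client holding only customerCA.crt checks: the cluster cert chains to it.
func VerifyChain(issuingCA, clusterCert *x509.Certificate) error {
	roots := x509.NewCertPool()
	roots.AddCert(issuingCA)
	_, err := clusterCert.Verify(x509.VerifyOptions{Roots: roots})
	return err
}
```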

Configuring HSM CLI and User Management


HSM CLI Setup

  • Install CLI: Download and install the CloudHSM CLI tools on your EC2 instance.
wget https://s3.amazonaws.com/cloudhsmv2-software/CloudHsmClient/EL7/cloudhsm-cli-latest.el7.x86_64.rpm
sudo yum install ./cloudhsm-cli-latest.el7.x86_64.rpm

User Setup

  • Create Admin User: Utilize the HSM CLI to create an admin user. Once the admin user is set up, log in and start managing the HSM cluster.
user create --username admin --role admin
login --username admin --role admin

Crypto User Creation

  • Manage Keys and Crypto Operations: Create crypto users (CUs) who will manage and use cryptographic keys. Each CU can create, delete, share, import, and export keys, and perform cryptographic operations like encryption and decryption.

Conclusion

AWS CloudHSM provides a secure platform for cryptographic operations in the cloud. By following these detailed steps, you can set up your CloudHSM cluster, manage keys and users, and ensure high security and compliance with organizational standards. This setup not only enhances security but also provides a scalable solution for managing cryptographic keys and operations efficiently.