Problem:
Companies of all sizes seek to reduce IT operational costs and, as a result, migrate their business processes to a public cloud. In practice, companies run in-house maintained applications that are integrated with applications running in a public cloud such as AWS. It is a challenge, however, to unify certain services across such a multi-domain environment. PKI (public key infrastructure) is one example of such a service. The core of a PKI is its HSM appliances (software or hardware), such as CORAC KeyMaster or other HSM types operated in-house. However, if the in-house HSM loses its connection to the AWS Key service, some PKI processes are limited and business processes may be negatively affected.
Solution:
Key integration:
To extend the PKI strategy to AWS, it is important to create a process for integration with the AWS Key service. The AWS BYOK (bring your own key) solution allows customers to generate their own encryption keys (AES-256) in on-prem HSMs and upload such a key to AWS KMS. To export the key securely, it must be encrypted (wrapped) with a public key generated by AWS KMS.
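The wrapping step described above, as an added example in Go using the standard library's RSA-OAEP (this is not code from the original page or from CORAC). The wrapping key pair and the AES-256 key are generated locally as stand-ins for what KMS and the on-prem HSM would provide; the KMS API names in the comments (GetParametersForImport, ImportKeyMaterial, RSAES_OAEP_SHA_256) are AWS's, and the function names are assumptions of this example.

```go
package main

import (
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"crypto/x509"
	"fmt"
)

// wrapKeyMaterial wraps 32 bytes of AES-256 key material with the RSA public key
// KMS issues for import (GetParametersForImport returns it as DER-encoded
// SubjectPublicKeyInfo), using RSAES_OAEP_SHA_256: OAEP with SHA-256 for both the
// hash and MGF1. The output is what ImportKeyMaterial receives with the import token.
func wrapKeyMaterial(wrappingKeyDER, keyMaterial []byte) ([]byte, error) {
	if len(keyMaterial) != 32 {
		return nil, fmt.Errorf("AES-256 key material must be 32 bytes, got %d", len(keyMaterial))
	}
	pub, err := x509.ParsePKIXPublicKey(wrappingKeyDER)
	if err != nil {
		return nil, fmt.Errorf("parse wrapping key: %w", err)
	}
	rsaPub, ok := pub.(*rsa.PublicKey)
	if !ok {
		return nil, fmt.Errorf("wrapping key is not an RSA key")
	}
	return rsa.EncryptOAEP(sha256.New(), rand.Reader, rsaPub, keyMaterial, nil)
}

// roundTrip stands in for the KMS side: a locally constructed key pair (in reality
// only KMS ever holds the private half) and a random key standing in for the
// HSM-generated AES-256 key; it wraps, then checks that OAEP decryption recovers it.
func roundTrip() (bool, error) {
	priv, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		return false, err
	}
	der, _ := x509.MarshalPKIXPublicKey(&priv.PublicKey) // cannot fail for an RSA key
	keyMaterial := make([]byte, 32)
	rand.Read(keyMaterial) // crypto/rand: errors only if the system CSPRNG is broken
	wrapped, err := wrapKeyMaterial(der, keyMaterial)
	if err != nil {
		return false, err
	}
	got, err := rsa.DecryptOAEP(sha256.New(), nil, priv, wrapped, nil)
	if err != nil {
		return false, err
	}
	return len(wrapped) == 256 && string(got) == string(keyMaterial), nil // 256-byte blob for RSA-2048
}
```

In the real flow the private half never exists outside KMS, so the unwrap in roundTrip is only a local check; the plaintext key material should be generated in and exported from the HSM wrapped, never handled in the clear on a general-purpose host.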
....