
Deploying vSRX Virtual Firewall 3.0 for Securing Data using AWS KMS

Integrate AWS KMS with vSRX Virtual Firewall 3.0

Junos includes a wrapper library that lets VPN and other applications (such as mgd) on vSRX Virtual Firewall 3.0 communicate with AWS Key Management Service (KMS). The wrapper library exposes KMS through PKCS#11 APIs, and the Junos applications that use it have been updated to support the AWS cloud platform.

To enable and set up vSRX Virtual Firewall 3.0 to access KMS on AWS:

  1. Launch vSRX Virtual Firewall 3.0 instance on AWS.

  2. Set up KMS and DynamoDB for vSRX Virtual Firewall 3.0.

    Before vSRX Virtual Firewall can communicate with the KMS service, set up your AWS environment and account as follows:

    1. Create a DynamoDB table.

      The KMS PKCS#11 process uses the DynamoDB service on AWS to store and manage the key information created by vSRX Virtual Firewall 3.0 applications. You therefore need to create a DynamoDB table and pass its name to vSRX Virtual Firewall 3.0 (see step 5).

      Use the web console or the AWS CLI to create the DynamoDB table. In the web console, navigate to DynamoDB -> Tables and create the new table that will store the keys.

    2. Create IAM role to enable access for vSRX Virtual Firewall 3.0 instance.

      The KMS service is available to EC2 instances such as vSRX Virtual Firewall on AWS. Once the DynamoDB table exists, vSRX Virtual Firewall can use the service only if an IAM role with the required access policies is created and bound to the instance. vSRX Virtual Firewall also uses CloudWatch to log events, so the role must grant access to that service as well.

      These policies are the minimum required for the vSRX Virtual Firewall instance to use the KMS service. Once the role is created, attach it to the instance from the web console or using the AWS CLI.

      The IAM role should include the below access policies:

      • AWS Managed:

        • AmazonS3ReadOnlyAccess

        • AmazonSSMReadOnlyAccess

        • CloudWatchFullAccess

      • Custom:

        • DynamoDBTableFullAccess

        • KMSFullAccess

  3. Attach IAM role to vSRX Virtual Firewall instance.

    After creating the IAM role, attach it to the vSRX Virtual Firewall instance either from GUI or using AWS CLI.

    To attach the role in the web console, navigate to the instance, click Actions -> Security -> Modify IAM role in the top corner of the console, and select the IAM role you created. See IAM roles for Amazon EC2.

  4. Check the HSM status using the show security hsm status command. The CLI output displays the DynamoDB table in use along with HSM reachability, Master Binding Key (MBK), and Master Encryption Key (MEK) status. Before the table is configured, the HSM status shows accessible as No.

  5. For the HSM service to become accessible, the vSRX instance must be told which DynamoDB table stores the keys. Specify the table using the request security hsm set dynamo-db <name_of_the_dynamodb> command.

    When you run this command, the HSM status changes to accessible and the output shows the bound DynamoDB table.

  6. After enabling the KMS service, set the Master Encryption Key (MEK) using the request security hsm master-encryption-password set plain-text-password command on vSRX Virtual Firewall 3.0.

    Once you specify the MEK, vSRX Virtual Firewall 3.0 creates an RSA 2048 key pair in KMS, the Master Binding Key (MBK), and uses the MBK in KMS to encrypt the MEK. The MEK is then used as the key for encrypting data at rest, such as the hash of the configuration, private key files, and the master-password file, if present.

  7. Change the Master Encryption Password.

    If you want to change the master encryption password, run the request security hsm master-encryption-password set plain-text-password command from operational mode.

    Note:

    It is recommended that you make no configuration changes while you are changing the master encryption password.

    The system checks whether a master encryption password is already configured. If it is, you are prompted to enter the current master encryption password.

    The password you enter is validated against the current master encryption password. If the validation succeeds, you are prompted to enter the new master encryption password as plain text; you must enter it twice so that the two entries can be compared.

    The system then re-encrypts the sensitive data with the new master encryption password. Wait for this re-encryption to complete before attempting to change the master encryption password again.

    If the encrypted master encryption password file is lost or corrupted, the system cannot decrypt the sensitive data. The only way to recover is to re-import the sensitive data in clear text and re-encrypt it.
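
The AWS side of steps 2 and 3, followed by the Junos operational-mode commands from steps 4 to 6, as an added shell example that is not part of this page and not Juniper's code. It assumes the DynamoDB table already exists (created from the CloudFormation template or the console; its key schema is not given on this page) and uses placeholder values for the table name, role name, instance ID, region and account ID. The custom DynamoDBTableFullAccess policy is scoped to the single table ARN rather than to every table in the account; the custom KMSFullAccess policy grants kms:* as its name implies, because the page does not list the KMS actions the PKCS#11 wrapper needs. By default (DRY_RUN=1) the script only prints the commands; DRY_RUN=0 executes them.

```shell
#!/bin/sh
# Added example (not Juniper's code): create and attach the IAM role that lets a
# vSRX 3.0 instance use KMS with an existing DynamoDB table, then print the
# Junos operational-mode commands that finish the setup.
set -eu

: "${DRY_RUN:=1}"                        # 1 = print commands, 0 = run them
: "${AWS_REGION:=us-east-1}"             # assumed region
: "${ACCOUNT_ID:=123456789012}"          # placeholder; read from STS when DRY_RUN=0
: "${TABLE_NAME:=vsrx-kms-keys}"         # assumed name of the table from step 2
: "${ROLE_NAME:=vsrx-kms-role}"          # assumed role and instance-profile name
: "${INSTANCE_ID:=i-0123456789abcdef0}"  # placeholder vSRX instance ID

# Print the command in dry-run mode, otherwise execute it.
run() {
  if [ "$DRY_RUN" = 1 ]; then printf '+ %s\n' "$*"; else "$@"; fi
}

# Trust policy: only the EC2 service may assume the role (instance credentials).
ec2_trust_policy() {
  printf '%s' '{"Version":"2012-10-17","Statement":[{"Effect":"Allow","Principal":{"Service":"ec2.amazonaws.com"},"Action":"sts:AssumeRole"}]}'
}

# Custom DynamoDBTableFullAccess: full access, but only to the named table
# (and its indexes), not to every table in the account.  $1 = table ARN.
dynamodb_table_policy() {
  printf '{"Version":"2012-10-17","Statement":[{"Effect":"Allow","Action":"dynamodb:*","Resource":["%s","%s/index/*"]}]}' "$1" "$1"
}

# Custom KMSFullAccess as the page names it. The wrapper creates the MBK itself,
# so its key ID is not known in advance and cannot be used to narrow Resource.
kms_policy() {
  printf '%s' '{"Version":"2012-10-17","Statement":[{"Effect":"Allow","Action":"kms:*","Resource":"*"}]}'
}

table_arn() {
  printf 'arn:aws:dynamodb:%s:%s:table/%s' "$AWS_REGION" "$ACCOUNT_ID" "$TABLE_NAME"
}

# Role with the three AWS managed policies and the two custom policies.
create_role() {
  run aws iam create-role --role-name "$ROLE_NAME" \
      --assume-role-policy-document "$(ec2_trust_policy)"
  for p in AmazonS3ReadOnlyAccess AmazonSSMReadOnlyAccess CloudWatchFullAccess; do
    run aws iam attach-role-policy --role-name "$ROLE_NAME" \
        --policy-arn "arn:aws:iam::aws:policy/$p"
  done
  run aws iam create-policy --policy-name "${ROLE_NAME}-DynamoDBTableFullAccess" \
      --policy-document "$(dynamodb_table_policy "$(table_arn)")"
  run aws iam attach-role-policy --role-name "$ROLE_NAME" \
      --policy-arn "arn:aws:iam::${ACCOUNT_ID}:policy/${ROLE_NAME}-DynamoDBTableFullAccess"
  run aws iam create-policy --policy-name "${ROLE_NAME}-KMSFullAccess" \
      --policy-document "$(kms_policy)"
  run aws iam attach-role-policy --role-name "$ROLE_NAME" \
      --policy-arn "arn:aws:iam::${ACCOUNT_ID}:policy/${ROLE_NAME}-KMSFullAccess"
}

# EC2 attaches instance profiles, not roles. IAM is eventually consistent, so
# wait for the profile to be visible before associating it with the instance.
attach_to_instance() {
  run aws iam create-instance-profile --instance-profile-name "$ROLE_NAME"
  run aws iam add-role-to-instance-profile --instance-profile-name "$ROLE_NAME" \
      --role-name "$ROLE_NAME"
  run aws iam wait instance-profile-exists --instance-profile-name "$ROLE_NAME"
  run aws ec2 associate-iam-instance-profile --region "$AWS_REGION" \
      --instance-id "$INSTANCE_ID" --iam-instance-profile "Name=$ROLE_NAME"
}

# Junos operational-mode commands from steps 4 to 6, in the order they must run.
junos_steps() {
  printf 'show security hsm status\n'
  printf 'request security hsm set dynamo-db %s\n' "$TABLE_NAME"
  printf 'show security hsm status\n'
  printf 'request security hsm master-encryption-password set plain-text-password\n'
}

main() {
  if [ "$DRY_RUN" != 1 ]; then
    ACCOUNT_ID=$(aws sts get-caller-identity --query Account --output text)
  fi
  create_role
  attach_to_instance
  echo "Now run on the vSRX CLI:"
  junos_steps
}

main
```

Review the printed commands first, then rerun with DRY_RUN=0 and the real TABLE_NAME and INSTANCE_ID. After the instance profile is associated, the second show security hsm status in the printed Junos sequence should report the table and accessible as Yes before you set the master encryption password.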

AWS Cloud Formation Templates

This topic provides AWS CloudFormation Templates (CFTs). You can deploy these templates using the AWS CLI or the web console to create the DynamoDB table and the IAM role through the CloudFormation service, by creating one CloudFormation stack for each as described in this topic.

  • To create a CloudFormation stack you can do one of the following:

    • Deploy the CloudFormation stack using the CLI: refer to the YAML files and sample commands below to create a CloudFormation stack.

    • Deploy using the web console:

      • Navigate to CloudFormation -> Create Stack and click Create template in designer. At the bottom there is an option to select the template, and at the bottom right an option to select YAML format.

      • Paste the sample template and save it by clicking Save. You are prompted to save the file in an S3 bucket; after you save the template, its S3 location is displayed.

      • Copy the S3 location and paste it into CloudFormation -> Create Stack -> Template is ready -> S3 URL. Follow the prompts and click Next to create the stack. When prompted, enter the stack name given in the YAML file.

      Note:

      If you have problems deploying the template or creating the DynamoDB table using the AWS web console, contact your administrator and make sure your account has the necessary permissions. When creating the DynamoDB table, follow the guidelines at Naming Rules and Data Types.

      If you use the YAML files below to create the CloudFormation stacks through the web console, make sure you enter the stack name exactly as given in the YAML files after you specify the S3 URL and click Next.

      For example, the IAM role YAML file references the name of the DynamoDB stack created by the DynamoDB YAML file. If you provide an incorrect stack name, the IAM role stack fails to form.

      See Cloud Formation Template for DynamoDB for information on AWS Cloud formation templates for DynamoDB.

      See Cloud Formation Template to Create IAM Role for information on AWS CloudFormation templates for creating the IAM role.

Cloud Formation Template for DynamoDB

Deploy this template by executing the AWS CLI command aws cloudformation create-stack --stack-name libpkcs11aws-ddb --template-body file:///$PWD/ddb_table.cfn.yaml.

Note:

The stack name and template body file given in the CLI arguments must match those defined in the YAML file.

Cloud Formation Template to Create IAM Role

Deploy this template by executing the AWS CLI command aws --profile saml cloudformation create-stack --stack-name libpkcs11aws-ddb --template-body file:///$PWD/ddb_table.cfn.yaml, with the stack name and template body file replaced by the values defined in the IAM role YAML file.

Note:

The stack name and template body file given in the CLI arguments must match those defined in the YAML file. Stack names are unique within an account and region, so the IAM role stack cannot reuse the DynamoDB stack name, and because the IAM role template references the DynamoDB stack, create the DynamoDB stack first and wait for it to complete. A template that creates IAM roles must also be deployed with --capabilities CAPABILITY_IAM (or CAPABILITY_NAMED_IAM if the role has a fixed name); without it, create-stack is rejected with InsufficientCapabilitiesException.
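
The two stack deployments in the order they must run, as an added shell example that is not part of this page and not Juniper's code. The DynamoDB stack name and template file are the page's own; the IAM role stack name (libpkcs11aws-iam) and template file (iam_role.cfn.yaml) are placeholders for whatever the IAM role YAML file defines, since the page does not give them. The script waits for each stack before starting the next, because the IAM template references the DynamoDB stack, and it handles a stack left in ROLLBACK_COMPLETE or CREATE_FAILED by an earlier failed attempt, which must be deleted before a stack with the same name can be created again. With DRY_RUN=1 (the default) the commands are printed; DRY_RUN=0 executes them.

```shell
#!/bin/sh
# Added example (not Juniper's code): deploy the DynamoDB stack, then the IAM
# role stack that references it, waiting for each and recovering from a
# failed earlier attempt.
set -eu

: "${DRY_RUN:=1}"            # 1 = print commands, 0 = run them
: "${AWS_PROFILE_ARG:=}"     # e.g. "--profile saml" as in the page's command
DDB_STACK=libpkcs11aws-ddb          # from the page
DDB_TEMPLATE=ddb_table.cfn.yaml     # from the page
IAM_STACK=libpkcs11aws-iam          # placeholder: use the name in the IAM YAML
IAM_TEMPLATE=iam_role.cfn.yaml      # placeholder: use the IAM YAML file name

run() { if [ "$DRY_RUN" = 1 ]; then printf '+ %s\n' "$*"; else "$@"; fi; }

# Map a CloudFormation stack status to what the deployer must do:
#   absent  -> create it
#   ready   -> nothing, it already exists
#   wait    -> an operation is in progress, wait for it
#   delete  -> only a failed or rolled-back shell remains; it must be deleted
#              before a stack with the same name can be created again
plan_for_status() {
  case "$1" in
    "")                                     echo absent ;;
    CREATE_COMPLETE|UPDATE_COMPLETE)        echo ready ;;
    *_IN_PROGRESS)                          echo wait ;;
    ROLLBACK_COMPLETE|CREATE_FAILED|ROLLBACK_FAILED|DELETE_FAILED) echo delete ;;
    *)                                      echo unknown ;;
  esac
}

# Current status of a stack, or empty if it does not exist (describe-stacks
# errors on a missing stack, which is mapped to ""). Dry runs report absent.
stack_status() {
  if [ "$DRY_RUN" = 1 ]; then echo ""; return; fi
  aws $AWS_PROFILE_ARG cloudformation describe-stacks --stack-name "$1" \
      --query 'Stacks[0].StackStatus' --output text 2>/dev/null || echo ""
}

# Create a stack and block until CREATE_COMPLETE. The wait command exits
# non-zero if the stack rolls back, which aborts the script under set -e.
# $1 = stack name, $2 = template file, remaining args go to create-stack.
deploy_stack() {
  name=$1; template=$2; shift 2
  case "$(plan_for_status "$(stack_status "$name")")" in
    ready)   echo "$name already exists, skipping"; return ;;
    wait)    run aws $AWS_PROFILE_ARG cloudformation wait stack-create-complete --stack-name "$name"; return ;;
    delete)  run aws $AWS_PROFILE_ARG cloudformation delete-stack --stack-name "$name"
             run aws $AWS_PROFILE_ARG cloudformation wait stack-delete-complete --stack-name "$name" ;;
    unknown) echo "$name is in an unexpected state, aborting" >&2; return 1 ;;
  esac
  # file:// followed by the absolute path of the template
  run aws $AWS_PROFILE_ARG cloudformation create-stack --stack-name "$name" \
      --template-body "file://$PWD/$template" "$@"
  run aws $AWS_PROFILE_ARG cloudformation wait stack-create-complete --stack-name "$name"
}

main() {
  deploy_stack "$DDB_STACK" "$DDB_TEMPLATE"
  # The IAM template creates IAM resources, so CloudFormation requires the
  # capability acknowledgement; without it create-stack is rejected.
  deploy_stack "$IAM_STACK" "$IAM_TEMPLATE" --capabilities CAPABILITY_NAMED_IAM
  run aws $AWS_PROFILE_ARG cloudformation describe-stacks --stack-name "$IAM_STACK" \
      --query 'Stacks[0].Outputs' --output table
}

main
```

Run it from the directory that holds the two YAML files. If the IAM stack reaches ROLLBACK_COMPLETE, check the stack events for the failing resource (usually a wrong DynamoDB stack name in the cross-stack reference), fix the template, and rerun; the script deletes the failed shell before creating the stack again.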