
TLS Requirements for AWS

For the AWS platform, a TLS inspection policy requires:

  • Access to AWS Certificate Manager (ACM) or S3. Configure your ACM or S3 connection before adding your server to be proxied. For optimal security, make sure that your appliance's access to the certificates in the ACM or S3 is limited to Read-only.

  • Certificate ARN loaded through ACM or S3. This is your protected server's public key certificate that pairs with the private key. The total certificate file size cannot exceed 512 KB. This includes a 32 KB limit for each certificate and a maximum private key PEM size of 8 KB.

  • Permissions to enable an Identity and Access Management (IAM) user, role, or group to create a TLS service policy. For optimal security, configure only the minimum required permissions. Your appliance's IAM role must have a policy that grants it Read and List actions on the certificate manager and on the certificates required for decryption. To configure these permissions, navigate to Identity and Access Management, select Policies from the navigation, and create an ACM policy, an S3 bucket policy, and a SecretsManager policy as described below.

To create an ACM policy, click Create Policy, and then under the JSON tab, copy and paste the following permissions (replace arnidentifier with your unique ARN identifier for the resource):

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "VisualEditor0",
            "Effect": "Allow",
            "Action": [
                "acm:ExportCertificate",
                "acm:DescribeCertificate",
                "acm:GetCertificate"
            ],
            "Resource": "arnidentifier"
        },
        {
            "Sid": "VisualEditor1",
            "Effect": "Allow",
            "Action": [
                "acm:GetAccountConfiguration",
                "acm:ListCertificates",
                "acm:ListTagsForCertificate"
            ],
            "Resource": "*"
        }
    ]
}

To create an S3 bucket policy, click Create Policy, and then under the JSON tab, copy and paste the following permissions (replace arnidentifier with your unique ARN identifier for the resource):

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "VisualEditor0",
            "Effect": "Allow",
            "Action": [
                "s3:GetObject",
                "s3:GetBucketLocation",
                "s3:ListBucket"
            ],
            "Resource": "arnidentifier"
        },
        {
            "Sid": "VisualEditor1",
            "Effect": "Allow",
            "Action": [
                "s3:ListAllMyBuckets"
            ],
            "Resource": "*"
        }
    ]
}

To create a SecretsManager policy, click Create Policy, and then under the JSON tab, copy and paste the following permissions (replace arnidentifier with your unique ARN identifier for the resource):

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "VisualEditor0",
            "Effect": "Allow",
            "Action": [
                "secretsmanager:GetResourcePolicy",
                "secretsmanager:GetSecretValue",
                "secretsmanager:DescribeSecret",
                "secretsmanager:ListSecretVersionIds"
            ],
            "Resource": "arnidentifier"
        },
        {
            "Sid": "VisualEditor1",
            "Effect": "Allow",
            "Action": [
                "secretsmanager:GetRandomPassword",
                "secretsmanager:ListSecrets"
            ],
            "Resource": "*"
        }
    ]
}

Make sure your appliance has its own crypto user account that holds only the private keys needed for TLS inspection. The secret that you create then carries only that appliance user account's credentials, so a compromised appliance cannot reach keys it does not need.

After you have configured each policy with its correct permissions, navigate to Roles and then click Attach Policy to attach each policy to the IAM role for your Network Security appliance. Learn more about creating an IAM policy and role. Learn more about limiting the IAM role's access to the AWS service.
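Before attaching the three policies above, it is worth checking that the placeholder was actually replaced and that the actions which return key material stay scoped to a single ARN. The checker below is an added example, not part of the original page or the product: it lints a policy document for the least-privilege properties the page asks for. The sample ARN and the "bad" policy are constructed for illustration.

```python
import json
from typing import List

# Actions that hand back certificate, object or secret contents; these must be
# scoped to a specific ARN, never "*". Assumption: derived from the page's three policies.
SENSITIVE_ACTIONS = {
    "acm:ExportCertificate", "acm:GetCertificate",
    "s3:GetObject", "secretsmanager:GetSecretValue",
}
PLACEHOLDER = "arnidentifier"          # the token the page tells you to replace
READ_VERBS = ("Get", "List", "Describe", "Export")  # read/list only, per the page


def check_policy(policy: dict) -> List[str]:
    """Return findings for an IAM policy document; an empty list means it passes."""
    findings = []
    for stmt in policy.get("Statement", []):
        sid = stmt.get("Sid", "<no Sid>")
        if stmt.get("Effect") != "Allow":
            continue
        actions = stmt.get("Action", [])
        actions = [actions] if isinstance(actions, str) else actions
        resources = stmt.get("Resource", [])
        resources = [resources] if isinstance(resources, str) else resources
        for res in resources:
            if res == PLACEHOLDER:
                findings.append(f"{sid}: placeholder '{PLACEHOLDER}' was not replaced")
            elif res != "*" and not res.startswith("arn:"):
                findings.append(f"{sid}: resource {res!r} is not an ARN")
        for act in actions:
            if act == "*" or act.endswith(":*"):
                findings.append(f"{sid}: wildcard action {act!r}")
            if act in SENSITIVE_ACTIONS and "*" in resources:
                findings.append(f"{sid}: {act} granted on '*'")
            if not act.split(":")[-1].startswith(READ_VERBS):
                findings.append(f"{sid}: {act} is not a read/list action")
    return findings


# Constructed sample: the page's ACM policy with a made-up certificate ARN filled in.
ACM_POLICY = json.loads("""{"Version": "2012-10-17", "Statement": [
  {"Sid": "VisualEditor0", "Effect": "Allow",
   "Action": ["acm:ExportCertificate", "acm:DescribeCertificate", "acm:GetCertificate"],
   "Resource": "arn:aws:acm:us-east-1:123456789012:certificate/EXAMPLE-ID"},
  {"Sid": "VisualEditor1", "Effect": "Allow",
   "Action": ["acm:GetAccountConfiguration", "acm:ListCertificates", "acm:ListTagsForCertificate"],
   "Resource": "*"}]}""")

# Constructed bad variant: placeholder left in, a write action, and GetSecretValue on "*".
BAD_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Sid": "S0", "Effect": "Allow", "Resource": "*",
     "Action": ["secretsmanager:GetSecretValue", "secretsmanager:DeleteSecret"]},
    {"Sid": "S1", "Effect": "Allow", "Action": "s3:GetObject", "Resource": "arnidentifier"}]}

if __name__ == "__main__":
    for name, pol in (("ACM", ACM_POLICY), ("BAD", BAD_POLICY)):
        print(name, check_policy(pol) or "OK")
```

Run it against the S3 and SecretsManager documents too once you have filled in your ARNs; any finding means the role is wider than the page's Read/List guidance.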

  • Access to Hybrid Cloud Management (HCM). Configure your HCM connection before adding your server to be proxied. The HCM must reside in the same region and availability zone as the virtual appliance.

  • Access to a hardware security module (HSM). An HSM, such as AWS CloudHSM, is required only if you elect not to upload the private key from the wizard.

  • Access to AWS Key Management Service (KMS) and AWS Secrets Manager. For optimal security, create a KMS ARN for each of your appliances to ensure that all the keys on the filesystem are encrypted. If you delete, change, or make unavailable the KMS customer master key (CMK) in use by the appliance, the appliance will not be able to decrypt the private keys, and any associated TLS policies will be automatically disabled after a reboot.

  • Server to be proxied, and access to its private key. Although you can configure multiple proxies for TLS inspection, only one proxy can be configured at a time. To add the server, go to the Network > Appliances > appliancename page.

  • A single managed Network Security virtual appliance. Although you can configure multiple appliances for TLS inspection, only one appliance can be configured at a time. The appliance must have a minimum version of 2021.8.0.11159. Appliances that belong to scaling groups or scale sets are not currently supported. When you create the AWS CloudHSM, the HSM creates its own security group that includes inbound rules tied to a specific port range. This security group must be added to your virtual appliance so that it can pull the keys from the HSM over one of the ports in the port range. Locate and select your instance on AWS, click Actions > Security > Change security groups, add your HSM cluster as an associated security group, and click Save.

  • Either a single server with a protected static IP address, or, for servers running behind a load balancer, a subnet (CIDR). To get the server's IP, go into AWS where the server is located, click EC2, click Instances (running), and copy the IP address specified under Private IPv4 addresses (this is the IP address accessible within AWS only). For example, 192.0.2.0 or, if you use a CIDR, 198.51.100.0/24. The CIDR prefix length can range from /8 to /32.

NOTE

Network Security does not currently support AWS Gateway Load Balancer (GWLB) for TLS inspection.

  • Server’s public certificate. You can enable access through either your ACM or by placing it in an Amazon S3 bucket.

  • Private key. You can use either AWS CloudHSM or manually upload your own private key. If you use AWS CloudHSM, be sure to first create the IAM role and secret in AWS so that the Network Security service can access the private key.