Translated ['src/README.md', 'src/banners/hacktricks-training.md', 'src/

This commit is contained in:
Translator
2024-12-31 20:26:13 +00:00
parent 44da2ea78f
commit 6f74ac1a76
245 changed files with 9102 additions and 11816 deletions


@@ -4,68 +4,62 @@
## HSM - Hardware Security Module
Cloud HSM is a FIPS 140 level two validated **hardware device** for secure cryptographic key storage (note that CloudHSM is a hardware appliance, it is not a virtualized service). It is a SafeNetLuna 7000 appliance with 5.3.13 preloaded. There are two firmware versions and which one you pick is really based on your exact needs. One is for FIPS 140-2 compliance and there was a newer version that can be used.
Cloud HSM ni kifaa cha **hardware** kilichothibitishwa kwa kiwango cha FIPS 140 level two kwa ajili ya uhifadhi salama wa funguo za cryptographic (kumbuka kwamba CloudHSM ni kifaa cha hardware, si huduma iliyovirtualized). Ni kifaa cha SafeNetLuna 7000 chenye toleo la 5.3.13 lililopakiwa awali. Kuna toleo mbili za firmware na unachagua ipi kulingana na mahitaji yako halisi. Moja ni kwa ajili ya kufuata FIPS 140-2 na kulikuwa na toleo jipya ambalo linaweza kutumika.
The unusual feature of CloudHSM is that it is a physical device, and thus it is **not shared with other customers**, or as it is commonly termed, multi-tenant. It is dedicated single tenant appliance exclusively made available to your workloads
Sifa isiyo ya kawaida ya CloudHSM ni kwamba ni kifaa halisi, na hivyo **hakishirikiwa na wateja wengine**, au kama inavyotajwa mara nyingi, multi-tenant. Ni kifaa cha mpangilio wa pekee kilichotolewa kwa kazi zako pekee.
Typically, a device is available within 15 minutes assuming there is capacity, but in some zones there could not be.
Kwa kawaida, kifaa kinapatikana ndani ya dakika 15 ikiwa kuna uwezo, lakini katika maeneo mengine huenda kukawa hakuna.
Since this is a physical device dedicated to you, **the keys are stored on the device**. Keys need to either be **replicated to another device**, backed up to offline storage, or exported to a standby appliance. **This device is not backed** by S3 or any other service at AWS like KMS.
Kwa kuwa hiki ni kifaa halisi kilichotolewa kwako, **funguo zinahifadhiwa kwenye kifaa**. Funguo zinahitaji **kuigwa kwenye kifaa kingine**, kuhifadhiwa kwenye hifadhi ya nje, au kusafirishwa kwa kifaa cha akiba. **Kifaa hiki hakina msaada** kutoka S3 au huduma nyingine yoyote katika AWS kama KMS.
In **CloudHSM**, you have to **scale the service yourself**. You have to provision enough CloudHSM devices to handle whatever your encryption needs are based on the encryption algorithms you have chosen to implement for your solution.\
Key Management Service scaling is performed by AWS and automatically scales on demand, so as your use grows, so might the number of CloudHSM appliances that are required. Keep this in mind as you scale your solution and if your solution has auto-scaling, make sure your maximum scale is accounted for with enough CloudHSM appliances to service the solution.
Katika **CloudHSM**, unapaswa **kupanua huduma mwenyewe**. Unapaswa kuandaa vifaa vya CloudHSM vya kutosha kushughulikia mahitaji yako ya usimbuaji kulingana na algorithimu za usimbuaji ulizochagua kutekeleza kwa suluhisho lako.\
Upanuzi wa Huduma ya Usimamizi wa Funguo unafanywa na AWS na unapanuka kiotomatiki kwa mahitaji, hivyo kadri matumizi yako yanavyokua, ndivyo idadi ya vifaa vya CloudHSM vinavyohitajika inaweza kuongezeka. Kumbuka hili unavyopanua suluhisho lako na ikiwa suluhisho lako lina auto-scaling, hakikisha kiwango chako cha juu kimezingatiwa na vifaa vya kutosha vya CloudHSM kuhudumia suluhisho hilo.
Just like scaling, **performance is up to you with CloudHSM**. Performance varies based on which encryption algorithm is used and on how often you need to access or retrieve the keys to encrypt the data. Key management service performance is handled by Amazon and automatically scales as demand requires it. CloudHSM's performance is achieved by adding more appliances and if you need more performance you either add devices or alter the encryption method to the algorithm that is faster.
Kama vile upanuzi, **utendaji ni juu yako na CloudHSM**. Utendaji unategemea ni algorithimu gani ya usimbuaji inatumika na ni mara ngapi unahitaji kufikia au kupata funguo za kusimbua data. Utendaji wa huduma ya usimamizi wa funguo unashughulikiwa na Amazon na unapanuka kiotomatiki kadri mahitaji yanavyohitajika. Utendaji wa CloudHSM unapatikana kwa kuongeza vifaa zaidi na ikiwa unahitaji utendaji zaidi unapaswa kuongeza vifaa au kubadilisha njia ya usimbuaji kwa algorithimu inayokuwa haraka.
If your solution is **multi-region**, you should add several **CloudHSM appliances in the second region and work out the cross-region connectivity with a private VPN connection** or some method to ensure the traffic is always protected between the appliance at every layer of the connection. If you have a multi-region solution you need to think about how to **replicate keys and set up additional CloudHSM devices in the regions where you operate**. You can very quickly get into a scenario where you have six or eight devices spread across multiple regions, enabling full redundancy of your encryption keys.
Ikiwa suluhisho lako ni **multi-region**, unapaswa kuongeza vifaa kadhaa **CloudHSM katika eneo la pili na kutatua muunganisho wa mikoa kwa njia ya VPN ya kibinafsi** au njia nyingine yoyote kuhakikisha kuwa trafiki inakuwa salama kila wakati kati ya kifaa katika kila safu ya muunganisho. Ikiwa una suluhisho la multi-region unahitaji kufikiria jinsi ya **kuiga funguo na kuanzisha vifaa vya ziada vya CloudHSM katika mikoa unayofanya kazi**. Unaweza kuingia haraka katika hali ambapo una vifaa sita au nane vilivyotawanyika katika mikoa mbalimbali, ikiruhusu redundancy kamili ya funguo zako za usimbuaji.
**CloudHSM** is an enterprise class service for secured key storage and can be used as a **root of trust for an enterprise**. It can store private keys in PKI and certificate authority keys in X509 implementations. In addition to symmetric keys used in symmetric algorithms such as AES, **KMS stores and physically protects symmetric keys only (cannot act as a certificate authority)**, so if you need to store PKI and CA keys a CloudHSM or two or three could be your solution.
**CloudHSM** ni huduma ya daraja la biashara kwa ajili ya uhifadhi salama wa funguo na inaweza kutumika kama **mizizi ya kuaminika kwa biashara**. Inaweza kuhifadhi funguo za kibinafsi katika PKI na funguo za mamlaka ya cheti katika utekelezaji wa X509. Mbali na funguo za simetriki zinazotumika katika algorithimu za simetriki kama AES, **KMS inahifadhi na kulinda kimwili funguo za simetriki pekee (haiwezi kutenda kama mamlaka ya cheti)**, hivyo ikiwa unahitaji kuhifadhi funguo za PKI na CA, CloudHSM moja au mbili au tatu zinaweza kuwa suluhisho lako.
**CloudHSM is considerably more expensive than Key Management Service**. CloudHSM is a hardware appliance so you have fix costs to provision the CloudHSM device, then an hourly cost to run the appliance. The cost is multiplied by as many CloudHSM appliances that are required to achieve your specific requirements.\
Additionally, cross consideration must be made in the purchase of third party software such as SafeNet ProtectV software suites and integration time and effort. Key Management Service is a usage based and depends on the number of keys you have and the input and output operations. As key management provides seamless integration with many AWS services, integration costs should be significantly lower. Costs should be considered secondary factor in encryption solutions. Encryption is typically used for security and compliance.
**CloudHSM ni ghali zaidi kuliko Huduma ya Usimamizi wa Funguo**. CloudHSM ni kifaa cha hardware hivyo una gharama za kudumu za kuandaa kifaa cha CloudHSM, kisha gharama ya saa ya kuendesha kifaa. Gharama inazidishwa na idadi ya vifaa vya CloudHSM vinavyohitajika ili kufikia mahitaji yako maalum.\
Zaidi ya hayo, makadirio ya ziada yanapaswa kufanywa katika ununuzi wa programu za wahusika wengine kama vile SafeNet ProtectV suites za programu na muda na juhudi za uunganisho. Huduma ya Usimamizi wa Funguo inategemea matumizi na inategemea idadi ya funguo ulizonazo na operesheni za ingizo na utoaji. Kadri usimamizi wa funguo unavyotoa uunganisho usio na mshono na huduma nyingi za AWS, gharama za uunganisho zinapaswa kuwa chini sana. Gharama zinapaswa kuzingatiwa kama kipengele cha pili katika suluhisho za usimbuaji. Usimbuaji kwa kawaida hutumika kwa ajili ya usalama na kufuata sheria.
**With CloudHSM only you have access to the keys** and without going into too much detail, with CloudHSM you manage your own keys. **With KMS, you and Amazon co-manage your keys**. AWS does have many policy safeguards against abuse and **still cannot access your keys in either solution**. The main distinction is compliance as it pertains to key ownership and management, and with CloudHSM, this is a hardware appliance that you manage and maintain with exclusive access to you and only you.
**Na CloudHSM pekee wewe una ufikiaji wa funguo** na bila kuingia katika maelezo mengi, na CloudHSM unasimamia funguo zako mwenyewe. **Na KMS, wewe na Amazon mnasimamia funguo zenu pamoja**. AWS ina sera nyingi za kulinda dhidi ya matumizi mabaya na **bado haiwezi kufikia funguo zako katika suluhisho zote mbili**. Tofauti kuu ni kufuata sheria linapokuja suala la umiliki na usimamizi wa funguo, na kwa CloudHSM, hiki ni kifaa cha hardware ambacho unakisadia na kudumisha kwa ufikiaji wa kipekee kwako na wewe pekee.
### CloudHSM Suggestions
1. Always deploy CloudHSM in an **HA setup** with at least two appliances in **separate availability zones**, and if possible, deploy a third either on premise or in another region at AWS.
2. Be careful when **initializing** a **CloudHSM**. This action **will destroy the keys**, so either have another copy of the keys or be absolutely sure you do not and never, ever will need these keys to decrypt any data.
3. CloudHSM only **supports certain versions of firmware** and software. Before performing any update, make sure the firmware and or software is supported by AWS. You can always contact AWS support to verify if the upgrade guide is unclear.
4. The **network configuration should never be changed.** Remember, it's in a AWS data center and AWS is monitoring base hardware for you. This means that if the hardware fails, they will replace it for you, but only if they know it failed.
5. The **SysLog forward should not be removed or changed**. You can always **add** a SysLog forwarder to direct the logs to your own collection tool.
6. The **SNMP** configuration has the same basic restrictions as the network and SysLog folder. This **should not be changed or removed**. An **additional** SNMP configuration is fine, just make sure you do not change the one that is already on the appliance.
7. Another interesting best practice from AWS is **not to change the NTP configuration**. It is not clear what would happen if you did, so keep in mind that if you don't use the same NTP configuration for the rest of your solution then you could have two time sources. Just be aware of this and know that the CloudHSM has to stay with the existing NTP source.
1. Daima weka CloudHSM katika **mpangilio wa HA** na vifaa viwili angalau katika **mikoa tofauti ya upatikanaji**, na ikiwa inawezekana, weka kifaa cha tatu ama kwenye eneo lako au katika eneo lingine la AWS.
2. Kuwa makini unapofanya **kuanzisha** **CloudHSM**. Kitendo hiki **kitaharibu funguo**, hivyo kuwa na nakala nyingine ya funguo au kuwa na uhakika kabisa kwamba huna na kamwe, kamwe hutahitaji funguo hizi kusimbua data yoyote.
3. CloudHSM inasaidia tu **matoleo fulani ya firmware** na programu. Kabla ya kufanya sasisho lolote, hakikisha firmware na au programu inasaidiwa na AWS. Unaweza daima kuwasiliana na msaada wa AWS kuthibitisha ikiwa mwongozo wa sasisho haujakuwa wazi.
4. **Mipangilio ya mtandao haipaswi kubadilishwa.** Kumbuka, iko katika kituo cha data cha AWS na AWS inafuatilia vifaa vya msingi kwa ajili yako. Hii inamaanisha kwamba ikiwa vifaa vitashindwa, watakubadilishia, lakini tu ikiwa wanajua kimefeli.
5. **SysLog forward haipaswi kuondolewa au kubadilishwa**. Unaweza daima **kuongeza** SysLog forwarder ili kuelekeza kumbukumbu kwa zana yako ya ukusanyaji.
6. Mipangilio ya **SNMP** ina vizuizi sawa vya msingi kama mtandao na folda ya SysLog. Hii **haipaswi kubadilishwa au kuondolewa**. Mipangilio ya **ziada** ya SNMP ni sawa, hakikisha tu hujabadilisha ile ambayo tayari ipo kwenye kifaa.
7. Tofauti na mazoea mengine mazuri kutoka AWS ni **kutobadilisha mipangilio ya NTP**. Haijulikani nini kitafanyika ikiwa utafanya hivyo, hivyo kumbuka kwamba ikiwa hutatumia mipangilio sawa ya NTP kwa suluhisho lako lote basi unaweza kuwa na vyanzo viwili vya wakati. Kuwa makini na hili na ujue kwamba CloudHSM inapaswa kubaki na chanzo cha NTP kilichopo.
The initial launch charge for CloudHSM is $5,000 to allocate the hardware appliance dedicated for your use, then there is an hourly charge associated with running CloudHSM that is currently at $1.88 per hour of operation, or approximately $1,373 per month.
Ada ya uzinduzi wa awali kwa CloudHSM ni $5,000 kuandaa kifaa cha hardware kilichotolewa kwa matumizi yako, kisha kuna ada ya saa inayohusiana na kuendesha CloudHSM ambayo kwa sasa ni $1.88 kwa saa ya operesheni, au takriban $1,373 kwa mwezi.
The most common reason to use CloudHSM is compliance standards that you must meet for regulatory reasons. **KMS does not offer data support for asymmetric keys. CloudHSM does let you store asymmetric keys securely**.
Sababu ya kawaida ya kutumia CloudHSM ni viwango vya kufuata sheria ambavyo unapaswa kukutana navyo kwa sababu za udhibiti. **KMS haitoi msaada wa data kwa funguo zisizo za simetriki. CloudHSM inakuruhusu kuhifadhi funguo zisizo za simetriki kwa usalama**.
The **public key is installed on the HSM appliance during provisioning** so you can access the CloudHSM instance via SSH.
**Funguo ya umma imewekwa kwenye kifaa cha HSM wakati wa kuandaa** ili uweze kufikia mfano wa CloudHSM kupitia SSH.
### What is a Hardware Security Module
A hardware security module (HSM) is a dedicated cryptographic device that is used to generate, store, and manage cryptographic keys and protect sensitive data. It is designed to provide a high level of security by physically and electronically isolating the cryptographic functions from the rest of the system.
Moduli ya usalama wa hardware (HSM) ni kifaa maalum cha cryptographic kinachotumika kuzalisha, kuhifadhi, na kusimamia funguo za cryptographic na kulinda data nyeti. Imepangwa kutoa kiwango cha juu cha usalama kwa kutenga kimwili na kielektroniki kazi za cryptographic kutoka kwa mfumo mzima.
The way an HSM works can vary depending on the specific model and manufacturer, but generally, the following steps occur:
Njia ambayo HSM inafanya kazi inaweza kutofautiana kulingana na mfano maalum na mtengenezaji, lakini kwa ujumla, hatua zifuatazo hufanyika:
1. **Key generation**: The HSM generates a random cryptographic key using a secure random number generator.
2. **Key storage**: The key is **stored securely within the HSM, where it can only be accessed by authorized users or processes**.
3. **Key management**: The HSM provides a range of key management functions, including key rotation, backup, and revocation.
4. **Cryptographic operations**: The HSM performs a range of cryptographic operations, including encryption, decryption, digital signature, and key exchange. These operations are **performed within the secure environment of the HSM**, which protects against unauthorized access and tampering.
5. **Audit logging**: The HSM logs all cryptographic operations and access attempts, which can be used for compliance and security auditing purposes.
1. **Uzalishaji wa funguo**: HSM inazalisha funguo za cryptographic za nasibu kwa kutumia jenereta ya nambari salama ya nasibu.
2. **Hifadhi ya funguo**: Funguo **zinahifadhiwa kwa usalama ndani ya HSM, ambapo zinaweza kufikiwa tu na watumiaji au michakato walioidhinishwa**.
3. **Usimamizi wa funguo**: HSM inatoa anuwai ya kazi za usimamizi wa funguo, ikiwa ni pamoja na mzunguko wa funguo, akiba, na kufutwa.
4. **Operesheni za cryptographic**: HSM inafanya anuwai ya operesheni za cryptographic, ikiwa ni pamoja na usimbuaji, usimbuaji wa data, saini ya dijitali, na kubadilishana funguo. Operesheni hizi **zinafanywa ndani ya mazingira salama ya HSM**, ambayo inalinda dhidi ya ufikiaji usioidhinishwa na uharibifu.
5. **Kumbukumbu za ukaguzi**: HSM inarekodi operesheni zote za cryptographic na majaribio ya ufikiaji, ambayo yanaweza kutumika kwa ajili ya kufuata sheria na ukaguzi wa usalama.
HSMs can be used for a wide range of applications, including secure online transactions, digital certificates, secure communications, and data encryption. They are often used in industries that require a high level of security, such as finance, healthcare, and government.
HSM zinaweza kutumika kwa anuwai ya matumizi, ikiwa ni pamoja na miamala salama ya mtandaoni, vyeti vya dijitali, mawasiliano salama, na usimbuaji wa data. Mara nyingi hutumiwa katika sekta zinazohitaji kiwango cha juu cha usalama, kama vile fedha, huduma za afya, na serikali.
Overall, the high level of security provided by HSMs makes it **very difficult to extract raw keys from them, and attempting to do so is often considered a breach of security**. However, there may be **certain scenarios** where a **raw key could be extracted** by authorized personnel for specific purposes, such as in the case of a key recovery procedure.
Kwa ujumla, kiwango cha juu cha usalama kinachotolewa na HSM kinaufanya **kuwa vigumu sana kutoa funguo za asili kutoka kwao, na kujaribu kufanya hivyo mara nyingi kunachukuliwa kama uvunjaji wa usalama**. Hata hivyo, kunaweza kuwa na **hali fulani** ambapo **funguo za asili zinaweza kutolewa** na wafanyakazi walioidhinishwa kwa madhumuni maalum, kama katika kesi ya utaratibu wa urejeleaji wa funguo.
### Enumeration
```
TODO
```
{{#include ../../../banners/hacktricks-training.md}}
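Review bot: the translated list item 7 inverts the sentence's meaning: "Tofauti na mazoea mengine mazuri kutoka AWS ni **kutobadilisha mipangilio ya NTP**" reads as "Unlike other good practices from AWS", while the English line says "Another interesting best practice from AWS is **not to change the NTP configuration**"; suggest "Mazoea mengine mazuri ya kuvutia kutoka AWS ni **kutobadilisha mipangilio ya NTP**". Two smaller points in the same hunk: "ambacho unakisadia na kudumisha" in the key-ownership paragraph looks like a typo for "unakisimamia" (you manage), and "mikoa tofauti ya upatikanaji" in item 1 renders "availability zones" with "mikoa" (regions), the same word the multi-region paragraph uses for AWS regions; "kanda tofauti za upatikanaji" would keep the two concepts distinct, which matters because item 1 recommends two appliances in separate zones and a third in another region.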