Technical Service Center

• AWS Amazon Linux 2 - c5.xlarge (최소요구 규격)
• Service k8s - Master 1, Worker 2
• AWS route53
• AWS ACM 인증서 발급
• Tool : aws cli command

• Step 1: Create the AWS Certificate Manager certificate
• Step 2: Launch the enclaves-enabled parent instance
• Step 3: Prepare the IAM role
• Step 4: Associate the role with the ACM certificate
• Step 5: Grant the role permission to access the certificate and encryption key
• Step 6: Attach the role to the instance
• Step 7: Configure NGINX to use ACM for Nitro Enclaves
• Using multiple certificates

• Step3

  • json 파일을 생성하여 aws cli를 이용하여 iam role 생성
    

• Step 5

  • IAM Role에 KMS 값이 있어야 인증서를 정상적으로 가져옴

• {
      "Version": "2012-10-17",
      "Statement": [
          {
              "Effect": "Allow",
              "Action": [
                  "s3:GetObject"
              ],
              "Resource": [
                  "arn:aws:s3:::aws-ec2-enclave-certificate-ap-northeast-2-prod/*"
              ]
          },
          {
              "Sid": "VisualEditor0",
              "Effect": "Allow",
              "Action": [
                  "kms:Decrypt"
              ],
              "Resource": [
                  "arn:aws:kms:ap-northeast-2:*:key/ResourceName",
                  "arn:aws:kms:ap-northeast-2:*:key/ResourceName2",
                  "arn:aws:kms:ap-northeast-2:*:key/ResourceName3"
              ]
          },
          {
              "Effect": "Allow",
              "Action": "iam:GetRole",
              "Resource": "arn:aws:iam::ACCOUNTID:role/acm-role"
          }
      ]
  }
  

인증서 갱신에 따른 동작

• nitro 엔진은 기본 10분 주기로 ACM과 통신하여 인증서의 변경 사항이 있을 경우 자동으로 업데이트 되며, 업데이트 시 nginx worker process reload가 일어남
• 실제 접속 시도하게 되면 변경 된 인증서로 자동 서비스

# journalctl -u nitro-enclaves-acm.service -f
4월 11 16:29:10 ip-10-10-10-10.ap-northeast-2.compute.internal p11ne-agent[12955]: |INFO  | Syncing token nginx-acm-token
4월 11 16:29:12 ip-10-10-10-10.ap-northeast-2.compute.internal p11ne-agent[12955]: |INFO  | Syncing token vpn-openbase-cert
4월 11 16:29:12 ip-10-10-10-10.ap-northeast-2.compute.internal p11ne-agent[12955]: |INFO  | NGINX certificate changed. Updating token vpn-openbase-cert.  <<-- 변경에 대한 자동 업데이트
4월 11 16:29:13 ip-10-10-10-10.ap-northeast-2.compute.internal p11ne-agent[12955]: |INFO  | Syncing token cco-cert
4월 11 16:29:13 ip-10-10-10-10.ap-northeast-2.compute.internal p11ne-agent[12955]: |INFO  | Reloading NGINX config

• 인증서가 변경 된 이후에 nitro 엔진을 재기동 하게 되면 인증서 conf 파일이 갱신 됨 (nitro 엔진 구동 중 인증서 갱신에 대해서는 파일 내용이 변경 되지 않음)
• pin-value 값 확인

[ec2-user@ip-10-10-10-10 nginx]$ sudo cat vpn-openbase-cert.conf
ssl_certificate_key "engine:pkcs11:pkcs11:model=p11ne-token;manufacturer=Amazon;token=vpn-openbase-cert;생략:;
ssl_certificate "/run/nitro_enclaves/acm/nginx-cert-NAME.pem";

[ec2-user@ip-10-10-10-10 nginx]$ sudo cat vpn-openbase-cert.conf
ssl_certificate_key "engine:pkcs11:pkcs11:model=p11ne-token;manufacturer=Amazon;token=vpn-openbase-cert;생략";
ssl_certificate "/run/nitro_enclaves/acm/nginx-cert-NAME.pem";

• nignx 서비스 상태 - master worker pid 가 모두 변경 됨

Main PID: 15015 (nginx)
  CGroup: /system.slice/nginx.service
          ├─15015 nginx: master process /usr/sbin/nginx -c /etc/nginx/nginx.conf
          ├─15026 nginx: worker process
          └─15027 nginx: worker process

Main PID: 15331 (nginx)
  CGroup: /system.slice/nginx.service
          ├─15331 nginx: master process /usr/sbin/nginx -c /etc/nginx/nginx.conf
          ├─15343 nginx: worker process
          └─15344 nginx: worker process

• nitro 및 nginx 프로세스 상태 확인

journalctl -u nitro-enclaves-acm.service
journalctl -u nginx.service

• nitro 엔진 재기동 및 업데이트

sudo systemctl restart nitro-enclaves-acm.service
sudo yum update aws-nitro-enclaves-acm

• nitro multi certification sample


tokens:
    # A label for this PKCS#11 token
  - label: nginx-acm-token
    # Configure a managed token, sourced from an ACM certificate.
    source:
      Acm:
        # The certificate ARN
        # Note: this certificate must have been associated with the
        #      IAM role assigned to the instance on which ACM for
        #      Nitro Enclaves is run.
        certificate_arn: "arn:aws:acm:us-east-1:123456789:certificate/d4c3b2a1-xxxx-xxxx-xxx-EXAMPLE"
    target:
      NginxStanza:
        # Path to the nginx stanza to be written by the ACM service whenever
        # the certificate configuration changes (e.g. after a certificate renewal).
        # This file must be included from the main nginx config `server` section,
        # as it will contain the TLS nginx configuration directives.
        path: /etc/pki/nginx/nginx-acm.conf
        # Stanza file owner (i.e. the user nginx is configured to run as).
        user: nginx
    # PKCS#11 token 2  
  - label: token_2_name
    source:
      Acm:
        certificate_arn: "certificate_2_ARN"
    target:
      NginxStanza:
        path: /etc/pki/nginx/nginx-acm-2.conf
        user: nginx
    # PKCS#11 token 3
  - label: token_3_name
    source:
      Acm:
        certificate_arn: "certificate_3_ARN"
    target:
      NginxStanza:
        path: /etc/pki/nginx/nginx-acm-3.conf
        user: nginx