
AWS CloudHSM


Last updated on December 28, 2025

AWS CloudHSM Cheat Sheet

A cloud-based hardware security module (HSM) that enables you to easily generate and use your own encryption keys on the AWS Cloud. It allows you to provision and manage single-tenant, FIPS 140-2 Level 3 validated HSM instances in your own VPC.

  • Single-Tenant Access: You have dedicated access to the HSM hardware; it is not shared with other customers.
  • Control: You manage the HSMs, users, and keys. AWS manages the hardware provisioning, backups, and network connectivity.
  • FIPS Compliance: Validated to FIPS 140-2 Level 3 (AWS KMS, by contrast, is generally validated at Level 2, with Level 3 only for certain distinct endpoints).
  • Industry Standard APIs: Supports PKCS #11, Java Cryptography Extensions (JCE), and Microsoft CNG/KSP.

Features/Updates

  • AWS CloudHSM Client Releases: Versions 5.16.2, 5.16.1, 5.16.0.
  • New HSM Types & Cluster Modes: Support for hsm2m.medium in FIPS and non-FIPS clusters.
  • Backups & Restoration: Automated, encrypted backups with 90-day retention; clusters can be restored or cloned to another region.
  • User & Key Management Enhancements: Quorum authentication (M of N), session keys (ephemeral), token keys (persistent, synchronized).
  • CLI Tool Update: Modern cloudhsm-cli (Client SDK 5) supports both user and key management.
  • Monitoring & Metrics: CloudWatch metrics (HsmUnhealthy, HsmTemperature, HsmUsersAvailable) and CloudTrail logging of API calls and HSM activity.

Use Case

  • Offload SSL/TLS Processing: Perform SSL/TLS termination for web servers (e.g., NGINX, Apache) with the private key held securely inside the HSM.
  • Certificate Authority (CA): Protect the private keys of an issuing CA (Public Key Infrastructure).
  • TDE (Transparent Data Encryption): Store encryption keys for Oracle Database TDE or SQL Server TDE.
  • Digital Rights Management (DRM): Protect copyright and license keys.

Concepts

Clusters

  • A collection of individual HSMs that are automatically synchronized.

  • High Availability: You can create a cluster with 1 to 28 HSMs. For high availability, HSMs must be placed in different Availability Zones (AZs).

  • Load Balancing: Requests are automatically load-balanced across all HSMs in the cluster.

  • Instance Types: The legacy hsm1.medium is being deprecated. New clusters use hsm2m.medium.
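As an added example (not part of the original cheat sheet), the Python below audits a `describe-clusters` response for the points above: at least two ACTIVE HSMs spread across different AZs, and no cluster still on the deprecated hsm1.medium type. The input follows the shape of the cloudhsmv2 DescribeClusters response, but every ID and value in it is constructed.

```python
# Constructed sample shaped like an `aws cloudhsmv2 describe-clusters` response;
# all IDs are placeholders, not real resources.
SAMPLE_CLUSTERS = {
    "Clusters": [
        {   # HA cluster: two ACTIVE HSMs in different AZs on the current type
            "ClusterId": "cluster-EXAMPLE1",
            "HsmType": "hsm2m.medium",
            "State": "ACTIVE",
            "Hsms": [
                {"HsmId": "hsm-EXAMPLE1A", "AvailabilityZone": "us-east-1a", "State": "ACTIVE"},
                {"HsmId": "hsm-EXAMPLE1B", "AvailabilityZone": "us-east-1b", "State": "ACTIVE"},
            ],
        },
        {   # single-AZ cluster on the deprecated type: two findings expected
            "ClusterId": "cluster-EXAMPLE2",
            "HsmType": "hsm1.medium",
            "State": "ACTIVE",
            "Hsms": [
                {"HsmId": "hsm-EXAMPLE2A", "AvailabilityZone": "us-east-1a", "State": "ACTIVE"},
                {"HsmId": "hsm-EXAMPLE2B", "AvailabilityZone": "us-east-1a", "State": "ACTIVE"},
            ],
        },
    ]
}

DEPRECATED_HSM_TYPES = {"hsm1.medium"}   # legacy type named in the cheat sheet


def audit_cluster(cluster):
    """Return a list of findings (strings) for one cluster dict; empty means OK."""
    findings = []
    hsms = cluster.get("Hsms", [])
    active = [h for h in hsms if h.get("State") == "ACTIVE"]
    zones = {h["AvailabilityZone"] for h in active}
    if len(active) < 2:
        findings.append("fewer than two ACTIVE HSMs: no redundancy")
    elif len(zones) < 2:
        # Two HSMs in one AZ still share a single failure domain.
        findings.append("all ACTIVE HSMs in one AZ: %s" % ", ".join(sorted(zones)))
    if cluster.get("HsmType") in DEPRECATED_HSM_TYPES:
        findings.append("legacy HSM type %s" % cluster["HsmType"])
    unhealthy = [h["HsmId"] for h in hsms if h.get("State") != "ACTIVE"]
    if unhealthy:
        findings.append("non-ACTIVE HSMs: %s" % ", ".join(unhealthy))
    return findings


def audit_clusters(response):
    """Map ClusterId -> findings for every cluster in the response."""
    return {c["ClusterId"]: audit_cluster(c) for c in response["Clusters"]}
```

Feeding it the real output of `aws cloudhsmv2 describe-clusters` (loaded with `json.load`) gives a per-cluster list of what to fix before relying on the cluster for HA.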

HSM Users

CloudHSM uses its own internal user management, distinct from AWS IAM.

  • Precrypto Officer (PRECO): Temporary user on a newly provisioned HSM, used solely to create the first Crypto Officer.

  • Crypto Officer (CO): Performs user management (creating/deleting users). Can change passwords but cannot perform cryptographic operations or use keys.

  • Crypto User (CU): Performs cryptographic operations (encrypt, decrypt, sign) and manages keys. This is the user your application uses.

  • Appliance User (AU): System user used by AWS for synchronization and cloning. You cannot log in as the AU.

Quorum Authentication (M of N)

  • Supports multi-factor authentication (MFA) style approval logic in which M approvers out of N total users must authorize sensitive administrative actions (e.g., deleting a cluster).

Keys

  • Session Keys: Ephemeral keys existing only in memory while the application is connected. Faster but lost upon disconnection.

  • Token Keys: Persistent keys stored on the HSM’s hardware, automatically synchronized to all HSMs in the cluster.

CLI Tools

  • Modern Tool (Client SDK 5): cloudhsm-cli creates a shell-like interactive environment to manage both users (CO tasks) and keys (CU tasks).

  • Legacy Tools (Client SDK 3):

    • CloudHSM Management Utility (CMU): Used by Crypto Officers to manage users.

    • Key Management Utility (KMU): Used by Crypto Users to manage keys.

AWS CloudHSM Monitoring

  • AWS CloudTrail: Logs API calls (e.g., CreateCluster, DeleteHsm, InitializeCluster).

  • Amazon CloudWatch Logs: Captures HSM audit logs (user logins, key events, and, if enabled, cryptographic operations).

  • Client SDK Logging: Diagnostic logs from the client software on EC2 instances.

  • Key CloudWatch Metrics:

    • HsmUnhealthy – HSM instance failure.

    • HsmTemperature – Hardware temperature.

    • HsmUsersAvailable – Tracks available user slots (max 1024).
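Added example, not from the cheat sheet: triaging CloudTrail records (as delivered to CloudWatch Logs, one JSON object per line) for the sensitive CloudHSM control-plane calls listed above, keeping failed attempts but marking them. It assumes the CloudHSM eventSource value `cloudhsm.amazonaws.com` and adds DeleteBackup from the cloudhsmv2 API to the page's own list; the records themselves are constructed.

```python
import json

# Control-plane actions worth alerting on: the first three are named on the page,
# DeleteBackup is another destructive action in the cloudhsmv2 API.
SENSITIVE_ACTIONS = {"DeleteHsm", "DeleteCluster", "InitializeCluster", "DeleteBackup"}
CLOUDHSM_EVENT_SOURCE = "cloudhsm.amazonaws.com"   # assumed eventSource for CloudHSM

# Constructed sample: one CloudTrail record per line; account ID, ARNs and IDs are placeholders.
SAMPLE_RECORDS = "\n".join(json.dumps(r) for r in [
    {"eventTime": "2025-12-01T10:00:00Z", "eventSource": CLOUDHSM_EVENT_SOURCE,
     "eventName": "DescribeClusters", "userIdentity": {"arn": "arn:aws:iam::111122223333:user/ops"}},
    {"eventTime": "2025-12-01T10:05:00Z", "eventSource": CLOUDHSM_EVENT_SOURCE,
     "eventName": "DeleteHsm", "userIdentity": {"arn": "arn:aws:iam::111122223333:user/ops"},
     "requestParameters": {"clusterId": "cluster-EXAMPLE1", "hsmId": "hsm-EXAMPLE1A"}},
    {"eventTime": "2025-12-01T10:06:00Z", "eventSource": CLOUDHSM_EVENT_SOURCE,
     "eventName": "DeleteCluster", "userIdentity": {"arn": "arn:aws:iam::111122223333:user/ops"},
     "requestParameters": {"clusterId": "cluster-EXAMPLE1"}, "errorCode": "CloudHsmInvalidRequestException"},
    {"eventTime": "2025-12-01T10:07:00Z", "eventSource": "kms.amazonaws.com",
     "eventName": "ScheduleKeyDeletion", "userIdentity": {"arn": "arn:aws:iam::111122223333:user/ops"}},
])


def triage_records(log_text):
    """Return (alerts, skipped): alerts are sensitive CloudHSM calls, skipped counts
    lines that were not CloudHSM events or could not be parsed as JSON."""
    alerts, skipped = [], 0
    for line in log_text.splitlines():
        try:
            rec = json.loads(line)
        except ValueError:
            skipped += 1
            continue
        if rec.get("eventSource") != CLOUDHSM_EVENT_SOURCE:
            skipped += 1
            continue
        if rec.get("eventName") not in SENSITIVE_ACTIONS:
            continue
        params = rec.get("requestParameters") or {}
        alerts.append({
            "time": rec.get("eventTime"),
            "action": rec["eventName"],
            "actor": rec.get("userIdentity", {}).get("arn", "unknown"),
            "cluster": params.get("clusterId"),
            # A denied or failed call still shows intent, so keep it and mark the outcome.
            "succeeded": "errorCode" not in rec,
        })
    return alerts, skipped
```

The same filter expressed as a CloudWatch Logs metric filter or EventBridge rule on `eventSource` and `eventName` gives a near-real-time alarm instead of after-the-fact triage.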

AWS CloudHSM Pricing

  • Hourly Fee: Charged per HSM, so a two-HSM high-availability cluster doubles the hourly cost.

  • No Upfront Cost: Billing is hourly; an HSM that runs for only part of an hour is charged for the full hour.

  • Backups: No charge (stored in S3 bucket owned by AWS).


Written by: Admin User-1
