Last updated on June 23, 2023
AWS CloudHSM Cheat Sheet
- A computing device that enables you to provision and manage your own single-tenant HSMs for the generation and use of encryption keys.
- A hardware security module (HSM) performs cryptographic operations and provides secure storage for cryptographic keys.
- You can perform the following cryptographic tasks:
  - Generate, store, import, export, and manage cryptographic keys.
  - Use symmetric and asymmetric algorithms to encrypt and decrypt your data.
  - Compute message digests and hash-based message authentication codes using cryptographic hash functions.
  - Cryptographically sign data and verify signatures.
  - Generate cryptographically secure random data.
Use Case
- Offload SSL/TLS processing for web servers.
- Protect private keys for an issuing certificate authority (CA).
- Enable transparent data encryption (TDE) for Oracle databases.
Concepts
- Clusters
  - A collection of individual HSMs.
  - When you perform a task on one HSM in a cluster, the other HSMs are automatically kept up to date.
  - You can create a cluster that has 1 to 28 HSMs and place the HSMs in different AZs in a region.
  - A cluster provides higher performance as you add more HSMs.
  - When you add a new HSM to a cluster:
    - AWS CloudHSM backs up all the keys, users, and policies on an existing HSM.
    - It restores the backup onto the new HSM to keep the HSMs in sync.
  - Supports cluster load balancing.
- Backups
  - You can take periodic backups of the users, keys, and policies in your cluster.
  - Backups are stored in an S3 bucket in the same region as your cluster.
  - The default backup retention policy for a cluster is 90 days.
  - You can only restore backups onto AWS-owned HSMs made by the same manufacturer.
  - Supports copying of backups across AWS regions.
  - The HSM encrypts all data using an ephemeral backup key (EBK) before sending it to CloudHSM.
  - To encrypt the EBK, the HSM uses a persistent backup key (PBK).
  - The PBK is generated with a key derivation function (KDF). The inputs to the KDF include the following:
    - Manufacturer key backup key (MKBK)
    - AWS key backup key (AKBK)
- HSM users
  - HSM users are distinct from IAM users.
  - To create and manage users on an HSM, you use the CloudHSM Management Utility (CMU).
  - An HSM user has a type that defines which operations they can perform on the HSM:
    - Precrypto officer (PRECO) – temporary user on the first HSM in a cluster.
    - Crypto officer (CO | PCO) – performs user management operations and supports 2FA.
    - Crypto user (CU) – performs key management and cryptographic operations.
    - Appliance user (AU) – performs cloning and synchronization operations.
  - Supports quorum authentication.
- Keys
  - Only a CU can create a key in CloudHSM.
  - You can use the following to manage keys on the HSM:
    - PKCS #11 library
    - JCE provider
    - CNG and KSP providers
    - key_mgmt_util
  - Use the syncKey command in CMU to synchronize keys between clusters.
- CLI tools
  - CloudHSM Management Utility (CMU)
    - The cloudhsm_mgmt_util helps COs manage users in HSMs.
    - It also has commands that allow CUs to share keys and to get and set key attributes.
  - Key Management Utility (KMU)
    - The key_mgmt_util allows CUs to manage keys on HSMs.
- Supports tagging of CloudHSM resources.
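The backup retention, cross-region backup copy and tagging points above, as an added shell example that is not part of the cheat sheet or of AWS's own tooling: it drives the cloudhsmv2 API through the AWS CLI, and the cluster ID, destination region and tag values in main() are placeholders.

```sh
#!/bin/sh
# Added example (not from the cheat sheet or AWS): backup hygiene for an existing
# CloudHSM cluster with the AWS CLI (cloudhsmv2 API). The cluster ID, region and
# tag values used in main() are placeholders. AWS_CLI can be overridden, e.g.
# AWS_CLI=echo, to review the exact commands without contacting AWS.
set -eu

AWS_CLI="${AWS_CLI:-aws}"

# Change how long CloudHSM keeps the cluster's backups (the default is 90 days).
# Rejects anything that is not a whole number of days before touching the API.
set_backup_retention() {
  cluster_id="$1"; days="$2"
  case "$days" in
    ''|*[!0-9]*) echo "retention must be a whole number of days" >&2; return 1 ;;
  esac
  "$AWS_CLI" cloudhsmv2 modify-cluster --cluster-id "$cluster_id" \
    --backup-retention-policy "Type=DAYS,Value=$days"
}

# Copy the newest READY backup of the cluster to another region, so a
# region-wide outage cannot take the only copy of the HSM keys with it.
copy_latest_backup_to_region() {
  cluster_id="$1"; dest_region="$2"
  backup_id=$("$AWS_CLI" cloudhsmv2 describe-backups \
    --filters "clusterIds=$cluster_id" --output text \
    --query "sort_by(Backups[?BackupState=='READY'], &CreateTimestamp)[-1].BackupId")
  if [ -z "$backup_id" ] || [ "$backup_id" = "None" ]; then
    echo "no READY backup found for $cluster_id" >&2; return 1
  fi
  "$AWS_CLI" cloudhsmv2 copy-backup-to-region --backup-id "$backup_id" \
    --destination-region "$dest_region"
}

# Tag a cluster or backup so cost allocation and IAM conditions can find it.
tag_resource() {
  "$AWS_CLI" cloudhsmv2 tag-resource --resource-id "$1" --tag-list "Key=$2,Value=$3"
}

main() {
  cluster="cluster-EXAMPLE"       # placeholder: your cluster ID
  set_backup_retention "$cluster" 90
  copy_latest_backup_to_region "$cluster" "us-west-2"
  tag_resource "$cluster" Environment prod
}

# Only run main when invoked with the argument "run"; sourcing the file or
# running it bare just defines the functions.
if [ "${1:-}" = "run" ]; then main; fi
```

Run it as `AWS_CLI=echo sh backup.sh run` first to review the commands, then without the override against a cluster whose IAM principal is allowed the cloudhsm:ModifyCluster, DescribeBackups, CopyBackupToRegion and TagResource actions.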
AWS CloudHSM Monitoring
- To monitor diagnostic and troubleshooting information from the applications you create, use Client SDK logging.
- To monitor API calls such as the creation and deletion of clusters, HSMs, and resource tags, use AWS CloudTrail.
- With Amazon CloudWatch, you can monitor the following:
  - Health of the cluster
  - Logs from HSM instances
AWS CloudHSM Pricing
- You are charged per hour for each HSM you launch.
AWS CloudHSM Cheat Sheet References:
https://aws.amazon.com/cloudhsm/
https://docs.aws.amazon.com/cloudhsm/latest/userguide/introduction.html