AWS CloudHSM

• A computing device that enables you to provision and manage your own single-tenant HSMs for the generation and use of encryption keys.

• A hardware security module (HSM) performs cryptographic operations and provides secure storage for cryptographic keys.

• You can perform the following cryptographic tasks:

  • Generate, store, import, export, and manage cryptographic keys.

  • Use symmetric and asymmetric algorithms to encrypt and decrypt your data.

  • Compute message digests and hash-based message authentication codes using cryptographic hash functions.

  • Cryptographically sign data and verify signatures.

  • You can generate cryptographically secure random data.

Use Case

• Offload SSL/TLS processing for web servers.

• Protect private keys for an issuing certificate authority (CA).

• Enable transparent data encryption (TDE) for Oracle databases.

Concepts

• Clusters

  • A collection of individual HSMs.

  • Other HSMs are automatically kept up to date, when you perform a task on one HSM in a cluster.

  • You can create a cluster that has 1 to 28 HSM and place the HSMs in different AZs in a region.

  • Cluster provides higher performance as you add more HSMs.

  • When you add a new HSM to a cluster:

    • AWS CloudHSM backup all the keys, users, and policies on an existing HSM.

    • Restores the backup onto the new HSM to keep HSMs in sync.

  • Supports cluster load balancing.

• Backups

  • You can do periodic backups of users, keys, and policies in your cluster.

  • Backups are stored in an S3 bucket in the same region as your cluster.

  • Default backup retention policy for a cluster is 90 days.

  • You can only restore backups onto AWS-owned HSMs made by the same manufacturer.

  • Supports copying of backups across AWS regions.

  • The HSM encrypts all data using ephemeral backup key (EBK) before sending it to CloudHSM.

  • To encrypt the EBK, the HSM will use a persistent backup key (PBK).

  • Generate a PBK with a key derivation function (KDF). The inputs to the KDF include the following:

    • Manufacturer key backup key (MKBK)

    • AWS key backup key (AKBK)

• HSM users

  • HSM users are distinct from IAM users.

  • To create and manage users on HSM, you need a CloudHSM Management Utility (CMU).

  • An HSM user has a type that defines which operations they can perform on HSM.

    • Precrypto officer (PRECO) – temporary user on the first HSM in a cluster.

    • Crypto officer (CO | PCO) – performs user management operations and supports 2FA.

    • Crypto user (CU) – performs key management and cryptographic operations.

    • Appliance user (AU) – performs cloning and synchronization operations.

  • Supports quorum authentication.

• Keys

  • Only a CU can create a key in CloudHSM.

  • You can use the following to manage keys on HSM:

    • PKCS #11 library

    • JCE provider

    • CNG and KSP providers

    • key_mgmt_util

  • Use syncKey command in CMU to synchronize keys between clusters.

• CLI tools

  • CloudHSM Management Utility (CMU)

    • The cloudhsm_mgmt_util helps COs manage users in HSMs.

    • It also has a command that allows CUs to share keys, get and set key attributes.

  • Key Management Utility (KMU)

    • A key_mgmt_util allows CUs to manage keys on HSMs.

• Supports tagging of CloudHSM resources.

Monitoring

• To monitor diagnostic and troubleshooting information from applications you create, use Client SDK logging.

• If you want to monitor API calls like creation & deletion of clusters, HSM, and resource tags, use AWS CloudTrail.

• With Amazon CloudWatch, you can monitor the following:

  • Health of cluster

  • Logs from HSM instances

Pricing

• You are charged per hour for each HSM you launch.

References:
https://aws.amazon.com/cloudhsm/
https://docs.aws.amazon.com/cloudhsm/latest/userguide/introduction.html