AWS CloudHSM is a cloud service that uses dedicated hardware security module (HSM) appliances within the AWS Cloud to help you design and deploy stringent data security solutions that meet regulatory and compliance requirements. Amazon CloudHSM is an important topic for the AWS Certified Solutions Architect – Associate Exam and the AWS Certified Security Specialty Exam.
The hardware appliance provides secure key storage and cryptographic operations inside tamper-resistant hardware modules, so you can use the key material without ever exposing it to anyone else. You have complete control over access to the cryptographic keys, which can then be used to encrypt and decrypt data. AWS manages and maintains the hardware but has no access to your keys.
AWS offers a fully managed CloudHSM service that keeps the hardware devices regularly patched, updates their firmware and configures backups. Scheduled backups extract an encrypted image of your HSM from the hardware (using keys known only to the HSM hardware itself), and these images can be restored only onto identical HSM hardware owned by AWS. For durability, the backups are stored in Amazon Simple Storage Service (S3) and, as an additional layer of security, encrypted again with server-side S3 encryption using an AWS KMS master key.
The HSMs also support FIPS 140-2 Level 3 and are designed to detect and respond to physical attempts to access or modify the HSM. Access control for your CloudHSM is further strengthened with quorum authentication (M of N) for critical administrative and key-management functions: you define a list of N possible identities that may access a function, and then require at least M of them to authorize the action. Multi-factor authentication is supported using tokens that you provide.
Note: AWS CloudHSM supports the processing, storage and transmission of credit card information and is Payment Card Industry Data Security Standard (PCI DSS) compliant.
CloudHSM vs. AWS Key Management Service (KMS)
AWS Key Management Service (KMS) is a multi-tenant, managed service that lets you create, use and manage encryption keys. By contrast, AWS CloudHSM provides a dedicated, FIPS 140-2 Level 3 HSM under your exclusive control, directly in your Amazon Virtual Private Cloud (VPC).
Designed for VPC
AWS CloudHSM is configured to work inside an Amazon Virtual Private Cloud (Amazon VPC). CloudHSM appliances are provisioned inside your VPC, where you specify their IP addresses, which lets you configure network connectivity between the CloudHSM appliances and your EC2 instances. Placing the HSM appliances close to your EC2 instances reduces network latency and improves application performance. Your HSM appliances are dedicated exclusively to you and are isolated from other AWS customers.
Your CloudHSM service is deployed as a cluster. A cluster can contain up to 32 individual HSM instances spread across multiple Availability Zones, which are automatically synchronized and load-balanced. You receive dedicated, single-tenant access to each HSM instance in the cluster, and each HSM appears as a network resource in your Virtual Private Cloud (VPC).
Important Notes –
- You cannot configure CloudHSM without a VPC.
- The server on which your application and the HSM client run must have network connectivity to the HSM. Ideally, place your application in the same VPC; otherwise use VPC peering, a VPN connection, or Direct Connect.
- You can connect CloudHSM instances in your VPC to your datacentre using the VPN capability built into VPC or with AWS Direct Connect.
Tip: To access your CloudHSM devices you need the AWS CloudHSM client, which you install on an EC2 instance; the client uses certificate-based mutual authentication to create secure (TLS) connections to the HSMs.
You should consider using AWS CloudHSM if you require:
- Keys stored in dedicated, third-party validated hardware security modules under your exclusive control. You can develop your own applications and integrate them with CloudHSM, or use third-party encryption solutions available from AWS Technology Partners; examples include EBS volume encryption and S3 object encryption and key management.
- FIPS 140-2 compliance.
- Integration with applications using PKCS#11, Java JCE, or Microsoft CNG interfaces.
- High-performance in-VPC cryptographic acceleration (bulk crypto).
Best Practice Recommendations
- Use two or more HSM appliances in different Availability Zones to provide high availability. The failure of a single HSM appliance in a non-HA design can result in the permanent loss of keys and data.
- A high-availability design groups CloudHSM appliances together to form one logical device, so service is maintained even if one or more HSMs are unavailable.
- Use an SSH key for the manager account login.
- Use Amazon CloudWatch to monitor CloudHSM metrics for CloudHSM Clusters and for individual HSM instances.
- AWS holds administrative credentials to manage the appliance, not the HSM partitions on it. AWS controls the availability of the appliance but cannot access or use your keys: it can disable network access to the appliance and re-initialize it, but it cannot extract your keys or make the appliance perform cryptographic operations with them.
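The following Python audit is an added example (not AWS code and not part of the original article) that checks a cluster against the two-or-more-HSMs-in-different-Availability-Zones recommendation above, using the cluster layout described under "Designed for VPC". It assumes the shape of the cloudhsmv2 describe-clusters response (Clusters[].Hsms[].{HsmId, AvailabilityZone, State}); the sample response and all ids in it are constructed placeholders.

```python
from collections import Counter

# Constructed sample in the shape of a cloudhsmv2 describe-clusters response
# (ids are placeholders): two ACTIVE HSMs in one AZ and a third still being
# created in a second AZ, so the cluster is not yet highly available.
SAMPLE_CLUSTERS = {
    "Clusters": [{
        "ClusterId": "cluster-EXAMPLE",
        "State": "ACTIVE",
        "HsmType": "hsm1.medium",
        "Hsms": [
            {"HsmId": "hsm-aaaa", "AvailabilityZone": "us-east-1a", "State": "ACTIVE"},
            {"HsmId": "hsm-bbbb", "AvailabilityZone": "us-east-1a", "State": "ACTIVE"},
            {"HsmId": "hsm-cccc", "AvailabilityZone": "us-east-1b", "State": "CREATE_IN_PROGRESS"},
        ],
    }]
}

def audit_cluster(cluster, min_hsms=2, min_azs=2):
    """Return (is_ha, findings): HA means >= min_hsms ACTIVE HSMs spread over
    >= min_azs Availability Zones. Non-ACTIVE HSMs do not count but are listed."""
    hsms = cluster.get("Hsms", [])
    active = [h for h in hsms if h["State"] == "ACTIVE"]
    per_az = Counter(h["AvailabilityZone"] for h in active)
    is_ha = len(active) >= min_hsms and len(per_az) >= min_azs
    findings = []
    if len(active) < min_hsms:
        findings.append(f"only {len(active)} ACTIVE HSM(s), need {min_hsms}")
    if len(per_az) < min_azs:
        findings.append(f"ACTIVE HSMs span {len(per_az)} AZ(s) {sorted(per_az)}, need {min_azs}")
    # Pending or failed HSMs are reported so the operator sees why HA is not met yet.
    findings += [f"{h['HsmId']} in {h['AvailabilityZone']} is {h['State']}"
                 for h in hsms if h["State"] != "ACTIVE"]
    return is_ha, findings

def audit_response(response, **limits):
    """Audit every cluster in a describe-clusters response -> {ClusterId: (is_ha, findings)}."""
    return {c["ClusterId"]: audit_cluster(c, **limits) for c in response.get("Clusters", [])}

def main(response=None):
    # With no argument this is a live run (needs boto3 and AWS credentials);
    # describe_clusters returns the same shape as SAMPLE_CLUSTERS.
    if response is None:
        import boto3
        response = boto3.client("cloudhsmv2").describe_clusters()
    for cid, (ok, notes) in audit_response(response).items():
        print(cid, "HA" if ok else "NOT HA", *notes, sep="\n  ")

if __name__ == "__main__":
    main(SAMPLE_CLUSTERS)  # call main() with no argument to audit the real account
```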