©2015, Amazon Web Services, Inc. or its affiliates. All rights reserved
CloudHSM Deep-Dive
Dave Walker – Specialised Solutions Architect Security/Compliance
Amazon Web Services UK Ltd
CloudHSM
• Tamper-proof and tamper-evident
– Destroys its stored keys if under attack
• FIPS 140-2 Level 2 certified
• Base position is to be a keystore
• Can also be used to timestamp documents
• You can send data for encrypt / decrypt
• Needs to be backed up (ideally to an HSM on customer premises)
• Can (and should) be combined in HA clusters
• Is NOT a key management system
– but can work with some third-party ones
• Communicates via:
– PKCS#11
– JCE
• Some applications need a “plugin”
• SafeNet have one for Apache
CloudHSM Integration with S3, EBS, EC2
• S3
– Integration using SafeNet KeySecure on EC2
– White paper at http://www2.safenet-inc.com/AWS-guides/SafeNetKMIP_AmazonS3_IntegrationGuide.pdf
• EBS and EC2
– Use SafeNet KeySecure (6.1.2 or later) on EC2, backed by CloudHSM, for key management
– Install SafeNet ProtectV Manager on EC2 (c1.medium / m1.medium)
– Install ProtectV Client on EC2 instances
– Use ProtectV for EBS volume encryption (ext3, ext4, swap)
– Supported platforms:
• RHEL 5.8, 6.2, 6.3
• CentOS 6.2
• Microsoft Windows 2008, 2012
– Encrypt full EBS-backed EC2 instances, including root volumes
AWS Databases and CloudHSM
• Redshift
– When using CloudHSM:
• Redshift gets the cluster key from the HSM
• Redshift generates a database key and encrypts it with the cluster key from CloudHSM
• Redshift encrypts data with the database key
• Redshift supports re-encryption
• RDS
– RDS / Oracle EE can use CloudHSM to store keys as per Oracle Wallet
• So TDE can be HSM-backed
• Note that in-memory database contents (once the database has been unlocked) are cleartext
– RAM encryption is not something AWS has today, but it has been done in other contexts
– Homomorphic encryption
– Proof-of-concept with KVM
SafeNet Product Support for AWS

| SafeNet Product | AWS Service(s) Supported | Notes |
| --- | --- | --- |
| ProtectV and Virtual KeySecure for AWS | EC2 or VPC instances and EBS storage; GovCloud (Beta) | Requires SafeNet KeySecure (HW or Virtual). Available in AWS Marketplace, as well as SafeNet sales channels |
| Virtual KeySecure for AWS | CloudHSM | Available in AWS Marketplace. CloudHSM supports Virtual KeySecure as the hardware root of trust for vKS master keys |
| StorageSecure | AWS Storage Gateway | SafeNet KeySecure hardware (optional). iSCSI integration (StorageSecure also supports CIFS, NFS, FTP, TFTP and HTTP) |
| Luna SA 7000 HSM | CloudHSM; Redshift; RDS (via 3rd-party vendor) | High availability. Key synchronization. Key management |
| Luna Backup HSM | CloudHSM | Key backup |
| ProtectApp | S3 and EBS volumes | Can be integrated with Amazon S3 Encryption Clients and AWS SDKs (Java and .NET). Requires SafeNet KeySecure (HW or virtual). Can be installed on an EC2/VPC instance to protect data stored on EBS volumes |
| ProtectFile | EBS volumes and S3 | Requires SafeNet KeySecure (HW or Virtual) |
Difference between CloudHSM and KMS
CloudHSM
• Single-tenant HSM
• Customer-managed durability and availability
• Customer-managed root of trust
• FIPS 140-2 validation
• Broad third-party app support
• Symmetric and asymmetric ops
• High fixed price ($16.5k/yr/HSM)
KMS
• Multi-tenant AWS service
• Highly available and durable key storage and management
• AWS-managed root of trust
• Extensive auditing
• Broad support for AWS services
• Symmetric encryption only
• Usage-based pricing
Why Customers Choose CloudHSM
• Reasons include:
– Control
• Complete control of encryption keys; AWS cannot access key material
• Fine-grained control of how AWS assets can use your keys
– Compliance
• FIPS 140-2 Level 2 or 3 certification
• Common Criteria EAL4 certification
– Performance/Availability
• When required, a “local” CloudHSM is much better than on-prem
– Network transit times
– Usage patterns
Customer Control Over Keys
• Three reasons for this requirement
– Regulatory (hard), Policy (soft) and Trust (soft)
• Soft requirements may be addressed by threat modelling
– KMS can be simpler and less expensive for the customer to use
– Important to engage the customer’s governance resources
• With CloudHSM, customers have absolute control and authority over keys through separation of duties
Separation of Duties
• Separation of duties is enforced by the HSM appliance itself, using RBAC
[Diagram: CloudHSM in the centre; the customer controls keys and crypto operations, AWS manages the appliance]
Third-Party Compliance Validation
• Requirements
– PCI or other vertical-specific security standard
– Government workloads (US, Canada, and others)
– Enterprise policies increasingly require FIPS validation
• CloudHSM uses SafeNet Luna SA 7000 appliances
– FIPS 140-2 Level 2 validated
– Common Criteria EAL4 validated
Performance/Availability Advantages
• Customers may have existing on-prem HSMs
• Applications that require HSM access could leverage on-prem HSMs over VPN or DX
• Latency and availability characteristics of VPN or DX make CloudHSM desirable
Amazon Really Can’t Access Keys
• AWS has “appliance admin” access to the HSM
• Luna SA separates the appliance admin from the “security officer”
• Customers initialize the HSM themselves via SSH
• AWS never sees partition credentials
• Device is automatically wiped if unauthorised access is attempted
• Bottom line – you don’t have to trust AWS; you are trusting the HSM vendor (SafeNet) and the third-party FIPS/CC validations
Operations
• Each HSM is dedicated to one customer
– No sharing or partitioning of the appliance
• Customer is responsible for operating the HSMs in HA mode
– SafeNet Client handles replication to multiple HSMs (up to 16)
– SafeNet Client load balances across available HSMs
• Password authentication controls access to the HSM
– PEDs (PIN Entry Devices) are not currently supported
• AWS monitors & manages the devices and network infrastructure
• See FAQ and technical docs for additional details
CloudHSM Public API and SDK
• Self-service provisioning and management now supported through a public API
– CreateHSM and DeleteHSM to provision and terminate HSMs
– ModifyHSM permits changing the network configuration as well as setting up syslog forwarding
• ListHSMs and DescribeHSM allow discovery and querying of provisioned HSMs
• ListAvailableZones provides visibility into where CloudHSM capacity is available
CloudHSM Command Line Interface (CLI) Tools
• Provisioning and de-provisioning
– Easy to provision an HSM, initialise it, and clone keys from existing HSMs
• Easier HSM management
– Lots of automation in the CLI to reduce management effort
• Simpler HA configuration
– Helps you build and maintain HSM high availability (HA) configurations
– From 9 manual steps, interacting with the appliance shell directly
– To 2 simpler steps: create-hapg, then add-hsm-to-hapg (for each HSM)
• Source code available via open source license
CloudHSM for RDS Oracle TDE
• Transparent data encryption support for RDS Oracle databases
• Store master encryption keys in CloudHSM instances
• High availability support for two or more HSMs
• Up to 20 separate databases per HSM
Auditing
• CloudTrail
– Track resource changes
– Audit activities for security and compliance purposes
– Review all CloudHSM API calls
• Syslog
– Audit operations on the HSM appliance
– Send syslog to a customer-built and managed collector
CloudHSM Use Cases
EBS Volume Encryption
• Master key stored in CloudHSM
• SafeNet ProtectV & KeySecure
• Instances with the ProtectV client authenticate to KeySecure
• ProtectV client encrypts all I/O to the EBS volume (AES256)
[Diagram, one Availability Zone: customer applications with the SafeNet ProtectV client talk to SafeNet KeySecure, which is backed by CloudHSM]
Redshift Encryption
• Cluster master key in CloudHSM
• Direct integration – no client software required
[Diagram: your applications in Amazon EC2 → Amazon Redshift cluster holding your encrypted data → AWS CloudHSM]
Database Encryption (non-RDS)
• Customer-managed database in EC2
– Oracle 11g & 12c with Transparent Data Encryption (TDE)
– Microsoft SQL Server 2008 & 2012 with TDE
– Master key in CloudHSM
[Diagram: your applications in Amazon EC2 → your database with TDE in Amazon EC2 → AWS CloudHSM; the master key is created in the HSM and never leaves]
Custom Software Applications
• Architectural building block to help you secure your applications
• Use standard libraries, with a back-end HSM rather than software-based crypto
– PKCS#11, JCA/JCE, Microsoft CAPI/CNG/EKM
• Code examples and details in the CloudHSM User Guide make it easier to get started
Other Use Cases
• Customer use cases continue to emerge:
– Enterprises using on-prem HSMs who want to move these workloads to the cloud
– Startups who want to offer high-assurance services and achieve compliance
– Enterprises who are not using HSMs for some of their on-prem apps but who want to use HSMs for these apps in the cloud
• Examples:
– Object encryption
– Digital Rights Management (DRM)
– Document signing, secure document management & secure document repository
– Payments, financial applications & transaction processing
– Privileged account management
– Certification authority (CA)
Using CloudHSM
Detailed Examples
• Building the CloudHSM Environment
• Configuring High Availability
• Integrating with RDS
Building a CloudHSM Environment
• Create customer infrastructure using a CF template
• Install the CLI Tools
• Provision HSMs
• Initialise HSMs
Create Infrastructure with CF
Look up your AZ identifiers on the EC2 Dashboard, and use those names
![Page 29: CloudHSM Deep-Dive · PDF fileCloudHSM Deep-Dive Dave Walker ... leverage on-prem HSMs over VPN or DX ... • AWS monitors & manages the devices and network infrastructure](https://reader034.vdocuments.net/reader034/viewer/2022051720/5a78ac3d7f8b9ae6228b4657/html5/thumbnails/29.jpg)
Install CLI Tools on Control Instance
• SSH to the control instance deployed by the CF template
• Download and install the CloudHSM CLI Tools:
```shell
# Install Python 2.7
sudo yum install python27
wget https://bitbucket.org/pypa/setuptools/raw/bootstrap/ez_setup.py
sudo python2.7 ez_setup.py
# Download and install the CloudHSM CLI Tools
wget https://s3.amazonaws.com/cloudhsm-software/CloudHsmCLI.egg
sudo easy_install-2.7 -s /usr/local/bin CloudHsmCLI.egg
# Confirm the install
cloudhsm version
{
    "Version": "<version>"
}
```
• Assign an IAM role to your instance to permit CloudHSM API access
![Page 30: CloudHSM Deep-Dive · PDF fileCloudHSM Deep-Dive Dave Walker ... leverage on-prem HSMs over VPN or DX ... • AWS monitors & manages the devices and network infrastructure](https://reader034.vdocuments.net/reader034/viewer/2022051720/5a78ac3d7f8b9ae6228b4657/html5/thumbnails/30.jpg)
Provision HSMs
• Create two HSMs (one for each subnet)
```shell
$ cloudhsm -c cloudhsm.conf create-hsm --ssh-public-key-file cloudhsm_ssh.pub \
    --iam-role-arn arn:aws:iam::315160724404:role/CloudHSM-FRA-CloudHsmRole-1ZEAT0Z2PB8P \
    --subnet-id subnet-d244b0bb
{
    "HsmArn": "arn:aws:cloudhsm:eu-central-1:315160724404:hsm-f32462d6",
    "RequestId": "e55c9da1-7b5b-11e4-9222-dd57de14ff9c"
}
```
![Page 31: CloudHSM Deep-Dive · PDF fileCloudHSM Deep-Dive Dave Walker ... leverage on-prem HSMs over VPN or DX ... • AWS monitors & manages the devices and network infrastructure](https://reader034.vdocuments.net/reader034/viewer/2022051720/5a78ac3d7f8b9ae6228b4657/html5/thumbnails/31.jpg)
Provision HSMs
• Describe status, wait until status changes from “PENDING” to “RUNNING”
```shell
$ cloudhsm -c cloudhsm.conf describe-hsm -H arn:aws:cloudhsm:eu-central-1:315160724404:hsm-f32462d6
{
    "EniId": "eni-047fbd6d",
    "EniIp": "10.0.201.252",
    "HsmArn": "arn:aws:cloudhsm:eu-central-1:315160724404:hsm-f32462d6",
    "IamRoleArn": "arn:aws:iam::315160724404:role/CloudHSM-FRA-CloudHsmRole-1ZEAT0Z2PB8P",
    "Partitions": [],
    "RequestId": "2179b6f0-7b5c-11e4-a252-9d68fcf58947",
    "SerialNumber": "472673",
    "SoftwareVersion": "5.1.0-25",
    "SshPublicKey": "…",
    "Status": "RUNNING",
    "SubnetId": "subnet-d244b0bb",
    "SubscriptionStartDate": "2014-12-04T02:18:56.292Z",
    "SubscriptionType": "PRODUCTION",
    "VendorName": "SafeNet Inc."
}
```
![Page 32: CloudHSM Deep-Dive · PDF fileCloudHSM Deep-Dive Dave Walker ... leverage on-prem HSMs over VPN or DX ... • AWS monitors & manages the devices and network infrastructure](https://reader034.vdocuments.net/reader034/viewer/2022051720/5a78ac3d7f8b9ae6228b4657/html5/thumbnails/32.jpg)
Provision HSMs
• Look for the ENI with “CloudHSM Managed Interface, DO NOT DELETE!” in the description
![Page 33: CloudHSM Deep-Dive · PDF fileCloudHSM Deep-Dive Dave Walker ... leverage on-prem HSMs over VPN or DX ... • AWS monitors & manages the devices and network infrastructure](https://reader034.vdocuments.net/reader034/viewer/2022051720/5a78ac3d7f8b9ae6228b4657/html5/thumbnails/33.jpg)
Provisioning HSMs
• Change the ENI security group to the one with the description “Allows SSH and NTLS from the public subnet”
![Page 34: CloudHSM Deep-Dive · PDF fileCloudHSM Deep-Dive Dave Walker ... leverage on-prem HSMs over VPN or DX ... • AWS monitors & manages the devices and network infrastructure](https://reader034.vdocuments.net/reader034/viewer/2022051720/5a78ac3d7f8b9ae6228b4657/html5/thumbnails/34.jpg)
Initialize the HSM
```shell
$ cloudhsm -c cloudhsm.conf initialize-hsm -H arn:aws:cloudhsm:eu-central-1:315160724404:hsm-f32462d6 \
    --label hsmLabel --cloning-domain cloningDomain --so-password sopassword
{
    "Status": "Initialization of the HSM successful"
}
```
![Page 35: CloudHSM Deep-Dive · PDF fileCloudHSM Deep-Dive Dave Walker ... leverage on-prem HSMs over VPN or DX ... • AWS monitors & manages the devices and network infrastructure](https://reader034.vdocuments.net/reader034/viewer/2022051720/5a78ac3d7f8b9ae6228b4657/html5/thumbnails/35.jpg)
Configure High Availability
• Create an HAPG (high availability partition group)
```shell
$ cloudhsm -c cloudhsm.conf create-hapg --group-label Partition_001
{
    "HapgArn": "arn:aws:cloudhsm:eu-central-1:315160724404:hapg-8e3be050",
    "RequestId": "ce3e1b17-7b64-11e4-a252-9d68fcf58947"
}
```
![Page 36: CloudHSM Deep-Dive · PDF fileCloudHSM Deep-Dive Dave Walker ... leverage on-prem HSMs over VPN or DX ... • AWS monitors & manages the devices and network infrastructure](https://reader034.vdocuments.net/reader034/viewer/2022051720/5a78ac3d7f8b9ae6228b4657/html5/thumbnails/36.jpg)
Configure High Availability
• Add the HSMs to the HAPG
```shell
$ cloudhsm -c cloudhsm.conf add-hsm-to-hapg -H arn:aws:cloudhsm:eu-central-1:315160724404:hsm-f32462d6 \
    --hapg-arn arn:aws:cloudhsm:eu-central-1:315160724404:hapg-8e3be050 \
    --cloning-domain cloningDomain --partition-password partitionPassword --so-password sopassword
{
    "Status": "Addition of HSM arn:aws:cloudhsm:eu-central-1:315160724404:hsm-f32462d6 to HAPG arn:aws:cloudhsm:eu-central-1:315160724404:hapg-8e3be050 successful"
}
```
(then do it again for the second HSM)
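The provisioning and HA steps above, chained into one script as an added example (not AWS or SafeNet tooling): it runs create-hsm per subnet, polls describe-hsm until each HSM reports RUNNING, initialises each with a shared cloning domain, then creates the HAPG and adds every HSM. It assumes the deck's cloudhsm CLI, cloudhsm.conf and cloudhsm_ssh.pub in the working directory, and reads the role ARN, cloning domain and passwords from environment variables (IAM_ROLE_ARN, CLONING_DOMAIN, SO_PASSWORD, PARTITION_PASSWORD are assumed names) instead of typing them on the command line.

```shell
#!/bin/sh
# Added example: chain the deck's CLI steps (create-hsm, describe-hsm until RUNNING,
# initialize-hsm, create-hapg, add-hsm-to-hapg) for one HSM per subnet. Not AWS's or
# SafeNet's own tooling. Assumes cloudhsm.conf and cloudhsm_ssh.pub in the working
# directory; IAM_ROLE_ARN, CLONING_DOMAIN, SO_PASSWORD and PARTITION_PASSWORD are
# assumed environment variable names (keeps secrets out of shell history).
set -eu

CONF=${CONF:-cloudhsm.conf}

# Wrapper so CLOUDHSM can point at a stand-in command for dry runs and tests.
hsm_cli() {
  "${CLOUDHSM:-cloudhsm}" -c "$CONF" "$@"
}

# Pull one top-level string field ("Key": "value") out of the CLI's JSON reply read
# from stdin, without depending on jq. Prints nothing if the field is absent.
json_field() {
  grep -o "\"$1\"[[:space:]]*:[[:space:]]*\"[^\"]*\"" | head -n 1 \
    | sed 's/^[^:]*:[[:space:]]*"\(.*\)"$/\1/'
}

# Poll describe-hsm until Status is RUNNING. PENDING means keep waiting; any other
# value (or exhausting the tries) fails so a broken HSM is never initialised.
wait_for_running() {  # wait_for_running HSM_ARN [max_tries] [seconds_between_tries]
  arn=$1; tries=${2:-60}; delay=${3:-30}
  while [ "$tries" -gt 0 ]; do
    tries=$((tries - 1))
    status=$(hsm_cli describe-hsm -H "$arn" | json_field Status)
    case $status in
      RUNNING) echo RUNNING; return 0 ;;
      PENDING) sleep "$delay" ;;
      *) echo "HSM $arn in unexpected state '$status'" >&2; return 1 ;;
    esac
  done
  echo "HSM $arn did not reach RUNNING in time" >&2
  return 1
}

# Provision one HSM per subnet, initialise each with the same cloning domain (they must
# share it to join one HA partition group), then create the HAPG and add every HSM.
# Prints the HAPG ARN on success.
build_ha_group() {  # build_ha_group SUBNET_ID [SUBNET_ID ...]
  : "${IAM_ROLE_ARN:?}" "${CLONING_DOMAIN:?}" "${SO_PASSWORD:?}" "${PARTITION_PASSWORD:?}"
  arns=""
  for subnet in "$@"; do
    arn=$(hsm_cli create-hsm --ssh-public-key-file cloudhsm_ssh.pub \
            --iam-role-arn "$IAM_ROLE_ARN" --subnet-id "$subnet" | json_field HsmArn)
    [ -n "$arn" ] || { echo "create-hsm returned no HsmArn for $subnet" >&2; return 1; }
    arns="$arns $arn"
  done
  for arn in $arns; do
    wait_for_running "$arn" >/dev/null
    hsm_cli initialize-hsm -H "$arn" --label "hsm-${arn##*-}" \
      --cloning-domain "$CLONING_DOMAIN" --so-password "$SO_PASSWORD" >/dev/null
  done
  hapg=$(hsm_cli create-hapg --group-label Partition_001 | json_field HapgArn)
  [ -n "$hapg" ] || { echo "create-hapg returned no HapgArn" >&2; return 1; }
  for arn in $arns; do
    hsm_cli add-hsm-to-hapg -H "$arn" --hapg-arn "$hapg" --cloning-domain "$CLONING_DOMAIN" \
      --partition-password "$PARTITION_PASSWORD" --so-password "$SO_PASSWORD" >/dev/null
  done
  echo "$hapg"
}

# Only acts when asked explicitly, e.g.:
#   RUN_CLOUDHSM_SETUP=1 sh build-hapg.sh subnet-d244b0bb subnet-<second-subnet-id>
if [ "${RUN_CLOUDHSM_SETUP:-0}" = 1 ]; then build_ha_group "$@"; fi
```

Pointing CLOUDHSM at a stand-in that echoes the JSON shapes from the slides lets you rehearse the whole sequence before spending the per-HSM provisioning charge.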
Done!
• After this, you are ready to set up custom software with SafeNet clients, RDS integration, customer-managed databases, and more.
• Comprehensive documentation is available at http://aws.amazon.com/cloudhsm
CloudHSM Pricing and Trials
• An HSM provisioned in any region has a $5,000 one-time charge, then is metered hourly after that
• There is no “stop”, only “terminate”
– We know this is challenging, since re-provisioning will incur another $5,000 upfront charge
• 30-day trials are available for customers on premium support
– Access these by opening a case with dev support
Conclusion
• HSMs, for basic key storage and bulk crypto, are available in AWS, if you need them
• They’ll have better performance than on-prem HSMs, owing to co-location
• CloudHSM (and HSMs in general) aren’t for everyone
– Customers need trained staff and tight operational practice