Q: What is AWS CloudHSM?
The AWS CloudHSM service helps you meet corporate, contractual and regulatory compliance requirements for data security by using dedicated Hardware Security Module (HSM) appliances within the AWS cloud. AWS and AWS Marketplace partners offer a variety of solutions for protecting sensitive data within the AWS platform, but for some applications and data subject to contractual or regulatory mandates for managing cryptographic keys, additional protection may be necessary. CloudHSM complements existing data protection solutions and allows you to protect your encryption keys within HSMs that are designed and validated to government standards for secure key management. CloudHSM allows you to securely generate, store and manage cryptographic keys used for data encryption in a way that keys are accessible only by you.
Q: What is a Hardware Security Module (HSM)?
A Hardware Security Module (HSM) is a hardware appliance that provides secure key storage and cryptographic operations within a tamper-resistant hardware device. HSMs are designed to securely store cryptographic key material and use the key material without exposing it outside the cryptographic boundary of the appliance.
Q: What can I do with CloudHSM?
You can use the CloudHSM service to support a variety of use cases and applications, such as database encryption, Digital Rights Management (DRM), Public Key Infrastructure (PKI), authentication and authorization, document signing, and transaction processing.
Q: What types of HSMs are available?
As part of the service, AWS currently provides Luna SA HSM appliances from SafeNet, Inc., with version 5 of the Luna SA software.
Q: How does CloudHSM work?
When you sign up for the AWS CloudHSM service you receive dedicated single tenant access to each of your CloudHSM appliances. Each appliance appears as a network resource in your Virtual Private Cloud (VPC). You, not Amazon, initialize and manage the HSM partitions on the HSM. As part of provisioning, you receive administrator credentials for the appliance, and may create an HSM partition on the appliance. After creating an HSM partition, you can configure a client on your EC2 instance that allows your applications to use the APIs provided by the HSM.
The cryptographic partition is a logical and physical security boundary that restricts access to your keys, so only you control your keys and operations performed by the HSM. Amazon administrators will manage and monitor the health of the HSM appliance, but do not have access to the cryptographic partition. Your applications use standard cryptographic APIs, in conjunction with HSM client software installed on the application instance, to send cryptographic requests to the HSM. The client software transparently sets up a secure channel to the HSM appliance using credentials that you create and sends requests on this channel, and the HSM performs the operations and returns the results over the secure channel. The client then returns the result to the application through the cryptographic API.
Q: I don’t currently have a VPC. Can I still use AWS CloudHSM?
No. To protect and isolate your CloudHSM from other Amazon customers, CloudHSM must be provisioned inside a VPC. Creating a VPC is easy. Please see the VPC Getting Started Guide for more information.
Q: How can my application use CloudHSM?
SafeNet has integrated and tested the Luna SA HSM with a number of commercial software solutions. Examples include Oracle Database 11g, Microsoft SQL Server 2008 and 2012, SafeNet ProtectV with virtual Key Secure for EBS volume encryption, and Apache web server SSL termination with private keys stored in the HSM. Please see the CloudHSM Getting Started Guide for a complete list of supported applications and links to the technical application notes that explain how configure your applications with CloudHSM.
If you are developing your own custom application, your application can use the standard APIs supported by the Luna SA HSM, including PKCS#11, Microsoft CAPI/CNG and Java JCA/JCE (Java Cryptography Architecture/Java Cryptography Extensions). The SafeNet documentation provides a complete list of supported APIs. Please refer to the CloudHSM Getting Started Guide for code samples and help with getting started.
Q: Can I use CloudHSM to store keys or encrypt data used by other AWS services?
Yes. You can write custom applications and integrate them with CloudHSM, or you can leverage one of the third party encryption solutions available from AWS Technology Partners. Examples include EBS volume encryption and S3 object encryption and key management. Please see the CloudHSM Getting Started Guide for a list of supported applications and links to technical application notes that describe third party solutions that work with CloudHSM.
Q: Can other AWS services use CloudHSM to store and manage keys (for example Amazon S3, Amazon RDS or Amazon Redshift)?
Amazon Redshift works with AWS CloudHSM. Please refer to the Redshift documentation for more details. Over time we plan to further integrate CloudHSM with other AWS services. If this is of interest to you, please let us know.
Q: Where is CloudHSM available?
CloudHSM is available today in the US East (Northern Virginia), US West (Oregon), EU (Ireland), EU (Frankfurt) and Asia Pacific (Sydney) regions. If you are interested in using CloudHSM in any other regions, please Contact Us.
Q: Can I try the CloudHSM service with my applications before I sign up?
Yes. You can try the CloudHSM service for a short trial period. Please Contact Us to schedule a trial. It’s easy to configure a CloudHSM test environment using a CloudFormation template provided by AWS. To learn more, refer to the CloudHSM Getting Started Guide.
Q: How do I get started with CloudHSM?
To request service or to determine if CloudHSM is right for you, please Contact Us. You can also review the provisioning process in the CloudHSM Getting Started Guide.
Q: How long does it take to get CloudHSM service?
Requests for up to two HSM appliances typically can be satisfied within a few business days, but may take longer. Requests for more than two HSM appliances may take several weeks.
Q: How will I be charged and billed for my use of the AWS CloudHSM service?
The CloudHSM service is charged using a one-time upfront fee and an hourly fee for the time that the CloudHSM is provisioned to you. Your CloudHSM service gives you exclusive access to a single HSM. When you start the service, you will be charged a one-time upfront fee. Thereafter, you will be charged hourly until you terminate the service.
Bills are presented monthly. Since different months have different numbers of days, the amount that you see on your bill will vary slightly. Amazon reserves the right to charge for network data transfers in and out of a CloudHSM that exceed 5000 GB per month at a rate of $.02 per GB.
For CloudHSM pricing information, please visit the pricing section on the AWS CloudHSM detail page.
Q: How do I terminate CloudHSM service?
Before ending service, AWS requires you to delete all your cryptographic key material from the HSM appliance. To terminate CloudHSM service, you should:
- (IMPORTANT) Back up the contents of the HSM to another HSM that you control or confirm that the keys stored within the HSM are no longer needed.
- Remove all HSM partitions from the HSM appliance.
- Contact AWS with a request to terminate service.
Q: How does AWS manage the HSM without having access to my encryption keys?
Separation of duties and role-based access control is inherent in the design of the SafeNet Luna SA HSM. AWS has administrative credentials to the appliance, but these credentials can only be used to manage the appliance, not the HSM partitions on the appliance. AWS uses these credentials to monitor and maintain the health and availability of the appliance. You can use syslog and SNMP to monitor the health and availability of an HSM appliance that you are using.
AWS controls availability of the appliance but is unable to access or use your keys. For instance, AWS can remove your network access to the appliance, or can re-initialize the appliance, which will result in destruction of your keys. However, AWS cannot extract your keys or cause the appliance to perform any cryptographic operation using your keys.
AWS is not involved in the creation and management of the key material stored within an HSM. You control the HSM partitions and must perform these tasks. In Luna SA terminology, AWS has Admin credentials to the HSM appliance, but never has Security Officer or Partition credentials. Details about these roles and more information about the Luna SA HSM appliance are available in the topic E - Concepts in the Luna SA documentation.
Q: Can I monitor the HSM appliance?
Yes. The appliance generates logs that can be monitored via syslog. You may use your own syslog endpoint to monitor appliance logins, NTLS connections, environmental conditions, etc. AWS also monitors the appliance for health and availability.
Q: What happens if someone tampers with the HSM appliance?
The SafeNet Luna SA appliance has both physical and logical tamper detection and response mechanisms that trigger zero-ization of the appliance and generate event logs. The HSM is designed to detect tampering if the physical barrier of the HSM appliance is breached. In addition, after three unsuccessful attempts to access an HSM partition with HSM Admin credentials, the HSM appliance erases its HSM partitions. If the HSM detects a tampering attempt, it stops responding for approximately ten minutes and then restarts. After restarting, the HSM generates a local syslog event and if configured for remote syslog monitoring, it sends a syslog message.
For more information, see the SafeNet Luna SA documentation.
Q: What happens in case of failure?
Amazon monitors and maintains the appliance and network for availability and error conditions. If an appliance fails or loses network connectivity, an AWS engineer will investigate. If the outage is short (for example, a transient network event), then service will be restored as soon as possible. If the outage is anticipated to be long (for example, a hardware failure on an HSM appliance), then AWS will provision a new CloudHSM to you and help you migrate your workload to the new appliance.
You can check the health of the service at any time by checking the AWS Service Health Dashboard.
Q: Could I lose my keys if a single HSM appliance fails?
Yes. It is possible to lose your keys if the CloudHSM that you are using fails and you are not using two or more CloudHSMs, or a combination of a CloudHSM and an on-premise HSM, in a high availability mode. Amazon strongly recommends that you use two or more CloudHSMs, in separate Availability Zones, in a high availability mode in order to avoid loss of cryptographic keys.
Q: Can Amazon recover my keys if I lose my credentials to the appliance?
No. Amazon does not have access to your keys or credentials and therefore has no way to recover your keys if you lose your credentials.
Q: How do I know that I can trust CloudHSM appliances?
The Luna SA is designed to meet Federal Information Processing Standard (FIPS) 140-2 and Common Criteria EAL4+ standards. You can find more information about Luna SA regulatory compliance and third party validation on the Luna SA product page.
SafeNet has documented a process that allows you to confirm that you are communicating directly with an HSM appliance. Please refer to How Do I Know That I'm Communicating with an HSM? for more information.
Q: How do I operate a CloudHSM in FIPS 140-2 mode?
The appliance can be operated in FIPS 140-2 Level 2 mode by disabling non-FIPS-compliant algorithms and enabling password authentication in the HSM policy when you create the HSM partition. Please see the Luna SA documentation for full details on this procedure.
If your application requires FIPS 140-2 Level 3, or if you want to use a specific version of the HSM software, please contact us.
Q: How can I securely distribute an HSM partition credential to my instances?
Please refer to the following AWS Security Blog post which describes Using IAM roles to distribute non-AWS credentials to your EC2 instances.
Q: Are there any prerequisites for signing up for CloudHSM?
Yes. In order to sign up for CloudHSM you must first have a Virtual Private Cloud (VPC) in the region where you want CloudHSM service. It’s easy to configure a VPC and a complete CloudHSM test environment using a CloudFormation template provided by AWS. To learn more, refer to the CloudHSM Getting Started Guide
Q: How much capacity do I need?
CloudHSMs are not rate limited; they each run at the full rated capacity of the appliance. You should evaluate your cryptographic workload and compare it against the performance and scale characteristics of the Luna SA appliance, described on the SafeNet Luna SA Product Page.
AWS recommends that you use at least two appliances, and that each appliance is in a high availability (HA) configuration as described in the Luna SA documentation. You can use the SafeNet Luna client to load balance across two or more HSMs.
AWS does not have Security Officer or Cloning Domain credentials for any HSMs that you are using. These credentials are needed to perform backups or to configure high availability. Therefore you are solely responsible for the durability of the key material on the HSMs that you are using.
Q: How do I set up a high availability (HA) configuration?
You can find more information about high availability configuration in the CloudHSM Getting Started Guide. The Luna SA documentation also describes this in detail in the topic Administration & Maintenance / HA and Load Balancing.
Q: How many HSMs can be connected in an HA group?
At this time, the maximum number of HSMs in an HA group is sixteen.
Q: Can I back up the contents of a CloudHSM?
Yes. For security reasons, the HSM is configured in the factory to allow the contents of the HSM to be duplicated only to another HSM. The HSM also requires that you configure the same cloning domain on the source and target HSM devices (your ownership and control of the cloning domain credential gives you and only you the ability to clone the contents of the HSM). You can clone the contents of your CloudHSM to another SafeNet Luna SA using a high availability (HA) configuration or to a SafeNet Luna Backup HSM. You can find more details about cloning and backup in the CloudHSM Getting Started Guide.
Q: Is there an SLA for CloudHSM?
At the present time, there is no SLA for CloudHSM.
Q: How is routine maintenance performed on HSM appliances?
AWS’ routine maintenance procedures for HSM appliances are designed to avoid simultaneous downtime in multiple AZs in the same region.
AWS monitors and maintains the HSM appliances, and may correct minor configuration issues related to availability of the appliance. Such operations should not interfere with your use of the HSM appliance. If a management operation must be performed which could disrupt service (for example, if a security patch must be installed or the device must be rebooted), then AWS will usually attempt to contact you in advance to notify you of the pending change. AWS will not perform routine maintenance on HSM appliances in multiple AZs within the same region within the same 24-hour period.
In unforeseen circumstances, it is possible that AWS might perform emergency maintenance without prior notice. AWS will try to avoid this situation, as well as situations where emergency maintenance is performed within the same 24-hour period on HSM appliances in multiple AZs in the same region.
AWS strongly recommends that you use two or more CloudHSMs, configured for high availability, in separate AZs.
Q: I am having a problem with CloudHSM. What do I do?
Contact AWS Support.