When you sign up for the AWS CloudHSM service you receive dedicated single tenant access to each of your CloudHSM appliances. Each appliance appears as a network resource in your Virtual Private Cloud (VPC). You, not Amazon, initialize and manage the HSM partitions on the HSM. As part of provisioning, you receive administrator credentials for the appliance, and may create an HSM partition on the appliance. After creating an HSM partition, you can configure a client on your EC2 instance that allows your applications to use the APIs provided by the HSM. The cryptographic partition is a logical and physical security boundary that restricts access to your keys, so only you control your keys and operations performed by the HSM. Amazon administrators will manage and monitor the health of the HSM appliance, but do not have access to the cryptographic partition. Your applications use standard cryptographic APIs, in conjunction with HSM client software installed on the application instance, to send cryptographic requests to the HSM. The client software transparently sets up a secure channel to the HSM appliance using credentials that you create and sends requests on this channel, and the HSM performs the operations and returns the results over the secure channel. The client then returns the result to the application through the cryptographic API.
SafeNet has integrated and tested the Luna SA HSM with a number of commercial software solutions. Examples include Oracle Database 11g, Microsoft SQL Server 2008 and 2012, SafeNet ProtectV with virtual KeySecure for EBS volume encryption, and Apache web server SSL termination with private keys stored in the HSM. Please see the CloudHSM Getting Started Guide for a complete list of supported applications and links to the technical application notes that explain how to configure your applications with CloudHSM.
If you are developing your own custom application, your application can use the standard APIs supported by the Luna SA HSM, including PKCS#11, Microsoft CAPI/CNG and Java JCA/JCE (Java Cryptography Architecture/Java Cryptography Extensions). The SafeNet documentation provides a complete list of supported APIs. Please refer to the CloudHSM Getting Started Guide for code samples and help with getting started.
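As an added example (not AWS's or SafeNet's own code), this is the Java JCE flow the text describes: the application logs into its partition with the Partition credentials that you, not AWS, hold, generates an RSA key pair that stays inside the HSM, and signs through the standard API while the client software carries the request over its secure channel. The provider name LunaProvider, the Luna keystore type, the "slot:0" selector and the HSM_PARTITION_PASSWORD environment variable are assumptions to check against the Luna SA documentation.

```java
import java.io.ByteArrayInputStream;
import java.nio.charset.StandardCharsets;
import java.security.KeyPair;
import java.security.KeyPairGenerator;
import java.security.KeyStore;
import java.security.PrivateKey;
import java.security.Security;
import java.security.Signature;

public class CloudHsmJceSign {
    // Assumed provider name and keystore type from the Luna JSP docs; verify against SafeNet's documentation.
    private static final String PROVIDER = "LunaProvider";
    private static final String KEYSTORE_TYPE = "Luna";

    public static void main(String[] args) throws Exception {
        // Partition credentials: the Partition password you set when you created the partition.
        // Never hard-code it; here it is read from an environment variable (an assumption of this example).
        char[] partitionPassword = System.getenv("HSM_PARTITION_PASSWORD").toCharArray();
        String slotSpec = "slot:0"; // assumption: the slot the Luna client mapped your partition to

        Security.addProvider(new com.safenetinc.luna.provider.LunaProvider());

        // Loading the keystore logs the client into the partition over the secure channel set up
        // by the Luna client software installed on the instance.
        KeyStore ks = KeyStore.getInstance(KEYSTORE_TYPE);
        ks.load(new ByteArrayInputStream(slotSpec.getBytes(StandardCharsets.US_ASCII)), partitionPassword);

        // Generate the key pair inside the HSM: the private key is created in, and stays in, the partition.
        KeyPairGenerator kpg = KeyPairGenerator.getInstance("RSA", PROVIDER);
        kpg.initialize(2048);
        KeyPair kp = kpg.generateKeyPair();
        PrivateKey priv = kp.getPrivate();

        // Sign: the request is sent to the HSM, which performs the RSA operation and returns only the signature.
        byte[] message = "constructed sample message".getBytes(StandardCharsets.UTF_8);
        Signature signer = Signature.getInstance("SHA256withRSA", PROVIDER);
        signer.initSign(priv);
        signer.update(message);
        byte[] sig = signer.sign();

        // Verification needs only the public key, so it can run with any provider (here the JDK default).
        Signature verifier = Signature.getInstance("SHA256withRSA");
        verifier.initVerify(kp.getPublic());
        verifier.update(message);
        System.out.println("signature valid: " + verifier.verify(sig));

        // Defender's check: an HSM-resident private key should expose no key material to the application.
        // Expect null (or an exception); if bytes come back, review the partition's key-extraction policy.
        System.out.println("private key material exposed: " + (priv.getEncoded() != null));
    }
}
```

Run it on an EC2 instance where the Luna client is installed and registered with your CloudHSM partition; with the Luna JSP jar on the classpath the same code works unchanged against any other JCE provider only for the verification step, since key generation and signing are pinned to the HSM provider.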
The CloudHSM service is charged using a one-time upfront fee and an hourly fee for the time that the CloudHSM is provisioned to you. Your CloudHSM service gives you exclusive access to a single HSM. When you start the service, you will be charged a one-time upfront fee. Thereafter, you will be charged hourly until you terminate the service.
Bills are presented monthly. Since different months have different numbers of days, the amount that you see on your bill will vary slightly. Amazon reserves the right to charge for network data transfers in and out of a CloudHSM that exceed 5000 GB per month at a rate of $0.02 per GB.
For CloudHSM pricing information, please visit the pricing section on the AWS CloudHSM detail page.
Separation of duties and role-based access control is inherent in the design of the SafeNet Luna SA HSM. AWS has administrative credentials to the appliance, but these credentials can only be used to manage the appliance, not the HSM partitions on the appliance. AWS uses these credentials to monitor and maintain the health and availability of the appliance. You can use syslog and SNMP to monitor the health and availability of an HSM appliance that you are using.
AWS controls availability of the appliance but is unable to access or use your keys. For instance, AWS can remove your network access to the appliance, or can re-initialize the appliance, which will result in destruction of your keys. However, AWS cannot extract your keys or cause the appliance to perform any cryptographic operation using your keys.
AWS is not involved in the creation and management of the key material stored within an HSM. You control the HSM partitions and must perform these tasks. In Luna SA terminology, AWS has Admin credentials to the HSM appliance, but never has Security Officer or Partition credentials. Details about these roles and more information about the Luna SA HSM appliance are available in the topic E - Concepts in the Luna SA documentation.
The SafeNet Luna SA appliance has both physical and logical tamper detection and response mechanisms that trigger zeroization of the appliance and generate event logs. The HSM is designed to detect tampering if the physical barrier of the HSM appliance is breached. In addition, after three unsuccessful attempts to access an HSM partition with HSM Admin credentials, the HSM appliance erases its HSM partitions. If the HSM detects a tampering attempt, it stops responding for approximately ten minutes and then restarts. After restarting, the HSM generates a local syslog event and if configured for remote syslog monitoring, it sends a syslog message.
For more information, see the SafeNet Luna SA documentation.
Amazon monitors and maintains the appliance and network for availability and error conditions. If an appliance fails or loses network connectivity, an AWS engineer will investigate. If the outage is short (for example, a transient network event), then service will be restored as soon as possible. If the outage is anticipated to be long (for example, a hardware failure on an HSM appliance), then AWS will provision a new CloudHSM to you and help you migrate your workload to the new appliance.
You can check the health of the service at any time by checking the AWS Service Health Dashboard.
The Luna SA is designed to meet Federal Information Processing Standard (FIPS) 140-2 and Common Criteria EAL4+ standards. You can find more information about Luna SA regulatory compliance and third party validation on the Luna SA product page.
SafeNet has documented a process that allows you to confirm that you are communicating directly with an HSM appliance. Please refer to How Do I Know That I'm Communicating with an HSM? for more information.
The appliance can be operated in FIPS 140-2 Level 2 mode by disabling non-FIPS-compliant algorithms and enabling password authentication in the HSM policy when you create the HSM partition. Please see the Luna SA documentation for full details on this procedure.
If your application requires FIPS 140-2 Level 3, or if you want to use a specific version of the HSM software, please contact us.
CloudHSMs are not rate limited; they each run at the full rated capacity of the appliance. You should evaluate your cryptographic workload and compare it against the performance and scale characteristics of the Luna SA appliance, described on the SafeNet Luna SA Product Page.
AWS recommends that you use at least two appliances, and that each appliance is in a high availability (HA) configuration as described in the Luna SA documentation. You can use the SafeNet Luna client to load balance across two or more HSMs.
AWS does not have Security Officer or Cloning Domain credentials for any HSMs that you are using. These credentials are needed to perform backups or to configure high availability. Therefore you are solely responsible for the durability of the key material on the HSMs that you are using.
AWS’ routine maintenance procedures for HSM appliances are designed to avoid simultaneous downtime in multiple AZs in the same region.
AWS monitors and maintains the HSM appliances, and may correct minor configuration issues related to availability of the appliance. Such operations should not interfere with your use of the HSM appliance. If a management operation must be performed which could disrupt service (for example, if a security patch must be installed or the device must be rebooted), then AWS will usually attempt to contact you in advance to notify you of the pending change. AWS will not perform routine maintenance on HSM appliances in multiple AZs within the same region within the same 24-hour period.
In unforeseen circumstances, it is possible that AWS might perform emergency maintenance without prior notice. AWS will try to avoid this situation, as well as situations where emergency maintenance is performed within the same 24-hour period on HSM appliances in multiple AZs in the same region.
AWS strongly recommends that you use two or more CloudHSMs, configured for high availability, in separate AZs.