AWS Security Blog

Tag: AWS CloudHSM

AWS Security Profiles: Avni Rambhia, Senior Product Manager, CloudHSM

In the weeks leading up to re:Invent 2019, we’ll share conversations we’e had with people at AWS who will be presenting at the event so you can learn more about them and some of the interesting work that they’re doing. How long have you been at AWS, and what do you do enjoy most in […]

Read More

How to migrate a digital signing workload to AWS CloudHSM

Note from July 18, 2019: We added information about AWS Certificate Manager (ACM) Private Certificate Authority (CA) to the introduction. Is your on-premises Hardware Security Module (HSM) at end-of-life? Does continued maintenance of your on-premises hardware take a lot of time and cost a lot of money? You should consider migrating your workloads to AWS […]

Read More

How to BYOK (bring your own key) to AWS KMS for less than $15.00 a year using AWS CloudHSM

Note: BYOK is helpful for certain use cases, but I recommend that you familiarize yourself with KMS best practices before you adopt this approach. You can review best practices in the AWS Key Management Services Best Practices (.pdf) whitepaper. May 14, 2019: We’ve updated a sentence to clarify that this solution does not include instructions […]

Read More

How to migrate your EC2 Oracle Transparent Data Encryption (TDE) database encryption wallet to CloudHSM

In this post, I’ll show you how to migrate an encryption wallet for an Oracle database installed on Amazon EC2 from using an outside HSM to using AWS CloudHSM. Transparent Data Encryption (TDE) for Oracle is a common use case for Hardware Security Module (HSM) devices like AWS CloudHSM. Oracle TDE uses what is called […]

Read More
Architecture diagram

How to run AWS CloudHSM workloads on Docker containers

AWS CloudHSM is a cloud-based hardware security module (HSM) that enables you to generate and use your own encryption keys on the AWS Cloud. With CloudHSM, you can manage your own encryption keys using FIPS 140-2 Level 3 validated HSMs. Your HSMs are part of a CloudHSM cluster. CloudHSM automatically manages synchronization, high availability, and […]

Read More

Are KMS custom key stores right for you?

You can use the AWS Key Management Service (KMS) custom key store feature to gain more control over your KMS keys. The KMS custom key store integrates KMS with AWS CloudHSM to help satisfy compliance obligations that would otherwise require the use of on-premises hardware security modules (HSMs) while providing the AWS service integrations of […]

Read More

How to clone an AWS CloudHSM cluster across regions

You can use AWS CloudHSM to generate, store, import, export, and manage your cryptographic keys. It also permits hash functions to compute message digests and hash-based message authentication codes (HMACs), as well as cryptographically sign data and verify signatures. To help ensure redundancy of data and simplification of the disaster recovery process, you’ll typically clone […]

Read More

Using AWS CloudHSM-backed certificates with Microsoft Internet Information Server

SSL/TLS certificates are used to create encrypted sessions to endpoints such as web servers. If you want to get an SSL certificate, you usually start by creating a private key and a corresponding certificate signing request (CSR). You then send the CSR to a certificate authority (CA) and receive a certificate. When a user seeks […]

Read More

How to Update AWS CloudHSM Devices and Client Instances to the Software and Firmware Versions Supported by AWS

Note from September 18, 2017: In this blog post, “AWS CloudHSM” refers to the product that’s now known as AWS CloudHSM Classic. As I explained in my previous Security Blog post, a hardware security module (HSM) is a hardware device designed with the security of your data and cryptographic key material in mind. It is […]

Read More

In Case You Missed These: AWS Security Blog Posts from June, July, and August

In case you missed any AWS Security Blog posts from June, July, and August, they are summarized and linked to below. The posts are shown in reverse chronological order (most recent first), and the subject matter ranges from a tagging limit increase to recording SSH sessions established through a bastion host. August August 16: Updated […]

Read More