Q: What is AWS CloudHSM?
The AWS CloudHSM service helps you meet corporate, contractual and regulatory compliance requirements for data security by using dedicated Hardware Security Module (HSM) appliances within the AWS cloud. AWS and AWS Marketplace partners offer a variety of solutions for protecting sensitive data within the AWS platform, but for some applications and data subject to contractual or regulatory mandates for managing cryptographic keys, additional protection may be necessary. CloudHSM complements existing data protection solutions and allows you to protect your encryption keys within HSMs that are designed and validated to government standards for secure key management. CloudHSM allows you to securely generate, store and manage cryptographic keys used for data encryption in a way that keys are accessible only by you.
Q: What is a Hardware Security Module (HSM)?
A Hardware Security Module (HSM) is a hardware appliance that provides secure key storage and cryptographic operations within a tamper-resistant hardware device. HSMs are designed to securely store cryptographic key material and use the key material without exposing it outside the cryptographic boundary of the appliance.
Q: What can I do with CloudHSM?
You can use the CloudHSM service to support a variety of use cases and applications, such as database encryption, Digital Rights Management (DRM), Public Key Infrastructure (PKI), authentication and authorization, document signing, and transaction processing. You can read about several common use cases for CloudHSM in this AWS Security blog post.
Q: What types of HSMs are available?
As part of the service, AWS currently provides Luna SA 7000 HSM appliances from SafeNet, Inc., with version 5 of the Luna SA software.
Q: How does CloudHSM work?
When you use the AWS CloudHSM service you receive dedicated single tenant access to each CloudHSM appliance. Each appliance appears as a network resource in your Virtual Private Cloud (VPC). You, not Amazon, initialize and manage the HSM partitions on the HSM. As part of provisioning, you receive administrator credentials for the appliance, and may create an HSM partition on the appliance. After creating an HSM partition, you can configure a client on your EC2 instance that allows your applications to use the APIs provided by the HSM.
The cryptographic partition is a logical and physical security boundary that restricts access to your keys, so only you control your keys and operations performed by the HSM. Amazon administrators will manage and monitor the health of the HSM appliance, but do not have access to the cryptographic partition. Your applications use standard cryptographic APIs, in conjunction with HSM client software installed on the application instance, to send cryptographic requests to the HSM. The client software transparently sets up a secure channel to the HSM appliance using credentials that you create and sends requests on this channel, and the HSM performs the operations and returns the results over the secure channel. The client then returns the result to the application through the cryptographic API.
Q: I don’t currently have a VPC. Can I still use AWS CloudHSM?
No. To protect and isolate your CloudHSM from other Amazon customers, CloudHSM must be provisioned inside a VPC. Creating a VPC is easy. Please see the VPC Getting Started Guide for more information.
Q: Does my application need to reside in the same VPC as the CloudHSM instance?
No, but the server or instance on which your application and the HSM client is running must have network (IP) reachability to the HSM. You can establish network connectivity from your application to the HSM in many ways, including operating your application in the same VPC, with VPC peering, with a VPN connection, or with Direct Connect. Please see the VPC Peering Guide and VPC User Guide for more details.
Q: Does CloudHSM work with on-premises HSMs?
Yes. The software and firmware versions of your on-premises HSMs must match those of the CloudHSM instances. You can connect CloudHSM instances in your VPC to your datacenter using the VPN capability built into VPC or with AWS Direct Connect.
Q: How can my application use CloudHSM?
SafeNet has integrated and tested the Luna SA HSM with a number of commercial software solutions. Examples include Oracle Database 11g, Microsoft SQL Server 2008 and 2012, SafeNet ProtectV with virtual Key Secure for EBS volume encryption, and Apache web server SSL termination with private keys stored in the HSM. Please see the CloudHSM User Guide for a complete list of supported applications and links to the technical application notes that explain how configure your applications with CloudHSM.
If you are developing your own custom application, your application can use the standard APIs supported by the Luna SA HSM, including PKCS#11, Microsoft CAPI/CNG and Java JCA/JCE (Java Cryptography Architecture/Java Cryptography Extensions). The SafeNet documentation provides a complete list of supported APIs. Please refer to the CloudHSM User Guide for code samples and help with getting started.
Q: Can I use CloudHSM to store keys or encrypt data used by other AWS services?
Yes. You can write custom applications and integrate them with CloudHSM, or you can leverage one of the third party encryption solutions available from AWS Technology Partners. Examples include EBS volume encryption and S3 object encryption and key management. Please see the CloudHSM User Guide for a list of supported applications and links to technical application notes that describe third party solutions that work with CloudHSM.
Q: Can other AWS services use CloudHSM to store and manage keys (for example Amazon S3 or Amazon Redshift)?
Amazon Relational Database Service (RDS) for Oracle Database and Amazon Redshift can be configured to store master keys in CloudHSM instances. Please refer to the relevant Amazon RDS documentation or Amazon Redshift documentation for more details. Over time we may integrate CloudHSM with other AWS services. If this is of interest to you, please let us know.
Q: Can CloudHSM be used to perform personal identification number (PIN) block translation or other cryptographic operations used with debit payment transactions?
The Luna SA HSM is a general purpose HSM that is not capable of supporting these operations.
Q: Where is CloudHSM available?
CloudHSM is available today in the US East (Northern Virginia), US East (Ohio), US West (Northern California), US West (Oregon), EU (Ireland), EU (Frankfurt), Asia Pacific (Tokyo), Asia Pacific (Singapore), Asia Pacific (Sydney) and AWS GovCloud (US) regions. If you are interested in using CloudHSM in any other regions, please Contact Us. You can find availability information for AWS services on the AWS Products and Services by Region page.
Q: How do I get started with CloudHSM?
You can provision a CloudHSM instance with a few API calls through the AWS SDK, API or via the CloudHSM Command Line Interface Tools. To learn more, please see the CloudHSM User Guide for information about getting started with the CLI Tools, the CloudHSM Developer Guide for information about the API, or the Tools for Amazon Web Services page for more information about the SDK. If you want to start with a free trial, see the CloudHSM Free Trial page for more information.
Q: How long does it take to get CloudHSM service?
Requests for HSM appliances typically can be satisfied within 15 minutes through the AWS API, SDK, or CloudHSM CLI Tools.
Q: How do I terminate CloudHSM service?
Before ending service, AWS requires you to delete all your cryptographic key material from the HSM appliance. After you delete (zeroize) all of your key material, you can use the CloudHSM API, SDK, or CLI Tools to stop using the service, or you can contact us for assistance. Please refer to the CloudHSM User Guide for further instructions.
Q: How will I be charged and billed for my use of the AWS CloudHSM service?
You will be charged an upfront fee for each CloudHSM instance you launch, and an hourly fee for each hour thereafter until you terminate the instance. Amazon reserves the right to charge for network data transfers in and out of a CloudHSM that exceed 5000 GB per month. For more information, please visit the AWS CloudHSM pricing page.
Q: Is there a Free Tier for the CloudHSM service?
No, but you may be eligible for a CloudHSM Free Trial.
Q: Do I need to purchase any licenses for the HSM to use the CloudHSM service?
No. The CloudHSM service includes everything you need to allow you to connect as many as 800 clients to the HSM and use 20 partitions on the HSM.
Q: Are there any prerequisites for signing up for CloudHSM?
Yes. In order to start using CloudHSM there are a few prerequisites, including a Virtual Private Cloud (VPC) in the region where you want CloudHSM service. It’s easy to configure a VPC and a complete CloudHSM test environment using a CloudFormation template provided by AWS. Refer to the CloudHSM User Guide for more details.
Q: How much capacity do I need?
CloudHSM instances are not rate limited; they run at the full rated capacity of the HSM appliance. You should evaluate your cryptographic workload and compare it against the performance and scale characteristics of the Luna SA appliance, described on the SafeNet Luna SA Product Page.
Q: Which versions of CloudHSM firmware and software are supported?
Two versions of the SafeNet appliance software and firmware are currently supported: 5.1.5/6.2.1 (FIPS validated) and 5.3.5/6.10.2 (FIPS candidate). Customers requiring other versions to support their application should contact AWS Support.
Q: Can I upgrade the firmware or software of the HSM?
Maintaining the appliance firmware and software is the responsibility of the customer. Upgrade instructions for supported versions can be found in the CloudHSM Upgrade Guide.
Q: How many HSM appliances will I need?
AWS strongly recommends that you use at least two appliances, and that each appliance is in a high availability (HA) configuration as described in the CloudHSM User Guide. You can use the SafeNet Luna client to load balance across two or more HSMs.
Q: Who is responsible for key durability?
AWS does not have Security Officer or Cloning Domain credentials for any HSMs that you are using. These credentials are needed to perform backups or to configure high availability. Therefore you are solely responsible for the durability of the key material on the HSMs that you are using.
Q: How do I set up a high availability (HA) configuration?
You can find more information about high availability configuration in the CloudHSM User Guide. The CloudHSM CLI Tools are designed to simplify configuration and operations using high availability HSM configurations.
Q: How many HSMs can be connected in an HA group?
At this time, the maximum number of HSMs in an HA group is sixteen.
Q: Can I back up the contents of a CloudHSM?
Yes. For security reasons, the HSM is configured in the factory to allow the contents of the HSM to be duplicated only to another HSM. The HSM also requires that you configure the same cloning domain on the source and target HSM devices (your ownership and control of the cloning domain credential gives you and only you the ability to clone the contents of the HSM). You can clone the contents of your CloudHSM to another SafeNet Luna SA using a high availability (HA) configuration or to a SafeNet Luna Backup HSM. The CloudHSM CLI Tools are designed to simplify cloning and other operations using high availability HSM configurations.
Q: Do I have to purchase the SafeNet Luna Backup HSM in order to use the CloudHSM service?
No. The Luna Backup HSM is optional.
Q: Where can I purchase the SafeNet Luna Backup HSM?
You can purchase it directly from SafeNet using the following link: http://www.safenet-inc.com/request-information/
Q: Is there an SLA for CloudHSM?
At the present time, there is no SLA for CloudHSM.
Q: Do I share the HSM instance with other AWS customers?
No. As part of the service you receive dedicated single tenant access to the HSM appliance.
Q: How does AWS manage the HSM without having access to my encryption keys?
Separation of duties and role-based access control is inherent in the design of the SafeNet Luna SA HSM. AWS has administrative credentials to the appliance, but these credentials can only be used to manage the appliance, not the HSM partitions on the appliance. AWS uses these credentials to monitor and maintain the health and availability of the appliance. You can use syslog and SNMP to monitor the health and availability of an HSM appliance that you are using.
AWS controls availability of the appliance but is unable to access or use your keys. For instance, AWS can remove your network access to the appliance, or can re-initialize the appliance, which will result in destruction of your keys. However, AWS cannot extract your keys or cause the appliance to perform cryptographic operations using your keys.
AWS is not involved in the creation and management of the key material stored within an HSM. You control the HSM partitions and must perform these tasks. In Luna SA terminology, AWS has Admin credentials to the HSM appliance, but never has Security Officer or Partition credentials. Details about these roles and more information about the Luna SA HSM appliance are available in the topic E - Concepts in the Luna SA documentation.
Q: Can I monitor the HSM appliance?
Yes. The appliance generates logs that can be monitored via syslog. You may use your own syslog endpoint to monitor appliance logins, NTLS connections, environmental conditions, etc. AWS also monitors the appliance for health and availability.
Q: What happens if someone tampers with the HSM appliance?
The SafeNet Luna SA appliance has both physical and logical tamper detection and response mechanisms that trigger key deletion (zeroization) of the appliance and generate event logs. The HSM is designed to detect tampering if the physical barrier of the HSM appliance is breached. In addition, after three unsuccessful attempts to access an HSM partition with HSM Admin credentials, the HSM appliance erases its HSM partitions. If the HSM detects a tampering attempt, it stops responding for approximately ten minutes and then restarts. After restarting, the HSM generates a local syslog event and if configured for remote syslog monitoring, it sends a syslog message. For more information, see the SafeNet Luna SA documentation.
Q: What happens in case of failure?
Amazon monitors and maintains the appliance and network for availability and error conditions. If an appliance fails or loses network connectivity, an AWS engineer will investigate. If the outage is short (for example, a transient network event), then service will be restored as soon as possible. If the outage is anticipated to be long (for example, a hardware failure on an HSM appliance), then AWS will either notify you so you can provision a new CloudHSM instance yourself, or provision a replacement instance and notify you that it is ready, so you can migrate your workload to the new appliance.
If you previously used the CLI Tools to configure HA partition groups, you can clone all of the keys from one HSM to another using the ‘clone-hsm’ command. You can check the health of an individual HSM using the CloudHSM API, SDK, or CLI Tools, and you can check the overall health of the service at any time using the AWS Service Health Dashboard.
Q: Could I lose my keys if a single HSM appliance fails?
Yes. It is possible to lose your keys if the CloudHSM instance that you are using fails and you are not using two or more CloudHSM instances, or a combination of a CloudHSM and an on-premises HSM, in a high availability mode. Amazon strongly recommends that you use two or more CloudHSM instances, in separate Availability Zones, in a high availability mode in order to avoid loss of cryptographic keys.
Q: Can Amazon recover my keys if I lose my credentials to the appliance?
No. Amazon does not have access to your keys or credentials and therefore has no way to recover your keys if you lose your credentials.
Q: How do I know that I can trust CloudHSM appliances?
The Luna SA is designed to meet Federal Information Processing Standard (FIPS) 140-2 and Common Criteria EAL4+ standards. You can find more information about Luna SA regulatory compliance and third party validation on the Luna SA product page.
SafeNet has documented a process that allows you to confirm that you are communicating directly with an HSM appliance. Please refer to How Do I Know That I'm Communicating with an HSM? for more information.
Q: How do I operate a CloudHSM in FIPS 140-2 mode?
The appliance can be operated in FIPS 140-2 Level 2 mode by disabling non-FIPS-compliant algorithms and enabling password authentication in the HSM policy when you create the HSM partition. Please see the Luna SA documentation for full details on this procedure.
Q: Does the CloudHSM service support FIPS 140-2 Level 3?
No. The Luna SA as it is configured for the CloudHSM service with password-based authentication does not support FIPS 140-2 Level 3.
Q: Does the CloudHSM appliance (Luna SA) meet any of the requirements for FIPS 140-2 Level 3?
Yes. The SafeNet Luna SA meets the physical security, EMI/EMC, and design assurance requirements for FIPS 140-2 Level 3. For more information, please refer to the Non-proprietary Security Policy for Luna® PCI-e Cryptographic Module.
Q: How can I securely distribute an HSM partition credential to my instances?
Please refer to the following AWS Security Blog post which describes Using IAM roles to distribute non-AWS credentials to your EC2 instances.
Q: Can I get a history of all CloudHSM API calls made from my account?
Yes. AWS CloudTrail records AWS API calls for your account. The AWS API call history produced by CloudTrail lets you perform security analysis, resource change tracking, and compliance auditing. Learn more about CloudTrail at the CloudTrail home page, and turn it on via CloudTrail's AWS Management Console.
Q: Which events are not logged in CloudTrail?
CloudTrail does not include any of the HSM device or access logs, but you can collect logs from the HSM using syslog.
Q: Which AWS compliance initiatives include CloudHSM?
CloudHSM is included in the AWS Payment Card Industry (PCI) Data Security Standard (DSS) (PCI-DSS), Service Organization Control (SOC) 1, SOC 2, and SOC 3 audits. Please refer to the AWS Compliance site for more information about these compliance programs, and to learn more about the security controls in place for CloudHSM.
Q: How can I request compliance reports that include CloudHSM in scope?
You can request compliance reports through your Business Development representative. If you don’t have one, you can request one here.
Q: How many cryptographic operations per second are supported?
AWS encourages you to measure the performance parameters that are important for your applications before deploying production applications that have performance dependencies on the CloudHSM service. You can also review SafeNet’s performance results. Please contact us if you have specific questions.
Q: How many keys can be stored on a CloudHSM instance?
As configured for the CloudHSM service, the Luna SA HSM has 2 MB of key and object storage. CloudHSM applications can typically store approximately 14,000 symmetric keys, 1,200 RSA 2048 key pairs, or between 4000 and 6000 ECDSA key pairs, depending on which curve is used. The number of keys your application is able to store depends on the application and how much additional space is consumed with metadata for each key. AWS encourages you to test and measure capacity parameters that are important for your application.
Q: How many simultaneous client sessions are supported?
The SafeNet Luna SA is designed to support 800 simultaneous client connections. AWS encourages you to test and measure capacity and performance parameters that are important for your application.
Q: What is Transparent Data Encryption (TDE) and how is it relevant to Amazon RDS?
Transparent Data Encryption (TDE) is a feature of Oracle Database for encrypting the data in a database without the need for users to manage the encryption key. Amazon Relational Database Service (Amazon RDS) for Oracle supports TDE for Oracle Database 11g Enterprise Edition.
Q: What is CloudHSM for Amazon RDS Oracle TDE?
CloudHSM for Amazon RDS Oracle TDE enables Transparent Data Encryption, a standard feature of Oracle 11g, for encrypting the database in a way that is transparent to your applications, while creating and storing the master encryption key on CloudHSM devices that you control.
Q: What can I do with CloudHSM for Amazon RDS Oracle TDE?
You can encrypt your Amazon RDS Oracle database using TDE with a master encryption key created and stored in CloudHSM appliances that you control. The Amazon RDS database instance cannot start unless you provide access to the master key that is created and stored in the HSM hardware. Storing the master encryption key in a third-party validated HSM that you control can help you meet strict regulatory and compliance requirements for strong key protection.
Q: How do I get started with CloudHSM for Amazon RDS Oracle TDE?
You can use a CloudFormation template provided by AWS to configure the prerequisites for CloudHSM, or you can configure these prerequisites manually. Then create two or three CloudHSM instances using the CLI Tools. With a couple more CLI Tools commands, initialize and configure the CloudHSM instances with a high availability (HA) configuration. Finally, create an Amazon RDS database instance and configure it to use the HSM HA group that you created and provide your HSM partition credential to Amazon RDS. Refer to the Amazon RDS User Guide for more details.
Q: How can I make sure the TDE master key is available to Amazon RDS?
AWS recommends using three HSMs in a high availability configuration with Amazon RDS. You can use the CloudHSM CLI Tools to configure a high availability (HA) group of CloudHSM appliances.
Q: Which database engines does CloudHSM for Amazon RDS Oracle TDE work with?
Oracle Database 11g Enterprise Edition is supported. Please contact us if you are interested in using CloudHSM with another database engine or with a different version of the Oracle database.
Q: How many database instances can share a single CloudHSM partition?
Storing master keys from different database instances on the same partition is supported by Oracle and RDS, so you are limited only by the storage space on the HSM.
Q: How is my data protected with CloudHSM for Amazon RDS Oracle?
CloudHSM for Amazon RDS Oracle TDE uses the Oracle TDE feature to encrypt your database. Rather than storing the master encryption key in the Oracle software wallet, the master key is stored in an HSM. The Oracle database documentation provides more details about the operation of Oracle TDE.
Q: How can I change (rotate) the database master encryption key?
AWS automatically rotates the master encryption key once per year. AWS can also rotate the master key by request. Rotating the master key creates a new key and retains the old keys in the HSM, which consumes key storage space on the HSM. Storage space on the HSM is very limited and excessive key rotations could exhaust the storage capacity of the HSM.
Q: When are master keys created in the HSM?
A new master key is created when creating a new database instance (including restoring a database from a backup) if an option group with the TDE-with-CloudHSM option enabled is applied to the instance, and when AWS rotates the master key.
Q: Can Amazon recover my keys if I lose my credentials to the HSM?
No. Amazon does not have access to your keys or credentials and therefore has no way to recover your keys if you lose your credentials, and this could result in unrecoverable data loss.
Q: What are the CloudHSM Command Line Interface (CLI) Tools?
The CloudHSM CLI tools simplify and centralize CloudHSM administration. They make it easier for you, acting as the HSM Security Officer, to configure and manage the HSM. The tools also work in conjunction with and use the CloudHSM API to make it easier to configure your application to work with several HSMs in a high availability configuration.
Q: What can I do with the CloudHSM Command Line Interface Tools?
The tools make it easy to set up your application to use the HA and load balancing features of the SafeNet Luna client software. The tools also centralize configuration and other operations that previously required you to log in to each HSM and type Luna shell commands. For example, with a few CLI Tools commands you can create a CloudHSM instance, initialize the HSM, create a group of HSM partitions across multiple HSMs, generate the HSM client configuration, register HSM clients with the HSM, and distribute certificates between the client and HSM.
Q: How can I download and get started with the CloudHSM Command Line Interface Tools?
You’ll find instructions in the CloudHSM User Guide.
Q: Do the CloudHSM CLI Tools provide AWS with access to the contents of the HSM?
No. The CLI tools are Python scripts that connect directly to the HSM via SSH and execute Luna shell commands on the HSM on your behalf. When you run a command, you provide your HSM credentials to allow the script to connect to the HSM via SSH and configure it, but this does not provide your credentials to AWS.
For example, to initialize an HSM with the initialize-hsm command, you specify the HSM object identifier (ARN), the HSM security officer (SO) password, and several other parameters on the command line. The tool uses the ARN to look up the IP address of the HSM using the CloudHSM DescribeHSM API call, and then it connects to the HSM via SSH and issues Luna shell commands to initialize the HSM. The credentials you provide are used by the script, and are not shared with AWS. The CLI Tools source code is available under the Apache License v2 open source license, so you can review the code.
Q: Can the CloudHSM CLI Tools and API be used to configure several HSMs in a High Availability (HA) configuration?
Yes. The CloudHSM Command Line Interface Tools and API are designed to be used together to simplify the process of configuring and maintaining several HSMs in a high availability (HA) group.
The CloudHSM API uses an abstraction called a high availability partition group (HAPG) configuration object to simplify this configuration. You must use an HAPG configuration object when you are using CloudHSM for Amazon RDS, and you can optionally use it with your applications that use CloudHSM appliances in an HA configuration.
Q: Can I use HA Partition Groups across regions?
No. HA Partition Groups can only be configured for HSMs in the same region.
Q: On what operating systems can I use the CloudHSM Command Line Tools?
Amazon Linux. Please let us know if there are other operating systems on which you would like to use the tools.
Q: What are the network connectivity requirements for using the CloudHSM Command Line Interface Tools?
The Amazon Linux instance on which you use the CLI tools must have network reachability to your CloudHSM instances and to the CloudHSM API endpoint on the public Internet.
Are the CloudHSM Command Line Tools included in the AWS Command Line Interface?
Not at this time. The CloudHSM CLI Tools must be downloaded and installed separately.
Q: What can I do with the CloudHSM API & SDK?
You can create, modify, and delete CloudHSM instances, and get the status of your CloudHSM instances. What you can do with the API is limited to operations that AWS can perform with its HSM appliance administrator credentials. You control the security officer credentials which provide access to the contents of the HSM, so the API cannot access the contents of the HSM that are restricted to the security officer. To learn more, please see the CloudHSM Developer Guide for information about the API, or the Tools for Amazon Web Services page for more information about the SDK.
Q: How is routine maintenance performed on HSM appliances?
AWS’ routine maintenance procedures for HSM appliances are designed to avoid simultaneous downtime in multiple AZs in the same region.
AWS monitors and maintains the HSM appliances, and may correct minor configuration issues related to availability of the appliance. Such operations should not interfere with your use of the HSM appliance. If a management operation must be performed which could disrupt service (for example, if a security patch must be installed or the device must be rebooted), then AWS will usually attempt to contact you in advance to notify you of the pending change. AWS will not perform routine maintenance on HSM appliances in multiple AZs within the same region within the same 24-hour period.
In unforeseen circumstances, it is possible that AWS might perform emergency maintenance without prior notice. AWS will try to avoid this situation, as well as situations where emergency maintenance is performed within the same 24-hour period on HSM appliances in multiple AZs in the same region.
AWS strongly recommends that you use two or more CloudHSM instances in separate Availability Zones, and configured for high availability.
Q: I lost my SSH key for a CloudHSM instance, how can I reset it?
Contact AWS Support.
Q: I am having a problem with CloudHSM. What do I do?
Contact AWS Support.