How can I share CloudHSM clusters with other AWS accounts?
Last updated: 2020-12-22
My organization has multiple AWS accounts. How can I share my AWS CloudHSM clusters with these AWS accounts?
You can use AWS Resource Access Manager to share subnets for the Amazon Virtual Private Cloud (Amazon VPC) containing your CloudHSM with other AWS accounts.
Use AWS RAM to access CloudHSM with another AWS account in AWS Organizations. In the following example, Account 1 contains the CloudHSM cluster, and Account 2 contains the CloudHSM client instance.
Use AWS RAM to enable sharing
- With your Organizations management account, open the AWS RAM console in the same Region as your CloudHSM, and choose Settings.
- Select the Enable sharing within your AWS Organization check box.
- With your Organizations management account, open the AWS Organization Console.
- Choose Settings, and note the Organization ID.
Create a resource share with Account 1 for other accounts
- Open the AWS RAM console with Account 1 in the same Region as your CloudHSM.
- In the navigation pane, in Shared by me, choose Resource shares.
- Choose Create resource share.
- In Name, enter a name for the resource share.
- In Resources, choose the Amazon VPC subnet ID for your CloudHSM.
- In Principals, clear the Allow external accounts check box.
- In the Add AWS account number search pane, enter the Organization ID, choose Add, and then choose Create resource share.
Note: You can also share Organizational Units (OUs) and AWS accounts.
Configure the security group to allow the CloudHSM client to connect to the CloudHSM cluster
- Open the CloudHSM console with Account 1 in the same Region as your CloudHSM cluster.
- In the navigation pane, choose Clusters.
- In Cluster ID, choose the CloudHSM cluster that you want to share.
- In Security group, choose the security group.
- Choose the Inbound tab, and then choose Edit.
- Choose Add Rule.
- In Port Range, enter 2223-2225.
- In Source, enter the private IP address of your client instance, and then choose Save.
Note: To get the client instance's private IP address, see View the IPv4 addresses using the EC2 console.
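The resource share and the security group rule from the two sections above, expressed as the API parameters a script would pass to boto3's `ram.create_resource_share()` and `ec2.authorize_security_group_ingress()`, plus an audit that flags rules reaching the CloudHSM ports from anything wider than a single client host. This is an added example, not code from the AWS article; the ARNs, group ID and IP address in the test are constructed placeholders, and the functions only build and inspect dictionaries, so no AWS credentials are needed to run them.

```python
"""Build and audit the CloudHSM sharing requests described above."""
import ipaddress

CLOUDHSM_PORTS = (2223, 2225)  # port range the console steps open


def resource_share_params(name, subnet_arn, org_arn):
    """Parameters for ram.create_resource_share(): the subnet is shared
    only inside the organization (allowExternalPrincipals=False), with
    the organization ARN as the principal (the console accepts the ID)."""
    return {
        "name": name,
        "resourceArns": [subnet_arn],
        "principals": [org_arn],
        "allowExternalPrincipals": False,
    }


def hsm_ingress_params(group_id, client_private_ip):
    """Parameters for ec2.authorize_security_group_ingress(): TCP 2223-2225
    from exactly one client instance (/32), rejecting non-private sources."""
    host = ipaddress.ip_address(client_private_ip)
    if not host.is_private:
        raise ValueError(f"{host} is not a private (VPC) address")
    return {
        "GroupId": group_id,
        "IpPermissions": [{
            "IpProtocol": "tcp",
            "FromPort": CLOUDHSM_PORTS[0],
            "ToPort": CLOUDHSM_PORTS[1],
            "IpRanges": [{"CidrIp": f"{host}/32",
                          "Description": "CloudHSM client instance"}],
        }],
    }


def overly_broad_hsm_rules(ip_permissions, max_prefix=32):
    """Audit existing rules (shape of ec2.describe_security_groups output):
    return every CIDR that reaches the CloudHSM ports and is wider than
    a single host. Protocol '-1' (all traffic) carries no port fields."""
    findings = []
    for perm in ip_permissions:
        if perm.get("IpProtocol") not in ("tcp", "-1"):
            continue
        lo, hi = perm.get("FromPort", 0), perm.get("ToPort", 65535)
        if hi < CLOUDHSM_PORTS[0] or lo > CLOUDHSM_PORTS[1]:
            continue  # rule does not touch 2223-2225
        for rng in perm.get("IpRanges", []):
            if ipaddress.ip_network(rng["CidrIp"], strict=False).prefixlen < max_prefix:
                findings.append(rng["CidrIp"])
    return findings
```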
Create client instances for the subnets shared with Account 2
- Open the Amazon EC2 console with Account 2, choose Launch Instance, and then select an Amazon Machine Image (AMI).
- Choose Next: Configure Instance Details.
- In Network, choose the Amazon VPC that's shared with Account 2.
- In Subnet, choose the subnet that's shared with Account 2.
- In Auto-assign Public IP, choose Enable, and then choose Next: Add Storage.
- Choose Next: Add Tags, and then choose Next: Configure Security Group.
- In Assign a security group, choose either Create a new security group or Select an existing security group (depending on your instance type).
- Choose Review and Launch, and then choose Launch.
- Choose an existing key pair or create a new one (depending on your instance type), and then select the agreement check box.
- Choose Launch Instances.