AWS CloudHSM | Provisioning and operations Flashcards
Is there a Free Tier for the CloudHSM service?
Provisioning and operations
AWS CloudHSM | Security, Identity & Compliance
No, there is no free tier available for CloudHSM.
Are there any prerequisites for signing up for CloudHSM?
Provisioning and operations
AWS CloudHSM | Security, Identity & Compliance
Yes. In order to start using CloudHSM there are a few prerequisites, including a Virtual Private Cloud (VPC) in the region where you want CloudHSM service. Refer to the CloudHSM User Guide for more details.
Do I need to manage the firmware on my HSM?
Provisioning and operations
AWS CloudHSM | Security, Identity & Compliance
No. AWS manages the firmware on the hardware. Firmware is maintained by a third-party, and every firmware must be evaluated by NIST for FIPS 140-2 Level 3 compliance. Only firmware that has been cryptographically signed by the FIPS key (which AWS does not have access to) can be installed.
How many HSMs should I have in my CloudHSM Cluster?
Provisioning and operations
AWS CloudHSM | Security, Identity & Compliance
AWS strongly recommends that you use at least two HSMs in two different Availability Zones for any production workload. For mission-critical workloads, we recommend at least three HSMs in at least two separate AZs. The CloudHSM client will automatically handle any HSM failures and load balance across two or more HSMs transparently to your application.
Who is responsible for key durability?
Provisioning and operations
AWS CloudHSM | Security, Identity & Compliance
AWS takes automatic encrypted backups of your CloudHSM Cluster on a daily basis, and additional backups when cluster lifecycle events occur (such as adding or removing an HSM).For the 24-hour period between backups, you are solely responsible for the durability of key material created or imported to your cluster. We strongly recommend ensuring that any keys created are synchronized to at least two HSMs in two different Availability Zones to ensure the durability of your keys. See the CloudHSM User Guide for more detail on verifying key synchronization.
How do I set up a high availability (HA) configuration?
Provisioning and operations
AWS CloudHSM | Security, Identity & Compliance
High availability is provided automatically when you have at least two HSMs in your CloudHSM Cluster. No additional configuration is required. In the event an HSM in your cluster fails, it will be replaced automatically, and all clients will be updated to reflect the new configuration without interrupting any processing. Additional HSMs can be added to the cluster via the AWS API or SDK, increasing availability without interrupting your application.
How many HSMs can be connected in a CloudHSM Cluster?
Provisioning and operations
AWS CloudHSM | Security, Identity & Compliance
A single CloudHSM Cluster can contain up to 32 HSMs.
Can I back up the contents of a CloudHSM?
Provisioning and operations
AWS CloudHSM | Security, Identity & Compliance
Your CloudHSM Cluster is backed up on a daily basis by AWS. Keys can also be exported (“wrapped”) out of your cluster and stored on-premises as long as they were not generated as “non-exportable”. No other backup options are available at this time, though we expect to provide a more comprehensive on-premises backup capability soon.