CloudHSM Flashcards
CloudHSM
What is the major security limitation of KMS?
Shared hardware. HSM modules aren’t single-tenant
CloudHSM
What is CloudHSM compared to KMS?
important
True single-tenant HSMs, managed by AWS
CloudHSM
Major warning about CloudHSM use?
AWS has no access to the device. Lose access == all keys lost
CloudHSM
What is the FIPS standard for CloudHSM?
important
FIPS 140-2 level 3
need to know whole thing incl “L3” at end
CloudHSM
How do you access a CloudHSM device?
important
PKCS#11, Java Crypto Extensions (JCE), Microsoft CryptoNG library
CloudHSM
Why not just use AWS web service APIs?
CloudHSM is not integrated with AWS services; it’s an industry-standard hardware device
CloudHSM
What other system uses HSMs too?
KMS
CloudHSM
What overlap is there between CloudHSM and KMS?
Normal KMS is shared tenant HSM. Custom Key Store feature of KMS uses CloudHSM for single-tenant.
CloudHSM
Is a CloudHSM device HA?
Nope: it’s a physical device, so it lives in a single AZ
CloudHSM
Is CloudHSM product HA?
Yes(-ish), as long as your Cluster has more than 1 device
CloudHSM
How do you provision CloudHSM?
Create a Cluster, add 1+ devices to it
CloudHSM
How do you provision a CloudHSM device into a VPC?
Don’t. It’s the RDS model: devices live in the service team’s VPC, and you get one ENI per device
CloudHSM
If you have two CloudHSMs, and HSMs don’t ever let keys out…
HSMs in a Cluster sync their keys and config
CloudHSM
Once you have two ENIs for your 2-node CloudHSM cluster, now what?
Run the CloudHSM agent on every EC2 node
CloudHSM
What AWS services does CloudHSM integrate with?
important
Essentially none