AWS CloudHSM FAQs
Q: What is AWS CloudHSM?
The AWS CloudHSM service helps you meet corporate, contractual and regulatory compliance requirements for data security by using dedicated Hardware Security Module (HSM) instances within the AWS cloud. AWS and AWS Marketplace partners offer a variety of solutions for protecting sensitive data within the AWS platform, but for some applications and data subject to contractual or regulatory mandates for managing cryptographic keys, additional protection may be necessary. CloudHSM complements existing data protection solutions and allows you to protect your encryption keys within HSMs that are designed and validated to government standards for secure key management. CloudHSM allows you to securely generate, store and manage cryptographic keys used for data encryption in a way that keys are accessible only by you.
Q: What is a Hardware Security Module (HSM)?
A Hardware Security Module (HSM) provides secure key storage and cryptographic operations within a tamper-resistant hardware device. HSMs are designed to securely store cryptographic key material and use the key material without exposing it outside the cryptographic boundary of the hardware.
Q: What can I do with CloudHSM?
You can use the CloudHSM service to support a variety of use cases and applications, such as database encryption, Digital Rights Management (DRM), Public Key Infrastructure (PKI), authentication and authorization, document signing, and transaction processing.
Q: How does CloudHSM work?
When you use the AWS CloudHSM service you create a CloudHSM Cluster. Clusters can contain multiple HSM instances, spread across multiple Availability Zones in a region. HSM instances in a cluster are automatically synchronized and load-balanced. You receive dedicated, single-tenant access to each HSM instance in your cluster. Each HSM instance appears as a network resource in your Virtual Private Cloud (VPC). Adding and removing HSMs from your Cluster is a single call to the AWS CloudHSM API (or on the command line using the AWS CLI). After creating and initializing a CloudHSM Cluster, you can configure a client on your EC2 instance that allows your applications to use the cluster over a secure, authenticated network connection.
Amazon administrators monitor the health of your HSMs, but do not have any access to configure, manage, or use them. Your applications use standard cryptographic APIs, in conjunction with HSM client software installed on the application instance, to send cryptographic requests to the HSM. The client software maintains a secure channel to all of the HSMs in your cluster and sends requests on this channel, and the HSM performs the operations and returns the results over the secure channel. The client then returns the result to the application through the cryptographic API.
Q: I don’t currently have a VPC. Can I still use AWS CloudHSM?
No. To protect and isolate your CloudHSM from other Amazon customers, CloudHSM must be provisioned inside a VPC. Creating a VPC is easy. Please see the VPC Getting Started Guide for more information.
Q: Does my application need to reside in the same VPC as the CloudHSM Cluster?
No, but the server or instance on which your application and the HSM client are running must have network (IP) reachability to all HSMs in the cluster. You can establish network connectivity from your application to the HSM in many ways, including operating your application in the same VPC, with VPC peering, with a VPN connection, or with Direct Connect. Please see the VPC Peering Guide and VPC User Guide for more details.
Q: Does CloudHSM work with on-premises HSMs?
Yes. While CloudHSM does not interoperate directly with on-premises HSMs, it may be possible to move or synchronize keys between them depending on the use case, the type of keys, and the type of on-premises HSM. Please open an AWS Technical Support case in your AWS Console for assistance with this.
Q: How can my application use CloudHSM?
We have integrated and tested CloudHSM with a number of third-party software solutions such as Oracle Database 11g and 12c and Web servers including Apache and Nginx for SSL offload. Please see the CloudHSM User Guide for more information.
If you are developing your own custom application, your application can use the standard APIs supported by CloudHSM, including PKCS#11 and Java JCA/JCE (Java Cryptography Architecture/Java Cryptography Extension). Support for Microsoft CAPI/CNG is coming soon. Please refer to the CloudHSM User Guide for code samples and help with getting started.
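As an added illustration of the JCE path described above (example code, not from the original FAQ or from AWS): a Java application logs in to the cluster, generates a persistent, non-extractable AES key inside the HSM, and encrypts with the resulting key handle, so the key material never crosses the client's secure channel. The provider name `Cavium`, the `com.cavium.*` classes, the `HSM_*` environment variables and the GCM IV handling are assumptions about the JCE provider bundled with the CloudHSM client software at the time of this FAQ; check them against the CloudHSM User Guide for your client version.

```java
import java.security.Security;
import javax.crypto.Cipher;
import javax.crypto.KeyGenerator;
import javax.crypto.SecretKey;
import javax.crypto.spec.GCMParameterSpec;

// Assumed: classes shipped with the CloudHSM client's JCE provider.
import com.cavium.cfm2.LoginManager;
import com.cavium.provider.CaviumProvider;
import com.cavium.key.parameter.CaviumAESKeyGenParameterSpec;

public class CloudHsmJceExample {

    public static void main(String[] args) throws Exception {
        // Register the CloudHSM JCE provider (assumed provider name "Cavium").
        Security.addProvider(new CaviumProvider());

        // Authenticate the crypto user to the cluster. Credentials come from the
        // environment (assumed variable names) rather than being hard-coded.
        LoginManager lm = LoginManager.getInstance();
        lm.login(System.getenv("HSM_PARTITION"),
                 System.getenv("HSM_USER"),
                 System.getenv("HSM_PASSWORD"));
        try {
            // Generate a 256-bit AES key inside the HSM. extractable=false means the
            // key bytes can never be exported through this API; persistent=true keeps
            // the key on the HSM (and synchronized across the cluster) after logout.
            KeyGenerator kg = KeyGenerator.getInstance("AES", "Cavium");
            kg.init(new CaviumAESKeyGenParameterSpec(256, "app-data-key", false, true));
            SecretKey key = kg.generateKey();

            // Encrypt with the key handle. Plaintext and ciphertext travel over the
            // client's secure channel to the HSM; the key material does not.
            Cipher cipher = Cipher.getInstance("AES/GCM/NoPadding", "Cavium");
            cipher.init(Cipher.ENCRYPT_MODE, key, new GCMParameterSpec(128, new byte[12]));
            byte[] plaintext = "constructed sample record".getBytes("UTF-8");
            byte[] ciphertext = cipher.doFinal(plaintext);
            // Assumed: the HSM chooses the IV; read it back and store it with the ciphertext.
            byte[] iv = cipher.getIV();

            System.out.printf("ciphertext %d bytes, iv %d bytes%n", ciphertext.length, iv.length);
        } finally {
            // Always release the HSM session, even when encryption fails.
            lm.logout();
        }
    }
}
```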
Q: Can I use CloudHSM to store keys or encrypt data used by other AWS services?
Yes. You can do all encryption in your CloudHSM-integrated application. In this case, AWS services such as S3 or EBS would only see your data encrypted.
Q: Can other AWS services use CloudHSM to store and manage keys?
AWS services do not integrate with CloudHSM directly today. If you want to use the server-side cryptography offered by many AWS services (such as EBS, S3, or RDS), you should consider the AWS Key Management Service. Over time we may integrate CloudHSM with other AWS services. If this is of interest to you, please let us know.
Q: Can CloudHSM be used to perform personal identification number (PIN) block translation or other cryptographic operations used with debit payment transactions?
Currently CloudHSM provides general-purpose HSMs. Over time we may provide payment functions. If this is of interest to you, please let us know.
Q: How does AWS Key Management Service (KMS) compare to AWS CloudHSM?
AWS Key Management Service (KMS) is a multi-tenant, managed service that allows you to use and manage encryption keys. Both services offer a high level of security for your cryptographic keys. AWS CloudHSM provides a dedicated, FIPS 140-2 Level 3 HSM under your exclusive control, directly in your Amazon Virtual Private Cloud (VPC).
Q: When should I use AWS CloudHSM instead of AWS KMS?
You should consider using AWS CloudHSM if you require:
- Keys stored in dedicated, third-party validated hardware security modules under your exclusive control.
- FIPS 140-2 compliance.
- Integration with applications using PKCS#11, Java JCE, or Microsoft CNG interfaces.
- High-performance in-VPC cryptographic acceleration (bulk crypto).
Q: Will my SafeNet-based HSMs be retired?
No. While we believe the feature set and cost of the new CloudHSM service offer a far more attractive alternative, we will maintain AWS CloudHSM Classic for existing customers. Resources will be available shortly to assist in migrating from CloudHSM Classic to the new service.
Q: How do I get started with CloudHSM?
You can provision a CloudHSM Cluster in the CloudHSM Console, or with a few API calls through the AWS SDK or API. To learn more, please see the CloudHSM User Guide for information about getting started, the CloudHSM Documentation for information about the CloudHSM API, or the Tools for Amazon Web Services page for more information about the SDK.
Q: How do I terminate CloudHSM service?
You can use the CloudHSM API or SDK to delete your HSMs and stop using the service. Please refer to the CloudHSM User Guide for further instructions.