If you were going to take the approach of cloning an HSM to another region for DR, via the cross-region backup capabilities (https://docs.aws.amazon.com/cloudhsm/latest/userguide/create-cluster-from-backup.html), you'd also have to make sure that all keys stayed in sync across the two regions after the cluster is created from backup. You may want to review this documentation for syncing keys on clusters created from backups: https://docs.aws.amazon.com/cloudhsm/latest/userguide/cloned-clusters.html Doing this on a continuous basis may be some added overhead for you.
AWS CloudHSM keys are not region-specific; however, the Clusters are. It is not currently possible using native features to "sync" a Cluster in Region 1 with a Cluster in Region 2. You can, however, use the cross-region backup feature of AWS CloudHSM to copy your Cluster from one region to another to spin up. Any new keys created on the Cluster in one region will not "sync" to the Cluster in the second region, however. So that portion would need to be scripted to copy another backup over, spin up a new HSM using that backup, and allow the Cluster to sync that way.
Another option is to utilize the AWS Encryption SDK and the multi-keyring feature with AWS CloudHSMs (in two regions) being used separately to perform the crypto operations. Additional links for resources can be found below.
https://docs.aws.amazon.com/encryption-sdk/latest/developer-guide/choose-keyring.html
https://github.com/awsdocs/aws-encryption-sdk-docs
https://aws.amazon.com/blogs/security/how-to-clone-an-aws-cloudhsm-cluster-across-regions/
https://awsfeed.com/whats-new/security/cloudhsm-best-practices-to-maximize-performance-and-avoid-common-configuration-pitfalls
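The "copy another backup over, spin up a new HSM using that backup" step from the answer above, as an added Python/boto3 example that is not code from the thread or from AWS. It assumes credentials with cloudhsmv2 permissions; the region names, cluster id and subnet ids are placeholders, and the backup is selected by newest READY state so a half-finished backup is never restored.

```python
"""Copy the newest READY CloudHSM backup to a DR region and create a cluster from it.
Added example, not from the thread or AWS; regions, cluster id and subnet ids are placeholders.
"""
import time

SRC_REGION = "us-east-1"            # placeholder: region of the live cluster
DR_REGION = "us-west-2"             # placeholder: disaster-recovery region
SRC_CLUSTER_ID = "cluster-EXAMPLE"  # placeholder: production cluster id
DR_SUBNET_IDS = ["subnet-EXAMPLE"]  # placeholder: subnet(s) in the DR VPC


def latest_ready_backup(backups):
    """Newest backup in READY state from describe-backups output, or None."""
    ready = [b for b in backups if b.get("BackupState") == "READY"]
    return max(ready, key=lambda b: b["CreateTimestamp"]) if ready else None


def list_backups(client, **filters):
    """Collect every page of describe-backups matching the given filter map."""
    pages = client.get_paginator("describe_backups").paginate(Filters=filters)
    return [b for page in pages for b in page.get("Backups", [])]


def wait_until_ready(client, source_backup_id, timeout=900, interval=30):
    """Poll the DR region until the copy of source_backup_id is READY."""
    deadline = time.monotonic() + timeout
    while time.monotonic() < deadline:
        done = latest_ready_backup(list_backups(client, sourceBackupIds=[source_backup_id]))
        if done:
            return done
        time.sleep(interval)
    raise TimeoutError(f"copy of {source_backup_id} not READY after {timeout}s")


def restore_to_dr_region():
    """Copy the newest backup cross-region and create a cluster from it (calls AWS)."""
    import boto3  # imported here so the helpers above can be tested offline
    src = boto3.client("cloudhsmv2", region_name=SRC_REGION)
    dst = boto3.client("cloudhsmv2", region_name=DR_REGION)
    newest = latest_ready_backup(list_backups(src, clusterIds=[SRC_CLUSTER_ID]))
    if newest is None:
        raise RuntimeError(f"no READY backup for {SRC_CLUSTER_ID} in {SRC_REGION}")
    src.copy_backup_to_region(DestinationRegion=DR_REGION, BackupId=newest["BackupId"])
    copied = wait_until_ready(dst, newest["BackupId"])
    # Only keys present at backup time are restored; keys created on the source
    # cluster afterwards need a fresh backup copy, so schedule this to re-run.
    cluster = dst.create_cluster(HsmType="hsm1.medium", SubnetIds=DR_SUBNET_IDS,
                                 SourceBackupId=copied["BackupId"])
    return cluster["Cluster"]["ClusterId"]
```

Run `restore_to_dr_region()` on a schedule (or after each key-generation job) to keep the DR cluster close to the source, since nothing syncs new keys automatically.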
You can use cross-region VPC peering to access CloudHSM from another region.
This blog post is for a slightly different use case, but it provides guidance on CloudHSM anti-patterns (like using PrivateLink, as this will mask CloudHSM IP addresses) and a diagram for VPC Peering with CloudHSM. https://aws.amazon.com/blogs/security/how-to-deploy-cloudhsm-securely-share-keys-with-saas-provider/#attachment_11228
For Disaster Recovery and Backups, CloudHSM supports cross-region backups: https://docs.aws.amazon.com/cloudhsm/latest/userguide/copy-backup-to-region.html
AWS CloudHSM is a regional service; you can't currently extend a cluster across regions.
The only AWS key management service that currently supports Multi-Region Keys is KMS: https://aws.amazon.com/about-aws/whats-new/2021/06/kms-multi-region-keys/
KMS is also backed by HSMs: https://d1.awsstatic.com/whitepapers/KMS-Cryptographic-Details.pdf