How do I share CloudHSM clusters with other AWS accounts?


My organization has multiple AWS accounts. I want to share my AWS CloudHSM clusters with these accounts.

Resolution

To access CloudHSM with another account in AWS Organizations, use AWS Resource Access Manager (AWS RAM). In the following example, Account 1 contains the CloudHSM cluster, and Account 2 contains the CloudHSM client instance.

Activate sharing

Complete the following steps:

  1. With your Organizations management account, open the AWS RAM console in the same AWS Region as your CloudHSM cluster, and choose Settings.
  2. Select Enable sharing within your AWS Organization.
  3. With your Organizations management account, open the AWS Organizations console.
  4. Choose Settings, and note the Organization ID.

Create a resource share with Account 1 and other accounts

Complete the following steps:

  1. Open the AWS RAM console with Account 1 in the same Region as your CloudHSM cluster.
  2. In the navigation pane, under Shared by me, choose Resource shares.
  3. Choose Create resource share.
  4. For Name, enter a name for the resource share.
  5. For Resources, select the Amazon Virtual Private Cloud (Amazon VPC) subnet ID for your CloudHSM.
  6. For Principals, select Allow external accounts.
  7. In the Add AWS account number search pane, enter the Organization ID. Choose Add, and then choose Create resource share.

Note: You can also share Organizational Units (OUs) and accounts.

Configure the security group to allow the CloudHSM client to connect to the CloudHSM cluster

Complete the following steps:

  1. Open the CloudHSM console with Account 1 in the same Region as your CloudHSM cluster.
  2. In the navigation pane, choose Clusters.
  3. For Cluster ID, select your CloudHSM cluster.
  4. For Security group, select your security group.
  5. Choose the Inbound tab, and then choose Edit.
  6. Choose Add Rule.
  7. For Port Range, enter 2223-2225.
  8. For Source, enter the private IP address of your client instance, and then choose Save.

Note: To get the client instance private IP address, see View the IPv4 addresses.

Create client instances for the subnets shared with Account 2

Complete the following steps:

  1. Open the Amazon Elastic Compute Cloud (Amazon EC2) console with Account 2, choose Launch Instance, and then select an Amazon Machine Image (AMI).
  2. Choose Next: Configure Instance Details.
  3. For Network, select the Amazon VPC that's shared with Account 2.
  4. For Subnet, select the subnet that's shared with Account 2.
  5. For Auto-assign Public IP, choose Enable, and then choose Next: Add Storage.
  6. Choose Next: Add Tags, and then choose Next: Configure Security Group.
  7. In Assign a security group, choose either Create a new security group or Select an existing security group based on your instance type.
  8. Choose Review and Launch, and then choose Launch.
  9. Choose an existing key pair or create a new one based on your instance type. Then, select the agreement check box.
  10. Choose Launch Instances.
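The four console procedures above map onto a handful of AWS CLI calls. The following script is an added example, not part of the AWS article: it shares the CloudHSM subnet from Account 1 with the whole organization, opens TCP 2223-2225 on the cluster's security group to the client's private IP only, and launches the client instance in Account 2 in the shared subnet. Every account ID, Organization ID, subnet, cluster, AMI and IP address is a constructed placeholder; the function names and the `AWS_CMD` override are assumptions of this example, while the `aws ram`, `aws cloudhsmv2` and `aws ec2` subcommands are the real CLI commands.

```shell
#!/bin/sh
# Added example, not from the AWS article: AWS CLI equivalents of the console
# steps above. Every ID below is a constructed placeholder; set AWS_CMD=echo to
# print the commands instead of calling AWS.
set -eu

AWS_CMD="${AWS_CMD:-aws}"

# Constructed placeholder values (assumptions; replace with your own)
REGION="us-east-1"
ACCOUNT1_ID="111111111111"        # Account 1: owns the cluster and its subnet
MGMT_ACCOUNT_ID="999999999999"    # Organizations management account
ORG_ID="o-exampleorg1"            # Organization ID noted in the Organizations console
SUBNET_ID="subnet-0123456789abcdef0"
CLUSTER_ID="cluster-exampleabcde"
CLIENT_PRIVATE_IP="10.0.1.25"     # private IPv4 of the client instance in Account 2
CLIENT_AMI="ami-0123456789abcdef0" # AMI for the client instance (placeholder)

# Format checks: a mistyped principal or subnet would otherwise be shared as-is.
is_org_id()    { case "$1" in o-[a-z0-9]*) return 0;; *) return 1;; esac; }
is_subnet_id() { case "$1" in subnet-[0-9a-f]*) return 0;; *) return 1;; esac; }
is_ipv4() {
  n=0; old_ifs=$IFS; IFS=.
  for octet in $1; do
    n=$((n + 1))
    case "$octet" in ''|*[!0-9]*) IFS=$old_ifs; return 1;; esac
    [ "$octet" -le 255 ] || { IFS=$old_ifs; return 1; }
  done
  IFS=$old_ifs
  [ "$n" -eq 4 ]
}

subnet_arn()       { printf 'arn:aws:ec2:%s:%s:subnet/%s' "$1" "$2" "$3"; }
organization_arn() { printf 'arn:aws:organizations::%s:organization/%s' "$1" "$2"; }

# Activate sharing: run once with management-account credentials.
enable_org_sharing() {
  "$AWS_CMD" ram enable-sharing-with-aws-organization --region "$REGION"
}

# Create the resource share with Account 1 credentials: the CloudHSM subnet,
# shared with the whole organization (the console's "Add AWS account number"
# step with the Organization ID).
create_subnet_share() {
  is_org_id "$ORG_ID"       || { echo "invalid Organization ID: $ORG_ID" >&2; return 1; }
  is_subnet_id "$SUBNET_ID" || { echo "invalid subnet ID: $SUBNET_ID" >&2; return 1; }
  "$AWS_CMD" ram create-resource-share --region "$REGION" \
    --name cloudhsm-subnet-share \
    --resource-arns "$(subnet_arn "$REGION" "$ACCOUNT1_ID" "$SUBNET_ID")" \
    --principals "$(organization_arn "$MGMT_ACCOUNT_ID" "$ORG_ID")"
}

# Find the security group CloudHSM attached to the cluster (Account 1).
cluster_security_group() {
  "$AWS_CMD" cloudhsmv2 describe-clusters --region "$REGION" \
    --filters "clusterIds=$CLUSTER_ID" \
    --query 'Clusters[0].SecurityGroup' --output text
}

# Allow only the client's private IP (/32) to reach the cluster on TCP 2223-2225.
authorize_client_ingress() {
  sg_id=$1
  is_ipv4 "$CLIENT_PRIVATE_IP" || { echo "invalid IPv4: $CLIENT_PRIVATE_IP" >&2; return 1; }
  "$AWS_CMD" ec2 authorize-security-group-ingress --region "$REGION" \
    --group-id "$sg_id" --protocol tcp --port 2223-2225 \
    --cidr "$CLIENT_PRIVATE_IP/32"
}

# Account 2: read a client instance's private IPv4 for the rule above.
client_private_ip() {
  "$AWS_CMD" ec2 describe-instances --region "$REGION" --instance-ids "$1" \
    --query 'Reservations[0].Instances[0].PrivateIpAddress' --output text
}

# Account 2: launch the client instance in the shared subnet with a public IP,
# as the console steps do; $1 is the instance security group, $2 the key pair.
launch_client_instance() {
  "$AWS_CMD" ec2 run-instances --region "$REGION" --image-id "$CLIENT_AMI" \
    --instance-type t3.micro --subnet-id "$SUBNET_ID" \
    --associate-public-ip-address --security-group-ids "$1" --key-name "$2"
}

# Dispatcher: run one step at a time with the matching account's credentials.
case "${1:-}" in
  enable)  enable_org_sharing ;;
  share)   create_subnet_share ;;
  ingress) authorize_client_ingress "$(cluster_security_group)" ;;
  launch)  launch_client_instance "${2:?security group id}" "${3:?key pair name}" ;;
esac
```

Run `sh share-hsm.sh enable` with management-account credentials, `share` and `ingress` with Account 1 credentials, and `launch sg-... my-key` with Account 2 credentials; `AWS_CMD=echo sh share-hsm.sh share` prints the command without calling AWS. The `/32` source keeps the rule as narrow as the console step, and the ID checks fail locally before a mistyped principal reaches RAM.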

Related information

Sharing your AWS resources

Control traffic to your AWS resources using security groups

Share your VPC subnets with other accounts

AWS OFFICIAL. Updated 5 months ago.