Multi-region support for CloudHSM

1

Can an application be architected so that it leverages CloudHSM clusters in multiple regions (at least 2)? Possibly by using cross-region replication/cloning so data can be decrypted in both regions if needed. The assumption is that CloudHSM enveloping keys do not have a region affinity, much like KMS CMKs.

4 answers
2

If you were going to take the approach of cloning an HSM to another region for DR, via the cross-region backup capabilities (https://docs.aws.amazon.com/cloudhsm/latest/userguide/create-cluster-from-backup.html), you'd also have to make sure that all keys stayed in sync across the two regions after the cluster is created from backup. You may want to review this documentation for syncing keys on clusters created from backups: https://docs.aws.amazon.com/cloudhsm/latest/userguide/cloned-clusters.html Doing this on a continuous basis may be some added overhead for you.

AWS
Expert
Rob_H
answered 2 years ago
1

AWS CloudHSM keys are not region-specific; however, the clusters are. It is not currently possible using native features to "sync" a cluster in Region 1 with a cluster in Region 2. You can, however, use the cross-region backup feature of AWS CloudHSM to copy your cluster from one region to another and spin it up there. Any new keys created on the cluster in one region will not "sync" to the cluster in the second region, however. So that portion would need to be scripted: copy another backup over, spin up a new HSM using that backup, and allow the cluster to sync that way.

Another option is to utilize the AWS Encryption SDK and its multi-keyring feature, with AWS CloudHSM clusters in two regions used separately to perform the crypto operations. Additional links to resources can be found below.

https://docs.aws.amazon.com/encryption-sdk/latest/developer-guide/choose-keyring.html
https://github.com/awsdocs/aws-encryption-sdk-docs
https://aws.amazon.com/blogs/security/how-to-clone-an-aws-cloudhsm-cluster-across-regions/
https://awsfeed.com/whats-new/security/cloudhsm-best-practices-to-maximize-performance-and-avoid-common-configuration-pitfalls

AWS
Tracy_P
answered 2 years ago
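The two answers above both describe the same manual loop (take a backup, copy it to the second region, build a cluster from the copy, repeat when keys change). The script below is an added example that is not from this thread or from AWS: it automates that loop with the real cloudhsmv2 API methods (describe_backups, copy_backup_to_region, create_cluster, describe_clusters, create_hsm) on whichever client object you hand it, so it runs offline against the constructed FakeCloudHSM stand-in included here and, with boto3 clients, against AWS. Every region, cluster, backup, subnet and AZ value is a placeholder. Two practitioner caveats are built in: copy_backup_to_region does not return the destination backup's ID, so the copy is located with the sourceBackupIds filter, and create_hsm must wait until the new cluster has left CREATE_IN_PROGRESS.

```python
"""Clone a CloudHSM cluster into a second region from its newest backup.

Added example, not code from this thread or from AWS. It calls the real cloudhsmv2
API methods on whatever client object is passed in, so it runs offline against the
constructed FakeCloudHSM below or against boto3 clients. All IDs are placeholders.
"""
import time


def wait_for(probe, what, poll=15, timeout=1800):
    """Call probe() until it returns a truthy value; raise after timeout seconds."""
    deadline = time.monotonic() + timeout
    while time.monotonic() < deadline:
        result = probe()
        if result:
            return result
        time.sleep(poll)
    raise TimeoutError(f"timed out waiting for {what}")


def latest_ready_backup(src, cluster_id):
    """ID of the newest READY backup of cluster_id in the source region (follows NextToken)."""
    backups, token = [], None
    while True:
        kwargs = {"Filters": {"clusterIds": [cluster_id], "states": ["READY"]}}
        if token:
            kwargs["NextToken"] = token
        page = src.describe_backups(**kwargs)
        backups.extend(page.get("Backups", []))
        token = page.get("NextToken")
        if not token:
            break
    if not backups:
        raise RuntimeError(f"no READY backup for {cluster_id}")
    return max(backups, key=lambda b: b["CreateTimestamp"])["BackupId"]


def copy_and_wait(src, dst, backup_id, dest_region, **wait_kw):
    """Copy backup_id into dest_region; return the copy's ID once it is READY.
    copy_backup_to_region does not return that ID, so it is looked up by sourceBackupIds."""
    src.copy_backup_to_region(DestinationRegion=dest_region, BackupId=backup_id)

    def ready_copy():
        page = dst.describe_backups(Filters={"sourceBackupIds": [backup_id]})
        return next((b["BackupId"] for b in page["Backups"] if b["BackupState"] == "READY"), None)

    return wait_for(ready_copy, f"copy of {backup_id} in {dest_region}", **wait_kw)


def clone_cluster(src, dst, cluster_id, dest_region, subnet_ids, az, **wait_kw):
    """backup -> cross-region copy -> cluster from the copy -> first HSM in it.
    Keys created on the source after that backup are NOT in the clone; rerun this on a
    schedule, or sync keys as the cloned-clusters doc describes."""
    src_backup = latest_ready_backup(src, cluster_id)
    copied = copy_and_wait(src, dst, src_backup, dest_region, **wait_kw)
    new_id = dst.create_cluster(HsmType="hsm1.medium", SourceBackupId=copied,
                                SubnetIds=subnet_ids)["Cluster"]["ClusterId"]

    def created():  # create_hsm is rejected while the cluster is still CREATE_IN_PROGRESS
        state = dst.describe_clusters(Filters={"clusterIds": [new_id]})["Clusters"][0]["State"]
        return state != "CREATE_IN_PROGRESS"

    wait_for(created, f"cluster {new_id}", **wait_kw)
    hsm_id = dst.create_hsm(ClusterId=new_id, AvailabilityZone=az)["Hsm"]["HsmId"]
    return {"source_backup": src_backup, "copied_backup": copied,
            "cluster_id": new_id, "hsm_id": hsm_id}


class FakeCloudHSM:
    """Constructed offline stand-in for boto3.client("cloudhsmv2"), not AWS code. It models
    only per-region backup lists and a copy that is CREATE_IN_PROGRESS on the first poll."""
    regions = {}

    def __init__(self, region):
        self.region, self.backups = region, self.regions.setdefault(region, [])

    def describe_backups(self, Filters=None, NextToken=None):
        f, out = Filters or {}, []
        for b in self.backups:
            if b["BackupState"] == "CREATE_IN_PROGRESS":  # READY on the next poll
                b["BackupState"] = "READY"
                continue
            if "clusterIds" in f and b.get("ClusterId") not in f["clusterIds"]:
                continue
            if "sourceBackupIds" in f and b.get("SourceBackup") not in f["sourceBackupIds"]:
                continue
            if "states" not in f or b["BackupState"] in f["states"]:
                out.append(dict(b))
        return {"Backups": out}

    def copy_backup_to_region(self, DestinationRegion, BackupId):
        self.regions.setdefault(DestinationRegion, []).append(
            {"BackupId": f"copy-of-{BackupId}", "BackupState": "CREATE_IN_PROGRESS",
             "SourceBackup": BackupId, "SourceRegion": self.region, "CreateTimestamp": 0})
        return {"DestinationBackup": {"SourceBackup": BackupId, "SourceRegion": self.region}}

    def create_cluster(self, HsmType, SourceBackupId, SubnetIds):
        return {"Cluster": {"ClusterId": f"cluster-from-{SourceBackupId}"}}

    def describe_clusters(self, Filters=None):
        return {"Clusters": [{"ClusterId": c, "State": "UNINITIALIZED"} for c in Filters["clusterIds"]]}

    def create_hsm(self, ClusterId, AvailabilityZone):
        return {"Hsm": {"HsmId": f"hsm-in-{ClusterId}"}}


def run_offline_demo():
    """Run clone_cluster end to end on constructed data (no AWS access needed)."""
    FakeCloudHSM.regions.clear()
    src, dst = FakeCloudHSM("us-east-1"), FakeCloudHSM("us-west-2")
    src.backups.extend([  # two backups of our cluster plus one of an unrelated cluster
        {"BackupId": "backup-old", "ClusterId": "cluster-src", "BackupState": "READY", "CreateTimestamp": 100},
        {"BackupId": "backup-new", "ClusterId": "cluster-src", "BackupState": "READY", "CreateTimestamp": 200},
        {"BackupId": "backup-x", "ClusterId": "cluster-other", "BackupState": "READY", "CreateTimestamp": 300},
    ])
    return clone_cluster(src, dst, "cluster-src", "us-west-2", ["subnet-a", "subnet-b"],
                         "us-west-2a", poll=0, timeout=5)


if __name__ == "__main__":
    print(run_offline_demo())  # with boto3: src = boto3.client("cloudhsmv2", region_name="us-east-1")
```

Run on a schedule, each pass produces a fresh clone that includes every key that existed at backup time; keys generated on the source afterwards are only picked up by the next pass, which is the overhead both answers warn about. The cluster built here is not initialized by you: a cluster created from a backup carries the original cluster's certificate and users, so the first create_hsm restores it and it becomes usable with the same credentials.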
0

You can use cross-region VPC peering to access CloudHSM from another region.

This blog post is for a slightly different use case, but it provides guidance on CloudHSM anti-patterns (like using PrivateLink, as this will mask CloudHSM IP addresses) and a diagram for VPC peering with CloudHSM. https://aws.amazon.com/blogs/security/how-to-deploy-cloudhsm-securely-share-keys-with-saas-provider/#attachment_11228

For Disaster Recovery and Backups, CloudHSM supports cross-region backups: https://docs.aws.amazon.com/cloudhsm/latest/userguide/copy-backup-to-region.html

AWS
answered 2 years ago
0

AWS CloudHSM is a regional service; you can't currently extend a cluster across regions.

The only AWS key management service that currently supports Multi-Region Keys is KMS: https://aws.amazon.com/about-aws/whats-new/2021/06/kms-multi-region-keys/

KMS is also backed by HSMs: https://d1.awsstatic.com/whitepapers/KMS-Cryptographic-Details.pdf

AWS
Dario_G
answered 2 years ago
