Inquire about using CloudHSM Dynamic Engine on Lambda



I would like to proceed with token signing using CloudHSM.

I want to run a script with the OpenSSL command by uploading the CloudHSM Dynamic Engine to the Lambda Python execution environment.

It works well on the EC2 server where CloudHSM client is installed.

I just have to install "cloudhsm-dyn-5.10.0-1.el7.x86_64.rpm" file and run the script on the server.

What should I do in Lambda?

Thank you.

asked 6 months ago, 278 views
2 Answers


I understand that you are curious about how to use AWS Lambda as CloudHSM's client.

To run CloudHSM workload on AWS Lambda, you can follow the steps below.

1. Prerequisites

Please make sure that you have configured the right components:

  • VPC
  • Subnets
  • NAT Gateway
  • EC2 Instance (for CloudHSM client instance)
  • Security group (EC2 Instance and CloudHSM cluster)
  • CloudHSM Cluster, HSM
    • customerCA.key
    • customerCA.crt
    • <cluster_ID>_CustomerHsmCertificate.crt
  • CloudHSM CLI, CloudHSM Client, CloudHSM new user (Crypto-user)

You can also refer to the document below:

[+] Getting started with AWS CloudHSM (AWS Documentation)

[+] Install and configure the AWS CloudHSM client (Linux) (AWS Documentation) (English)

2. Create the Lambda layer

A Lambda layer is a .zip file archive that contains supplementary code or data. Layers usually contain library dependencies, a custom runtime, or configuration files. If you want to run the OpenSSL command with the CloudHSM Dynamic Engine, you need to package the Dynamic Engine and any other dependencies into a Lambda layer.

You can also use Lambda deployment packages to contain the Lambda function and its dependencies, which helps deploy function code to AWS Lambda.

[+] Working with Lambda layers (AWS Documentation)

[+] OpenSSL Dynamic Engine (AWS Documentation)

[+] Lambda deployment packages (AWS Documentation)

3. Create a secret to store CU

With Secrets Manager, you are going to create a secret to store your CU (the CloudHSM new user that is created in 1. Prerequisites) credentials.

$ aws secretsmanager create-secret --name CloudHSM_CU --secret-string "{ \"HSM_USER\": \"<HSM_USER>\", \"HSM_PASSWORD\": \"<HSM_PASSWORD>\"}"

4. Create the Lambda function

Before creating the Lambda function, make sure that your Lambda function's execution role contains these permissions:

  • Writing to CloudWatch logs
  • Retrieving the CU secret value from Secrets Manager
  • Describing CloudHSM clusters
  • AWSLambdaVPCAccessExecutionRole (AWS Managed Policy)

Also, create the security group for the Lambda function - ensure that the outbound rule is open to port 443.

Then you can create the Lambda function using the Lambda layer.

You can also refer to the Security Blog post, which describes how to build AWS CloudHSM workloads on AWS Lambda.

[+] How to run AWS CloudHSM workloads on AWS Lambda (AWS Security Blog)

I hope this answer helps you. If I missed anything or you have any questions, feel free to comment.

answered 6 months ago
Accepted Answer


Pre-requisites: Make sure you have properly configured your CloudHSM cluster and that it's available within the same VPC as your Lambda function. Your Lambda function needs the necessary IAM permissions to communicate with CloudHSM.

Lambda Layers: AWS Lambda supports layers, which are a distribution mechanism for libraries, custom runtimes, and other function dependencies. To run the OpenSSL command with the CloudHSM Dynamic Engine, you'd have to package the CloudHSM client and any other required dependencies into a Lambda layer.

Creating the Layer: Build a custom environment that matches the AWS Lambda runtime environment. Amazon Linux is often used for this. Within that environment, install the CloudHSM client as you would on an EC2 instance. Package the necessary binaries and libraries (e.g., /opt/cloudhsm/*) into a zip file. Create a new Lambda layer and upload the zip file.

Lambda Function Configuration: Assign the created layer to your Lambda function. Ensure that your Lambda function's execution role has permissions to connect and perform operations on the CloudHSM cluster. Your function's VPC settings should be set to the VPC where your CloudHSM cluster is located. Use environment variables or AWS Secrets Manager to securely store and retrieve sensitive information required by your script, such as the CloudHSM password.

Regards, Andrii

answered 6 months ago
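Both answers describe the same procedure (a layer carrying the Dynamic Engine, the CU credentials in Secrets Manager, a Lambda function that invokes openssl). The following Python handler outline is an added example of the function side of that procedure; it is not code from either answer or from AWS. It assumes Client SDK 5, where the engine reads the crypto user's credentials from a CLOUDHSM_PIN environment variable in the form user:password, that a "fake PEM" key file for the HSM key already exists at a placeholder path, and that the openssl flags shown match your SDK version's Dynamic Engine documentation (check them there). The secret layout (HSM_USER, HSM_PASSWORD) and the secret name come from the first answer. The security point it shows is that the password is read at invocation time and handed only to the openssl child process's environment, never placed in argv, in os.environ, or in the error message that reaches CloudWatch.

```python
"""Lambda handler outline: sign a file with the CloudHSM OpenSSL Dynamic Engine.

Added example, not from the re:Post answers or from AWS. Assumptions: Client SDK 5
(CLOUDHSM_PIN = "user:password" read by the engine), a fake-PEM key file path,
and openssl flags that you should verify against your SDK's documentation.
"""
import json
import os
import subprocess
from typing import Dict, List, Mapping, Optional, Tuple

SECRET_NAME = "CloudHSM_CU"             # name used in the answer's create-secret command
FAKE_PEM_KEY = "/tmp/hsm_key_fake.pem"  # placeholder: fake PEM written by `openssl genrsa -engine cloudhsm`


def parse_cu_secret(secret_string: str) -> Tuple[str, str]:
    """Turn the Secrets Manager JSON from the answer into (user, password)."""
    data = json.loads(secret_string)
    user, password = data["HSM_USER"], data["HSM_PASSWORD"]
    # ':' separates the two halves of CLOUDHSM_PIN, so it must not appear in the user name.
    if not user or not password or ":" in user:
        raise ValueError("invalid CloudHSM CU credential secret")
    return user, password


def fetch_cu_secret(secret_name: str = SECRET_NAME) -> str:
    """Read the secret at invocation time. boto3 is imported here so the rest of the
    module (and its tests) run without the AWS SDK installed."""
    import boto3  # present in the Lambda Python runtime
    client = boto3.client("secretsmanager")
    return client.get_secret_value(SecretId=secret_name)["SecretString"]


def build_sign_command(input_path: str, signature_path: str,
                       key_path: str = FAKE_PEM_KEY) -> List[str]:
    """argv for a SHA-256 RSA signature through the engine. Built as a list and run
    without a shell, so file names cannot smuggle in extra shell syntax."""
    return ["openssl", "dgst", "-sha256", "-engine", "cloudhsm", "-keyform", "PEM",
            "-sign", key_path, "-out", signature_path, input_path]


def build_child_env(user: str, password: str,
                    base_env: Optional[Mapping[str, str]] = None) -> Dict[str, str]:
    """Environment for the openssl child only. CLOUDHSM_PIN is set in this copy,
    not in os.environ, so later code in the same execution never sees it."""
    env = dict(base_env if base_env is not None else os.environ)
    env["CLOUDHSM_PIN"] = f"{user}:{password}"
    return env


def sign_file(input_path: str, signature_path: str, secret_string: str,
              runner=subprocess.run) -> str:
    """Sign input_path into signature_path; `runner` is injectable for testing."""
    user, password = parse_cu_secret(secret_string)
    argv = build_sign_command(input_path, signature_path)
    env = build_child_env(user, password)
    result = runner(argv, env=env, capture_output=True, text=True, timeout=30)
    if result.returncode != 0:
        # stderr is safe to surface: the PIN lives in env, not in argv or the engine's output
        raise RuntimeError(f"openssl failed ({result.returncode}): {result.stderr.strip()}")
    return signature_path


def lambda_handler(event, context):
    """Expects event["payload"] (text to sign); returns the signature as hex."""
    payload_path, sig_path = "/tmp/payload.bin", "/tmp/payload.sig"  # /tmp is Lambda's writable scratch space
    with open(payload_path, "w", encoding="utf-8") as fh:
        fh.write(event["payload"])
    sign_file(payload_path, sig_path, fetch_cu_secret())
    with open(sig_path, "rb") as fh:
        return {"signature_hex": fh.read().hex()}
```

The layer still has to supply the engine library and the cluster configuration described in the linked blog post; this handler only covers how the function retrieves and scopes the CU credential and launches openssl.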
