Multi-region support for CloudHSM

1

Can an application be architected so that it leverages CloudHSM clusters in multiple regions (at least 2)? Possibly by using the cross-region replication/cloning so data can be decrypted in both regions if needed. Assumption is that CloudHSM enveloping keys do not have a region affinity much like KMS CMKs.

4 Answers
2

If you were going to take the approach of cloning an HSM to another region for DR, via the cross-region backup capabilities (https://docs.aws.amazon.com/cloudhsm/latest/userguide/create-cluster-from-backup.html), you'd also have to make sure that all keys stayed in sync across the two regions after the cluster is created from backup. You may want to review this documentation for syncing keys on clusters created from backups: https://docs.aws.amazon.com/cloudhsm/latest/userguide/cloned-clusters.html. Doing this on a continuous basis may be some added overhead for you.

AWS
EXPERT
Rob_H
answered 2 years ago
1

AWS CloudHSM keys are not region-specific, however the Clusters are. It is not currently possible using native features to "sync" a Cluster in Region 1 with a Cluster in Region 2. You can however, use the cross-region backup feature of AWS CloudHSM to copy your Cluster from one region to another to spin up. Any new keys created on the Cluster in one region will not "sync" to the Cluster in the second region however. So that portion would need to be scripted to copy another backup over, spin up a new HSM using that backup, and allow the Cluster to sync that way.

Another option is to utilize the AWS Encryption SDK and the multi-keyring feature with AWS CloudHSMs (in two regions) being used separately to perform the crypto operations. Additional links for resources can be found below.

https://docs.aws.amazon.com/encryption-sdk/latest/developer-guide/choose-keyring.html
https://github.com/awsdocs/aws-encryption-sdk-docs
https://aws.amazon.com/blogs/security/how-to-clone-an-aws-cloudhsm-cluster-across-regions/
https://awsfeed.com/whats-new/security/cloudhsm-best-practices-to-maximize-performance-and-avoid-common-configuration-pitfalls

AWS
Tracy_P
answered 2 years ago
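As an added illustration of the multi-keyring approach described in the answer above (this is not code from the answer, from AWS, or from the AWS Encryption SDK): a standard-library Python model in which one data key is wrapped separately by a wrapping key held in each region's cluster, both encrypted data keys ride in the message header, and either region can decrypt on its own using only the key it can reach. The region names, key ids and `RegionalWrappingKey` class are constructed for the example, and the HMAC-based stream cipher is a toy stand-in for the AES-GCM that the SDK and the HSM would actually use.

```python
from __future__ import annotations

import hashlib
import hmac
import secrets


def _keystream_xor(key: bytes, nonce: bytes, data: bytes) -> bytes:
    """Toy counter-mode stream cipher built from HMAC-SHA256.

    Stand-in for the AES-GCM a real SDK/HSM would use, present only so the
    example runs with the standard library. Not a cipher to reuse.
    """
    stream = bytearray()
    counter = 0
    while len(stream) < len(data):
        block = hmac.new(key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        stream.extend(block)
        counter += 1
    return bytes(a ^ b for a, b in zip(data, stream))


def _mac(key: bytes, nonce: bytes, ciphertext: bytes) -> bytes:
    """Integrity tag over nonce||ciphertext (encrypt-then-MAC)."""
    return hmac.new(key, nonce + ciphertext, hashlib.sha256).digest()[:16]


class RegionalWrappingKey:
    """Models one wrapping key living inside one region's CloudHSM cluster.

    In production the secret never leaves the HSM and wrap/unwrap are calls
    into the cluster; here the secret is a local byte string (constructed)
    so the example is self-contained.
    """

    def __init__(self, region: str, key_id: str, secret: bytes | None = None):
        self.region = region
        self.key_id = key_id
        self._secret = secret if secret is not None else secrets.token_bytes(32)

    def wrap(self, data_key: bytes) -> dict:
        nonce = secrets.token_bytes(12)
        ct = _keystream_xor(self._secret, nonce, data_key)
        return {"region": self.region, "key_id": self.key_id,
                "nonce": nonce, "ct": ct, "tag": _mac(self._secret, nonce, ct)}

    def unwrap(self, edk: dict) -> bytes:
        if edk["key_id"] != self.key_id:
            raise KeyError("encrypted data key was not wrapped by this key")
        if not hmac.compare_digest(_mac(self._secret, edk["nonce"], edk["ct"]), edk["tag"]):
            raise ValueError("encrypted data key failed integrity check")
        return _keystream_xor(self._secret, edk["nonce"], edk["ct"])


def encrypt(plaintext: bytes, keyring: list[RegionalWrappingKey]) -> dict:
    """Envelope-encrypt under one data key, wrapped by every key in the multi-keyring."""
    data_key = secrets.token_bytes(32)
    nonce = secrets.token_bytes(12)
    body = _keystream_xor(data_key, nonce, plaintext)
    return {
        "edks": [k.wrap(data_key) for k in keyring],  # one encrypted data key per region
        "nonce": nonce,
        "body": body,
        "tag": _mac(data_key, nonce, body),
    }


def decrypt(message: dict, available_keys: list[RegionalWrappingKey]) -> bytes:
    """Decrypt with whichever regional key is reachable, trying each EDK in turn."""
    by_id = {k.key_id: k for k in available_keys}
    for edk in message["edks"]:
        key = by_id.get(edk["key_id"])
        if key is None:
            continue  # this EDK belongs to a cluster we cannot reach from here
        try:
            data_key = key.unwrap(edk)
        except ValueError:
            continue  # damaged EDK; another region's copy may still work
        if not hmac.compare_digest(_mac(data_key, message["nonce"], message["body"]), message["tag"]):
            raise ValueError("ciphertext failed integrity check")
        return _keystream_xor(data_key, message["nonce"], message["body"])
    raise LookupError("no usable wrapping key for any encrypted data key in this region")


def demo() -> bool:
    """Round trip: encrypt with both regions, decrypt from each alone."""
    us = RegionalWrappingKey("us-east-1", "hsm-key-us")  # constructed ids
    eu = RegionalWrappingKey("eu-west-1", "hsm-key-eu")
    msg = encrypt(b"customer record", [us, eu])
    other = RegionalWrappingKey("ap-southeast-1", "hsm-key-ap")
    try:
        decrypt(msg, [other])  # a region holding neither key must fail closed
        return False
    except LookupError:
        pass
    return decrypt(msg, [us]) == b"customer record" and decrypt(msg, [eu]) == b"customer record"


if __name__ == "__main__":
    print("multi-region decrypt works:", demo())
```

The point the model makes is that nothing needs to be synced between the two clusters after the fact: each regional wrapping key only ever sees the data key, and a message written in either region carries enough header material for the other region to read it. The cost is that every encrypt must reach both clusters (or be retried later for the missing one), which is the trade-off against the backup-and-clone approach.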
0

You can use cross-region VPC peering to access CloudHSM from another region.

This blog post is for a slightly different use case, but it provides guidance on CloudHSM anti-patterns (like using PrivateLink, as this will mask CloudHSM IP addresses) and a diagram for VPC Peering with CloudHSM: https://aws.amazon.com/blogs/security/how-to-deploy-cloudhsm-securely-share-keys-with-saas-provider/#attachment_11228

For Disaster Recovery and Backups, CloudHSM supports cross-region backups: https://docs.aws.amazon.com/cloudhsm/latest/userguide/copy-backup-to-region.html

AWS
answered 2 years ago
0

AWS CloudHSM is a regional service; you can't currently extend a cluster across regions.

The only AWS key management service that currently supports Multi-Region Keys is KMS: https://aws.amazon.com/about-aws/whats-new/2021/06/kms-multi-region-keys/

KMS is also backed by HSMs: https://d1.awsstatic.com/whitepapers/KMS-Cryptographic-Details.pdf

AWS
Dario_G
answered 2 years ago
