© 2019,Amazon Web Services, Inc. or its affiliates. All rights reserved.
Achieving security goals with AWS CloudHSM
Avni Rambhia
Senior Product Manager
AWS Cryptography
Amazon Web Services
SDD333
Stephen Quigg
Principal Security SA
AWS Financial Services
Amazon Web Services
Agenda
AWS cryptography services: Choosing the right tool for the job
AWS CloudHSM fundamentals
Designing for resilience with cross-Region redundancy
Optimizing performance and cost
Recent launches for CloudHSM and what’s on the roadmap
Related breakouts
FND320: Root CA Hierarchies for AWS Certificate Manager Private CA
4:15-5:15 Wednesday (205B)
Cryptography: What, how, and why
AWS cryptography services
AWS KMS
[Diagram: your applications and AWS services call AWS KMS, which provides authentication, authorization, and logging. A KMS master key can come from three sources: native KMS (shared HSMs), the KMS custom key store (your AWS CloudHSM cluster), or your on-premises HSM (BYOK, imported to AWS KMS).]
The AWS Encryption SDK
• Framework and data format for client-side encryption
• Library that gives you authenticated envelope encryption
• Backed by AWS KMS or external key sources
• Implementations available for Java, C, and Python
• Specification is available if you want to implement in a different language
• Supports data key caching
• Open source under Apache 2.0 license
• Built on language-specific crypto primitives
ACM Private CA
[Diagram: ACM Private CA issues certificates to organization resources: on-premises servers, AWS resources such as Amazon EC2, and devices.]
Secrets Manager
Life-cycle management for secrets such as database credentials and API keys
• Rotate secrets safely
• Manage access with fine-grained policies
• Secure and audit secrets centrally
• Pay as you go
Aspects of control in CloudHSM
Control:
• Application development
• Algorithms and key lengths
• User management
• Specific compliance
Control implies responsibility
Control:
• Application development
• Algorithms and key lengths
• User management
• Specific compliance
Responsibility:
• Application integration
• HSM maintenance
• Backups
• Provisioning
• High availability
• User management
CloudHSM simplifies management tasks
Responsibility:
• Application integration
• HSM maintenance
• Backups
• Provisioning
• High availability
• User management
Concepts in CloudHSM
• Cluster
• HSM
• Backup
• Higher throughput: Expand cluster
• More active keys: New cluster
[Diagram: a CloudHSM cluster containing two HSMs that are kept synchronized.]
Concepts in CloudHSM, continued
• Cloned cluster
• Same trust hierarchy and masking key
• Can synchronize keys within FIPS envelope
[Diagram: an automatically synchronized CloudHSM cluster; a cloned CloudHSM cluster is created from its backup.]
Two ways to use CloudHSM
Envelope encryption
• HSM-based master key unlocks data keys (e.g., database TDE)
• Durability is primary concern
[Diagram: master key stored in HSM; data keys are encrypted with the master key.]
Direct transactions
• HSM is in path of every transaction (e.g., OpenSSL)
• Availability and latency are critical
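The envelope-encryption pattern above, as an added example that is not code from the slides or from AWS: a Go program using the standard library's AES-256-GCM. The `hsm` type is an assumption standing in for a CloudHSM cluster (a real cluster is reached through PKCS#11, JCE, or OpenSSL, with the master key addressed by handle); it exposes only wrap and unwrap of a data key, never the master key itself. The second decrypt attempt, against a cluster that does not hold the master key, shows why durability of the master key is the primary concern: without it every stored envelope is unreadable.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
)

// hsm stands in for a CloudHSM cluster (assumption): the master key exists only
// inside this type, and callers get wrap/unwrap operations, never the key bytes.
type hsm struct{ masterKey []byte }

func newHSM() (*hsm, error) {
	k := make([]byte, 32)
	if _, err := rand.Read(k); err != nil {
		return nil, err
	}
	return &hsm{masterKey: k}, nil
}

func gcmFor(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// aeadSeal and aeadOpen are the AES-256-GCM primitive used both to wrap the data
// key under the master key and to encrypt the payload under the data key.
// Blob layout: nonce || ciphertext || tag, so each blob is self-describing.
func aeadSeal(key, plaintext []byte) ([]byte, error) {
	gcm, err := gcmFor(key)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	return gcm.Seal(nonce, nonce, plaintext, nil), nil
}

func aeadOpen(key, blob []byte) ([]byte, error) {
	gcm, err := gcmFor(key)
	if err != nil {
		return nil, err
	}
	ns := gcm.NonceSize()
	if len(blob) < ns {
		return nil, errors.New("blob shorter than a nonce")
	}
	return gcm.Open(nil, blob[:ns], blob[ns:], nil)
}

// WrapDataKey is the single HSM round-trip an encrypt needs; UnwrapDataKey the
// single one a decrypt needs. Everything else runs in the application.
func (h *hsm) WrapDataKey(dataKey []byte) ([]byte, error)  { return aeadSeal(h.masterKey, dataKey) }
func (h *hsm) UnwrapDataKey(wrapped []byte) ([]byte, error) { return aeadOpen(h.masterKey, wrapped) }

// envelope is what the application stores outside the HSM: the wrapped data key
// travels with the ciphertext, so losing the master key loses every envelope.
type envelope struct{ WrappedDataKey, Ciphertext []byte }

func envelopeEncrypt(h *hsm, plaintext []byte) (*envelope, error) {
	dataKey := make([]byte, 32)
	if _, err := rand.Read(dataKey); err != nil {
		return nil, err
	}
	wrapped, err := h.WrapDataKey(dataKey)
	if err != nil {
		return nil, err
	}
	ct, err := aeadSeal(dataKey, plaintext) // bulk encryption never touches the HSM
	if err != nil {
		return nil, err
	}
	return &envelope{WrappedDataKey: wrapped, Ciphertext: ct}, nil
}

func envelopeDecrypt(h *hsm, e *envelope) ([]byte, error) {
	dataKey, err := h.UnwrapDataKey(e.WrappedDataKey)
	if err != nil {
		return nil, err // wrong cluster or tampered wrapped key: fail closed
	}
	return aeadOpen(dataKey, e.Ciphertext)
}

func main() {
	h, _ := newHSM()
	env, _ := envelopeEncrypt(h, []byte("constructed TDE payload"))
	pt, err := envelopeDecrypt(h, env)
	fmt.Printf("same cluster: %q err=%v\n", pt, err)
	other, _ := newHSM() // a cluster without this master key cannot open the envelope
	_, err = envelopeDecrypt(other, env)
	fmt.Println("other cluster: err =", err)
}
```

The design choice worth noticing is the ratio of HSM calls to data: one wrap per envelope, regardless of payload size, which is why this pattern tolerates HSM latency and makes durability of the master key, not throughput, the thing to engineer for.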
Meet the characters
Service API: Manage your cluster
• Console
• Command line
• Shows in AWS CloudTrail
CLI tools: Use your HSMs
• CloudHSM_mgmt_util – HSM administration
• Key_mgmt_util – Convenient for infrequent key operations
SDKs: Application development
• PKCS#11
• OpenSSL
• JCE
Client daemon: Talks to cluster
• Used by key_mgmt_util and SDKs to interact with cluster
• Handles load balancing
• Is aware of cluster configuration changes
CloudHSM_mgmt_util: Closer look
• Global mode: Default
  • Talks sequentially to all HSMs in the cluster
  • Doesn't use the client daemon: run "configure -m" before starting the utility so it picks up the current cluster configuration
  • Use this mode for routine operations
• Server mode: Use wisely
  • Bypasses cluster synchronization
  • Talks to one HSM at a time
  • Great power, great responsibility
  • Use this mode as needed (e.g., to fix mismatched users or passwords, or to manually synchronize keys across cloned clusters)
Cross-region redundant workloads
Cloning allows secure cross-Region key replication
• Step 1: Copy backup to new region
• Step 2: Create cluster from backup
• Ongoing: Synchronize new keys
Cross-region key transfer using wrapping
[Diagram: the Region 1 CloudHSM cluster is cloned into Region 2 by creating a cluster from backup. Region 1: AESWrap newKey with wrappingKey. Region 2: AESUnwrap newKey with wrappingKey.]
Cross-region key transfer using maskedObjects
[Diagram: the Region 1 CloudHSM cluster is cloned into Region 2 by creating a cluster from backup. Region 1: extractMaskedObject. Region 2: insertMaskedObject. Both are key_mgmt_util commands.]
Syncing with key_mgmt_util
[ec2-user@ip-X-X-X-X ~]$ /opt/cloudhsm/bin/key_mgmt_util singlecmd loginHSM -u CU -s user1 -p pwd findKey
Command: findKey
Total number of keys present: 3
Number of matching keys from start index 0::2
Handles of matching keys:
6, 262151, 8
[ec2-user@ip-X-X-X-X ~]$ /opt/cloudhsm/bin/key_mgmt_util singlecmd loginHSM -u CU -s user1 -p pwd extractMaskedObject -o 262151 -out masked_object.file
Command: extractMaskedObject -o 262151 -out masked_object.file
Object was masked and written to file "masked_object.file"
Syncing with key_mgmt_util, continued
[ec2-user@ip-X-X-X-X ~]$ /opt/cloudhsm/bin/key_mgmt_util singlecmd loginHSM -u CU -s user1 -p pwd insertMaskedObject -f masked_object.file
Command: insertMaskedObject -f masked_object.file
Cfm3InsertMaskedObject returned: 0x00 : HSM Return: SUCCESS
New Key Handle: 262153
Node id 1 and err state 0x00000000 : HSM Return: SUCCESS
[ec2-user@ip-X-X-X-X ~]$ /opt/cloudhsm/bin/key_mgmt_util singlecmd loginHSM -u CU -s user1 -p pwd findKey
Command: findKey
Total number of keys present: 4
Number of matching keys from start index 0::3
Handles of matching keys:
6, 262151, 8, 262153
Masking vs. wrapping
Wrapping: Required for use within applications
Pros
• Can be automated in C/Java
• Can be used in any cluster where the wrapping key is loaded
Cons
• Does not work for non-exportable keys
• Key attributes in the new HSM depend on the unwrapping code
Masking: Required for non-exportable keys
Pros
• Key stays in the FIPS boundary
• Constrained to the cloned cluster
• Key retains attributes and policies
Cons
• Only usable via command line tools (today)
Understanding HSM performance
Transaction = network round-trip + operation + (sometimes) synchronization
• Multi-threading increases throughput for a given latency
• Cryptographic operations on a key handle give you maximum speed
• Attributes and labels require a lookup, adding latency
• Caching the handle for frequently used keys provides better speed
Two types of keys in the HSM:
• Token keys are persistent, synchronized to all HSMs in the cluster
• Session keys are created on one HSM and erased after the session
• You can create and unwrap keys as session or token keys
• Session keys offer lower latency but no durability
Cluster performance: When to add HSMs
During design:
• For reliability: 2+ HSMs per production cluster, spread across AZs
• For speed: As needed after threading and code optimization
At runtime:
• When latency of calls increases
Amazon CloudWatch metrics:
• HSMs with unhealthy metrics are automatically replaced by CloudHSM
• For missing metrics, consider proactively adding an HSM
Best practices for cost management
For development and test workloads:
• Pause billing: Delete HSM instances at the end of the workday
• Resume work: Create HSM instance to pick up where you left off
For production workloads:
• Leverage elasticity: Scale cluster up/down as workload varies
• Maximize utilization: Share lightly used cluster across accounts
• Optimize storage: Wrap data keys and store externally when not in use
Idle workloads: Draw down cluster to 0 HSMs; even delete cluster
Last year, we delivered:
• Client support for Microsoft Windows
  • ADCA, IIS, and Signtool integrations
• JCE samples on GitHub: https://github.com/aws-samples/aws-cloudhsm-jce-examples/
  • Basic usage, optimizing performance, and handling HSM disconnects gracefully
  • More code coming soon, contributions welcome!
• PKCS#11 2.40 compliance
  • Client 1.1.1 onward
• Backup management
  • Copy and Delete
• HSM audit logs in CloudWatch
HSM audit logs in CloudWatch
User and key management is logged today
• Create/delete user and change password
• Login and logout
• Create/delete key and wrap/unwrap key
• Share key
Cryptographic operations are not logged today
• Encrypt, decrypt, sign, verify
Each HSM emits its own log stream
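A defender's view of the audit-log slide, as an added example that is not code from the slides or from AWS: a Go detector that merges the per-HSM log streams into one timeline, then flags user-management events and a burst of failed logins for one user across the whole cluster. The record layout, opcode names, and failure text in `sampleStreams` are constructed to resemble CloudHSM audit log entries and are assumptions, as is the threshold of 3 failures within 10 seconds. Merging first is the point: read stream by stream, hsm-1 shows one failure and hsm-2 two, and neither alone reaches the threshold.

```go
package main

import (
	"fmt"
	"sort"
	"strconv"
	"strings"
)

// Constructed sample records (assumption: the "Field : value" layout of
// CloudHSM audit log entries, one blank line between records; fields this
// detector does not read are omitted). One string per HSM, since each HSM
// in the cluster emits its own log stream.
var sampleStreams = map[string]string{
	"hsm-1": `Time: 06/25/19 14:02:12.500000, usecs:1561471332500000
Opcode : CN_CREATE_USER (0x3)
Response : 0:HSM Return: SUCCESS
User Name : app_user2

Time: 06/25/19 14:02:20.000000, usecs:1561471340000000
Opcode : CN_LOGIN (0xd)
Response : 163:HSM Error: login failed (constructed text)
User Name : app_user`,
	"hsm-2": `Time: 06/25/19 14:02:14.000000, usecs:1561471334000000
Opcode : CN_LOGIN (0xd)
Response : 163:HSM Error: login failed (constructed text)
User Name : app_user

Time: 06/25/19 14:02:18.000000, usecs:1561471338000000
Opcode : CN_LOGIN (0xd)
Response : 163:HSM Error: login failed (constructed text)
User Name : app_user`,
}

type entry struct {
	usecs             int64
	hsm, opcode, user string
	ok                bool
}

// parseStream turns one HSM's stream into entries; fields it does not know are ignored.
func parseStream(hsm, raw string) []entry {
	var out []entry
	for _, rec := range strings.Split(strings.TrimSpace(raw), "\n\n") {
		e := entry{hsm: hsm}
		for _, line := range strings.Split(rec, "\n") {
			kv := strings.SplitN(line, ":", 2)
			if len(kv) != 2 {
				continue
			}
			v := strings.TrimSpace(kv[1])
			switch strings.TrimSpace(kv[0]) {
			case "Time": // keep only the usecs value after the last colon
				e.usecs, _ = strconv.ParseInt(v[strings.LastIndex(v, ":")+1:], 10, 64)
			case "Opcode": // "CN_LOGIN (0xd)" -> "CN_LOGIN"
				e.opcode = strings.SplitN(v, " ", 2)[0]
			case "Response":
				e.ok = strings.Contains(v, "HSM Return: SUCCESS")
			case "User Name":
				e.user = v
			}
		}
		out = append(out, e)
	}
	return out
}

type finding struct{ Kind, User, HSM string; Usecs int64 }

// User-management opcodes that deserve an alert on their own (names assumed).
var privilegedOps = map[string]bool{"CN_CREATE_USER": true, "CN_DELETE_USER": true}

// detect merges every HSM's stream into one timeline, then reports privileged
// user changes and any user reaching threshold failed logins within windowSec.
func detect(streams map[string]string, threshold int, windowSec int64) []finding {
	var all []entry
	for hsm, raw := range streams {
		all = append(all, parseStream(hsm, raw)...)
	}
	sort.Slice(all, func(i, j int) bool { return all[i].usecs < all[j].usecs })
	var out []finding
	failures := map[string][]int64{} // per user: failure times still inside the window
	for _, e := range all {
		if privilegedOps[e.opcode] {
			out = append(out, finding{"privileged:" + e.opcode, e.user, e.hsm, e.usecs})
		}
		if e.opcode != "CN_LOGIN" || e.ok {
			continue
		}
		f := append(failures[e.user], e.usecs)
		for e.usecs-f[0] > windowSec*1e6 {
			f = f[1:] // slide the window forward
		}
		failures[e.user] = f
		if len(f) == threshold {
			out = append(out, finding{"login-failure-burst", e.user, e.hsm, e.usecs})
		}
	}
	return out
}

func main() {
	for _, f := range detect(sampleStreams, 3, 10) {
		fmt.Printf("%-26s user=%-10s seen-on=%s usecs=%d\n", f.Kind, f.User, f.HSM, f.Usecs)
	}
}
```

Because cryptographic operations are not logged today, a detector like this sees user and key management only; a key being used at an unusual rate has to be caught from CloudWatch metrics or application-side telemetry instead.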
CloudHSM as custom key store for AWS KMS
Combines CloudHSM’s control with AWS KMS integrations
• Use CloudHSM-backed keys in most AWS services via AWS KMS
• One data protection pattern, multiple compliance levels
[Diagram: custom key store architecture in the AWS Cloud. Customers' applications reach AWS KMS through the KMS endpoint via AWS SDKs, and 50+ AWS services integrate with AWS KMS. KMS backs keys either with its standard key store (the KMS HSM fleet) or with a custom key store, whose "connector" links KMS to a CloudHSM cluster in your VPC; custom clients can also use that cluster directly through PKCS#11, JCE, or CNG.]
Comparison of AWS KMS master key providers

                                     | KMS                          | KMS BYOK (ImportKey)         | KMS CustomKeyStore (CloudHSM)
Where keys are generated             | HSMs controlled by AWS       | HSMs controlled by you       | HSMs controlled by you
Where keys are stored                | HSMs controlled by AWS       | HSMs controlled by AWS       | HSMs controlled by you
Where keys are used                  | HSMs controlled by AWS       | HSMs controlled by AWS       | HSMs controlled by you
How to control key use               | JSON key policies you define | JSON key policies you define | JSON key policies you define
Responsibility for performance/scale | AWS                          | AWS                          | You
Integration with AWS services?       | Yes                          | Yes                          | Yes
Pricing model                        | $1/key + usage               | $1/key + usage               | $1/key + usage; hourly charge for each HSM
Thank you!
Avni Rambhia
arambhia@amazon.com
Stephen Quigg
squigg@amazon.com

SOCRadar Germany 2024 Threat Landscape Report
 
一比一原版(IIT毕业证)伊利诺伊理工大学毕业证成绩单
一比一原版(IIT毕业证)伊利诺伊理工大学毕业证成绩单一比一原版(IIT毕业证)伊利诺伊理工大学毕业证成绩单
一比一原版(IIT毕业证)伊利诺伊理工大学毕业证成绩单
 
做(mqu毕业证书)麦考瑞大学毕业证硕士文凭证书学费发票原版一模一样
做(mqu毕业证书)麦考瑞大学毕业证硕士文凭证书学费发票原版一模一样做(mqu毕业证书)麦考瑞大学毕业证硕士文凭证书学费发票原版一模一样
做(mqu毕业证书)麦考瑞大学毕业证硕士文凭证书学费发票原版一模一样
 
Data Centers - Striving Within A Narrow Range - Research Report - MCG - May 2...
Data Centers - Striving Within A Narrow Range - Research Report - MCG - May 2...Data Centers - Striving Within A Narrow Range - Research Report - MCG - May 2...
Data Centers - Striving Within A Narrow Range - Research Report - MCG - May 2...
 
一比一原版(UVic毕业证)维多利亚大学毕业证成绩单
一比一原版(UVic毕业证)维多利亚大学毕业证成绩单一比一原版(UVic毕业证)维多利亚大学毕业证成绩单
一比一原版(UVic毕业证)维多利亚大学毕业证成绩单
 

AWS

  • 11. ACM Private CA
       (Diagram labels) Organization resources: on-premises servers, AWS resources, devices, Amazon EC2
  • 13. Secrets Manager
       Life-cycle management for secrets such as database credentials and API keys
       • Rotate secrets safely
       • Manage access with fine-grained policies
       • Secure and audit secrets centrally
       • Pay as you go
  • 16. Aspects of control in CloudHSM
       Control: application development; algorithms and key lengths; user management; specific compliance
  • 17. Control implies responsibility
       Control: application development; algorithms and key lengths; user management; specific compliance
       Responsibility: application integration; HSM maintenance; backups; provisioning; high availability; user management
  • 18. CloudHSM simplifies management tasks
       Responsibility: application integration; HSM maintenance; backups; provisioning; high availability; user management
  • 19. Concepts in CloudHSM
       • Cluster
       • HSM
       • Backup
       • Higher throughput: Expand cluster
       • More active keys: New cluster
       (Diagram) CloudHSM HSMs, synchronized within a CloudHSM cluster
  • 20. Concepts in CloudHSM, continued
       • Cloned cluster
       • Same trust hierarchy and masking key
       • Can synchronize keys within FIPS envelope
       (Diagram) Automatically synchronized CloudHSM cluster -> create cluster from backup -> cloned CloudHSM cluster
  • 21. Two ways to use CloudHSM
       Envelope encryption
         • Master key stored in HSM; data keys are encrypted with master key
         • HSM-based master key unlocks data keys (e.g., database TDE)
         • Durability is primary concern
       Direct transactions
         • HSM is in path of every transaction (e.g., OpenSSL)
         • Availability and latency are critical
  • 22. Meet the characters
       Service API: Manage your cluster
         • Console
         • Command line
         • Shows in AWS CloudTrail
       CLI tools: Use your HSMs
         • CloudHSM_mgmt_util – HSM administration
         • Key_mgmt_util – Convenient for infrequent key operations
       SDKs: Application development
         • PKCS#11
         • OpenSSL
         • JCE
       Client Daemon: Talks to cluster
         • Used by key_mgmt_util and SDKs to interact with cluster
         • Handles load balancing
         • Is aware of cluster configuration changes
  • 23. CloudHSM_mgmt_util: Closer look
       Global mode: Default
         • Talks sequentially to all HSMs in the cluster
         • Doesn't use the client daemon: run "configure -m" before using the utility to update cluster settings
         • Use this mode for routine operations
       Server mode: Use wisely
         • Bypasses cluster synchronization
         • Talks to one HSM at a time
         • Great power, great responsibility
         • Use this mode as needed (e.g., to fix mismatched users or passwords, or to manually synchronize keys across cloned clusters)
  • 25. Cross-region redundant workloads
       Cloning allows secure cross-Region key replication
       Step 1: Copy backup to new region
       Step 2: Create cluster from backup
       Ongoing: Synchronize new keys
  • 26. Cross-region key transfer using wrapping
       (Diagram) Region 1 CloudHSM cluster: AESWrap newKey with wrappingKey -> create cluster from backup -> Region 2 CloudHSM cluster: AESUnwrap newKey with wrappingKey
  • 27. Cross-region key transfer using maskedObjects
       (Diagram) Region 1 CloudHSM cluster: extractMaskedObject (key_mgmt_util) -> create cluster from backup -> Region 2 CloudHSM cluster: insertMaskedObject (key_mgmt_util)
  • 28. Syncing with Key_mgmt_util
       [ec2-user@ip-X-X-X-X ~]$ /opt/cloudhsm/bin/key_mgmt_util singlecmd loginHSM -u CU -s user1 -p pwd findKey
       Command: findKey
       Total number of keys present: 3
       Number of matching keys from start index 0::2
       Handles of matching keys: 6, 262151, 8
       [ec2-user@ip-X-X-X-X ~]$ /opt/cloudhsm/bin/key_mgmt_util singlecmd loginHSM -u CU -s user1 -p pwd extractMaskedObject -o 262151 -out masked_object.file
       Command: extractMaskedObject -o 262151 -out masked_object.file
       Object was masked and written to file "masked_object.file"
  • 29. Syncing with Key_mgmt_util
       [ec2-user@ip-X-X-X-X ~]$ /opt/cloudhsm/bin/key_mgmt_util singlecmd loginHSM -u CU -s user1 -p pwd insertMaskedObject -f masked_object.file
       Command: insertMaskedObject -f masked_object.file
       Cfm3InsertMaskedObject returned: 0x00 : HSM Return: SUCCESS
       New Key Handle: 262153
       Node id 1 and err state 0x00000000 : HSM Return: SUCCESS
       [ec2-user@ip-X-X-X-X ~]$ /opt/cloudhsm/bin/key_mgmt_util singlecmd loginHSM -u CU -s user1 -p pwd findKey
       Command: findKey
       Total number of keys present: 4
       Number of matching keys from start index 0::3
       Handles of matching keys: 6, 262151, 8, 262153
  • 30. Masking vs. wrapping
       Wrapping: Required for use within applications
         Pros
           • Can be automated in C/Java
           • Can be used in any cluster where wrapping key is loaded
         Cons
           • Does not work for non-exportable keys
           • Key attributes in new HSM depend on unwrapping code
       Masking: Required for non-exportable keys
         Pros
           • Key stays in FIPS boundary
           • Constrained to cloned cluster
           • Key retains attributes and policies
         Cons
           • Only usable via command line tools (today)
  • 32. Understanding HSM performance
       Transaction = network round-trip + operation + (sometimes) synchronization
  • 33. Understanding HSM performance, continued
       Multi-threading increases throughput for given latency
  • 34. Understanding HSM performance, continued
       • Cryptographic operations on a key handle give you maximum speed
       • Attributes and labels require look-up, adding latency
       • Caching the handle for frequently used keys provides better speed
  • 35. Understanding HSM performance, continued
       Two types of keys in the HSM:
       • Token keys are persistent, synchronized to all HSMs in the cluster
       • Session keys are created on one HSM and erased after the session
       • You can create and unwrap keys as session or token keys
       • Session keys offer lower latency but no durability
  • 36. Cluster performance: When to add HSMs
       During design:
       • For reliability: 2+ HSMs per production cluster, spread across AZs
       • For speed: As needed after threading and code optimization
       At runtime:
       • When latency of calls increases
       Amazon CloudWatch metrics:
       • HSMs with unhealthy metrics are auto-replaced by CloudHSM
       • For missing metrics, consider proactively adding an HSM
  • 37. Best practices for cost management
       For development and test workloads:
       • Pause billing: Delete HSM instances at the end of the workday
       • Resume work: Create HSM instance to pick up where you left off
       For production workloads:
       • Leverage elasticity: Scale cluster up/down as workload varies
       • Maximize utilization: Share lightly used cluster across accounts
       • Optimize storage: Wrap data keys and store externally when not in use
       Idle workloads: Draw down cluster to 0 HSMs; even delete cluster
  • 39. Last year, we delivered:
       • Client support for Microsoft Windows
         • ADCA, IIS and Signtool integrations
       • JCE samples on GitHub: https://github.com/aws-samples/aws-cloudhsm-jce-examples/
         • Basic usage, optimizing performance, and handling HSM disconnects gracefully
         • More code coming soon, contributions welcome!
       • PKCS#11 2.40 compliance
         • Client 1.1.1 onward
       • Backup management
         • Copy and Delete
       • HSM audit logs in CloudWatch
  • 40. HSM audit logs in CloudWatch
       User and key management is logged today
       • Create/delete user and change password
       • Login and logout
       • Create/delete key and wrap/unwrap key
       • Share key
       Cryptographic operations are not logged today
       • Encrypt, decrypt, sign, verify
       Each HSM emits its own log stream
  • 41. CloudHSM as custom key store for AWS KMS
       Combines CloudHSM's control with AWS KMS integrations
       • Use CloudHSM-backed keys in most AWS services via AWS KMS
       • One data protection pattern, multiple compliance levels
  • 42. (Architecture diagram labels) AWS Cloud; VPC; CloudHSM cluster; customers' applications via AWS SDKs; AWS KMS standard key store (KMS HSM fleet); AWS KMS custom key store; KMS endpoint; custom key store "connector"; 50+ AWS services; custom clients using PKCS#11, JCE, CNG
  • 43. Comparison of AWS KMS master key providers
                                              KMS                            KMS BYOK (ImportKey)           KMS CustomKeyStore (CloudHSM)
       Where keys are generated               HSMs controlled by AWS         HSMs controlled by you         HSMs controlled by you
       Where keys are stored                  HSMs controlled by AWS         HSMs controlled by AWS         HSMs controlled by you
       Where keys are used                    HSMs controlled by AWS         HSMs controlled by AWS         HSMs controlled by you
       How to control key use                 JSON key policies you define   JSON key policies you define   JSON key policies you define
       Responsibility for performance/scale   AWS                            AWS                            You
       Integration with AWS services?         Yes                            Yes                            Yes
       Pricing model                          $1/key + usage                 $1/key + usage                 $1/key + usage; hourly charge for each HSM
  • 45. Thank you!
       Avni Rambhia arambhia@amazon.com
       Stephen Quigg squigg@amazon.com