AWS CloudHSM allows customers to securely generate, store, and manage cryptographic keys in a Hardware Security Module (HSM) in the AWS cloud. It protects keys with FIPS 140-2 Level 3 validated HSMs and allows customers to have full control over key access management without AWS having access. AWS CloudHSM can be used for use cases like certificate authorities, database encryption, and SSL/TLS offloading. The new second-generation CloudHSM service is fully managed and offers high availability, scalability, and ease of use.

1. © 2017, Amazon Web Services, Inc. or its Affiliates. All rights reserved.
Avni Rambhia, AWS Cryptography
October 2017
AWS CloudHSM
Secure and keep control of your own
encryption keys in the AWS Cloud

2. © 2017, Amazon Web Services, Inc. or its Affiliates. All rights reserved.
AWS Key Management Service
Using Keys Securely in AWS
AWS CloudHSM

3. © 2017, Amazon Web Services, Inc. or its Affiliates. All rights reserved.
What CloudHSM Provides
Protect your
encryption keys with
secure and compliant
hardware security
modules.
Keep total control of
access management
to your encryption
keys.
• AWS has no access to your
HSM or to the keys inside.
• All communication with your
HSM is encrypted end-to-end.
• Single tenant access to FIPS
140-2 Level 3 validated
hardware.
• Supports security-sensitive
workloads subject to compliance
regulations.

4. © 2017, Amazon Web Services, Inc. or its Affiliates. All rights reserved.
Second-Generation CloudHSM
• Fully managed HSMs in the AWS cloud
Launched August 2017
Focus of today’s webinar
• CloudHSM Classic: First Generation Service
SafeNet HSMs in AWS cloud
Available to existing CloudHSM Classic customers only
FAQ at https://aws.amazon.com/cloudhsm/faqs-classic/

5. © 2017, Amazon Web Services, Inc. or its Affiliates. All rights reserved.
Why Customers Use AWS CloudHSM
• Offload TLS/SSL processing
• Certificate authority (CA)
• Transparent Data Encryption (TDE) for Oracle databases
• Document and code signing
• Digital Rights Management

6. © 2017, Amazon Web Services, Inc. or its Affiliates. All rights reserved.
Online Certificate Authority
• Integrate using PKCS#11, JCE and CNG (for
Microsoft ActiveDirectory)
• Create & store private keys safely and under
your control on HSM

7. © 2017, Amazon Web Services, Inc. or its Affiliates. All rights reserved.
Database Encryption with CloudHSM
Cluster
Cryptographic
Officer
Database Users

8. © 2017, Amazon Web Services, Inc. or its Affiliates. All rights reserved.
SSL/TLS Offload
• Integrate via OpenSSL
• Create/store private keys on HSM
• Cryptographic acceleration
• Expand/shrink cluster on demand

9. © 2017, Amazon Web Services, Inc. or its Affiliates. All rights reserved.
Capabilities and Performance
Each HSM offers:
• ~1000 RSA sign/verify operations per second
• AES at network speed
• ~3,500 key storage capacity
Scale up to 32 HSMs per cluster
• ~32,000 RSA sign/verify operations in one cluster in one VPC
Scale down to zero; restore from backup

10. © 2017, Amazon Web Services, Inc. or its Affiliates. All rights reserved.© 2017, Amazon Web Services, Inc. or its Affiliates. All rights reserved.
Benefits of Using
Hardware Security Modules

11. © 2017, Amazon Web Services, Inc. or its Affiliates. All rights reserved.
Total Control of Access Management
• Secure HSM access to create users and policies.
• Granular access management policies for up to 1,024
users on your HSMs.
• User-created keys not visible to other users.
• Keys can be shared with up to 8 other users who can
use (but not manage) that specific key.
• AWS has no access to your encryption keys.

12. © 2017, Amazon Web Services, Inc. or its Affiliates. All rights reserved.
Scalable and Easy to Manage
• Fully managed HSMs in the cloud.
• Smart, load balancing clusters with automatic failover
• Automated high-availability
• Scale up and down clusters with a single API call
• Pay as you go with no upfront costs.
• Flexibly scale up and down as workload fluctuates
• Automated, secure backups.
• Can only be restored to AWS CloudHSM hardware

13. © 2017, Amazon Web Services, Inc. or its Affiliates. All rights reserved.
Monitoring and Logging
• CloudWatch Metrics
• Cluster Health
• HSM health
• Memory Utilization
• Session count
• Create Custom Alarms and Thresholds
• Enables “Autoscale”
• CloudTrail Logs
• API call history

14. © 2017, Amazon Web Services, Inc. or its Affiliates. All rights reserved.© 2017, Amazon Web Services, Inc. or its Affiliates. All rights reserved.
Zero-Config High Availability with
AWS CloudHSM

15. © 2017, Amazon Web Services, Inc. or its Affiliates. All rights reserved.
Concept of a Cluster
• All HSMs are part of a cluster
• Group of equivalent HSMs
• Between 0-32 HSMs per Cluster
• Users, policies and keys are identical
• Clients automatically load-balance across the cluster
• Cross-AZ for high availability
• Within a single region
• Cross-region replication not supported today

16. © 2017, Amazon Web Services, Inc. or its Affiliates. All rights reserved.
Four Steps to Activated HSM
Step 1: Create a Cluster
Sets up environment for HSM instance
Step 2: Create & Verify HSM
Ensure your HSM is authentic HSM in AWS cloud
Step 3: Initialize the Cluster
Sign the cluster certificate with your credentials, making it ‘yours’
Step 4: Activate the Cluster
Login to HSM, change default password, and proceed to use as CO

17. © 2017, Amazon Web Services, Inc. or its Affiliates. All rights reserved.
Activated Cluster: One-click Expand/Contract

18. © 2017, Amazon Web Services, Inc. or its Affiliates. All rights reserved.
CloudHSM Clustering
CloudHSM Instance
CloudHSM Instance
Active/Active Sync
CloudHSM Cluster
Customer VPC
Zero Config

19. © 2017, Amazon Web Services, Inc. or its Affiliates. All rights reserved.
Clustering – Expanding the Cluster
CloudHSM Instance
CloudHSM Instance
Active/Active Sync
CloudHSM Cluster
Customer VPC
Backup

20. © 2017, Amazon Web Services, Inc. or its Affiliates. All rights reserved.
Clustering
CloudHSM Cluster
Customer VPC

21. © 2017, Amazon Web Services, Inc. or its Affiliates. All rights reserved.
Clustering
CloudHSM Cluster
Customer VPC
Restore

22. © 2017, Amazon Web Services, Inc. or its Affiliates. All rights reserved.
Clustering
CloudHSM Cluster
Customer VPC
Push New Config

23. © 2017, Amazon Web Services, Inc. or its Affiliates. All rights reserved.
Clustering
CloudHSM Cluster
Customer VPC

24. © 2017, Amazon Web Services, Inc. or its Affiliates. All rights reserved.
High Availability Best Practices

25. © 2017, Amazon Web Services, Inc. or its Affiliates. All rights reserved.© 2017, Amazon Web Services, Inc. or its Affiliates. All rights reserved.
Wrap-Up

26. © 2017, Amazon Web Services, Inc. or its Affiliates. All rights reserved.
Benefits to the Customer
What’s New CloudHSM Features
Pay as you go Pricing based on use; no upfront costs
More scalable
Start and stop HSMs on demand
Spin cluster down to zero HSMs, restore from backup when needed
Improved security
FIPS 140-2 Level 3 validated
MofN & 2FA supported
Fully managed Provisioning, patching, back-up, and HA included
Built on open standards
Export, as permitted, keys to most commercially available HSMs
PKCS#11 and JCE SDKs; CNG coming shortly
Easier to use Point and click console
Automated HA
New HSMs automatically cloned;
clients automatically reconfigured

27. © 2017, Amazon Web Services, Inc. or its Affiliates. All rights reserved.
Pricing and Availability
Region Region
US East (N. Virginia) Asia Pacific (Mumbai)
US East (Ohio) Asia Pacific (Singapore)
US West (Oregon) Asia Pacific (Sydney)
US West (N. California) Asia Pacific (Tokyo)
Canada (Central) EU (Ireland)
EU (Frankfurt)
• No upfront costs to use AWS CloudHSM.
• Per-HSM hourly fee varies by region; lower than CloudHSM Classic.

28. © 2017, Amazon Web Services, Inc. or its Affiliates. All rights reserved.
Questions?

29. © 2017, Amazon Web Services, Inc. or its Affiliates. All rights reserved.
Thank you!