What is AWS CloudHSM? Manage Your Encryption Keys Easily

Security in Cloud

Cloud computing is a shared infrastructure through virtualization technology in a large number of available network resources to form a virtual resource pool, automatic software implementation by management. The underlying hardware resources are not hooked to an entity and are being shared across multiple customers. This allows the resources to be used to their capacity, ensuring lesser occurrence of underutilization or overutilization of the resources, allowing cloud providers to provide the services at lower costs.

The very phenomenon of the hardware being shared amongst many customers is a matter of concern for few customers on the other hand, who want to capitalize on the convenience of cloud, but do not want to compromise on the security, compromised by the sharing of underlying resources.

This article discusses two of the major services for data security at rest in Amazon Web Services (AWS), AWS Key management service (AWS KMS) and AWS Cloud Hardware Security Module (HSM). This article will first discuss AWS CloudHSM and then compare and contrast it to another key management service in AWS, AWS KMS.

Overview – AWS CloudHSM

Hardware security module

Encryption, the process of rendering sensitive data indecipherable except to those with authorized access, forms the basis for an HSM’s core functionality. Secure decryption is also a part of HSM functionality.

Randomly generated values are used to create encryption keys, which in turn is used for encryption. Decrypting that sensitive information is always just one step away with the keys in hand, so storage of encryption keys in a secure environment is essential.

Hardware security modules generate and store encryption keys. They have special hardware to create entropy and generate high quality random keys.

AWS Cloud Hardware security module (AWS CloudHSM)

AWS defines AWS CloudHSM as “a dedicated, hardware-based cryptographic key storage which allows the users to help satisfy the compliance requirements”. The three keywords in this definition are hardware-based, cryptographic key storage and compliance and we will be having discussions around these keywords for the rest of the article.

CloudHSM is a physical computing device that safeguards and manages digital keys, performs encryption and decryption functions for digital signatures, strong authentication and other cryptographic functions. It is compliant with FIPS 140-2 level 3. The FIPS is a US Government computer security standard which is used to validate cryptographic modules.

AWS CloudHSM allows to perform cryptographic operations such as:

• Generate, store, import, export, and manage cryptographic keys, including symmetric keys and asymmetric key pairs.
• Use symmetric and asymmetric algorithms to encrypt and decrypt data automatically.
• Use cryptographic hash functions to compute message digests and hash-based message authentication codes (HMACs).
• Cryptographically sign data (including code signing) and verify signatures.
• Generate cryptographically secure random data.Manage single-tenant hardware security modules (HSMs) on AWSSingle tenancy is an architecture in which a single instance of a software application and supporting infrastructure serves one customer. CloudHSM designates a single-tenant multi-AZ cluster, which is exclusive to the customer.

Getting started with AWS CloudHSM

The user needs to provision a cluster to be able to use AWS CloudHSM. The steps include creating an IAM user with appropriate permissions, provisioning and initializing of AWS CloudHSM cluster and setting up appropriate certificates in an EC2 client. A step to step guide could be found here for getting started with AWS CloudHSM.

To be able to use the cluster, the following requirements must be fulfilled:

• The cluster must be active.
• The cluster must be in the same account and Region as the AWS CloudHSM key store. An AWS CloudHSM key store in one Region cannot be associated with a cluster in a different Region. To create a key infrastructure in multiple Regions, AWS CloudHSM key stores and clusters must be created in each Region.
• The cluster cannot be associated with another custom key store in the same account and Region. Each AWS CloudHSM key store in the account and Region must be associated with a different AWS CloudHSM cluster.
• The security group for the cluster must include inbound rules and outbound rules that allow TCP traffic on ports 2223-2225.
• The cluster must contain at least two active HSMs in different Availability Zones.

Once these requirements have been attained, a CMK could be created from CloudHSM. The steps to create a CMK using CloudHSM could be found here: Creating KMS keys in an AWS CloudHSM key store

Once a CMK is created, it could be used to encrypt AWS EC2 instances, S3, EBS volumes, and other AWS similar to the way an AWS KMS CMK is used.

Accessing key managed by AWS CloudHSM

AWS CloudHSM and VPC endpoints

A private connection between an amazon Virtual Private Cloud (VPC) and AWS CloudHSM can be created by creating an interface VPC endpoint. Interface endpoints are powered by AWS PrivateLink, a technology that enables private access of AWS CloudHSM APIs without an internet gateway, NAT device, VPC connection or AWS Direct Connection. The traffic between the VPC and AWS CloudHSM never leaves the Amazon network.

A step wise documentation could be found here about how to Creating an interface VPC endpoint for AWS CloudHSM.

AWS Key Management Services (KMS)

AWS Key Management Service – KMS is a managed encryption service that allows the creation and control of encryption keys to enable data encryption. It provides a highly available key storage, management, and auditing solution to encrypt the data across AWS services & within applications. It seamlessly integrates with several AWS services to make encrypting data in those services easy. AWS KMS supports the following cryptographic operations

• Encrypt, decrypt, and re-encrypt data with symmetric or asymmetric keys.
• Sign and verify messages with asymmetric keys.
• Generate exportable symmetric data keys and asymmetric data key pairs.
• Generate and verify HMAC codes. 
• Generate random numbers suitable for cryptographic applications
• Supports Virtual Private Cloud (VPC) private endpoint to connect KMS privately from a VPC. Interface VPC endpoint ensures the communication between the VPC and AWS KMS is conducted entirely within the AWS network.

CloudHSM vs AWS KMS

The main difference between KMS and CloudHSM is the way keys are managed. CloudHSM lets the client manage the keys whereas AWS controls the cryptographic keys in case of AWS KMS. The clients can securely generate, store, and manage the cryptographic keys within HSMs designed and validated to government standards used for data encryption such that they are accessible only by the client themselves. AWS CloudHSM helps comply with strict key management requirements without sacrificing application performance.

Use cases

As mentioned earlier in the definition of CloudHSM, CloudHSM is used if the clients desire to manage the cryptographic keys themselves. One of the reasons to desire this is the regulatory compliance requirements for an application or an organization itself. In AWS CloudHSM, the user creates and manages HSMs, including creating users and setting their permissions.

AWS Key Management Service is defined as “Easily create and control the encryption keys used to encrypt your data”. AWS Key Management Service (KMS) is a managed service that makes it easy to create and control the encryption keys used to encrypt the data at rest. It generates keys which could be used with other AWS services, but AWS takes care of the management of keys and the underlying hardware resources.