This article highlights the process of duplicating an AWS CloudHSM cluster to enhance data redundancy and streamline disaster recovery. AWS CloudHSM allows for the generation, storage, import, export, and management of cryptographic keys, as well as the computation of hash functions and signing of data. Cloning your CloudHSM cluster to a different AWS region facilitates synchronization of keys, including non-exportable keys that remain securely within the device.
To clone a cluster, you will follow a two-step method: first, transfer a backup to the target region, and second, establish a new cluster from that backup. In this article, I will guide you through setting up a cluster in region one and utilizing the new CopyBackupToRegion feature to duplicate the cluster and hardware security modules (HSMs) into a virtual private cloud (VPC) in region two.
Note: Instructions for establishing a cross-region VPC to synchronize HSMs across the cloned clusters are not included here. For that information, refer to this related blog post.
Overview of the Process
To accomplish this task, you can use either the AWS Command Line Interface (CLI) or the AWS CloudHSM API. This post will utilize the AWS CLI to transfer the cluster backup from region one to region two, followed by launching a new cluster from the copied backup.
The process is illustrated in the diagram below:
- AWS CloudHSM creates a backup of the cluster and stores it in an Amazon S3 bucket managed by AWS CloudHSM.
- You execute the CLI/API command to copy the backup to another AWS region.
- Upon completion of the backup, you utilize it to create a new cluster and HSMs.
Important: Backups cannot be copied into or out of AWS GovCloud (US) as it is a restricted region.
When transferring the backup to a new AWS region, it is stored within an Amazon S3 bucket owned by an AWS CloudHSM account. AWS CloudHSM oversees the security and storage of cluster backups, so your backup in both regions retains the durability of Amazon S3, estimated at 99.999999999%. Additionally, the backup in region two is encrypted in the same way as the backup in region one. For more details on how AWS CloudHSM backups are encrypted, consult the AWS CloudHSM documentation.
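As an added example (not part of the original post, and not AWS's own code), the following Bash script automates the three-part clone described above with the AWS CLI: it selects the most recent READY backup of the region-one cluster, starts the copy with copy-backup-to-region, polls region two through the sourceBackupIds filter until the copied backup is READY, and then creates the region-two cluster from that backup with --source-backup-id so that it carries the original cluster's users, keys and masking key. The function names, the AWS_CLI override variable (present only so the CLI can be swapped for a stub when testing) and the poll interval are my own choices; the region, cluster, subnet and Availability Zone values are placeholders you supply.

```shell
#!/usr/bin/env bash
# Added example: clone a CloudHSM cluster from region one into region two
# by copying its latest READY backup and creating a cluster from the copy.
# Assumes the AWS CLI is configured with cloudhsmv2 permissions in both
# regions. AWS_CLI is an assumption of this script, not an AWS CLI feature.
set -u

aws_cli() { "${AWS_CLI:-aws}" "$@"; }

# Most recent READY backup of a cluster in a region. Prints the backup id.
latest_ready_backup() {    # <region> <cluster id>
  aws_cli cloudhsmv2 describe-backups --region "$1" \
    --filters clusterIds="$2" states=READY \
    --query 'sort_by(Backups, &CreateTimestamp)[-1].BackupId' --output text
}

# Start the cross-region copy. The call is asynchronous; the copied backup
# is located afterwards in the destination region via sourceBackupIds.
copy_backup() {            # <source region> <destination region> <backup id>
  aws_cli cloudhsmv2 copy-backup-to-region --region "$1" \
    --destination-region "$2" --backup-id "$3" >/dev/null
}

# Poll the destination region until the copied backup is READY.
# Prints the id of the copied backup.
wait_for_copied_backup() { # <destination region> <source backup id> [poll seconds]
  local interval="${3:-30}" line id state
  while :; do
    line=$(aws_cli cloudhsmv2 describe-backups --region "$1" \
      --filters sourceBackupIds="$2" \
      --query 'Backups[0].[BackupId,BackupState]' --output text)
    # text output is "<id><tab><state>", or "None" before the copy shows up
    id=${line%%[[:space:]]*}
    state=${line##*[[:space:]]}
    case "$state" in
      READY) echo "$id"; return 0 ;;
      CREATE_IN_PROGRESS|None) sleep "$interval" ;;
      *) echo "unexpected backup state: $state" >&2; return 1 ;;
    esac
  done
}

# Create the region-two cluster from the copied backup so that it shares
# the original cluster's masking key. Prints the new cluster id.
create_cluster_from_backup() { # <region> <private subnet id> <backup id>
  aws_cli cloudhsmv2 create-cluster --region "$1" --hsm-type hsm1.medium \
    --subnet-ids "$2" --source-backup-id "$3" \
    --query 'Cluster.ClusterId' --output text
}

# End-to-end clone. Usage:
#   clone_cluster <src region> <src cluster id> <dst region> <dst subnet> <dst AZ>
clone_cluster() {
  local src_backup dst_backup dst_cluster
  src_backup=$(latest_ready_backup "$1" "$2")
  copy_backup "$1" "$3" "$src_backup"
  dst_backup=$(wait_for_copied_backup "$3" "$src_backup")
  dst_cluster=$(create_cluster_from_backup "$3" "$4" "$dst_backup")
  # The cloned cluster starts with no HSMs; add the first one in the
  # Availability Zone of the private subnet.
  aws_cli cloudhsmv2 create-hsm --region "$3" --cluster-id "$dst_cluster" \
    --availability-zone "$5" >/dev/null
  echo "$dst_cluster"
}
```

Run it as `clone_cluster us-east-1 <CLUSTER ID> us-west-2 <SUBNET ID 2> us-west-2a` (constructed placeholder regions). Creating the region-two cluster from the copied backup rather than from scratch is the point of the masking-key note in the prerequisites: only clusters built from the same backup can later synchronize keys with each other.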
Any HSMs created in the cloned cluster will initially include the same users and keys as the original cluster at the time the backup was taken. From this point onward, you must manually maintain synchronization between the cloned clusters. For instance:
- If you add users after the new cluster creation, you need to manually create them on both clusters.
- If you change a user’s password in one cluster, ensure to update the password on the cloned clusters accordingly.
- Any new keys created in one cluster must be synchronized with at least one HSM in the cloned cluster. Note that after syncing a key from cluster one to cluster two, AWS CloudHSM will manage the synchronization of keys within the second cluster.
Prerequisites
Before proceeding, ensure that the following requirements are met:
- A VPC in region one with at least one public and one private subnet.
- A VPC in region two with at least one public and one private subnet.
- Cross-region VPC connectivity enabled between region one and region two.
- AWS Command Line Interface (CLI) installed.
- IAM permissions for AWS CloudHSM APIs in both regions.
Important note: Key synchronization across clusters in multiple regions is only feasible if all clusters are created from the same backup. This is due to the necessity of a consistent masking key present on both source and destination HSMs. The masking key is unique to each cluster, cannot be exported, and is solely used for synchronizing keys across HSMs within a cluster.
Step 1: Create Your Initial Cluster in Region One
Follow the links in each sub-step below for further details and setup requirements:
- Create the cluster. Execute the command below via CLI, replacing the <SUBNET ID 1> placeholder with one of your private subnets:
$ aws cloudhsmv2 create-cluster --hsm-type hsm1.medium --subnet-ids <SUBNET ID 1>
- Launch your Amazon Elastic Compute Cloud (EC2) client in the public subnet. Instructions for launching an EC2 instance can be found here.
- Create the first HSM (in the private subnet). Run the command below via CLI, replacing <CLUSTER ID> with the ID from the previous step and <AVAILABILITY ZONE> with your private subnet’s AZ (e.g., us-east-1a):
$ aws cloudhsmv2 create-hsm --cluster-id <CLUSTER ID> --availability-zone <AVAILABILITY ZONE>
- Initialize the cluster by creating a self-signed certificate and signing the cluster’s Certificate Signing Request (CSR). You can view an example of how to create and use a self-signed certificate. After obtaining your certificate, initialize the cluster with the command:
$ aws cloudhsmv2 initialize-cluster --cluster-id <CLUSTER ID> --signed-cert file://<CLUSTER ID>_CustomerHsmCertificate.crt --trust-anchor file://customerCA.crt
Note: Remember to copy the certificate used to sign your cluster’s CSR into the /opt/cloudhsm/etc directory to maintain a secure connection.
- Install the cloudhsm-client software. After launching your EC2 client, download the software with this command:
$ wget https://s3.amazonaws.com/cloudhsmv2-software/CloudHsmClient/EL6/cloudhsm-client-latest.el6.x86_64.rpm
Then install it with:
$ sudo yum install -y ./cloudhsm-client-latest.el6.x86_64.rpm
- Finally, configure the cloudhsm-client to point to the ENI IP of your first HSM. Execute the following on your EC2 client, replacing the <IP ADDRESS> placeholder with your HSM’s ENI IP:
$ sudo /opt/cloudhsm/bin/configure -a <IP ADDRESS>
This command updates your configuration files to ensure your client can connect to the cluster.
- Activate the cluster by starting cloudhsm_mgmt_util with this command, which logs you in to the cluster:
$ /opt/cloudhsm/bin/cloudhsm_mgmt_util /opt/cloudhsm/etc/cloudhsm_