Well, you probably don't.
Part 1 of what I learned at re:Invent 2019
The first session that I attended at AWS re:Invent 2019 was SEC305 — Achieving security goals with AWS CloudHSM (Note: Video not yet published; I linked the video from the same speaker at re:Inforce 2019). I was expecting the speaker, Avni Rambhia — Senior Product Manager with AWS, to jump into the nitty gritty of how to utilize CloudHSM. Instead, her goal was to spend the first half hour convincing me that I don’t need CloudHSM — and that’s exactly what she did.
In case you are unfamiliar, here is a brief explanation of what CloudHSM does:
AWS CloudHSM provides hardware security modules in the AWS Cloud. A hardware security module (HSM) is a computing device that processes cryptographic operations and provides secure storage for cryptographic keys.
Source: AWS CloudHSM Documentation
So, what do you need CloudHSM for? Well, ...
You don’t need CloudHSM to…
Store symmetric/asymmetric keys
AWS Key Management Service (KMS) supports retrieval, encryption, and decryption of both asymmetric and symmetric keys. It also supports signing and verification operations for symmetric keys.
AWS KMS stores your keys securely in an AWS-owned HSM. AWS validates KMS for FIPS compliance. KMS is fully integrated with CloudTrail, meaning that every action taken on a key is logged. Keys are protected from accidental deletion because KMS enforces a mandatory key deletion waiting period of at least 7 days.
Access to keys is controlled through IAM policies, which provide fine-grained, auditable controls. For instance, your organization can choose to allow Information Security and auditors to view information about the keys and their usage, but not to retrieve the key data. Another policy can be written such that only a single Lambda can use the key to decrypt data.
It should be noted that KMS keys are replicated across availability zones, but not regions. AWS recommends using separate KMS keys for each region, which will prevent data loss in the unlikely event of a region being destroyed.
Create and manage a Certificate Authority
AWS Certificate Manager (ACM) provides a secure repository to manage SSL/TLS certificates, and to run your own private certificate authority.
Similar to AWS KMS, ACM is backed by an AWS-owned HSM, is fully integrated with CloudTrail, has accidental deletion prevention, and access controls are based on IAM.
Store passwords and other secrets
AWS Secrets Manager provides a platform for storing, retrieving, and rotating secrets such as passwords and API keys. Secrets Manager has all the characteristics of KMS and ACM: CloudTrail, deletion prevention, IAM, etc.
The best way to handle secrets is to never directly touch them. AWS Secrets Manager can do just that by directly integrating into some AWS services — no code needed.
You need CloudHSM if…
- Compliance dictates that you must have more control over stored keys/secrets — such as forcing key lengths, ciphers, and rotation policies.
- You aren’t allowed to use IAM.
One final reason to use CloudHSM is that you may be doing so to meet certain regulatory verbiage. Avni cautioned doing so, stating that you should reconsider and renegotiate, because other services can provide the compliance you need.
CloudHSM has availability-zone level HA built in and synchronizes keys in the background automatically. Firmware upgrades for the HSM are also completed automatically.
CloudHSM provides a high level of control, but removes many of the benefits that most AWS services provide in order to maintain the highest level of security.
The customer is responsible for:
- Developing and integrating
- Compliance (Avni: “CloudHSM really does nothing [for compliance] — you have to prove it”)
- User and credential management
- Management of the cluster
- Key management and enforcement
- Scaling (no autoscaling! Your cluster CAN be overloaded, unlike other KMS/ACM/Secrets Manager)
- No CloudTrail support (AWS can see that you are accessing your cluster but cannot see metadata about the keys)
Another major disadvantage is that you can lock yourself out, and if you do so, you’re toast. AWS cannot recover a cluster if you don’t have a backup prior to locking yourself out.
An aside: AWS KMS + CloudHSM
AWS KMS can be used in conjunction with CloudHSM in the form of a custom key store. Your organization still manages CloudHSM completely, and you grant access for KMS to access your CloudHSM cluster.
AWS cryptography services at a glance
Avni put together a great slide summarizing the cryptography services that AWS offers, which I have included below.
After Avni spoke about each of these services, she invited anyone to leave the room who was convinced that they don’t need CloudHSM. I took that opportunity to leave and grab an early lunch! I hope you learned something today. Please leave a comment or connect with me on LinkedIn if you have any questions. Thanks for reading!