
AWS KMS Custom Key Store cannot connect to CloudHSM

0

I'm trying to connect an AWS KMS Custom Key Store to an active AWS CloudHSM cluster, but I consistently receive the following error during ConnectCustomKeyStore:

CloudHsmClusterInvalidConfigurationException The security group for this CloudHSM cluster does not allow KMS to connect.

✅ My setup: CloudHSM cluster has 2 active HSMs in different AZs (eu-north-1a, eu-north-1b).

A VPC Endpoint for KMS was created and assigned to the same VPC and subnets as CloudHSM.

A dedicated security group (SG) was created for the KMS VPC endpoint.

This SG allows inbound HTTPS (443) only from the SG used by the CloudHSM cluster.

The CloudHSM SG allows TCP 2223–2225 from the SG used by the KMS VPC endpoint.

Network ACLs allow all TCP traffic in both directions.

kmsuser is not logged in, and the password is valid.

customerCA.crt used during Custom Key Store creation is valid and matches the cluster.

📉 Troubleshooting attempts: I've deleted and recreated the Custom Key Store and KMS endpoint multiple times.

I’ve tried temporarily allowing all inbound traffic (0.0.0.0/0) — same result.

I’ve verified in CloudTrail that the request reaches KMS and fails at SG validation.

No ENI was created by KMS in the subnets.

❗ I also manually created an ENI, attached the correct security group, and placed it in the correct subnet — but that did not help.

❓ Any ideas? What could prevent KMS from establishing the ENI connection to CloudHSM, even if all network components are configured correctly?

Asked a year ago, 152 views
1 answer
0

Key things to address:

  1. VPC Endpoint Not Used: The KMS VPC endpoint you created isn't used for Custom Key Store connections. KMS uses its own managed ENI, so the endpoint is irrelevant here.

  2. Security Group Blocking KMS ENI: KMS creates a hidden ENI during connection. Your CloudHSM’s security group must allow inbound TCP ports 2223–2225 from any source, since KMS’s managed ENI uses a security group you can't control. Temporarily set this rule on the CloudHSM SG:

    TCP 2223–2225 from 0.0.0.0/0

    If this works, you can later restrict the range.

  3. Subnet and AZ Mismatch: Ensure the subnets you selected when creating the custom key store:

    • Are in the same VPC as CloudHSM
    • Match the same availability zones (e.g., eu-north-1a, eu-north-1b)
    • Have free IPs and aren’t blocking ENI creation

  4. Manual ENIs Won’t Help: Manually creating ENIs doesn’t work—KMS won’t use them. It must create and manage its own.

If no ENI appears when you run ConnectCustomKeyStore, it likely means subnet or SG configuration is stopping the process before any connection attempt is made.

Answered a year ago
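The check below is an added example, not code from the question, the answer or AWS. It inspects a security group in the dict shape that EC2 `DescribeSecurityGroups` returns and reports which sources may reach TCP 2223–2225 inbound and which destinations are reachable outbound, which is what the `CloudHsmClusterInvalidConfigurationException` in the question is about. The two sample groups are constructed, so the script runs offline; `missing_ingress_rule` proposes a self-referencing rule (source = the cluster security group itself, the form the default `cloudhsm-cluster-<id>-sg` group ships with) rather than `0.0.0.0/0`, so the ports are opened only to ENIs that carry that group. The optional `boto3` lookup at the end assumes credentials and the `boto3` package are present.

```python
"""Check whether a CloudHSM cluster security group opens TCP 2223-2225
for the ENIs that AWS KMS creates when connecting a custom key store.

Added example, not from the re:Post thread or AWS. Works on the
IpPermissions / IpPermissionsEgress structure of DescribeSecurityGroups.
"""

KMS_PORTS = (2223, 2225)  # CloudHSM client ports named in the thread


def _covers_ports(perm, first, last):
    """True if one IpPermission entry spans every port in [first, last]."""
    if perm.get("IpProtocol") == "-1":  # "-1" means all protocols and all ports
        return True
    if perm.get("IpProtocol") != "tcp":
        return False
    return perm.get("FromPort", -1) <= first and perm.get("ToPort", -1) >= last


def _rule_peers(perm):
    """CIDRs and referenced security groups named by a single rule."""
    peers = [r["CidrIp"] for r in perm.get("IpRanges", [])]
    peers += [r["CidrIpv6"] for r in perm.get("Ipv6Ranges", [])]
    peers += [g["GroupId"] for g in perm.get("UserIdGroupPairs", [])]
    return peers


def _peers_for(permissions):
    first, last = KMS_PORTS
    peers = []
    for perm in permissions:
        if _covers_ports(perm, first, last):
            peers.extend(_rule_peers(perm))
    return peers


def kms_ingress_sources(sg):
    """Sources allowed to reach TCP 2223-2225 on this group (empty = blocked)."""
    return _peers_for(sg.get("IpPermissions", []))


def kms_egress_destinations(sg):
    """Destinations this group may reach on TCP 2223-2225 (empty = blocked)."""
    return _peers_for(sg.get("IpPermissionsEgress", []))


def diagnose(sg):
    """Summarise the group; ports_open is necessary, not sufficient, for a
    successful ConnectCustomKeyStore (subnets and AZs also matter)."""
    inbound = kms_ingress_sources(sg)
    outbound = kms_egress_destinations(sg)
    return {
        "group": sg["GroupId"],
        "inbound_sources": inbound,
        "outbound_destinations": outbound,
        "ports_open": bool(inbound) and bool(outbound),
    }


def missing_ingress_rule(sg):
    """IpPermissions entry for authorize-security-group-ingress that opens the
    ports from the group itself, or None if inbound is already open."""
    if kms_ingress_sources(sg):
        return None
    return {
        "IpProtocol": "tcp",
        "FromPort": KMS_PORTS[0],
        "ToPort": KMS_PORTS[1],
        "UserIdGroupPairs": [{"GroupId": sg["GroupId"]}],
    }


# Constructed sample groups (placeholder ids, not real AWS output).
SG_BROKEN = {  # only HTTPS inbound, like the KMS-endpoint SG in the question
    "GroupId": "sg-0broken0000000000",
    "IpPermissions": [{"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443,
                       "IpRanges": [{"CidrIp": "10.0.0.0/16"}]}],
    "IpPermissionsEgress": [{"IpProtocol": "-1", "IpRanges": [{"CidrIp": "0.0.0.0/0"}]}],
}
SG_PARTIAL = {  # range stops one port short: 2225 is not covered
    "GroupId": "sg-0partial000000000",
    "IpPermissions": [{"IpProtocol": "tcp", "FromPort": 2223, "ToPort": 2224,
                       "UserIdGroupPairs": [{"GroupId": "sg-0partial000000000"}]}],
    "IpPermissionsEgress": [{"IpProtocol": "-1", "IpRanges": [{"CidrIp": "0.0.0.0/0"}]}],
}
SG_SELF = {  # self-referencing rules in both directions
    "GroupId": "sg-0self000000000000",
    "IpPermissions": [{"IpProtocol": "tcp", "FromPort": 2223, "ToPort": 2225,
                       "UserIdGroupPairs": [{"GroupId": "sg-0self000000000000"}]}],
    "IpPermissionsEgress": [{"IpProtocol": "tcp", "FromPort": 2223, "ToPort": 2225,
                             "UserIdGroupPairs": [{"GroupId": "sg-0self000000000000"}]}],
}

if __name__ == "__main__":
    import sys
    for sg in (SG_BROKEN, SG_PARTIAL, SG_SELF):
        print(diagnose(sg), missing_ingress_rule(sg))
    if len(sys.argv) > 1:  # optional live check: python check.py sg-xxxx (assumes boto3 + credentials)
        import boto3
        ec2 = boto3.client("ec2")
        live = ec2.describe_security_groups(GroupIds=[sys.argv[1]])["SecurityGroups"][0]
        print(diagnose(live), missing_ingress_rule(live))
```

Run it with the cluster's security group id as the only argument to see what the live group allows; an empty `inbound_sources` list is the condition the question's error message describes, and the rule returned by `missing_ingress_rule` can be passed straight to `authorize_security_group_ingress` once you have confirmed it is the change you want.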
