Amazon CloudHSM security doubt
Hello. Basically, as I understand it, physical HSMs are managed by a team of people who have a physical key to reset the HSM itself. That is, these people, let's say there are 3 of them, have 3 keys, and each of them is needed to start or reset the HSM. In the cloud, however, for example with Amazon's CloudHSM, how does this happen? Why can't Amazon take the content of our CloudHSM? This team of people doesn't exist, so they still have full control of our encryption keys. Who has the CloudHSM primary key? Am I right? What am I missing?
Thank you very much
Main keys for the HSM are established when a cluster is allocated and the customer establishes a Crypto Officer. Neither the CloudHSM service infrastructure nor anyone at AWS has any access to the main key (or any keys protected by that key), because the CO credentials are known only to the customer.
Cluster management and backup are managed with an additional key which allows backup and recovery of HSM main keys and configurations without exposing keys to AWS. This is detailed in: https://docs.aws.amazon.com/cloudhsm/latest/userguide/backups.html
The CO credentials are only known to the customer, but AWS may save them somewhere before they are forwarded to the HSM. No? Is this possible?
When you provision a CloudHSM cluster, there are several user types:
- Precrypto Officer (PRECO): the default administrator when you provision CloudHSM. Disappears once you create your first user.
- (Primary) Crypto Officer (PCO and CO): the first user is the PCO, who can then provision other COs. PCO and COs have the same permissions. They perform user management and that's all.
- Crypto User (CU) can do:
  - Key management: create, delete, share, import and export cryptographic keys
  - Cryptographic operations: use keys for encryption, decryption, signing, verifying etc.
- Appliance User (AU): can perform cloning and synchronisation operations. CloudHSM uses the AU to synchronise the HSMs in a cluster. The AU exists on all HSMs and has limited permissions.
Setup of your cluster involves a number of steps including verifying authenticity, signing the cluster CSR (Certificate Signing Request), setting up a cluster management instance and running the HSM command-line management utility on it.
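The two setup steps named above, "verifying authenticity" and "signing the cluster CSR", are where the customer (not AWS) becomes the trust anchor of the cluster, so they are worth seeing as commands. The script below is an added example written for this thread; it is not code from the re:Post answer or from AWS. It runs offline against locally constructed stand-ins (a "cluster" key pair and a self-signed stand-in for the HSM certificate, which on a real cluster would instead chain to the AWS and manufacturer root certificates published in the user guide). All file names and certificate subjects are assumptions chosen for the demo; the `openssl x509 -req` signing step mirrors the user guide's command.

```shell
#!/bin/sh
# Added example, not code from the re:Post thread or from AWS. It exercises the
# two setup steps named in the answer against locally constructed stand-ins so
# that it runs offline. Every file name and subject below is an assumption.
set -eu

WORK="${WORK:-$(mktemp -d)}"

# Constructed stand-in for a cluster. In a real cluster the key never leaves
# the HSM; the customer downloads only the CSR and the certificates with
# `aws cloudhsmv2 describe-clusters`.
make_stand_in_cluster() {
  openssl genrsa -out "$WORK/cluster.key" 2048 2>/dev/null
  openssl req -new -key "$WORK/cluster.key" -subj "/CN=stand-in-cluster" \
    -out "$WORK/cluster_ClusterCsr.csr" 2>/dev/null
  # Stand-in for the HSM certificate: self-signed over the same key pair. On a
  # real cluster this certificate chains to the AWS and manufacturer roots, and
  # verifying that chain is what proves the CSR came from genuine HSM hardware.
  openssl req -x509 -new -key "$WORK/cluster.key" -days 1 \
    -subj "/CN=stand-in-hsm" -out "$WORK/cluster_HsmCertificate.crt" 2>/dev/null
  # An unrelated certificate, used to show that a key mismatch is caught.
  openssl req -x509 -new -newkey rsa:2048 -nodes -days 1 -subj "/CN=unrelated" \
    -keyout "$WORK/unrelated.key" -out "$WORK/unrelated.crt" 2>/dev/null
}

# The customer's issuing CA. Its private key is the trust anchor for the
# cluster and is held only by the customer. Outside this unattended demo the
# key should be passphrase-protected (e.g. genrsa -aes256) instead of -nodes.
make_customer_ca() {
  openssl req -x509 -new -newkey rsa:2048 -nodes -days 3652 \
    -subj "/CN=customer-ca" \
    -keyout "$WORK/customerCA.key" -out "$WORK/customerCA.crt" 2>/dev/null
}

# Authenticity check: the public key in the cluster CSR must be the one in the
# HSM certificate; otherwise the CSR was not produced by that HSM and must not
# be signed. Returns 0 on match, 1 otherwise.
csr_matches_hsm_cert() {
  csr_pub=$(openssl req -in "$1" -noout -pubkey 2>/dev/null)
  crt_pub=$(openssl x509 -in "$2" -noout -pubkey 2>/dev/null)
  [ -n "$csr_pub" ] && [ "$csr_pub" = "$crt_pub" ]
}

# Sign the cluster CSR with the customer CA ($1 = CSR, $2 = output cert).
sign_cluster_csr() {
  openssl x509 -req -days 3652 -in "$1" -CA "$WORK/customerCA.crt" \
    -CAkey "$WORK/customerCA.key" -CAcreateserial -out "$2" 2>/dev/null
}

# Confirm the issued certificate chains to the customer CA.
verify_against_customer_ca() {
  openssl verify -CAfile "$WORK/customerCA.crt" "$1" >/dev/null 2>&1
}

# Full flow: build stand-ins, check the CSR, refuse a foreign CSR, sign, verify.
run_demo() {
  make_stand_in_cluster
  make_customer_ca
  csr="$WORK/cluster_ClusterCsr.csr"
  csr_matches_hsm_cert "$csr" "$WORK/cluster_HsmCertificate.crt" || return 1
  if csr_matches_hsm_cert "$csr" "$WORK/unrelated.crt"; then return 1; fi
  sign_cluster_csr "$csr" "$WORK/cluster_CustomerHsmCertificate.crt"
  verify_against_customer_ca "$WORK/cluster_CustomerHsmCertificate.crt" || return 1
  echo ok
}

run_demo
```

The point the demo makes about the question above: the signing CA key exists only on the customer side, so the certificate the cluster trusts is one AWS never had the material to issue, and the public-key comparison (plus, on a real cluster, the chain check against the AWS and manufacturer roots) is what stops a CSR from anything other than genuine HSM hardware being signed.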