AWS KMS Custom Key Store cannot connect to CloudHSM


I'm trying to connect an AWS KMS Custom Key Store to an active AWS CloudHSM cluster, but I consistently receive the following error during ConnectCustomKeyStore:

CloudHsmClusterInvalidConfigurationException The security group for this CloudHSM cluster does not allow KMS to connect.

✅ My setup:

  • CloudHSM cluster has 2 active HSMs in different AZs (eu-north-1a, eu-north-1b).
  • A VPC Endpoint for KMS was created and assigned to the same VPC and subnets as CloudHSM.
  • A dedicated security group (SG) was created for the KMS VPC endpoint.
  • This SG allows inbound HTTPS (443) only from the SG used by the CloudHSM cluster.
  • The CloudHSM SG allows TCP 2223–2225 from the SG used by the KMS VPC endpoint.
  • Network ACLs allow all TCP traffic in both directions.
  • kmsuser is not logged in, and the password is valid.
  • customerCA.crt used during Custom Key Store creation is valid and matches the cluster.

📉 Troubleshooting attempts:

  • I've deleted and recreated the Custom Key Store and KMS endpoint multiple times.
  • I’ve tried temporarily allowing all inbound traffic (0.0.0.0/0) — same result.
  • I’ve verified in CloudTrail that the request reaches KMS and fails at SG validation.
  • No ENI was created by KMS in the subnets.

❗ I also manually created an ENI, attached the correct security group, and placed it in the correct subnet — but that did not help.

❓ Any ideas? What could prevent KMS from establishing the ENI connection to CloudHSM, even if all network components are configured correctly?

asked 13 days ago · 33 views
1 Answer

Key things to address:

  1. VPC Endpoint Not Used: The KMS VPC endpoint you created isn't used for Custom Key Store connections. KMS uses its own managed ENI, so the endpoint is irrelevant here.

  2. Security Group Blocking KMS ENI: KMS creates a hidden ENI during connection. Your CloudHSM’s security group must allow inbound TCP ports 2223–2225 from any source, since KMS’s managed ENI uses a security group you can't control. Temporarily set this rule on the CloudHSM SG:

    TCP 2223–2225 from 0.0.0.0/0

    If this works, you can later restrict the range.

  3. Subnet and AZ Mismatch: Ensure the subnets you selected when creating the custom key store:

    • Are in the same VPC as CloudHSM
    • Match the same availability zones (e.g., eu-north-1a, eu-north-1b)
    • Have free IPs and aren’t blocking ENI creation

  4. Manual ENIs Won’t Help: Manually creating ENIs doesn’t work—KMS won’t use them. It must create and manage its own.

If no ENI appears when you run ConnectCustomKeyStore, it likely means subnet or SG configuration is stopping the process before any connection attempt is made.

answered 12 days ago
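As an added example (not part of the question or the answer above), the following Python checks the two failure points the answer raises offline: whether a CloudHSM security group admits TCP 2223–2225 from a chosen source (a CIDR such as the 0.0.0.0/0 the answer suggests for a temporary test, or an sg- id), and whether candidate custom key store subnets sit in the cluster's VPC and AZs with a free IP. Inputs follow the record shapes of EC2 describe-security-groups / describe-subnets and CloudHSM describe-clusters; the sample records are constructed.

```python
from ipaddress import ip_network

HSM_PORTS = (2223, 2225)  # TCP range KMS must reach on the HSMs

def rule_covers(perm, lo, hi, source):
    """True if one EC2 IpPermissions entry allows TCP lo..hi from `source`
    (a CIDR string or an sg- id). Protocol -1 means all traffic."""
    proto = perm.get("IpProtocol")
    if proto not in ("tcp", "-1"):
        return False
    if proto == "tcp" and not (perm.get("FromPort", 0) <= lo and perm.get("ToPort", 65535) >= hi):
        return False  # rule does not span the whole 2223-2225 range
    if source.startswith("sg-"):
        return any(g.get("GroupId") == source for g in perm.get("UserIdGroupPairs", []))
    want = ip_network(source, strict=False)
    return any(want.subnet_of(ip_network(r["CidrIp"], strict=False)) for r in perm.get("IpRanges", []))

def sg_allows_hsm_ports(sg, source):
    """Does this security group record admit TCP 2223-2225 from `source`?"""
    return any(rule_covers(p, *HSM_PORTS, source) for p in sg.get("IpPermissions", []))

def subnet_problems(cluster, subnets):
    """List issues with candidate key store subnets versus a describe-clusters
    record: wrong VPC, an AZ with no HSM, or no free IP for the ENI KMS creates."""
    cluster_azs = {h["AvailabilityZone"] for h in cluster["Hsms"]}
    issues = []
    for s in subnets:
        if s["VpcId"] != cluster["VpcId"]:
            issues.append(f"{s['SubnetId']}: not in cluster VPC {cluster['VpcId']}")
        if s["AvailabilityZone"] not in cluster_azs:
            issues.append(f"{s['SubnetId']}: AZ {s['AvailabilityZone']} has no HSM")
        if s["AvailableIpAddressCount"] < 1:
            issues.append(f"{s['SubnetId']}: no free IP for the KMS-managed ENI")
    return issues

# Constructed sample records (not from any real account).
HSM_SG = {"GroupId": "sg-hsm", "IpPermissions": [
    {"IpProtocol": "tcp", "FromPort": 2223, "ToPort": 2225,
     "UserIdGroupPairs": [{"GroupId": "sg-hsm"}], "IpRanges": []}]}
CLUSTER = {"VpcId": "vpc-1", "Hsms": [{"AvailabilityZone": "eu-north-1a"},
                                      {"AvailabilityZone": "eu-north-1b"}]}
SUBNETS = [
    {"SubnetId": "subnet-a", "VpcId": "vpc-1", "AvailabilityZone": "eu-north-1a", "AvailableIpAddressCount": 200},
    {"SubnetId": "subnet-c", "VpcId": "vpc-1", "AvailabilityZone": "eu-north-1c", "AvailableIpAddressCount": 0}]

if __name__ == "__main__":
    print("self-referencing rule ok:", sg_allows_hsm_ports(HSM_SG, "sg-hsm"))
    print("open to 0.0.0.0/0:", sg_allows_hsm_ports(HSM_SG, "0.0.0.0/0"))
    for issue in subnet_problems(CLUSTER, SUBNETS):
        print("subnet issue:", issue)
```

Feed it the JSON from the three describe calls for your own cluster to see which of the answer's points applies before opening the rule up.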
