Q: What is AWS CloudHSM?

The AWS CloudHSM service helps you meet corporate, contractual, and regulatory compliance requirements for data security by using dedicated Hardware Security Module (HSM) instances within the AWS cloud. AWS and AWS Marketplace partners offer a variety of solutions for protecting sensitive data within the AWS platform, but for some applications and data subject to contractual or regulatory mandates for managing cryptographic keys, additional protection may be necessary. CloudHSM complements existing data protection solutions and allows you to protect your encryption keys within HSMs that are designed and validated to government standards for secure key management. CloudHSM allows you to securely generate, store, and manage the cryptographic keys used for data encryption so that the keys are accessible only by you.

Q: What is a Hardware Security Module (HSM)?

A Hardware Security Module (HSM) provides secure key storage and cryptographic operations within a tamper-resistant hardware device. HSMs are designed to securely store cryptographic key material and use the key material without exposing it outside the cryptographic boundary of the hardware.

Q: What can I do with CloudHSM?

You can use the CloudHSM service to support a variety of use cases and applications, such as database encryption, Digital Rights Management (DRM), Public Key Infrastructure (PKI), authentication and authorization, document signing, and transaction processing.

Q: How does CloudHSM work?

When you use the AWS CloudHSM service you create a CloudHSM Cluster. Clusters can contain multiple HSMs, spread across multiple Availability Zones in a region. HSMs in a cluster are automatically synchronized and load-balanced. You receive dedicated, single-tenant access to each HSM in your cluster. Each HSM appears as a network resource in your Amazon Virtual Private Cloud (VPC). Adding and removing HSMs from your Cluster is a single call to the AWS CloudHSM API (or on the command line using the AWS CLI). After creating and initializing a CloudHSM Cluster, you can configure a client on your EC2 instance that allows your applications to use the cluster over a secure, authenticated network connection.

The service automatically monitors the health of your HSMs, but no AWS personnel have access to your keys or data. Your applications use standard cryptographic APIs, in conjunction with HSM client software installed on the application instance, to send cryptographic requests to the HSM. The client software maintains a secure channel to all of the HSMs in your cluster and sends requests on this channel, and the HSM performs the operations and returns the results over the secure channel. The client then returns the result to the application through the cryptographic API.

Q: I don’t currently have a VPC. Can I still use AWS CloudHSM?

No. To protect and isolate your AWS CloudHSM from other Amazon customers, CloudHSM must be provisioned inside an Amazon VPC. Creating a VPC is easy. Please see the VPC Getting Started Guide for more information.

Q: Does my application need to reside in the same VPC as the CloudHSM Cluster?

No, but the server or instance on which your application and the HSM client are running must have network (IP) reachability to all HSMs in the cluster. You can establish network connectivity from your application to the HSM in many ways, including operating your application in the same VPC, with VPC peering, with a VPN connection, or with Direct Connect. Please see the VPC Peering Guide and VPC User Guide for more details.

Q: Does CloudHSM work with on-premises HSMs?

Yes. While CloudHSM does not interoperate directly with on-premises HSMs, you can securely transfer exportable keys between CloudHSM and most commercial HSMs using one of several supported RSA key wrap methods.

Q: How can my application use CloudHSM?

We have integrated and tested CloudHSM with a number of third-party software solutions such as Oracle Database 11g and 12c and Web servers including Apache and Nginx for SSL offload. Please see the CloudHSM User Guide for more information.

If you are developing your own custom application, your application can use the standard APIs supported by CloudHSM, including PKCS#11 and Java JCA/JCE (Java Cryptography Architecture/Java Cryptography Extensions), or Microsoft CAPI/CNG. Please refer to the CloudHSM User Guide for code samples and help with getting started.

If you are moving an existing workload from CloudHSM Classic or on-premises HSMs to CloudHSM, our CloudHSM migration guide provides information on how to plan and execute your migration.

Q: Can I use CloudHSM to store keys or encrypt data used by other AWS services?

Yes. You can do all encryption in your CloudHSM-integrated application. In this case, AWS services such as Amazon S3 or Amazon Elastic Block Store (EBS) would only see your data encrypted.
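The two answers above (RSA key wrap for moving exportable keys, and doing all encryption in the application so that S3 or EBS only ever sees ciphertext) describe one pattern, shown here as an added Go example that is not AWS code: a one-time AES-256 data key encrypts the record, and that data key is wrapped with RSA-OAEP under a wrapping key. The RSA key pair is generated in software purely as a stand-in for the HSM-resident key; with a real cluster the private half never leaves the HSM and the unwrap in Open is performed there through the PKCS#11 or JCE provider.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
)

// Envelope is all that reaches S3 or EBS: ciphertext, nonce, and the data key
// wrapped under the HSM-held RSA key. No plaintext key material is stored.
type Envelope struct{ WrappedKey, Nonce, Ciphertext []byte }

func must(err error) {
	if err != nil {
		panic(err)
	}
}

func gcmFor(key []byte) cipher.AEAD {
	block, err := aes.NewCipher(key)
	must(err)
	gcm, err := cipher.NewGCM(block)
	must(err)
	return gcm
}

// Seal generates a one-time AES-256 data key, encrypts plaintext with AES-GCM,
// and wraps the data key with RSA-OAEP under the HSM's public wrapping key.
func Seal(wrapPub *rsa.PublicKey, plaintext []byte) Envelope {
	dataKey, nonce := make([]byte, 32), make([]byte, 12)
	rand.Read(dataKey) // crypto/rand.Read never returns an error since Go 1.24
	rand.Read(nonce)
	wrapped, err := rsa.EncryptOAEP(sha256.New(), rand.Reader, wrapPub, dataKey, nil)
	must(err)
	return Envelope{wrapped, nonce, gcmFor(dataKey).Seal(nil, nonce, plaintext, nil)}
}

// Open unwraps the data key and decrypts. With a real cluster the unwrap runs
// inside the HSM via PKCS#11 or JCE, so the private key never leaves the device.
func Open(wrapPriv *rsa.PrivateKey, env Envelope) ([]byte, error) {
	dataKey, err := rsa.DecryptOAEP(sha256.New(), rand.Reader, wrapPriv, env.WrappedKey, nil)
	if err != nil {
		return nil, err // wrong wrapping key or tampered blob
	}
	return gcmFor(dataKey).Open(nil, env.Nonce, env.Ciphertext, nil)
}
```

Open fails closed: a wrapped key produced under a different RSA key, or any bit flipped in the ciphertext, is rejected rather than yielding garbage.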

Q: Can other AWS services use CloudHSM to store and manage keys?

AWS services integrate with AWS Key Management Service, which in turn is integrated with AWS CloudHSM through the KMS custom key store feature. If you want to use the server-side encryption offered by many AWS services (such as EBS, S3, or Amazon RDS), you can do so by configuring a custom key store in AWS KMS.

Q: Can CloudHSM be used to perform personal identification number (PIN) block translation or other cryptographic operations used with debit payment transactions?

Currently, CloudHSM provides general-purpose HSMs. Over time we may provide payment functions. If this is of interest to you, please let us know.

Q: How do I get started with CloudHSM?

You can provision a CloudHSM Cluster in the CloudHSM Console, or with a few API calls through the AWS SDK or API. To learn more, please see the CloudHSM User Guide for information about getting started, the CloudHSM Documentation for information about the CloudHSM API, or the Tools for Amazon Web Services page for more information about the SDK.

Q: How do I terminate CloudHSM service?

You can use the CloudHSM console, API, or SDK to delete your HSMs and stop using the service. Please refer to the CloudHSM User Guide for further instructions.

Which solution will improve the performance of the application when it is moved to AWS?

Answer: Create an Amazon Aurora MySQL Multi-AZ DB cluster with multiple read replicas.

What is a reliable and durable solution for a solutions architect to implement that will reduce the cost of local storage?

D) Deploy an AWS Storage Gateway volume gateway configured in stored volume mode.

A company needs to maintain access logs for a minimum of 5 years due to regulatory requirements.

Which set of actions will improve website performance for users worldwide?

Amazon CloudFront is a content delivery network (CDN) that improves website performance by caching content at edge locations around the world. It can serve both dynamic and static content. This is the best solution for improving the performance of the website.

How many questions are on the AWS solutions architect Associate exam?

This course introduces the AWS Certified Solutions Architect - Associate learning path. The AWS Solutions Architect exam has 65 questions, and you will have 130 minutes to complete it. That is just over two hours; if you do the math, you have about two minutes to answer each question.