Connecting and disconnecting an Amazon CloudHSM key store - Amazon Key Management Service
Services or capabilities described in Amazon Web Services documentation might vary by Region. To see the differences applicable to the China Regions, see Getting Started with Amazon Web Services in China (PDF).

Connecting and disconnecting an Amazon CloudHSM key store

New Amazon CloudHSM key stores are not connected. Before you can create and use Amazon KMS keys in your Amazon CloudHSM key store, you need to connect it to its associated Amazon CloudHSM cluster. You can connect and disconnect your Amazon CloudHSM key store at any time, and view its connection state.

You are not required to connect your Amazon CloudHSM key store. You can leave an Amazon CloudHSM key store in a disconnected state indefinitely and connect it only when you need to use it. However, you might want to test the connection periodically to verify that the settings are correct and it can be connected.

Note

Amazon CloudHSM key stores have a DISCONNECTED connection state only when the key store has never been connected or you explicitly disconnect it. If your Amazon CloudHSM key store connection state is CONNECTED but you are having trouble using it, make sure that its associated Amazon CloudHSM cluster is active and contains at least one active HSMs. For help with connection failures, see Troubleshooting a custom key store.

Connecting an Amazon CloudHSM key store

When you connect an Amazon CloudHSM key store, Amazon KMS finds the associated Amazon CloudHSM cluster, connects to it, logs into the Amazon CloudHSM client as the kmsuser crypto user (CU), and then rotates the kmsuser password. Amazon KMS remains logged into the Amazon CloudHSM client as long as the Amazon CloudHSM key store is connected.

To establish the connection, Amazon KMS creates a security group named kms-<custom key store ID> in the virtual private cloud (VPC) of the cluster. The security group has a single rule that allows inbound traffic from the cluster security group. Amazon KMS also creates an elastic network interface (ENI) in each Availability Zone of the private subnet for the cluster. Amazon KMS adds the ENIs to the kms-<cluster ID> security group and the security group for the cluster. The description of each ENI is KMS managed ENI for cluster <cluster-ID>.

The connection process can take an extended amount of time to complete; up to 20 minutes.

Before you connect the Amazon CloudHSM key store, verify that it meets the requirements.

  • Its associated Amazon CloudHSM cluster must contain at least one active HSM. To find the number of HSMs in the cluster, view the cluster in the Amazon CloudHSM console or use the DescribeClusters operation. If necessary, you can add an HSM.

  • The cluster must have a kmsuser crypto user (CU) account, but that CU cannot be logged into the cluster when you connect the Amazon CloudHSM key store. For help with logging out, see How to log out and reconnect.

  • The connection state of the Amazon CloudHSM key store cannot be DISCONNECTING or FAILED. To view the connection state, use the Amazon KMS console or the DescribeCustomKeyStores response. If the connection state is FAILED, disconnect the custom key store, fix the problem, and then connect it.

For help with connection failures, see How to fix a connection failure.

When your Amazon CloudHSM key store is connected, you can create KMS keys in it and use existing KMS keys in cryptographic operations.

Disconnecting an Amazon CloudHSM key store

When you disconnect an Amazon CloudHSM key store, Amazon KMS logs out of the Amazon CloudHSM client, disconnects from the associated Amazon CloudHSM cluster, and removes the network infrastructure that it created to support the connection.

While an Amazon CloudHSM key store is disconnected, you can manage the Amazon CloudHSM key store and its KMS keys, but you cannot create or use KMS keys in the Amazon CloudHSM key store. The connection state of the key store is DISCONNECTED and the key state of KMS keys in the custom key store is Unavailable, unless they are PendingDeletion. You can reconnect the Amazon CloudHSM key store at any time.

When you disconnect a custom key store, the KMS keys in the key store become unusable right away (subject to eventual consistency). However, resources encrypted with data keys protected by the KMS key are not affected until the KMS key is used again, such as to decrypt the data key. This issue affects Amazon Web Services, many of which use data keys to protect your resources. For details, see How unusable KMS keys affect data keys.

Note

While a custom key store is disconnected, all attempts to create KMS keys in the custom key store or to use existing KMS keys in cryptographic operations will fail. This action can prevent users from storing and accessing sensitive data.

To better estimate the effect of disconnecting your custom key store, identify the KMS keys in the custom key store and determine their past use.

You might disconnect an Amazon CloudHSM key store for reasons such as the following:

  • To rotate of the kmsuser password. Amazon KMS changes the kmsuser password each time that it connects to the Amazon CloudHSM cluster. To force a password rotation, just disconnect and reconnect.

  • To audit the key material for the KMS keys in the Amazon CloudHSM cluster. When you disconnect the custom key store, Amazon KMS logs out of the kmsuser crypto user account in the Amazon CloudHSM client. This allows you to log into the cluster as the kmsuser CU and audit and manage the key material for the KMS key.

  • To immediately disable all KMS keys in the Amazon CloudHSM key store. You can disable and re-enable KMS keys in an Amazon CloudHSM key store by using the Amazon Web Services Management Console or the DisableKey operation. These operations complete quickly, but they act on one KMS key at a time. Disconnecting the Amazon CloudHSM key store immediately changes the key state of all KMS keys in the Amazon CloudHSM key store to Unavailable, which prevents them from being used in any cryptographic operation.

  • To repair a failed connection attempt. If an attempt to connect an Amazon CloudHSM key store fails (the connection state of the custom key store is FAILED), you must disconnect the Amazon CloudHSM key store before you try to connect it again.

Connect an Amazon CloudHSM key store (console)

To connect an Amazon CloudHSM key store in the Amazon Web Services Management Console, begin by selecting the Amazon CloudHSM key store from the Custom key stores page. The connection process can take up to 20 minutes to complete.

  1. Sign in to the Amazon Web Services Management Console and open the Amazon Key Management Service (Amazon KMS) console at https://console.amazonaws.cn/kms.

  2. To change the Amazon Web Services Region, use the Region selector in the upper-right corner of the page.

  3. In the navigation pane, choose Custom key stores, Amazon CloudHSM key stores.

  4. Choose the row of the Amazon CloudHSM key store you want to connect.

    If the connection state of the Amazon CloudHSM key store is FAILED, you must disconnect the custom key store before you connect it.

  5. From the Key store actions menu, choose Connect.

Amazon KMS begins the process of connecting your custom key store. It finds the associated Amazon CloudHSM cluster, builds the required network infrastructure, connects to it, logs into the Amazon CloudHSM cluster as the kmsuser CU, and rotates the kmsuser password. When the operation completes, the connection state changes to CONNECTED.

If the operation fails, an error message appears that describes the reason for the failure. Before you try to connect again, view the connection state of your Amazon CloudHSM key store. If it is FAILED, you must disconnect the custom key store before you connect it again. If you need help, see Troubleshooting a custom key store.

Next: Creating KMS keys in an Amazon CloudHSM key store.

Connect a custom key store (API)

To connect a disconnected Amazon CloudHSM key store, use the ConnectCustomKeyStore operation. The associated Amazon CloudHSM cluster must contain at least one active HSM and the connection state cannot be FAILED.

The connection process takes an extended amount of time to complete; up to 20 minutes. Unless it fails quickly, the operation returns an HTTP 200 response and a JSON object with no properties. However, this initial response does not indicate that the connection was successful. To determine the connection state of the custom key store, see the DescribeCustomKeyStores response.

The examples in this section use the Amazon Command Line Interface (Amazon CLI), but you can use any supported programming language.

To identify the Amazon CloudHSM key store, use its custom key store ID. You can find the ID on the Custom key stores page in the console or by using the DescribeCustomKeyStores operation with no parameters. Before running this example, replace the example ID with a valid one.

$ aws kms connect-custom-key-store --custom-key-store-id cks-1234567890abcdef0

To verify that the Amazon CloudHSM key store is connected, use the DescribeCustomKeyStores operation. By default, this operation returns all custom keys stores in your account and Region. But you can use either the CustomKeyStoreId or CustomKeyStoreName parameter (but not both) to limit the response to particular custom key stores. The ConnectionState value of CONNECTED indicates that the custom key store is connected to its Amazon CloudHSM cluster.

Note

The CustomKeyStoreType field was added to the DescribeCustomKeyStores response to distinguish Amazon CloudHSM key stores from external key stores.

$ aws kms describe-custom-key-stores --custom-key-store-id cks-1234567890abcdef0 { "CustomKeyStores": [ "CustomKeyStoreId": "cks-1234567890abcdef0", "CustomKeyStoreName": "ExampleCloudHSMKeyStore", "CloudHsmClusterId": "cluster-1a23b4cdefg", "CustomKeyStoreType": "AWS_CLOUDHSM", "TrustAnchorCertificate": "<certificate string appears here>", "CreationDate": "1.499288695918E9", "ConnectionState": "CONNECTED" ], }

If the ConnectionState value is failed, the ConnectionErrorCode element indicates the reason for the failure. In this case, Amazon KMS could not find an Amazon CloudHSM cluster in your account with the cluster ID cluster-1a23b4cdefg. If you deleted the cluster, you can restore it from a backup of the original cluster and then edit the cluster ID for the custom key store. For help responding to a connection error code, see How to fix a connection failure.

$ aws kms describe-custom-key-stores --custom-key-store-id cks-1234567890abcdef0 { "CustomKeyStores": [ "CustomKeyStoreId": "cks-1234567890abcdef0", "CustomKeyStoreName": "ExampleKeyStore", "CloudHsmClusterId": "cluster-1a23b4cdefg", "CustomKeyStoreType": "AWS_CLOUDHSM", "TrustAnchorCertificate": "<certificate string appears here>", "CreationDate": "1.499288695918E9", "ConnectionState": "FAILED" "ConnectionErrorCode": "CLUSTER_NOT_FOUND" ], }

Next: Creating KMS keys in an Amazon CloudHSM key store.

Disconnect an Amazon CloudHSM key store (console)

To disconnect a connected Amazon CloudHSM key store in the Amazon Web Services Management Console, begin by choosing the Amazon CloudHSM key store from the Custom Key Stores page.

  1. Sign in to the Amazon Web Services Management Console and open the Amazon Key Management Service (Amazon KMS) console at https://console.amazonaws.cn/kms.

  2. To change the Amazon Web Services Region, use the Region selector in the upper-right corner of the page.

  3. In the navigation pane, choose Custom key stores, Amazon CloudHSM key stores.

  4. Choose the row of the external key store you want to disconnect.

  5. From the Key store actions menu, choose Disconnect.

When the operation completes, the connection state changes from DISCONNECTING to DISCONNECTED. If the operation fails, an error message appears that describes the problem and provides help on how to fix it. If you need more help, see Troubleshooting a custom key store.

Disconnect an Amazon CloudHSM key store (API)

To disconnect a connected Amazon CloudHSM key store, use the DisconnectCustomKeyStore operation. If the operation is successful, Amazon KMS returns an HTTP 200 response and a JSON object with no properties.

The examples in this section use the Amazon Command Line Interface (Amazon CLI), but you can use any supported programming language.

This example disconnects an Amazon CloudHSM key store. Before running this example, replace the example ID with a valid one.

$ aws kms disconnect-custom-key-store --custom-key-store-id cks-1234567890abcdef0

To verify that the Amazon CloudHSM key store is disconnected, use the DescribeCustomKeyStores operation. By default, this operation returns all custom keys stores in your account and Region. But you can use either the CustomKeyStoreId and CustomKeyStoreName parameter (but not both) to limit the response to particular custom key stores. The ConnectionState value of DISCONNECTED indicates that this example Amazon CloudHSM key store is not connected to its Amazon CloudHSM cluster.

$ aws kms describe-custom-key-stores --custom-key-store-id cks-1234567890abcdef0 { "CustomKeyStores": [ "CloudHsmClusterId": "cluster-1a23b4cdefg", "ConnectionState": "DISCONNECTED", "CreationDate": "1.499288695918E9", "CustomKeyStoreId": "cks-1234567890abcdef0", "CustomKeyStoreName": "ExampleKeyStore", "CustomKeyStoreType": "AWS_CLOUDHSM", "TrustAnchorCertificate": "<certificate string appears here>" ], }