So we have seen KMS for encryption, but now let's look at CloudHSM. So with KMS, AWS will manage the software for the encryption and will have control over the encryption keys. But with CloudHSM, AWS will provision some encryption hardware. It's called an HSM device, so dedicated hardware, which is a hardware security module. And then, we are going to manage our own encryption keys entirely, not AWS. So we have full control over the encryption keys. The HSM device is going to be set up within the cloud of AWS, but it is tamper resistant, with FIPS 140-2 Level 3 compliance, which means that if anyone tries to access your HSM device manually, then they're going to be stopped and blocked. The CloudHSM device supports both symmetric and asymmetric encryption keys. So, that means that you can have, for example, SSL and TLS keys on top of it. There is no frontier, and to use the CloudHSM device you need to use the client software, which is quite complicated and out of scope right now.
There is an integration between Redshift and CloudHSM if you wanted to leverage CloudHSM for your database encryption and key management. CloudHSM is a really, really good candidate if you want to implement SSE-C type of encryption on top of S3, for example, because you are managing your own encryption keys and you are storing them into this CloudHSM. So, with CloudHSM, AWS will manage the hardware, whereas the service itself can be used on your own. The CloudHSM client is something you have to use to establish a connection into the CloudHSM service, and then you are going to manage the keys overall. So the IAM permissions are going to be used to do a create, read, update, and delete of an HSM cluster at a high level, but then you're going to use the CloudHSM software to manage the keys, and manage the users and their permissions to access the keys, which is different from KMS because in KMS, well, everything is managed using IAM. Now, the CloudHSM clusters can have high availability and they're spread across multiple AZs, so they're HA, and this is super important to understand. So, you're going to have two AZs.
One is going to be replicated from another, and your HSM client can connect to either. So how do we transparently leverage CloudHSM within the AWS services' encryption? Well, there is an integration between CloudHSM and KMS. How does that work? Well, in KMS, we're going to define a KMS custom key store, and that will be CloudHSM. And that means we can get CloudHSM encryption for EBS, S3, RDS, and so on. So how does that work? Well, we create a CloudHSM cluster, and we define a KMS custom key store that is going to be connected to our CloudHSM cluster. From there, if we create an RDS database instance that has an encrypted EBS volume with KMS encryption, well, internally this KMS encryption is going to be leveraging encryption keys within your CloudHSM cluster. The benefit of doing this is, number one, we are actually using our CloudHSM cluster, and number two, any API call made through KMS that reaches our CloudHSM cluster is going to be logged in CloudTrail.
So, if we compare CloudHSM and KMS, the tenancy of KMS is multi-tenant, whereas for CloudHSM it's single-tenant; they both have the same standard. The master keys are of three kinds on KMS: they're AWS owned, AWS managed, and customer managed CMK. Whereas for CloudHSM, it's only customer managed CMK, because AWS cannot access your HSM device. In terms of key type, it is very similar: symmetric, asymmetric, and digital signing for KMS, and symmetric, asymmetric, digital signing and hashing for CloudHSM. The only thing that you need to note is that right now, if you wanted to import an asymmetric key, you can only do it in CloudHSM. So, if you have an on-premises key management system that uses asymmetric keys, and you wanted to import it into AWS, the only option will be to use AWS CloudHSM. In terms of key accessibility, well, KMS is accessible in multiple regions, but because CloudHSM is deployed in a VPC, you can share it across VPCs using VPC peering. And so that means that it's going to be accessible across multiple regions if you want it to.
For cryptographic acceleration, well, you can set up none on KMS, but with CloudHSM you have SSL and TLS acceleration you can use at your load balancer level, or you can use Oracle TDE acceleration as well for your database that is Oracle based. For access and authentication, you have IAM for KMS, whereas CloudHSM has its own security mechanism to manage users and their permissions and their keys. And then finally, for high availability, well, KMS is a managed service and is always available, and CloudHSM will have multiple HSM devices over different availability zones. Other capabilities are CloudTrail and CloudWatch for KMS, whereas we have MFA support as well for CloudHSM. Finally, KMS is part of the free tier in AWS, whereas CloudHSM is not. So that's it for CloudHSM, I hope you liked it, and I will see you in the next lecture.