Setting Up AWS CloudHSM to Work with Amazon RDS
To use AWS CloudHSM with an Oracle DB instance using TDE, you must first complete the tasks required to setup AWS CloudHSM. The tasks are explained in detail in the following sections.
Amazon RDS supports AWS CloudHSM for Oracle DB instances in the following regions: US East (N. Virginia), US West (Oregon), Asia Pacific (Seoul), Asia Pacific (Singapore), Asia Pacific (Sydney), Asia Pacific (Tokyo), EU (Frankfurt), EU (Ireland).
Completing the AWS CloudHSM Prerequisites
Follow the procedure in the Setting Up AWS CloudHSM section in the AWS CloudHSM User Guide to setup a AWS CloudHSM environment.
Installing the AWS CloudHSM Command Line Interface Tools
Follow the instructions in the Setting Up the AWS CloudHSM CLI Tools section in the AWS CloudHSM User Guide to install the AWS CloudHSM command line interface tools on your AWS CloudHSM control instance.
Configuring Your HSMs
The recommended configuration for using AWS CloudHSM with Amazon RDS is to use three AWS CloudHSM appliances configured into a high-availability (HA) partition group. A minimum of three HSMs are suggested for HA purposes. Even if two of your HSMs are unavailable, your keys will still be available to Amazon RDS.
Initializing an HSM sets the password for the HSM security officer account (also known as the HSM administrator). Record the security officer password on your Password Worksheet and do not lose it. We recommend that you print out a copy of the Password Worksheet, use it to record your AWS CloudHSM passwords, and store it in a secure place. We also recommended that you store at least one copy of this worksheet in secure off-site storage. AWS does not have the ability to recover your key material from an HSM for which you do not have the proper HSM security officer credentials.
To provision and initialize your HSMs using the AWS CloudHSM CLI tools, perform the following steps from your control instance:
Following the instructions in Creating Your HSMs with the CLI, provision the number of HSMs you need for your configuration. When you provision your HSMs, make note of the ARN of each HSM because you will need these to initialize your HSMs and create your high-availability partition group.
Following the instructions in Initializing Your HSMs, initialize each of your HSMs.
Creating Your High-Availability Partition Group
After your HSMs are initialized, create an HA partition group with the initialized HSMs. Creating an HA partition group is a three-step process. You create the HA partition group, add your HSMs to the HA partition group, and register the clients for use with the HA partition group.
To create and initialize an HA partition group
Following the instructions in the Create the HA Partition Group section in the AWS CloudHSM Command Line Interface Tools Reference, create your HA partition group. Save the HA partition group ARN returned from the create-hapg command for later use.
Save the partition password on your Password Worksheet.
Following the instructions in Registering a Client with a High-Availability Partition Group, create, register, and assign the clients to use with your HA partition group.
Repeat this process to add additional partitions if necessary. One partition can support multiple Oracle databases.