Amazon Relational Database Service
User Guide (API Version 2014-10-31)

Using AWS CloudHSM to Store Amazon RDS Oracle TDE Keys

You can use AWS CloudHSM with an Amazon RDS DB instance running Oracle Enterprise Edition to store keys when you use Oracle Transparent Data Encryption (TDE). AWS CloudHSM is a service that provides a hardware appliance called a hardware security module (HSM) that performs secure key storage and cryptographic operations. You enable an Amazon RDS DB instance to use AWS CloudHSM by setting up an HSM appliance, setting the proper permissions for cross-service access, and then setting up Amazon RDS and the DB instance that will use AWS CloudHSM.


Review the following availability and pricing information before you setup AWS CloudHSM:

  • Amazon RDS supports AWS CloudHSM for Oracle DB instances in the following regions: US East (N. Virginia), US West (Oregon), Asia Pacific (Seoul), Asia Pacific (Singapore), Asia Pacific (Sydney), Asia Pacific (Tokyo), EU (Frankfurt), EU (Ireland).

  • AWS CloudHSM pricing and free trial:

    CloudHSM pricing information is available on the CloudHSM pricing page. If you want to try the CloudHSM service for free, please review the free trial page for more information.

  • CloudHSM upfront fee refund (API and CLI Tools):

    You are charged an upfront fee for each new AWS CloudHSM instance that you create by using the CreateHsm API operation or the create-hsm AWS CLI command. If you accidentally provision an HSM instance that you don't need, first delete the HSM instance by using the DeleteHsm API operation or the delete-hsm AWS CLI command. You can then request a refund of the upfront fee at the AWS Support Center, by creating a new case and choosing Account and Billing Support.

The number of Oracle databases you can support on a single CloudHSM partition will depend on the rotation schedule you choose for your data. You should rotate your keys as often as your data needs require. The PCI-DSS documentation and the National Institute of Standards and Technology (NIST) provide guidance on appropriate key rotation frequency. You can maintain approximately 10,000 symmetric master keys per CloudHSM device. Note that after key rotation the old master key remains on the partition and is still counted against the per-partition maximum.

AWS CloudHSM works with Amazon Virtual Private Cloud (Amazon VPC). An appliance is provisioned inside your VPC with a private IP address that you specify, providing simple and private network connectivity to your Amazon RDS DB instance. Your HSM appliances are dedicated exclusively to you and are isolated from other AWS customers. For more information, see Amazon Virtual Private Cloud (VPCs) and Amazon RDS and Creating a DB Instance in a VPC.

To use AWS CloudHSM with an Amazon RDS Oracle DB instance, you must complete the following tasks, which are explained in detail in the following sections:

When you complete the entire setup, you should have the following AWS components.

  • An AWS CloudHSM control instance that will communicate with the HSM appliance using port 22, and the AWS CloudHSM endpoint. The AWS CloudHSM control instance is an Amazon EC2 instance that is in the same VPC as the HSMs and is used to manage the HSMs.

  • An Amazon RDS Oracle DB instance that will communicate with the Amazon RDS service endpoint, as well as the HSM appliance using port 1792.

			CloudHSM-RDS network