Adding or removing HSMs in an AWS CloudHSM cluster

To scale up or down your AWS CloudHSM cluster, add or remove HSMs by using the AWS CloudHSM console or one of the AWS SDKs or command line tools. We recommend load testing your cluster to determine the peak load you should anticipate, and then add one more HSM to it to ensure high availability.

Adding an HSM

The following figure illustrates the events that occur when you add an HSM to a cluster.

Animation showing the events that occur when you add an HSM to a cluster.

You add a new HSM to a cluster. The following procedures explain how to do this from the AWS CloudHSM console, the AWS Command Line Interface (CLI), and the AWS CloudHSM API.

This is the only action that you take. The remaining events occur automatically.
AWS CloudHSM makes a backup copy of an existing HSM in the cluster. For more information, see Backups.
AWS CloudHSM restores the backup onto the new HSM. This ensures that the HSM is in sync with the others in the cluster.
The existing HSMs in the cluster notify the AWS CloudHSM client that there's a new HSM in the cluster.
The client establishes a connection to the new HSM.

To add an HSM (console)

Open the AWS CloudHSM console at https://console.aws.amazon.com/cloudhsm/home.
Choose a cluster for the HSM that you are adding.
On the HSMs tab, choose Create HSM.
Choose an Availability Zone (AZ) for the HSM that you are creating. Then choose Create.

To add an HSM (CLI)

At a command prompt, issue the create-hsm command, specifying a cluster ID and an Availability Zone for the HSM that you are creating. If you don't know the cluster ID of your preferred cluster, issue the describe-clusters command. Specify the Availability Zone in the form of us-east-2a, us-east-2b, etc.


$ aws cloudhsmv2 create-hsm --cluster-id <cluster ID> --availability-zone <Availability Zone>
{
    "Hsm": {
        "State": "CREATE_IN_PROGRESS",
        "ClusterId": "cluster-5a73d5qzrdh",
        "HsmId": "hsm-lgavqitns2a",
        "SubnetId": "subnet-0e358c43",
        "AvailabilityZone": "us-east-2c",
        "EniId": "eni-bab18892",
        "EniIp": "10.0.3.10"
    }
}

To add an HSM (AWS CloudHSM API)

Send a CreateHsm request, specifying the cluster ID and an Availability Zone for the HSM that you are creating.

Removing an HSM

You can remove an HSM by using the AWS CloudHSM console, the CLI, or the AWS CloudHSM API.

To remove an HSM (console)

Open the AWS CloudHSM console at https://console.aws.amazon.com/cloudhsm/home.
Choose the cluster that contains the HSM that you are removing.
On the HSMs tab, choose the HSM that you are removing. Then choose Delete HSM.
Confirm that you want to delete the HSM. Then choose Delete.

To remove an HSM (CLI)

At a command prompt, issue the delete-hsm command. Pass the ID of the cluster that contains the HSM that you are deleting and one of the following HSM identifiers:
- The HSM ID (--hsm-id)
- The HSM IP address (--eni-ip)
- The HSM's elastic network interface ID (--eni-id)
If you don't know the values for these identifiers, issue the describe-clusters command.
```
$ aws cloudhsmv2 delete-hsm --cluster-id <cluster ID> --eni-ip <HSM IP address>
{
    "HsmId": "hsm-lgavqitns2a"
}
```

To remove an HSM (AWS CloudHSM API)

Send a DeleteHsm request, specifying the cluster ID and an identifier for the HSM that you are deleting.

Warning Javascript is disabled or is unavailable in your browser.

To use the Amazon Web Services Documentation, Javascript must be enabled. Please refer to your browser's Help pages for instructions.

Document Conventions

Connecting to the cluster

Deleting a cluster