Considerations for AWS CloudHSM VPC endpoints Creating an interface VPC endpoint for AWS CloudHSM Creating a VPC endpoint policy for AWS CloudHSM

AWS CloudHSM and VPC endpoints

You can establish a private connection between your VPC and AWS CloudHSM by creating an interface VPC endpoint. Interface endpoints are powered by AWS PrivateLink, a technology that enables you to privately access AWS CloudHSM APIs without an internet gateway, NAT device, VPN connection, or AWS Direct Connect connection. Instances in your VPC don't need public IP addresses to communicate with AWS CloudHSM APIs. Traffic between your VPC and AWS CloudHSM does not leave the Amazon network.

Each interface endpoint is represented by one or more Elastic Network Interfaces in your subnets.

For more information, see Interface VPC endpoints (AWS PrivateLink) in the Amazon VPC User Guide.

Considerations for AWS CloudHSM VPC endpoints

Before you set up an interface VPC endpoint for AWS CloudHSM, ensure that you review Interface endpoint properties and limitations in the Amazon VPC User Guide.

AWS CloudHSM supports making calls to all of its API actions from your VPC.

Creating an interface VPC endpoint for AWS CloudHSM

You can create a VPC endpoint for the AWS CloudHSM service using either the Amazon VPC console or the AWS Command Line Interface (CLI). For more information, see Creating an interface endpoint in the Amazon VPC User Guide.

To create a VPC endpoint for AWS CloudHSM, use the following service name:


com.amazonaws.region.cloudhsmv2

For example, in the US West (Oregon) Region (us-west-2), the service name would be:


com.amazonaws.us-west-2.cloudhsmv2

To make it easier to use the VPC endpoint, you can enable a private DNS hostname for your VPC endpoint. If you select the Enable Private DNS Name option, the standard AWS CloudHSM DNS hostname (https://cloudhsmv2.<region>.amazonaws.com) resolves to your VPC endpoint.

This option makes it easier to use the VPC endpoint. The AWS SDKs and CLI use the standard AWS CloudHSM DNS hostname by default, so you do not need to specify the VPC endpoint URL in applications and commands.

For more information, see Accessing a service through an interface endpoint in the Amazon VPC User Guide.

Creating a VPC endpoint policy for AWS CloudHSM

You can attach an endpoint policy to your VPC endpoint that controls access to AWS CloudHSM. The policy specifies the following information:

The principal that can perform actions.
The actions that can be performed.
The resources on which actions can be performed.

For more information, see Controlling access to services with VPC endpoints in the Amazon VPC User Guide.

Example: VPC endpoint policy for AWS CloudHSM actions

The following is an example of an endpoint policy for AWS CloudHSM. When attached to an endpoint, this policy grants access to the listed AWS CloudHSM actions for all principals on all resources. See Identity and access management for AWS CloudHSM for other AWS CloudHSM actions and their corresponding IAM permissions.


{
   "Statement":[
      {
         "Principal":"*",
         "Effect":"Allow",
         "Action":[
            "cloudhsm:DescribeBackups",
            "cloudhsm:DescribeClusters",
            "cloudhsm:ListTags",
         ],
         "Resource":"*"
      }
   ]
}

Warning Javascript is disabled or is unavailable in your browser.

To use the Amazon Web Services Documentation, Javascript must be enabled. Please refer to your browser's Help pages for instructions.

Document Conventions

Infrastructure security

Update management