Create a cluster in AWS CloudHSM
A cluster is a collection of individual hardware security modules (HSMs). AWS CloudHSM synchronizes
the HSMs in each cluster so that they function as a logical unit. AWS CloudHSM offers two types of
HSMs: hsm1.medium and hsm2m.medium. When you
create a cluster, you choose which of the two will be in your cluster. For details on the
differences between each HSM type and cluster mode, see AWS CloudHSM cluster modes.
When you create a cluster, AWS CloudHSM creates a security group for the cluster on your behalf.
This security group controls network access to the HSMs in the cluster. It allows inbound
connections only from Amazon Elastic Compute Cloud (Amazon EC2) instances that are in the security group. By
default, the security group doesn't contain any instances. Later, you launch a client instance and configure the cluster's security group to allow
communication and connections with the HSM.
You can create a cluster from the AWS CloudHSM
console, the AWS Command Line Interface (AWS CLI), or the
AWS CloudHSM API.
For details on cluster arguments and APIs, see create-cluster in the AWS CLI Command Reference.
- Console
To create a cluster (console)
Open the AWS CloudHSM console at
https://console.aws.amazon.com/cloudhsm/home.
-
On the navigation bar, use the region selector to choose one of the AWS Regions where AWS CloudHSM is currently
supported.
-
Choose Create cluster.
-
In the Cluster configuration section, do the
following:
-
For VPC, select the VPC that you created in Create a virtual private cloud (VPC) for AWS CloudHSM.
-
For Availability Zone(s), next to each Availability Zone, choose the
private subnet that you created.
Even if AWS CloudHSM is not supported in a given Availability Zone,
performance should not be affected, as AWS CloudHSM automatically load balances
across all HSMs in a cluster. See AWS CloudHSM Regions and
Endpoints in the AWS General Reference to see
Availability Zone support for AWS CloudHSM.
-
For HSM type, select the HSM type that can be created in your cluster along with the desired mode of the cluster. To see what HSM types are supported in each region, see the
AWS CloudHSM pricing calculator.
After the cluster is created, the HSM type and cluster mode cannot be changed. For information one which type and mode is right for your use case,
see AWS CloudHSM cluster modes.
-
For Cluster source, specify whether you want to create a new cluster or restore one from an existing backup.
-
Choose Next.
-
Specify how long the service should retain backups.
Accept the default retention period of 90 days or type a new value between 7 and
379 days. The service will automatically delete backups in this cluster older than
the value you specify here. You can change this later. For more information, see
Configure backup retention.
-
Choose Next.
-
(Optional) Type a tag key and an optional tag value. To add more than one tag to the
cluster, choose Add tag.
-
Choose Review.
-
Review your cluster configuration, and then choose Create
cluster.
If your attempts to create a cluster fail, it might be related to problems
with the AWS CloudHSM service-linked roles. For help on resolving the failure, see
Resolving AWS CloudHSM cluster creation
failures.
- AWS CLI
To create a cluster (AWS CLI)
-
At a command prompt, run the create-cluster command. Specify the HSM instance type, the
backup retention period, and the subnet IDs of the subnets where you plan to create
HSMs. Use the subnet IDs of the private subnets that you created. Specify only one
subnet per Availability Zone.
$
aws cloudhsmv2 create-cluster --hsm-type hsm1.medium \
--backup-retention-policy Type=DAYS,Value=<number of days>
\
--subnet-ids <subnet ID>
\
--mode FIPS
{
"Cluster": {
"BackupPolicy": "DEFAULT",
"BackupRetentionPolicy": {
"Type": "DAYS",
"Value": 90
},
"VpcId": "vpc-50ae0636",
"SubnetMapping": {
"us-west-2b": "subnet-49a1bc00",
"us-west-2c": "subnet-6f950334",
"us-west-2a": "subnet-fd54af9b"
},
"SecurityGroup": "sg-6cb2c216",
"HsmType": "hsm1.medium",
"Certificates": {},
"State": "CREATE_IN_PROGRESS",
"Hsms": [],
"ClusterId": "cluster-igklspoyj5v",
"ClusterMode": "FIPS",
"CreateTimestamp": 1502423370.069
}
}
ClusterMode
is a required parameter for all hsm types except hsm1.medium.--mode
:
$
aws cloudhsmv2 create-cluster --hsm-type hsm2m.medium \
--backup-retention-policy Type=DAYS,Value=<number of days>
\
--subnet-ids <subnet ID>
\
--mode NON_FIPS
If your attempts to create a cluster fail, it might be related to problems
with the AWS CloudHSM service-linked roles. For help on resolving the failure, see
Resolving AWS CloudHSM cluster creation
failures.
- AWS CloudHSM API
To create a cluster (AWS CloudHSM API)
-
Send a CreateCluster request. Specify the HSM instance type,
the backup retention policy, and the subnet IDs of the subnets where you plan to
create HSMs. Use the subnet IDs of the private subnets that you created. Specify
only one subnet per Availability Zone.
If your attempts to create a cluster fail, it might be related to problems
with the AWS CloudHSM service-linked roles. For help on resolving the failure, see
Resolving AWS CloudHSM cluster creation
failures.