AWS CloudHSM
User Guide

Launch an Amazon EC2 Client Instance

To interact with and manage your AWS CloudHSM cluster and HSM instances, you must be able to communicate with the elastic network interfaces of your HSMs. The easiest way to do this is to use an Amazon EC2 instance in the same VPC as your cluster (see below). You can also use the following AWS resources to connect to your cluster:

Launch an EC2 Client

The AWS CloudHSM documentation typically assumes that you are using an EC2 instance in the same VPC and Availability Zone (AZ) in which you create your cluster.

To create an Amazon EC2 client instance

  1. Open the Amazon EC2 console at https://console.aws.amazon.com/ec2/.

  2. Choose Launch instance on the EC2 Dashboard.

  3. Select an Amazon Machine Image (AMI). Choose a Linux AMI or a Windows Server AMI.

    Note

    If you are using an AMI that uses Amazon Linux 2, see Known Issues for Amazon EC2 Instances Running Amazon Linux 2 for additional setup instructions.

  4. Choose an instance type and then choose Next: Configure Instance Details.

  5. For Network, choose the VPC that you previously created for your cluster.

  6. For Subnet, choose the public subnet that you created for the VPC.

  7. For Auto-assign Public IP, choose Enable.

  8. Choose Next: Add Storage and configure your storage.

  9. Choose Next: Add Tags and add any name–value pairs that you want to associate with the instance. We recommend that you at least add a name. Choose Add Tag and type a name for the Key and up to 255 characters for the Value.

  10. Choose Next: Configure Security Group.

  11. Select the default security group that was created for you when you created your cluster.

    Note

    To connect to a Windows Server EC2 instance, you must set one of your Inbound Rules to RDP(3389) to allow incoming TCP traffic on port 3389. To connect to a Linux EC2 instance, you must set one of your Inbound Rules to SSH(22) to allow incoming TCP traffic on port 22. Specify the source IP addresses that can connect to your instance. You should not specify 0.0.0.0/0 because that will open your instance to access by anyone.

    If you want your EC2 instance to be able to connect to the internet, set the Outbound Rules on your security group to allow ALL Traffic on all ports to a destination of 0.0.0.0/0.

    You cannot edit security groups on this page. To set inbound and outbound rules, create a new security group or use the Amazon EC2 console to update your security group rules.

  12. Choose Review and Launch.

  13. On the Review Instance Launch page, choose Launch.

  14. When prompted for a key pair, choose Create a new key pair, enter a name for the key pair, and then choose Download Key Pair. This is the only chance for you to save the private key file, so be sure to download it and store it in a safe place. You must provide the name of your key pair when you launch an instance and the corresponding private key each time that you connect to the instance. Then choose the key pair that you just created.

    Alternatively, you can use an existing key pair. Choose Choose an existing key pair, and then choose the desired key pair.

    Warning

    Don't choose Proceed without a key pair. If you launch your instance without a key pair, you won't be able to connect to it.

    When you are ready, select the acknowledgement check box, and then choose Launch Instances.
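The security group note under step 11 warns against an SSH (22) or RDP (3389) inbound rule whose source is 0.0.0.0/0. The following added example (not code from the AWS CloudHSM guide) audits a security group description, in the shape returned by `aws ec2 describe-security-groups`, for exactly that mistake. It goes slightly beyond the note by also catching the IPv6 equivalent `::/0`, an all-protocols rule (`IpProtocol` of `-1`), and a TCP port range that happens to include 22 or 3389. The group IDs and CIDRs in the sample data are constructed and hypothetical.

```python
# Added example, not part of the AWS CloudHSM guide: audit the inbound rules of a
# security group (shape of `aws ec2 describe-security-groups` output) for an
# SSH (22) or RDP (3389) rule whose source is 0.0.0.0/0 or ::/0, which exposes
# the EC2 client instance to the whole internet.

ADMIN_PORTS = {22: "SSH", 3389: "RDP"}
ANY_IPV4 = "0.0.0.0/0"
ANY_IPV6 = "::/0"


def _rule_covers_port(perm, port):
    """True if one IpPermissions entry admits TCP traffic to `port`.

    IpProtocol "-1" means all protocols and all ports; a TCP rule covers the
    inclusive range FromPort..ToPort.
    """
    proto = perm.get("IpProtocol")
    if proto == "-1":
        return True
    if proto != "tcp":
        return False
    return perm.get("FromPort", -1) <= port <= perm.get("ToPort", -1)


def _open_sources(perm):
    """Yield the world-open CIDRs referenced by one IpPermissions entry."""
    for r in perm.get("IpRanges", []):
        if r.get("CidrIp") == ANY_IPV4:
            yield ANY_IPV4
    for r in perm.get("Ipv6Ranges", []):
        if r.get("CidrIpv6") == ANY_IPV6:
            yield ANY_IPV6


def find_world_open_admin_ports(security_group):
    """Return sorted (port, service, cidr) findings for inbound rules that
    expose SSH or RDP to any address.  An empty list means the group follows
    the guide's advice of restricting the source addresses."""
    findings = set()
    for perm in security_group.get("IpPermissions", []):
        for port, name in ADMIN_PORTS.items():
            if not _rule_covers_port(perm, port):
                continue
            for cidr in _open_sources(perm):
                findings.add((port, name, cidr))
    return sorted(findings)


# Constructed sample groups (hypothetical IDs and CIDRs, not from the guide).
# BAD_GROUP opens SSH to all IPv4 and, via a 3000-4000 range, RDP to all IPv6;
# GOOD_GROUP limits both ports to one office range, as the guide recommends;
# ALL_TRAFFIC_GROUP is the "-1" all-protocols rule open to everyone.
BAD_GROUP = {
    "GroupId": "sg-0123456789abcdef0",
    "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
         "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": []},
        {"IpProtocol": "tcp", "FromPort": 3000, "ToPort": 4000,
         "IpRanges": [], "Ipv6Ranges": [{"CidrIpv6": "::/0"}]},
    ],
}

GOOD_GROUP = {
    "GroupId": "sg-0fedcba9876543210",
    "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
         "IpRanges": [{"CidrIp": "203.0.113.0/24"}], "Ipv6Ranges": []},
        {"IpProtocol": "tcp", "FromPort": 3389, "ToPort": 3389,
         "IpRanges": [{"CidrIp": "203.0.113.0/24"}], "Ipv6Ranges": []},
    ],
}

ALL_TRAFFIC_GROUP = {
    "GroupId": "sg-00000000000000000",
    "IpPermissions": [
        {"IpProtocol": "-1", "IpRanges": [{"CidrIp": "0.0.0.0/0"}]},
    ],
}


if __name__ == "__main__":
    for sg in (BAD_GROUP, GOOD_GROUP, ALL_TRAFFIC_GROUP):
        found = find_world_open_admin_ports(sg)
        print(f"{sg['GroupId']}: {'OK' if not found else 'EXPOSED'}")
        for port, name, cidr in found:
            print(f"  {name} ({port}/tcp) open to {cidr}")
```

To run it against a real group, replace the constructed dictionaries with the `SecurityGroups` entries parsed from `aws ec2 describe-security-groups --group-ids <id>` output; a non-empty result is the condition the guide's note tells you to avoid, and the fix is to replace the offending rule's source with the specific address ranges that need to reach the instance.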

For more information about creating a Linux Amazon EC2 client, see Getting Started with Amazon EC2 Linux Instances. For information about connecting to the running client, see the following topics:

For more information about creating a Windows Amazon EC2 client, see Getting Started with Amazon EC2 Windows Instances. For more information about connecting to your Windows client, see Connect to Your Windows Instance.

Note that you can use your EC2 instance to run all of the AWS CLI commands contained in this guide. If the AWS CLI is not installed, you can download it from AWS Command Line Interface. If you are using Windows, you can download and run a 64-bit or 32-bit Windows installer. If you are using Linux or macOS, you can install the CLI using pip.

To communicate with the HSMs in your cluster, you must install the AWS CloudHSM client software on your instance. For more information if you are using Linux, see Install the Client (Linux). For more information if you are using Windows, see Install the Client (Windows).
