AWS Security ChangesHomeSearch

AWS cloudhsm medium security documentation change

Service: cloudhsm · 2025-04-28 · Security-related medium

File: cloudhsm/latest/userguide/cloudhsm_cli-multi-cluster-add-cluster.md

Summary

Renamed CLI parameters from server-client to client-hsm-tls and updated mutual authentication documentation to emphasize HSM trust anchor requirements

Security assessment

The changes clarify mutual TLS authentication between client and HSM, requiring trust anchor registration. This directly impacts secure communication configuration, making it security-related documentation. The parameter renaming and trust anchor requirements suggest enhanced security practices.

Diff

diff --git a/cloudhsm/latest/userguide/cloudhsm_cli-multi-cluster-add-cluster.md b/cloudhsm/latest/userguide/cloudhsm_cli-multi-cluster-add-cluster.md
index e480ba9b2..2ee646998 100644
--- a//cloudhsm/latest/userguide/cloudhsm_cli-multi-cluster-add-cluster.md
+++ b//cloudhsm/latest/userguide/cloudhsm_cli-multi-cluster-add-cluster.md
@@ -19,2 +19,2 @@ When connecting to multiple clusters, use the `configure-cli add-cluster` comman
-            [--server-client-cert-file <CLIENT CERTIFICATE FILE>]
-            [--server-client-key-file <CLIENT KEY FILE>]
+            [--client-cert-hsm-tls-file <CLIENT CERTIFICATE FILE>]
+            [--client-key-hsm-tls-file <CLIENT KEY FILE>]
@@ -95 +95 @@ Required: No
-**\--server-client-cert-file`<Client Certificate Filepath>`**
+**\--client-cert-hsm-tls-file`<client certificate hsm tls path>`**
@@ -98 +98 @@ Required: No
-Path to the client certificate used for TLS client-server mutual authentication. 
+Path to the client certificate used for TLS client-HSM mutual authentication. 
@@ -100 +100 @@ Path to the client certificate used for TLS client-server mutual authentication.
-Only use this option if you don’t wish to use the default key and SSL/TLS certificate we include with Client SDK 5. You must set this option in combination with `--server-client-key-file`.
+Only use this option if you have registered at least one trust anchor onto HSM with CloudHSM CLI. You must set this option in combination with `--client-key-hsm-tls-file`. 
@@ -104 +104 @@ Required: No
-**\--server-client-key-file`<Client Key Filepath>`**
+**\--client-key-hsm-tls-file`<client key hsm tls path>`**
@@ -107 +107 @@ Required: No
-Path to the client key used for TLS client-server mutual authentication. 
+Path to the client key used for TLS client-HSM mutual authentication. 
@@ -109 +109 @@ Path to the client key used for TLS client-server mutual authentication.
-Only use this option if you don’t wish to use the default key and SSL/TLS certificate we include with Client SDK 5. You must set this option in combination with `--server-client-cert-file`.
+Only use this option if you have registered at least one trust anchor onto HSM with CloudHSM CLI. You must set this option in combination with `--client-cert-hsm-tls-file`.