AWS Security ChangesHomeSearch

AWS cloudhsm documentation change

Service: cloudhsm · 2025-04-28 · Documentation medium

File: cloudhsm/latest/userguide/pkcs11-multi-slot-add-cluster.md

Summary

Replaced --server-client-cert-file and --server-client-key-file with new parameters requiring trust anchor registration for HSM TLS mutual authentication.

Security assessment

Updated parameters enforce mutual TLS authentication with HSM using trust anchors, enhancing security practices. However, no explicit security vulnerability is mentioned as being addressed.

Diff

diff --git a/cloudhsm/latest/userguide/pkcs11-multi-slot-add-cluster.md b/cloudhsm/latest/userguide/pkcs11-multi-slot-add-cluster.md
index 77a4a939c..3e83cec4d 100644
--- a//cloudhsm/latest/userguide/pkcs11-multi-slot-add-cluster.md
+++ b//cloudhsm/latest/userguide/pkcs11-multi-slot-add-cluster.md
@@ -19,2 +19,2 @@ When [connecting to multiple slots with PKCS #11](./pkcs11-library-configs-multi
-            [--server-client-cert-file <CLIENT CERTIFICATE FILE>]
-            [--server-client-key-file <CLIENT KEY FILE>]
+            [--client-cert-hsm-tls-file <CLIENT CERTIFICATE FILE>]
+            [--client-key-hsm-tls-file <CLIENT KEY FILE>]
@@ -37 +37 @@ Windows
-    C:\Program Files\Amazon\CloudHSM\> .\configure-pkcs11.exe add-cluster --cluster-id <cluster-1234567>
+    C:\Program Files\Amazon\CloudHSM\bin> .\configure-pkcs11.exe add-cluster --cluster-id <cluster-1234567>
@@ -56 +56 @@ Windows
-            C:\Program Files\Amazon\CloudHSM\> .\configure-pkcs11.exe add-cluster --cluster-id <cluster-1234567>--region <us-east-1> --endpoint <https://cloudhsmv2.us-east-1.amazonaws.com>
+            C:\Program Files\Amazon\CloudHSM\bin> .\configure-pkcs11.exe add-cluster --cluster-id <cluster-1234567>--region <us-east-1> --endpoint <https://cloudhsmv2.us-east-1.amazonaws.com>
@@ -97 +97 @@ Required: No
-**\--server-client-cert-file`<Client Certificate Filepath>`**
+**\--client-cert-hsm-tls-file`<client certificate hsm tls path>`**
@@ -100 +100 @@ Required: No
-Path to the client certificate used for TLS client-server mutual authentication. 
+Path to the client certificate used for TLS client-HSM mutual authentication. 
@@ -102 +102 @@ Path to the client certificate used for TLS client-server mutual authentication.
-Only use this option if you don’t wish to use the default key and SSL/TLS certificate we include with Client SDK 5. You must set this option in combination with `--server-client-key-file`. 
+Only use this option if you have registered at least one trust anchor onto HSM with CloudHSM CLI. You must set this option in combination with `--client-key-hsm-tls-file`. 
@@ -106 +106 @@ Required: No
-**\--server-client-key-file`<Client Key Filepath>`**
+**\--client-key-hsm-tls-file`<client key hsm tls path>`**
@@ -109 +109 @@ Required: No
-Path to the client key used for TLS client-server mutual authentication. 
+Path to the client key used for TLS client-HSM mutual authentication. 
@@ -111 +111 @@ Path to the client key used for TLS client-server mutual authentication.
-Only use this option if you don’t wish to use the default key and SSL/TLS certificate we include with Client SDK 5. You must set this option in combination with `--server-client-cert-file`. 
+Only use this option if you have registered at least one trust anchor onto HSM with CloudHSM CLI. You must set this option in combination with `--client-cert-hsm-tls-file`.