AWS Security ChangesHomeSearch

AWS cloudhsm medium security documentation change

Service: cloudhsm · 2025-05-31 · Security-related medium

File: cloudhsm/latest/userguide/ki-all.md

Summary

Updated ECDSA hash strength requirements documentation and added bypass configuration warning

Security assessment

Documents security compliance with FIPS 186-5 requirements and adds explicit warning about insecure bypass option ('--enable-ecdsa-with-weak-hash-function') that could weaken cryptographic security if misused

Diff

diff --git a/cloudhsm/latest/userguide/ki-all.md b/cloudhsm/latest/userguide/ki-all.md
index f3688565f..cf136a2d9 100644
--- a//cloudhsm/latest/userguide/ki-all.md
+++ b//cloudhsm/latest/userguide/ki-all.md
@@ -153 +153 @@ This error is caused by an update to Instance Metadata Service Version 2 (IMDSv2
-  * **Impact:** ECDSA signing operations fail when using hash functions that are too weak compared to the key strength. This failure occurs because [FIPS 186-5](https://nvlpubs.nist.gov/nistpubs/FIPS/NIST.FIPS.186-5.pdf) requires the hash function to be at least as strong as the key strength. 
+  * **Impact:** ECDSA signing operations fail when using hash functions that are weaker than the key strength. This failure occurs because [FIPS 186-5](https://nvlpubs.nist.gov/nistpubs/FIPS/NIST.FIPS.186-5.pdf) requires the hash function to be at least as strong as the key strength. 
@@ -160,0 +161,4 @@ You might see an error similar to this in your client logs:
+As an additional workaround, we have added a configuration option to bypass this requirement. Please note, this option is **not recommended** , as using ECDSA with weaker hash functions does not follow security best practices. To use this option, run the following command (replacing `configure-cli` with the configure tool for the SDK being used: [AWS CloudHSM Client SDK 5 configuration syntax](./configure-tool-syntax5.html)): 
+    
+        sudo /opt/cloudhsm/bin/configure-cli --enable-ecdsa-with-weak-hash-function
+