AWS Security ChangesHomeSearch

AWS cloudhsm documentation change

Service: cloudhsm · 2025-08-13 · Documentation low

File: cloudhsm/latest/userguide/configure-tool-syntax5.md

Summary

Restructured configuration syntax documentation for multiple tools (PKCS #11, OpenSSL, KSP, JCE, CloudHSM CLI) with expanded parameter descriptions, added new options like certificate storage controls, retry modes, and SDK3 compatibility flags

Security assessment

Added documentation for security-related parameters including TLS mutual authentication (--client-cert-hsm-tls-file, --client-key-hsm-tls-file), certificate storage controls, and key validation flags. However, there is no explicit mention of addressing a specific vulnerability or security incident - these appear to be general documentation improvements for existing security features.

Diff

diff --git a/cloudhsm/latest/userguide/configure-tool-syntax5.md b/cloudhsm/latest/userguide/configure-tool-syntax5.md
index 85f438e74..2e7cba8ba 100644
--- a//cloudhsm/latest/userguide/configure-tool-syntax5.md
+++ b//cloudhsm/latest/userguide/configure-tool-syntax5.md
@@ -7 +7 @@
-The following table illustrates the syntax for AWS CloudHSM configuration files for Client SDK 5.
+The following table illustrates the syntax for AWS CloudHSM configuration files for Client SDK 5. For more information about the parameters, see [AWS CloudHSM Client SDK 5 configuration parameters](./configure-tool-params5.html). 
@@ -13,24 +13,41 @@ PKCS #11
-    configure-pkcs11[ .exe ] 
-                 -a <ENI IP address>
-                 [--hsm-ca-cert <customerCA certificate file path>]
-                 [--cluster-id <cluster ID>]
-                 [--endpoint <endpoint>]
-                 [--region <region>] 
-                 [--client-cert-hsm-tls-file <client certificate hsm tls path>]
-                 [--client-key-hsm-tls-file <client key hsm tls path>]
-                 [--log-level <error | warn | info | debug | trace>]
-                      Default is <info>
-                 [--log-rotation <daily | weekly>]
-                      Default is <daily>
-                 [--log-file <file name with path>]
-                      Default is </opt/cloudhsm/run/cloudhsm-pkcs11.log>
-                      Default for Windows is <C:\\Program Files\\Amazon\\CloudHSM\\cloudhsm-pkcs11.log>
-                 [--log-type <file | term>]
-                      Default is <file>
-                 [-h | --help]
-                 [-V | --version]
-                 [--disable-key-availability-check]
-                 [--enable-key-availability-check]
-                 [--disable-validate-key-at-init]
-                 [--enable-validate-key-at-init]
-                      This is the default for PKCS #11
+    Usage: configure-pkcs11[ .exe ] [OPTIONS]
+    
+    Options:
+          --disable-certificate-storage
+              Disables Certificate Storage
+          --enable-certificate-storage
+              Enables Certificate Storage
+      -a <HSM ENI IP>...
+              The address of the HSM instance
+          --cluster-id <CLUSTER ID>
+              The id of the cluster containing the HSM instance(s)
+          --disable-key-availability-check
+              Disables key availability check during key use
+          --enable-key-availability-check
+              Enables key availability check during key use
+          --disable-validate-key-at-init
+              Disables parameter validation during initialization of crypto operations
+          --enable-validate-key-at-init
+              Enables parameter validation during initialization of crypto operations
+          --endpoint <ENDPOINT>
+              Specify the AWS CloudHSM API Endpoint
+          --region <REGION>
+              The region of the cluster
+          --hsm-ca-cert <HSM CA CERTIFICATE FILE>
+              The HSM CA certificate file
+          --log-type <LOG TYPE>
+              The log type [possible values: term, file]
+          --log-file <LOG FILE>
+              The log file
+          --log-level <LOG LEVEL>
+              The logging level [possible values: error, warn, info, debug, trace]
+          --log-rotation <LOG ROTATION>
+              The log rotation interval [possible values: never, hourly, daily]
+          --default-retry-mode <RETRY MODE>
+              The default method of retry to use for certain non-terminal failures [possible values: off, standard]
+          --client-cert-hsm-tls-file <CLIENT CERTIFICATE HSM TLS FILE>
+              The client certificate used for TLS client-hsm mutual authentication
+          --client-key-hsm-tls-file <CLIENT KEY HSM TLS FILE>
+              The client private key used for TLS client-hsm mutual authentication
+      -h, --help
+              Print help
@@ -42,19 +59,37 @@ OpenSSL
-    configure-dyn[ .exe ] 
-                 -a <ENI IP address>
-                 [--hsm-ca-cert <customerCA certificate file path>]
-                 [--cluster-id <cluster ID>]
-                 [--endpoint <endpoint>]
-                 [--region <region>] 
-                 [--client-cert-hsm-tls-file <client certificate hsm tls path>]
-                 [--client-key-hsm-tls-file <client key hsm tls path>]
-                 [--log-level <error | warn | info | debug | trace>]
-                      Default is <error>
-                 [--log-type <file | term>]
-                      Default is <term>
-                 [-h | --help]
-                 [-V | --version]
-                 [--disable-key-availability-check]
-                 [--enable-key-availability-check]
-                 [--disable-validate-key-at-init]
-                      This is the default for OpenSSL
-                 [--enable-validate-key-at-init]
+    Usage: configure-dyn[ .exe ] [OPTIONS]
+    
+    Options:
+      -a <HSM ENI IP>...
+              The address of the HSM instance
+          --cluster-id <CLUSTER ID>
+              The id of the cluster containing the HSM instance(s)
+          --disable-key-availability-check
+              Disables key availability check during key use
+          --enable-key-availability-check
+              Enables key availability check during key use
+          --disable-validate-key-at-init
+              Disables parameter validation during initialization of crypto operations
+          --enable-validate-key-at-init
+              Enables parameter validation during initialization of crypto operations
+          --endpoint <ENDPOINT>
+              Specify the AWS CloudHSM API Endpoint
+          --region <REGION>
+              The region of the cluster
+          --hsm-ca-cert <HSM CA CERTIFICATE FILE>
+              The HSM CA certificate file
+          --log-type <LOG TYPE>
+              The log type [possible values: term, file]
+          --log-file <LOG FILE>
+              The log file
+          --log-level <LOG LEVEL>
+              The logging level [possible values: error, warn, info, debug, trace]
+          --log-rotation <LOG ROTATION>
+              The log rotation interval [possible values: never, hourly, daily]
+          --default-retry-mode <RETRY MODE>
+              The default method of retry to use for certain non-terminal failures [possible values: off, standard]
+          --client-cert-hsm-tls-file <CLIENT CERTIFICATE HSM TLS FILE>
+              The client certificate used for TLS client-hsm mutual authentication
+          --client-key-hsm-tls-file <CLIENT KEY HSM TLS FILE>
+              The client private key used for TLS client-hsm mutual authentication
+      -h, --help
+              Print help
@@ -66,23 +101,45 @@ KSP
-    configure-ksp[ .exe ] 
-                 -a <ENI IP address>
-                 [--hsm-ca-cert <customerCA certificate file path>]
-                 [--cluster-id <cluster ID>]
-                 [--endpoint <endpoint>]
-                 [--region <region>] 
-                 [--client-cert-hsm-tls-file <client certificate hsm tls path>]
-                 [--client-key-hsm-tls-file <client key hsm tls path>]
-                 [--log-level <error | warn | info | debug | trace>]
-                      Default is <info>
-                 [--log-rotation <daily | weekly>]
-                      Default is <daily>
-                 [--log-file <file name with path>]
-                      Default is <C:\\Program Files\\Amazon\\CloudHSM\\cloudhsm-ksp.log>
-                 [--log-type <file | term>]
-                      Default is <file>
-                 [-h | --help]
-                 [-V | --version]
-                 [--disable-key-availability-check]
-                 [--enable-key-availability-check]
-                 [--disable-validate-key-at-init]
-                      This is the default for KSP
-                 [--enable-validate-key-at-init]
+    Usage: configure-ksp.exe [OPTIONS]
+    
+    Options:
+      -a <HSM ENI IP>...
+              The address of the HSM instance
+          --server-client-cert-file <CLIENT CERTIFICATE FILE>
+              The client certificate used for TLS client-server mutual authentication
+          --server-client-key-file <CLIENT KEY FILE>
+              The client private key used for TLS client-server mutual authentication
+          --cluster-id <CLUSTER ID>
+              The id of the cluster containing the HSM instance(s)
+          --disable-key-availability-check
+              Disables key availability check during key use
+          --enable-key-availability-check
+              Enables key availability check during key use
+          --disable-validate-key-at-init
+              Disables parameter validation during initialization of crypto operations
+          --enable-validate-key-at-init
+              Enables parameter validation during initialization of crypto operations
+          --endpoint <ENDPOINT>
+              Specify the AWS CloudHSM API Endpoint
+          --region <REGION>
+              The region of the cluster
+          --hsm-ca-cert <HSM CA CERTIFICATE FILE>
+              The HSM CA certificate file
+          --log-type <LOG TYPE>
+              The log type [possible values: term, file]
+          --log-file <LOG FILE>
+              The log file
+          --log-level <LOG LEVEL>
+              The logging level [possible values: error, warn, info, debug, trace]
+          --log-rotation <LOG ROTATION>
+              The log rotation interval [possible values: never, hourly, daily]
+          --default-retry-mode <RETRY MODE>
+              The default method of retry to use for certain non-terminal failures [possible values: off, standard]
+          --client-cert-hsm-tls-file <CLIENT CERTIFICATE HSM TLS FILE>
+              The client certificate used for TLS client-hsm mutual authentication
+          --client-key-hsm-tls-file <CLIENT KEY HSM TLS FILE>
+              The client private key used for TLS client-hsm mutual authentication
+          --enable-sdk3-compatibility-mode
+              Enables key file usage for KSP
+          --disable-sdk3-compatibility-mode
+              Disables key file usage for KSP
+      -h, --help
+              Print help
@@ -94,24 +151,37 @@ JCE