AWS Security ChangesHomeSearch

AWS cloudhsm documentation change

Service: cloudhsm · 2026-01-13 · Documentation low

File: cloudhsm/latest/userguide/openssl-provider-install.md

Summary

Replaced 'Configure OpenSSL to use the provider' section with 'Verify the installation', simplified verification steps, removed detailed configuration instructions for openssl.cnf, and updated environment variable placeholder

Security assessment

The changes simplify installation verification by replacing complex configuration steps with a direct command. While it removes guidance about avoiding system-wide OpenSSL configuration changes (which could prevent misconfiguration), there's no evidence of a specific security vulnerability being addressed. The update appears focused on usability rather than patching a security flaw.

Diff

diff --git a/cloudhsm/latest/userguide/openssl-provider-install.md b/cloudhsm/latest/userguide/openssl-provider-install.md
index 694892570..69390d70a 100644
--- a//cloudhsm/latest/userguide/openssl-provider-install.md
+++ b//cloudhsm/latest/userguide/openssl-provider-install.md
@@ -5 +5 @@
-RequirementsInstall the OpenSSL ProviderConfigure OpenSSL to use the provider
+RequirementsInstall the OpenSSL ProviderVerify the installation
@@ -91 +91 @@ You have installed the shared library for the OpenSSL Provider at `/opt/cloudhsm
-        $ export CLOUDHSM_PIN=<HSM user name>:<password>
+        $ export CLOUDHSM_PIN=<username>:<password>
@@ -98 +98 @@ You have installed the shared library for the OpenSSL Provider at `/opt/cloudhsm
-## Configure OpenSSL to use the provider
+## Verify the installation
@@ -100 +100 @@ You have installed the shared library for the OpenSSL Provider at `/opt/cloudhsm
-Configure OpenSSL to load the CloudHSM provider:
+Verify that the OpenSSL Provider is installed correctly:
@@ -102 +101,0 @@ Configure OpenSSL to load the CloudHSM provider:
-  1. Locate your OpenSSL configuration file:
@@ -104 +103 @@ Configure OpenSSL to load the CloudHSM provider:
-        $ openssl version -d
+    $ CLOUDHSM_PIN=<username>:<password> openssl list -providers -provider cloudhsm
@@ -106 +105 @@ Configure OpenSSL to load the CloudHSM provider:
-This shows the OPENSSLDIR, typically `/etc/pki/tls`. The configuration file is `openssl.cnf` in this directory.
+You should see output similar to:
@@ -108 +106,0 @@ This shows the OPENSSLDIR, typically `/etc/pki/tls`. The configuration file is `
-  2. ###### Note
@@ -110,31 +107,0 @@ This shows the OPENSSLDIR, typically `/etc/pki/tls`. The configuration file is `
-Do not modify your system's default openssl.cnf file directly. Instead, create a copy for use with the AWS CloudHSM OpenSSL Provider. This prevents system-wide OpenSSL operations (SSH, TLS connections, and other services) from unintentionally routing through the CloudHSM provider.
-
-Using a separate configuration file allows you to scope CloudHSM Provider usage to only specific applications that require HSM-backed cryptographic operations.
-
-Create your own copy of the OpenSSL configuration file:
-    
-        $ cp /etc/pki/tls/openssl.cnf example-cloudhsm-openssl.cnf
-
-Replace `/etc/pki/tls/openssl.cnf` with the path from the previous step if different.
-
-  3. Add or update the `[provider_sect]` section in your copied `example-cloudhsm-openssl.cnf` file:
-    
-        [provider_sect]
-    cloudhsm = cloudhsm_sect
-    default = default_sect
-
-  4. Add the CloudHSM provider section and ensure the default provider is activated:
-    
-        [default_sect]
-    activate = 1
-    
-    [cloudhsm_sect]
-    activate = 1
-
-  5. Set the OPENSSL_CONF environment variable to point to your updated configuration file and verify the provider is loaded:
-    
-        $ OPENSSL_CONF=/path/to/example-cloudhsm-openssl.cnf openssl list -providers
-
-You should see both the default provider and the CloudHSM provider listed:
-    
-        OPENSSL_CONF=/path/to/example-cloudhsm-openssl.cnf openssl list -providers
@@ -142,4 +108,0 @@ You should see both the default provider and the CloudHSM provider listed:
-      default
-        name: OpenSSL Default Provider
-        version: 3.2.2
-        status: active
@@ -150,3 +113,4 @@ You should see both the default provider and the CloudHSM provider listed:
-
-
-
+      default
+        name: OpenSSL Default Provider
+        version: 3.2.2
+        status: active