AWS Security ChangesHomeSearch

AWS cloudhsm documentation change

Service: cloudhsm · 2026-02-13 · Documentation low

File: cloudhsm/latest/userguide/ki-hsm2m-medium.md

Summary

Added new issue about HSM connection initialization failures during cold starts and provided resolution guidance

Security assessment

Documents a reliability/performance issue with connection initialization, but contains no evidence of security vulnerability or weakness. The resolution focuses on deployment best practices rather than security controls.

Diff

diff --git a/cloudhsm/latest/userguide/ki-hsm2m-medium.md b/cloudhsm/latest/userguide/ki-hsm2m-medium.md
index fb013b91c..6c94a0376 100644
--- a//cloudhsm/latest/userguide/ki-hsm2m-medium.md
+++ b//cloudhsm/latest/userguide/ki-hsm2m-medium.md
@@ -5 +5 @@
-Issue: Increased login latency on hsm2m.mediumIssue: Increased find key latency on hsm2m.mediumIssue: A CO using trying to set the trusted attribute of a key will fail with Client SDK 5.12.0 and earlierIssue: ECDSA verify will fail with Client SDK 5.12.0 and earlier for clusters in FIPS modeIssue: Only the PEM-formatted certificates can be registered as mtls trust anchors with CloudHSM CLIIssue: Customer applications will stop processing all requests when using mTLS with a passphrase protected client private key.Issue: User replicate fails when using the CloudHSM CLIIssue: Operations can fail during backup creationIssue: Client SDK 5.8 and above do not perform automatic retries for HSM throttled operations in some scenarios on hsm2m.mediumIssue: AES/CBC unwrap operations with all zero IV fails on hsm2m.medium
+Issue: Increased login latency on hsm2m.mediumIssue: Increased find key latency on hsm2m.mediumIssue: A CO using trying to set the trusted attribute of a key will fail with Client SDK 5.12.0 and earlierIssue: ECDSA verify will fail with Client SDK 5.12.0 and earlier for clusters in FIPS modeIssue: Only the PEM-formatted certificates can be registered as mtls trust anchors with CloudHSM CLIIssue: Customer applications will stop processing all requests when using mTLS with a passphrase protected client private key.Issue: User replicate fails when using the CloudHSM CLIIssue: Operations can fail during backup creationIssue: Client SDK 5.8 and above do not perform automatic retries for HSM throttled operations in some scenarios on hsm2m.mediumIssue: AES/CBC unwrap operations with all zero IV fails on hsm2m.mediumIssue: Failure to initialize HSM connection during application cold starts on hsm2m.medium
@@ -32,0 +33,2 @@ The following issues impact all AWS CloudHSM hsm2m.medium instances.
+  * Issue: Failure to initialize HSM connection during application cold starts on hsm2m.medium
+
@@ -133,0 +136,9 @@ For more information about best practices, see [Best practices for AWS CloudHSM]
+## Issue: Failure to initialize HSM connection during application cold starts on hsm2m.medium
+
+  * **Impact:** This issue affects cold starts such as client application deployments or restarts. The hsm2m.medium HSM instance has improved fair share architecture which ensures more consistent performance, throughput, and latency for all customers. At present on hsm1.medium, you may observe higher than intended performance for concurrent HSM connection initialization. However, hsm1.medium connection initialization performance will vary based on underlying system updates.
+
+  * **Resolution:** Follow [best practices](./bp-application-integration.html#bp-stagger-deployment) and stagger client application deployments and restarts to limit the amount of client applications initializing HSM connections concurrently. We also recommend that you implement application level retries for client application initialization. In addition, bootstrap using configure tool with `--cluster-id <cluster ID>` to add all HSM IP's to the client configuration file.
+
+
+
+