Reverting to ccc3c1f

aws-samples · May 14, 2023 · dea52d8 · dea52d8
1 parent 2b04a93
commit dea52d8
Show file tree

Hide file tree

Showing 2 changed files with 75 additions and 117 deletions.
diff --git a/README.md b/README.md
@@ -77,13 +77,11 @@ You'll need to determine the VPC and subnet in which an EC2 client instance that
 
 #### 6. Determine whether or not you want to create a KMS custom key store
 
-By default, the template creates a CloudHSM cluster with the specified number of HSMs and an EC2 client to help you manage the cluster.
-
-If you plan on using KMS with your CloudHSM cluster, you can override the [`pStackScope`](#cloudformation-template-parameters) CloudFormation template parameter to specify that a KMS custom key store should be created. As a result, the custom key store will be connected to the CloudHSM cluster.
+By default, the template creates a KMS custom key store and connects it to the CloudHSM cluster. If you don't plan on using KMS with your CloudHSM cluster, you can override the [`pStackScope`](#cloudformation-template-parameters) CloudFormation template parameter to specify that only the CloudHSM cluster be created.
 
 ## Managing Security
 
-A security review has been performed on the CloudFormation templates contained in this repository. This solution assumes that CloudHSM cluster will be deployed and managed in the following manner:
+A security review has been performed on the CloudFormation templates contained in this repository. This solution assumes that CloudHSM clusters KMS custom key store will be deployed and managed in the following manner:
 - You specify a private subnet that does not support publicly addressable IP addresses to be used for the EC2 client instance
 - You stop (not terminate) the EC2 client instance once management has been completed so that it is normally in the `stopped` state
 - You power on the EC2 client instance to the `running` state when you need to manage the CloudHSM cluster via the EC2 client instance
@@ -104,7 +102,7 @@ The CloudFormation templates `cloudhsm.yaml` and `vpc.yaml` has been scanned by
 
 CloudHSM stack update operations do not generally support modification of stack parameters except for the AMI ID if an AMI ID was originally used to create the stack.
 
-Updating other parameters, for example, the number of HSMs, is not yet supported via CloudHSM stack updates.
+Updating other parameters, for example, the number of HSMs, is not supported via CloudHSM stack updates.
 
 ## Creating CloudFormation Stack
 
@@ -120,7 +118,7 @@ Use the [`cloudhsm.yaml`](cloudhsm.yaml) CloudFormation template to create a new
 |---------|--------|-----------|-------|---------------------------|
 |`pSystem`|Optional|Used as a prefix in the names of many of the newly created cloud resources. You normally do not need to override the default value.|`cloudhsm`|No|
 |`pEnvPurpose`|Optional|Identifies the purpose for this particular instance of the stack. Used as part of the prefix in the names of many of the newly created resources. Enables you to create and more easily distinguish resources of multiple stacks in the same AWS account. For example, `1`, `2`, `test1`, `test2`, etc.|`1`|No|
-|`pStackScope`|Optional|Scope of the stack to create:<br>`with-custom-key-store`: CloudHSM cluster + EC2 client instance + KMS custom key store<br>`cluster-and-client-only`: CloudHSM cluster + EC2 client instance|`cluster-and-client-only`|No|
+|`pStackScope`|Optional|Scope of the stack to create:<br>`with-custom-key-store`: CloudHSM cluster + EC2 client instance + KMS custom key store<br>`cluster-and-client-only`: CloudHSM cluster + EC2 client instance|`with-custom-key-store`|No|
 |`pVpcId`|Optional|The VPC in which the HSM Elastic Network Interfaces (ENIs) will be provisioned and in which the EC2 client instance will be deployed.|None|No|
 |`pNumHsms`|Optional|Number of HSMs to create in the CloudHSM cluster: `1`, `2`, or `3`. When using a KMS custom key store, a minimum of 2 HSMs is required.|`2`|No|
 |`pBackupRetentionDays`|Optional|Number of days to retain CloudHSM cluster backups. You may specify from `7` to `379` days.|`90`|No|
@@ -231,23 +229,9 @@ Access the EC2 console and select Network Interfaces to inspect the ENIs that we
 * A CloudHSM managed ENI should be present for each HSM
 * If you specified creation of a KMS custom key store, a KMS managed ENI should be present for each HSM
 
-#### Inspect CloudHSM via the CloudHSM SDK
-
-**CloudHSM SDK v5: Using CloudHSM CLI**
+#### Inspect CloudHSM via the CloudHSM Management Utility
 
-By default, the EC2 client instance has been configured with with the CloudHSM SDK v5 that includes the [CloudHSM Client CLI](https://docs.aws.amazon.com/cloudhsm/latest/userguide/cloudhsm_cli.html).
-
-Use AWS Systems Manager Session Manager to access a terminal session to the EC2 client instance. See [Monitoring EC2 client instance configuration](#monitoring-ec2-client-instance-configuration) for details.
-
-Once you're in the terminal session:
-
-1. Execute `$ /opt/cloudhsm/bin/cloudhsm-cli interactive`
-2. A subset of the [commands](https://docs.aws.amazon.com/cloudhsm/latest/userguide/cloudhsm_cli-reference.html) can be executed before logging in. For example:
-  * `user list` - Lists the set of users.
-
-**CloudHSM SDK v3: Using the CloudHSM Management Utility (CMU)**
-
-If you opted to install v3 of the CloudHSM SDK, then the EC2 client instance has been configured with the [CloudHSM Management Utility (CMU)](https://docs.aws.amazon.com/cloudhsm/latest/userguide/cloudhsm_mgmt_util.html) to support ongoing inspection and configuration of your cluster.  You can use the `cloudhsm_mgmt_util` CLI to execute the CMU.
+The EC2 client instance has been configured with the [CloudHSM Management Utility (CMU)](https://docs.aws.amazon.com/cloudhsm/latest/userguide/cloudhsm_mgmt_util.html) to support ongoing inspection and configuration of your cluster.  You can use the `cloudhsm_mgmt_util` CLI to execute the CMU.
 
 Use AWS Systems Manager Session Manager to access a terminal session to the EC2 client instance. See [Monitoring EC2 client instance configuration](#monitoring-ec2-client-instance-configuration) for details.
 
@@ -278,46 +262,16 @@ After you've reviewed the cause of the error, you can proceed with deleting the
 
 As a security best practice, you should change the Crypto Officer (CO) password immediately after the stack is created. 
 
-**CloudHSM SDK v5: Using CloudHSM CLI**
-
-By default, the EC2 client instance has been configured with the CloudHSM SDK v5 that includes the [CloudHSM Client CLI](https://docs.aws.amazon.com/cloudhsm/latest/userguide/cloudhsm_cli.html).
-
-Use AWS Systems Manager Session Manager to access a terminal session to the EC2 client instance. See [Monitoring EC2 client instance configuration](#monitoring-ec2-client-instance-configuration) for details.
-
-Once you're in the terminal session:
-
-1. Obtain the initial crypto officer (CO) password from Secrets Manager
-2. Execute `$ /opt/cloudhsm/bin/cloudhsm-cli interactive`
-3. At the `aws-cloudhsm >` prompt, log in via the CO user:  `login --username admin --role admin`
-4. Enter the initial password for the CO user that you obtained from Secrets Manager
-5. You should see a successful login
-6. Change the password `user change-password --username admin`
-7. Specify the password
-8. Enter `quit` to exit the CLI
-
-You should store the new password in your standard enterprise password vault.
-
-At this stage, you can optionally delete the secret from Secrets Manager given that the initial password is no longer needed for operation of the cluster.
-
-If you requested creation of a KMS custom key store, KMS has already changed the initial password for the `kmsuser` across the HSMs.
+You will use the [CloudHSM Management Utility](https://docs.aws.amazon.com/cloudhsm/latest/userguide/cloudhsm_mgmt_util.html) from within the EC2 client instance to change the password.
 
-**CloudHSM SDK v3: Using the CloudHSM Management Utility (CMU)**
-
-If you opted to install v3 of the CloudHSM SDK, then the EC2 client instance has been configured with CloudHSM SDK v3 that includes the [CloudHSM Management Utility (CMU)](https://docs.aws.amazon.com/cloudhsm/latest/userguide/cloudhsm_mgmt_util.html) to support ongoing inspection and configuration of your cluster.  You can use the `cloudhsm_mgmt_util` CLI to execute the CMU.
-
-Use AWS Systems Manager Session Manager to access a terminal session to the EC2 client instance. See [Monitoring EC2 client instance configuration](#monitoring-ec2-client-instance-configuration) for details.
-
-Once you're in the terminal session:
-
-1. Obtain the initial crypto officer (CO) password from Secrets Manager
-2. Execute `$ /opt/cloudhsm/bin/cloudhsm_mgmt_util /opt/cloudhsm/etc/cloudhsm_mgmt_util.cfg`
-  * For each HSM, you should see a connection being established.
+1. Obtain the initial crypto office (CO) password from Secrets Manager
+2. Start the CMU CLI. See [Inspect CloudHSM via the CloudHSM Management Utility](#inspect-cloudhsm-via-the-cloudhsm-management-utility) for details on executing the CMU
 3. At the `aws-cloudhsm>` prompt, log in via the CO `admin` user:  `loginHSM CO admin -hpswd`
 4. Enter the initial password for the CO user that you obtained from Secrets Manager
 5. You should see a successful login for each HSH
 6. Change the password `changePswd CO admin -hpswd`
 7. Specify the password
-8. Enter `quit` to exit the CMU
+8. Enter `quit` to quit the CMU
 
 You should store the new password in your standard enterprise password vault.