AWS Security Blog
AWS CloudHSM Is Now Integrated with Amazon RDS for Oracle and Provides Enhanced Management Tools
November 24, 2021: This blog post announced a feature of AWS CloudHSM Classic which integrated with Amazon RDS for Oracle to provide customers with an easy integration for Transparent Data Encryption (TDE). The AWS CloudHSM team have since released AWS CloudHSM, and this feature is no longer available. For updated options, please see out this blog post: https://thinkwithwp.com/blogs/security/architecting-for-database-encryption-on-aws/.
AWS CloudHSM is now integrated with Amazon RDS for Oracle. With this new capability, you can let AWS operate your Oracle databases while maintaining control of the master encryption keys. The AWS CloudHSM service helps you meet compliance requirements for data security by making dedicated, single-tenant Hardware Security Module (HSM) appliances available within the AWS cloud. This feature allows you to maintain control of the master encryption keys in CloudHSM instances when encrypting RDS databases with Oracle Transparent Data Encryption (TDE).
You now also can provision and manage CloudHSM deployments with our new API, SDK, and CLI Tools, which let you launch, terminate, and describe CloudHSM instances from within programs or by executing commands. The CLI Tools make HSM administration and management tasks easier, especially for high availability (HA) configurations. For example, the CLI Tools can help you configure HA groups that span multiple availability zones so that you can build resilient applications. In the unlikely event of a hardware failure, you can launch a new CloudHSM instance and replicate the keys to the new HSM with a few commands.
CloudHSM now also works with AWS CloudTrail, the AWS service that records API calls for your account and delivers log files to you. This feature can help with regulatory and compliance requirements for auditing and logging.
To learn more about CloudHSM for RDS Oracle TDE, please see the Oracle on Amazon RDS User Guide. You can also get started with or learn more about AWS CloudHSM.
– Ken