1 Answers
No, I don’t think you can configure this, because HSMs are Regional. You cannot extend an HSM cluster to be cross-regional, so you would not be able to share the key material with a different CloudHSM cluster in another region. Instead, you would do this across AZs in the same region.
https://docs.aws.amazon.com/cloudhsm/latest/userguide/regions.html
Load balancing and HA are on a regional basis, and the HSM cluster can be distributed across multiple AZs, but in the same region:
Load balancing and high availability
AWS CloudHSM automatically load balances requests and securely duplicates keys stored in any HSM to all of the other HSMs in the cluster. This provides additional cryptographic capacity and improves the durability of the keys. By storing multiple copies of your keys across HSMs located in different Availability Zones (AZs), your keys will be available and protected in the event that a single HSM becomes unavailable. Using at least two HSMs across multiple AZs is Amazon’s recommended configuration for availability and durability. CloudHSM replicates key material among participating HSMs in the cluster.
https://aws.amazon.com/cloudhsm/features/
This is my interpretation anyway. Does anyone else have a different take on this?
Regards
Faye
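The availability recommendation quoted in the answer above (at least two HSMs across multiple AZs) can be checked mechanically. This is an added example, not part of the original answer or AWS's own code: it audits data shaped like the CloudHSM v2 DescribeClusters response, and the cluster IDs, HSM IDs and zones in the sample are constructed.

```python
# Audit CloudHSM clusters against the "at least two HSMs across multiple AZs"
# recommendation. SAMPLE_RESPONSE is constructed data in the shape of the
# CloudHSM v2 DescribeClusters response; it is not real output.

def hsm(hsm_id, zone, state="ACTIVE"):
    """Build one constructed HSM record with the fields the audit reads."""
    return {"HsmId": hsm_id, "AvailabilityZone": zone, "State": state}

SAMPLE_RESPONSE = {
    "Clusters": [
        # Two ACTIVE HSMs in two AZs: meets the recommendation.
        {"ClusterId": "cluster-example1",
         "Hsms": [hsm("hsm-a", "eu-west-1a"), hsm("hsm-b", "eu-west-1b")]},
        # Two ACTIVE HSMs, but both in the same AZ.
        {"ClusterId": "cluster-example2",
         "Hsms": [hsm("hsm-c", "eu-west-1a"), hsm("hsm-d", "eu-west-1a")]},
        # Two HSMs in two AZs, but only one is ACTIVE.
        {"ClusterId": "cluster-example3",
         "Hsms": [hsm("hsm-e", "eu-west-1a"),
                  hsm("hsm-f", "eu-west-1b", state="DEGRADED")]},
    ]
}

def audit_cluster(cluster):
    """Return findings for one cluster; an empty list means it passes."""
    # Only ACTIVE HSMs count: a DEGRADED or still-creating HSM cannot be
    # relied on to serve requests or hold a usable copy of the keys.
    active = [h for h in cluster.get("Hsms", []) if h.get("State") == "ACTIVE"]
    zones = {h["AvailabilityZone"] for h in active}
    findings = []
    if len(active) < 2:
        findings.append(f"{len(active)} ACTIVE HSM(s), need at least 2")
    if len(zones) < 2:
        findings.append(f"ACTIVE HSMs span {len(zones)} AZ(s), need at least 2")
    return findings

def audit(response):
    """Map each ClusterId in a DescribeClusters-shaped dict to its findings."""
    return {c["ClusterId"]: audit_cluster(c)
            for c in response.get("Clusters", [])}

if __name__ == "__main__":
    for cluster_id, findings in audit(SAMPLE_RESPONSE).items():
        print(cluster_id, "OK" if not findings else "; ".join(findings))
```

Against a live account, the same `audit` function can be given the result of `boto3.client("cloudhsmv2").describe_clusters()`, run once per region since each cluster is regional.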
Likely a protection/feature to ensure the forced surrender of key material in one region by a government or entity cannot impact data encrypted in a separate region outside that entity's jurisdiction.