Cloud HSM is highly available (clustered) but then the next slide says "customer managed durability and availability". Can you please clarify?
1 Answers
It’s possible the 2nd slide is still based on the "classic" CloudHSM, which was not clustered and it was blatantly not HA, but there are still some differences in the availability/configuration of an HA solution:
with a clustered CloudHSM, you will need to make sure you configure it with subnets in each AZ in the region to survive AZ failure
KMS should survive AZ failure without your application noticing, as it’s a region level API service
even with clustered CloudHSM, if you need to survive a region failure, you will need to architect and build secondary CloudHSM clusters in different regions
KMS is available in all regions (unless you need asymmetric keys, and China has some differences), so you don’t have to make sure you’re building out infrastructure in secondary regions (though you’ll still need to do some coding for a multiregion solution https://aws.amazon.com/blogs/security/how-to-use-the-new-aws-encryption-sdk-to-simplify-data-encryption-and-improve-application-availability/ )
At least, that’s my interpretation of the slides and discussion. Hope this helps.