How should a security engineer share the HSM that is hosted in the central account with the new dedicated account?
Use AWS Resource Access Manager (AWS RAM) to share the VPC subnet ID of the HSM that is hosted in the central account with the new dedicated account. Configure the CloudHSM security group to accept inbound traffic from the private IP addresses of client instances in the new dedicated account.
Use AWS Identity and Access Management (IAM) to create a cross-account role to access the CloudHSM cluster that is in the central account. Create a new IAM user in the new dedicated account. Assign the cross-account role the new IAM user.
Use AWS Single Sign-On to create an AWS Security Token Service (AWS STS) token to authenticate from the new dedicated account to the central account. Use the cross-account permissions that are assigned to the STS token to invoke an operation on the HSM in the central account.
Use AWS Resource Access Manager (AWS RAM) to share the ID of the HSM that is hosted in the central account with the new dedicated account. Configure the CloudHSM security group to accept inbound traffic from the private IP addresses of client instances in the new dedicated account.
Explanations:
AWS Resource Access Manager (AWS RAM) can be used to share VPC resources like subnets across accounts. Sharing the subnet where the CloudHSM is located allows instances in the new account to connect to the HSM via the shared network.
IAM roles cannot directly provide access to CloudHSM resources, as HSMs do not use IAM for authorization. HSM access requires network connectivity and client-side configuration within the VPC.
AWS STS tokens and AWS Single Sign-On do not facilitate direct network access to CloudHSM resources, which requires network-level sharing, not identity-based access.
AWS RAM does not support direct sharing of CloudHSM resources themselves. Instead, network components like subnets must be shared to allow access to the CloudHSM cluster hosted in a central account.
As far as I’m aware, the answer is:
Use AWS Resource Access Manager (AWS RAM) to share the VPC subnet ID of the HSM that is hosted in the central account with the new dedicated account. Configure the CloudHSM security group to accept inbound traffic from the private IP addresses of client instances in the new dedicated account.