Overview:
AWS CloudHSM has introduced a new instance type, hsm2m.medium, which is intended to provide security compliance aligned with the FIPS 140-3 standard. However, organizations using this instance type are reporting significant increases in authentication latency, particularly under high concurrency, when multiple clients authenticate to the HSM at the same time.
Vault's highly available nature requires that backing HSMs support multiple concurrent client requests. Customers currently using CloudHSM v1 should proactively contact AWS Support and request to postpone their upgrade to CloudHSM v2.
Additional Details:
AWS CloudHSM's new instance type, hsm2m.medium, introduces significant latency during authentication requests. The increase in latency is particularly severe when multiple clients attempt to authenticate to the HSM simultaneously, as documented by AWS on their known issues page.
AWS is aware of the impact of this change on Vault Enterprise clusters and has recommended that affected customers open a Sev-1 case with AWS Support and request a rollback of their CloudHSM instances to the previous hsm1m.medium type (citing the known issue of increased authentication latency), or follow the rollback process as documented here.
Note that the hsm1m.medium instance type is compliant only with FIPS 140-2, not FIPS 140-3. AWS is working on performance improvements for hsm2m.medium with its hardware partner, though there is not yet a committed timeframe for these improvements to be rolled out.
Customers currently on CloudHSM v1 who have not yet migrated to v2 should proactively reach out to AWS Support and request to postpone the upgrade to version 2. This can help avoid performance degradation until the latency issue with the hsm2m.medium instance type is resolved.
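Before opening a support case it helps to know which clusters are on the affected type. The following is an added example, not HashiCorp or AWS tooling: it reads the JSON output of `aws cloudhsmv2 describe-clusters` and flags every cluster whose HsmType is hsm2m.medium. The field names ClusterId, HsmType, State and Hsms are assumed to match the CloudHSM v2 DescribeClusters response; the embedded sample output is constructed.

```python
"""Flag CloudHSM clusters running the hsm2m.medium instance type.

Added example (not HashiCorp's or AWS's own code). Pipe the output of
`aws cloudhsmv2 describe-clusters --output json` into it, or run it as-is
against the constructed SAMPLE below.
"""
import json

AFFECTED_TYPE = "hsm2m.medium"  # FIPS 140-3 type with the authentication latency issue
PREVIOUS_TYPE = "hsm1m.medium"  # FIPS 140-2 type that AWS can roll a cluster back to


def find_affected_clusters(describe_output: str) -> list:
    """Return one summary record per cluster whose HsmType is hsm2m.medium.

    Field names (Clusters, ClusterId, HsmType, State, Hsms) are assumed to
    match the DescribeClusters API response.
    """
    clusters = json.loads(describe_output).get("Clusters", [])
    affected = []
    for cluster in clusters:
        if cluster.get("HsmType") != AFFECTED_TYPE:
            continue
        hsms = cluster.get("Hsms", [])
        affected.append({
            "cluster_id": cluster.get("ClusterId"),
            "state": cluster.get("State"),
            "hsm_count": len(hsms),
            # Only ACTIVE HSMs serve Vault's concurrent authentication requests.
            "active_hsms": sum(1 for h in hsms if h.get("State") == "ACTIVE"),
        })
    return affected


# Constructed sample: one cluster on each instance type (not real cluster ids).
SAMPLE = json.dumps({"Clusters": [
    {"ClusterId": "cluster-EXAMPLE1", "HsmType": PREVIOUS_TYPE, "State": "ACTIVE",
     "Hsms": [{"HsmId": "hsm-EXAMPLE1", "State": "ACTIVE"}]},
    {"ClusterId": "cluster-EXAMPLE2", "HsmType": AFFECTED_TYPE, "State": "ACTIVE",
     "Hsms": [{"HsmId": "hsm-EXAMPLE2", "State": "ACTIVE"},
              {"HsmId": "hsm-EXAMPLE3", "State": "CREATE_IN_PROGRESS"}]},
]})

if __name__ == "__main__":
    import sys
    data = SAMPLE if sys.stdin.isatty() else sys.stdin.read()
    for rec in find_affected_clusters(data):
        print(f"{rec['cluster_id']}: on {AFFECTED_TYPE}, "
              f"{rec['active_hsms']}/{rec['hsm_count']} HSMs active; "
              f"consider an AWS Support case or rollback to {PREVIOUS_TYPE}")
```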