Known issues for AWS CloudHSM hsm2m.medium instances - AWS CloudHSM

Known issues for AWS CloudHSM hsm2m.medium instances

The following issues impact all AWS CloudHSM hsm2m.medium instances.

Issue: Increased login latency on hsm2m.medium

  • Impact: Login on hsm2m.medium follows an overly strict interpretation of compliance requirements, which increases login latency.

  • Resolution: If you created a new hsm2m.medium instance, or migrated to hsm2m.medium from hsm1.medium, before December 20th, 2025, you must reset your password to take advantage of the login performance improvements we have implemented. Refer to the CloudHSM CLI user change-password command for instructions.

Issue: Increased find key latency on hsm2m.medium

  • Impact: hsm2m.medium uses an improved fair-share architecture, which gives more consistent and predictable performance than hsm1.medium. On hsm1.medium, customers may observe higher find-key performance because HSM resources are not shared evenly between clients; that hsm1.medium find-key performance will decrease when the HSM instance is patched or updated with new firmware. This issue affects operations that look up keys by attribute, such as KeyStore.getKey() in JCE.

  • Resolution: This issue has been resolved. As a best practice, cache the results of find-key operations: find key is resource intensive on the HSM, and caching reduces the total number of find-key calls. In addition, implement client-side retries with exponential backoff and jitter to reduce failures caused by HSM throttling.

Issue: A CO trying to set the trusted attribute of a key fails with Client SDK 5.12.0 and earlier

  • Impact: Any CO user attempting to set the trusted attribute of a key receives an error indicating that the user type should be CO or CU, even though the user is a CO.

  • Resolution: Future versions of the Client SDK will resolve this issue. Updates will be announced in our user guide's Document history.

Issue: ECDSA verify fails with Client SDK 5.12.0 and earlier for clusters in FIPS mode

  • Impact: ECDSA verify operations performed against HSMs in FIPS mode fail.

  • Resolution status: This issue has been resolved in the Client SDK 5.13.0 release. You must upgrade to this client version or later to benefit from the fix.

Issue: Only PEM-formatted certificates can be registered as mTLS trust anchors with CloudHSM CLI

  • Impact: Certificates in DER format cannot be registered as mTLS trust anchors with CloudHSM CLI.

  • Workaround: Convert a DER-format certificate to PEM with the following openssl command, then register the PEM file: openssl x509 -inform DER -outform PEM -in certificate.der -out certificate.pem

Issue: Customer applications stop processing all requests when using mTLS with a passphrase-protected client private key

  • Impact: All operations performed by the application are halted, and the user is prompted for the passphrase on standard input multiple times over the lifetime of the application. Operations time out and fail if the passphrase is not provided before the operation's timeout elapses.

  • Workaround: Passphrase-encrypted private keys are not supported for mTLS. Remove the passphrase encryption from the client private key, and restrict file permissions on the resulting unencrypted key so that only the application's user can read it.
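The two openssl workarounds above (DER-to-PEM conversion of a trust anchor, and removing the passphrase from the client private key) are shown together below as an added example; this is not AWS documentation or CloudHSM CLI code. It adds the checks a practitioner wants before registering the material: the converted PEM is compared against the DER original by SHA-256 fingerprint, an unencrypted key is only produced when the input actually carries encryption, and the output key file is created with 0600 permissions because nothing protects it once the passphrase is gone. The function names, the KEY_PASSIN variable and all file paths are assumptions.

```bash
#!/usr/bin/env bash
# Added example (not AWS code): prepare mTLS material for CloudHSM CLI.
# der_to_pem converts a DER trust-anchor certificate to PEM and verifies the
# result by fingerprint; strip_key_passphrase writes an unencrypted PKCS#8
# copy of a passphrase-protected client key and locks it to mode 0600.
# Function names, KEY_PASSIN and file paths are assumptions for illustration.
set -u

# der_to_pem <in.der> <out.pem>: convert, then confirm the PEM is the same
# certificate by comparing SHA-256 fingerprints of input and output.
der_to_pem() {
  local in="$1" out="$2" fp_der fp_pem
  openssl x509 -inform DER -outform PEM -in "$in" -out "$out" || return 1
  fp_der=$(openssl x509 -inform DER -in "$in" -noout -fingerprint -sha256) || return 1
  fp_pem=$(openssl x509 -inform PEM -in "$out" -noout -fingerprint -sha256) || return 1
  if [ "$fp_der" != "$fp_pem" ]; then
    echo "fingerprint mismatch after converting $in" >&2
    return 1
  fi
  return 0
}

# key_is_encrypted <key.pem>: succeeds if the PEM carries passphrase
# encryption (PKCS#8 "ENCRYPTED PRIVATE KEY" or legacy "Proc-Type: 4,ENCRYPTED").
key_is_encrypted() {
  grep -qE '^-----BEGIN ENCRYPTED PRIVATE KEY-----|^Proc-Type: 4,ENCRYPTED' "$1"
}

# strip_key_passphrase <in.pem> <out.pem>: write an unencrypted PKCS#8 copy.
# If KEY_PASSIN is set (an openssl -passin source such as "pass:..." or
# "env:VAR") it is passed through; otherwise openssl prompts on the terminal.
# Returns 2 if the input is not encrypted, 1 on any failure.
strip_key_passphrase() {
  local in="$1" out="$2"
  if ! key_is_encrypted "$in"; then
    echo "$in is not passphrase-protected; nothing to do" >&2
    return 2
  fi
  # Create the output file with restrictive permissions before writing the key.
  ( umask 077 && : > "$out" ) || return 1
  if [ -n "${KEY_PASSIN:-}" ]; then
    openssl pkey -in "$in" -passin "$KEY_PASSIN" -out "$out" || return 1
  else
    openssl pkey -in "$in" -out "$out" || return 1
  fi
  chmod 600 "$out" || return 1
  # Sanity check: the output parses as a private key and is no longer encrypted.
  openssl pkey -in "$out" -noout >/dev/null 2>&1 || return 1
  if key_is_encrypted "$out"; then return 1; fi
  return 0
}
```

Run der_to_pem on the DER anchor before registering it with CloudHSM CLI, and point the mTLS client configuration at the file produced by strip_key_passphrase rather than at the original encrypted key.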

Issue: User replicate fails when using the CloudHSM CLI

  • Impact: User replication fails on hsm2m.medium instances when using the CloudHSM CLI. The user replicate command works as expected on hsm1.medium instances.

  • Resolution: This issue has been resolved.

Issue: Operations can fail during backup creation

  • Impact: Operations like generating random numbers can fail on hsm2m.medium instances while AWS CloudHSM creates a backup.

  • Resolution: To minimize service interruptions, implement these best practices:

    • Create a multi-HSM cluster

    • Configure your applications to retry cluster operations

    For more information about best practices, see Best practices for AWS CloudHSM.

Issue: Client SDK 5.8 and above do not perform automatic retries for HSM throttled operations in some scenarios on hsm2m.medium

  • Impact: Client SDK 5.8 and above do not retry some HSM-throttled operations.

  • Workaround: Until you can upgrade, follow best practices to architect your cluster to handle the load, and implement application-level retries.

  • Resolution status: This issue has been resolved in the AWS CloudHSM Client SDK 5.16.2. You must upgrade to this client version or later to benefit from the fix.
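Three issues on this page point at the same client-side mitigation: retries with exponential backoff and jitter for throttled find-key operations, retrying cluster operations while a backup is created, and application-level retries where older Client SDKs do not retry throttled operations themselves. The block below is an added example of that retry shape for a command-line workflow; it is not AWS Client SDK code, and the application-side caching of find-key results mentioned above is not shown. It uses full jitter (a uniform delay between zero and the capped exponential ceiling), which spreads retries across clients instead of having them all return at the same instant, and it only retries errors whose text matches RETRY_ON_PATTERN so that non-transient failures such as authentication errors fail fast. The function names, RETRY_ON_PATTERN and the cloudhsm-cli usage line are assumptions.

```bash
#!/usr/bin/env bash
# Added example (not AWS Client SDK code): wrap a CloudHSM cluster operation
# in client-side retries with exponential backoff and full jitter.
# Function names, RETRY_ON_PATTERN and the usage line are assumptions.
set -u

# Only errors whose stderr matches this extended regex are retried. Empty
# (the default) retries every non-zero exit; narrow it to the throttling
# message your client emits so that authentication or argument errors fail fast.
: "${RETRY_ON_PATTERN:=}"

# backoff_ms <attempt> <base_ms> <cap_ms>: full-jitter delay for this attempt,
# uniform in [0, min(cap_ms, base_ms * 2^(attempt-1))].
backoff_ms() {
  local attempt="$1" base="$2" cap="$3" ceiling
  ceiling=$(( base << (attempt - 1) ))
  if [ "$ceiling" -gt "$cap" ]; then ceiling="$cap"; fi
  if [ "$ceiling" -le 0 ]; then echo 0; return 0; fi
  echo $(( ${RANDOM:-$$} % (ceiling + 1) ))
}

# retry_with_backoff <max_attempts> <base_ms> <cap_ms> <command...>
# Runs the command until it succeeds or attempts are exhausted. Returns 0 on
# the first success, otherwise the command's last exit status.
retry_with_backoff() {
  local max="$1" base="$2" cap="$3"; shift 3
  local attempt=1 rc=1 errfile delay
  errfile=$(mktemp)
  while :; do
    if "$@" 2>"$errfile"; then
      rm -f "$errfile"
      return 0
    else
      rc=$?
    fi
    cat "$errfile" >&2
    # A non-matching error is not transient: do not hammer the cluster.
    if [ -n "$RETRY_ON_PATTERN" ] && ! grep -qE "$RETRY_ON_PATTERN" "$errfile"; then
      break
    fi
    if [ "$attempt" -ge "$max" ]; then break; fi
    delay=$(backoff_ms "$attempt" "$base" "$cap")
    echo "attempt $attempt failed (rc=$rc); retrying in ${delay}ms" >&2
    sleep "$(( delay / 1000 )).$(printf '%03d' "$(( delay % 1000 ))")"
    attempt=$(( attempt + 1 ))
  done
  rm -f "$errfile"
  return "$rc"
}

# Usage (assumed command line; not executed here):
# RETRY_ON_PATTERN='throttl' retry_with_backoff 5 200 5000 cloudhsm-cli key list
```

Keep the attempt cap small and the ceiling well under your operation timeout: on a single-HSM cluster a backup or firmware update can outlast any reasonable retry window, which is why the page pairs retries with a multi-HSM cluster.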