AWS CloudHSM V2

2024/06/28 - AWS CloudHSM V2 - 3 new, 4 updated API methods

Changes: Added 3 new APIs to support backup sharing: GetResourcePolicy, PutResourcePolicy, and DeleteResourcePolicy. Added BackupArn to the output of the DescribeBackups API. Added support for BackupArn in the CreateCluster API.

PutResourcePolicy (new)

Creates or updates a CloudHSM resource policy. A resource policy helps you to define the IAM entity (for example, an Amazon Web Services account) that can manage your CloudHSM resources. The following resources support CloudHSM resource policies:

  • Backup - The resource policy allows you to describe the backup and restore a cluster from the backup in another Amazon Web Services account.

In order to share a backup, it must be in a 'READY' state and you must own it.

Warning

While you can share a backup using the CloudHSM PutResourcePolicy operation, we recommend using Resource Access Manager (RAM) instead. Using RAM provides multiple benefits: it creates the policy for you, allows multiple resources to be shared at one time, and increases the discoverability of shared resources. If you use PutResourcePolicy and want consumers to be able to describe the backups you share with them, you must promote the backup to a standard RAM Resource Share using the RAM PromoteResourceShareCreatedFromPolicy API operation. For more information, see Working with shared backups in the CloudHSM User Guide.

Cross-account use: No. You cannot perform this operation on a CloudHSM resource in a different Amazon Web Services account.

See also: AWS API Documentation

Request Syntax

client.put_resource_policy(
    ResourceArn='string',
    Policy='string'
)
type ResourceArn

string

param ResourceArn

Amazon Resource Name (ARN) of the resource to which you want to attach a policy.

type Policy

string

param Policy

The policy you want to associate with a resource.

For an example policy, see Working with shared backups in the CloudHSM User Guide.

rtype

dict

returns

Response Syntax

{
    'ResourceArn': 'string',
    'Policy': 'string'
}

Response Structure

  • (dict) --

    • ResourceArn (string) --

      Amazon Resource Name (ARN) of the resource to which a policy is attached.

    • Policy (string) --

      The policy attached to a resource.
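The PutResourcePolicy flow above, as an added example that is not part of the boto3 documentation: it builds a resource policy pinned to one consumer account and one backup ARN, and refuses to attach it unless the backup is in the READY state, the precondition the page states. The IAM action names `cloudhsm:DescribeBackups` and `cloudhsm:CreateCluster` are assumed from the user guide's sample share policy, and `share_backup` takes any object with the boto3 `cloudhsmv2` client's `describe_backups`/`put_resource_policy` methods, so it can be exercised offline with a stub.

```python
"""Share one CloudHSM backup with one consumer account via PutResourcePolicy.

Added example, not from the boto3 docs. Action names are assumed from the
user guide's sample policy; account ids and ARNs used by callers are
constructed placeholders.
"""
import json
import re

ACCOUNT_ID_RE = re.compile(r"^\d{12}$")


def build_backup_share_policy(backup_arn: str, consumer_account_id: str) -> str:
    """Return a least-privilege resource policy document as a JSON string.

    The principal is a single account root and the resource a single backup
    ARN, so the consumer can only describe this backup and create a cluster
    from it (CreateCluster with BackupArn); nothing else in the account.
    """
    if not ACCOUNT_ID_RE.match(consumer_account_id):
        raise ValueError(f"not a 12-digit account id: {consumer_account_id!r}")
    if not backup_arn.startswith("arn:aws:cloudhsm:"):
        raise ValueError(f"not a CloudHSM ARN: {backup_arn!r}")
    policy = {
        "Version": "2012-10-17",
        "Statement": [{
            "Sid": "AllowConsumerToDescribeAndRestore",
            "Effect": "Allow",
            "Principal": {"AWS": f"arn:aws:iam::{consumer_account_id}:root"},
            # Assumed action names (see lead-in); both are scoped to this ARN only.
            "Action": ["cloudhsm:DescribeBackups", "cloudhsm:CreateCluster"],
            "Resource": backup_arn,
        }],
    }
    return json.dumps(policy, indent=2)


def share_backup(client, backup_id: str, consumer_account_id: str) -> dict:
    """Attach the share policy only if the backup is owned here and READY.

    `client` is a boto3 cloudhsmv2 client, or any object with the same
    describe_backups / put_resource_policy methods and response shapes.
    """
    # Without Shared=True, DescribeBackups lists only backups this account owns,
    # so a hit here also confirms ownership.
    resp = client.describe_backups(Filters={"backupIds": [backup_id]})
    backups = resp.get("Backups", [])
    if not backups:
        raise LookupError(f"backup {backup_id} not found in this account")
    backup = backups[0]
    if backup["BackupState"] != "READY":
        raise RuntimeError(
            f"backup {backup_id} is {backup['BackupState']}, not READY")
    policy = build_backup_share_policy(backup["BackupArn"], consumer_account_id)
    return client.put_resource_policy(
        ResourceArn=backup["BackupArn"], Policy=policy)
```

Remember that consumers will only see the backup in DescribeBackups once the policy-created share is promoted with PromoteResourceShareCreatedFromPolicy, as the warning above explains.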

DeleteResourcePolicy (new)

Deletes a CloudHSM resource policy. Deleting a resource policy will result in the resource being unshared and removed from any RAM resource shares. Deleting the resource policy attached to a backup will not impact any clusters created from that backup.

Cross-account use: No. You cannot perform this operation on a CloudHSM resource in a different Amazon Web Services account.

See also: AWS API Documentation

Request Syntax

client.delete_resource_policy(
    ResourceArn='string'
)
type ResourceArn

string

param ResourceArn

Amazon Resource Name (ARN) of the resource from which the policy will be removed.

rtype

dict

returns

Response Syntax

{
    'ResourceArn': 'string',
    'Policy': 'string'
}

Response Structure

  • (dict) --

    • ResourceArn (string) --

      Amazon Resource Name (ARN) of the resource from which the policy was deleted.

    • Policy (string) --

      The policy previously attached to the resource.

GetResourcePolicy (new)

Retrieves the resource policy document attached to a given resource.

Cross-account use: No. You cannot perform this operation on a CloudHSM resource in a different Amazon Web Services account.

See also: AWS API Documentation

Request Syntax

client.get_resource_policy(
    ResourceArn='string'
)
type ResourceArn

string

param ResourceArn

Amazon Resource Name (ARN) of the resource to which a policy is attached.

rtype

dict

returns

Response Syntax

{
    'Policy': 'string'
}

Response Structure

  • (dict) --

    • Policy (string) --

      The policy attached to a resource.

DeleteBackup (updated)
Changes (response)
{'Backup': {'BackupArn': 'string'}}

Deletes a specified CloudHSM backup. A backup can be restored up to 7 days after the DeleteBackup request is made. For more information on restoring a backup, see RestoreBackup.

Cross-account use: No. You cannot perform this operation on a CloudHSM backup in a different Amazon Web Services account.

See also: AWS API Documentation

Request Syntax

client.delete_backup(
    BackupId='string'
)
type BackupId

string

param BackupId

[REQUIRED]

The ID of the backup to be deleted. To find the ID of a backup, use the DescribeBackups operation.

rtype

dict

returns

Response Syntax

{
    'Backup': {
        'BackupId': 'string',
        'BackupArn': 'string',
        'BackupState': 'CREATE_IN_PROGRESS'|'READY'|'DELETED'|'PENDING_DELETION',
        'ClusterId': 'string',
        'CreateTimestamp': datetime(2015, 1, 1),
        'CopyTimestamp': datetime(2015, 1, 1),
        'NeverExpires': True|False,
        'SourceRegion': 'string',
        'SourceBackup': 'string',
        'SourceCluster': 'string',
        'DeleteTimestamp': datetime(2015, 1, 1),
        'TagList': [
            {
                'Key': 'string',
                'Value': 'string'
            },
        ],
        'HsmType': 'string',
        'Mode': 'FIPS'|'NON_FIPS'
    }
}

Response Structure

  • (dict) --

    • Backup (dict) --

      Information on the Backup object deleted.

      • BackupId (string) --

        The identifier (ID) of the backup.

      • BackupArn (string) --

        The Amazon Resource Name (ARN) of the backup.

      • BackupState (string) --

        The state of the backup.

      • ClusterId (string) --

        The identifier (ID) of the cluster that was backed up.

      • CreateTimestamp (datetime) --

        The date and time when the backup was created.

      • CopyTimestamp (datetime) --

        The date and time when the backup was copied from a source backup.

      • NeverExpires (boolean) --

        Specifies whether the service should exempt a backup from the retention policy for the cluster. True exempts a backup from the retention policy. False means the service applies the backup retention policy defined at the cluster.

      • SourceRegion (string) --

        The AWS Region that contains the source backup from which the new backup was copied.

      • SourceBackup (string) --

        The identifier (ID) of the source backup from which the new backup was copied.

      • SourceCluster (string) --

        The identifier (ID) of the cluster containing the source backup from which the new backup was copied.

      • DeleteTimestamp (datetime) --

        The date and time when the backup will be permanently deleted.

      • TagList (list) --

        The list of tags for the backup.

        • (dict) --

          Contains a tag. A tag is a key-value pair.

          • Key (string) --

            The key of the tag.

          • Value (string) --

            The value of the tag.

      • HsmType (string) --

        The HSM type used to create the backup.

      • Mode (string) --

        The mode of the cluster that was backed up.

DescribeBackups (updated)
Changes (request, response)
Request
{'Shared': 'boolean'}
Response
{'Backups': {'BackupArn': 'string'}}

Gets information about backups of CloudHSM clusters. Lists either the backups you own or the backups shared with you when the Shared parameter is true.

This is a paginated operation, which means that each response might contain only a subset of all the backups. When the response contains only a subset of backups, it includes a NextToken value. Use this value in a subsequent DescribeBackups request to get more backups. When you receive a response with no NextToken (or an empty or null value), that means there are no more backups to get.

Cross-account use: Yes. Customers can describe backups in other Amazon Web Services accounts that are shared with them.

See also: AWS API Documentation

Request Syntax

client.describe_backups(
    NextToken='string',
    MaxResults=123,
    Filters={
        'string': [
            'string',
        ]
    },
    Shared=True|False,
    SortAscending=True|False
)
type NextToken

string

param NextToken

The NextToken value that you received in the previous response. Use this value to get more backups.

type MaxResults

integer

param MaxResults

The maximum number of backups to return in the response. When there are more backups than the number you specify, the response contains a NextToken value.

type Filters

dict

param Filters

One or more filters to limit the items returned in the response.

Use the backupIds filter to return only the specified backups. Specify backups by their backup identifier (ID).

Use the sourceBackupIds filter to return only the backups created from a source backup. The sourceBackupID of a source backup is returned by the CopyBackupToRegion operation.

Use the clusterIds filter to return only the backups for the specified clusters. Specify clusters by their cluster identifier (ID).

Use the states filter to return only backups that match the specified state.

Use the neverExpires filter to return backups filtered by the value in the neverExpires parameter. True returns all backups exempt from the backup retention policy. False returns all backups with a backup retention policy defined at the cluster.

  • (string) --

    • (list) --

      • (string) --

type Shared

boolean

param Shared

Describe backups that are shared with you.

Note

By default when using this option, the command returns backups that have been shared using a standard Resource Access Manager resource share. In order for a backup that was shared using the PutResourcePolicy command to be returned, the share must be promoted to a standard resource share using the RAM PromoteResourceShareCreatedFromPolicy API operation. For more information about sharing backups, see Working with shared backups in the CloudHSM User Guide.

type SortAscending

boolean

param SortAscending

Designates whether or not to sort the returned backups in ascending chronological order of generation.

rtype

dict

returns

Response Syntax

{
    'Backups': [
        {
            'BackupId': 'string',
            'BackupArn': 'string',
            'BackupState': 'CREATE_IN_PROGRESS'|'READY'|'DELETED'|'PENDING_DELETION',
            'ClusterId': 'string',
            'CreateTimestamp': datetime(2015, 1, 1),
            'CopyTimestamp': datetime(2015, 1, 1),
            'NeverExpires': True|False,
            'SourceRegion': 'string',
            'SourceBackup': 'string',
            'SourceCluster': 'string',
            'DeleteTimestamp': datetime(2015, 1, 1),
            'TagList': [
                {
                    'Key': 'string',
                    'Value': 'string'
                },
            ],
            'HsmType': 'string',
            'Mode': 'FIPS'|'NON_FIPS'
        },
    ],
    'NextToken': 'string'
}

Response Structure

  • (dict) --

    • Backups (list) --

      A list of backups.

      • (dict) --

Contains information about a backup of a CloudHSM cluster. All backup objects contain the BackupId, BackupState, ClusterId, and CreateTimestamp parameters. Backups that were copied into a destination region additionally contain the CopyTimestamp, SourceBackup, SourceCluster, and SourceRegion parameters. A backup that is pending deletion will include the DeleteTimestamp parameter.

        • BackupId (string) --

          The identifier (ID) of the backup.

        • BackupArn (string) --

          The Amazon Resource Name (ARN) of the backup.

        • BackupState (string) --

          The state of the backup.

        • ClusterId (string) --

          The identifier (ID) of the cluster that was backed up.

        • CreateTimestamp (datetime) --

          The date and time when the backup was created.

        • CopyTimestamp (datetime) --

          The date and time when the backup was copied from a source backup.

        • NeverExpires (boolean) --

          Specifies whether the service should exempt a backup from the retention policy for the cluster. True exempts a backup from the retention policy. False means the service applies the backup retention policy defined at the cluster.

        • SourceRegion (string) --

          The AWS Region that contains the source backup from which the new backup was copied.

        • SourceBackup (string) --

          The identifier (ID) of the source backup from which the new backup was copied.

        • SourceCluster (string) --

          The identifier (ID) of the cluster containing the source backup from which the new backup was copied.

        • DeleteTimestamp (datetime) --

          The date and time when the backup will be permanently deleted.

        • TagList (list) --

          The list of tags for the backup.

          • (dict) --

            Contains a tag. A tag is a key-value pair.

            • Key (string) --

              The key of the tag.

            • Value (string) --

              The value of the tag.

        • HsmType (string) --

          The HSM type used to create the backup.

        • Mode (string) --

          The mode of the cluster that was backed up.

    • NextToken (string) --

      An opaque string that indicates that the response contains only a subset of backups. Use this value in a subsequent DescribeBackups request to get more backups.
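The paginated DescribeBackups call with the new Shared parameter, as an added example that is not part of the boto3 documentation: it follows NextToken until the response carries none (or an empty value), derives each backup's owning account from the BackupArn the API now returns, and flags backups shared into this account by owners outside an allowlist, a useful periodic check because any READY shared backup can be restored into a cluster here. `client` is assumed to be a boto3 `cloudhsmv2` client or any object whose `describe_backups` has the same response shape; the ARNs in the test are constructed.

```python
"""Inventory backups shared into this account with DescribeBackups(Shared=True).

Added example, not from the boto3 docs. Works against a boto3 cloudhsmv2
client or any stub with the same describe_backups response shape.
"""


def iter_backups(client, shared: bool, page_size: int = 50):
    """Yield every backup, following NextToken until it is absent or empty."""
    kwargs = {"Shared": shared, "MaxResults": page_size}
    while True:
        resp = client.describe_backups(**kwargs)
        yield from resp.get("Backups", [])
        token = resp.get("NextToken")
        if not token:  # missing, null or empty token means no more pages
            return
        kwargs["NextToken"] = token


def owner_account(backup_arn: str) -> str:
    """Return the account id: the fifth colon-separated field of an ARN."""
    parts = backup_arn.split(":")
    if len(parts) < 6 or parts[2] != "cloudhsm":
        raise ValueError(f"not a CloudHSM ARN: {backup_arn!r}")
    return parts[4]


def shared_backup_inventory(client) -> list:
    """One row per backup shared into this account, with owner and state."""
    rows = []
    for b in iter_backups(client, shared=True):
        rows.append({
            "backup_id": b["BackupId"],
            "owner": owner_account(b["BackupArn"]),
            "state": b["BackupState"],
            "hsm_type": b.get("HsmType"),
            "mode": b.get("Mode"),
            # Only a READY backup can be used to create a cluster.
            "restorable": b["BackupState"] == "READY",
        })
    return rows


def unexpected_sharers(rows: list, trusted_accounts: set) -> list:
    """Backup ids shared by accounts not on the allowlist, for review."""
    return [r["backup_id"] for r in rows if r["owner"] not in trusted_accounts]
```

Backups shared through PutResourcePolicy only appear here after the share has been promoted with PromoteResourceShareCreatedFromPolicy, as the Note under the Shared parameter explains, so this inventory covers standard RAM shares.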

ModifyBackupAttributes (updated)
Changes (response)
{'Backup': {'BackupArn': 'string'}}

Modifies attributes for a CloudHSM backup.

Cross-account use: No. You cannot perform this operation on a CloudHSM backup in a different Amazon Web Services account.

See also: AWS API Documentation

Request Syntax

client.modify_backup_attributes(
    BackupId='string',
    NeverExpires=True|False
)
type BackupId

string

param BackupId

[REQUIRED]

The identifier (ID) of the backup to modify. To find the ID of a backup, use the DescribeBackups operation.

type NeverExpires

boolean

param NeverExpires

[REQUIRED]

Specifies whether the service should exempt a backup from the retention policy for the cluster. True exempts a backup from the retention policy. False means the service applies the backup retention policy defined at the cluster.

rtype

dict

returns

Response Syntax

{
    'Backup': {
        'BackupId': 'string',
        'BackupArn': 'string',
        'BackupState': 'CREATE_IN_PROGRESS'|'READY'|'DELETED'|'PENDING_DELETION',
        'ClusterId': 'string',
        'CreateTimestamp': datetime(2015, 1, 1),
        'CopyTimestamp': datetime(2015, 1, 1),
        'NeverExpires': True|False,
        'SourceRegion': 'string',
        'SourceBackup': 'string',
        'SourceCluster': 'string',
        'DeleteTimestamp': datetime(2015, 1, 1),
        'TagList': [
            {
                'Key': 'string',
                'Value': 'string'
            },
        ],
        'HsmType': 'string',
        'Mode': 'FIPS'|'NON_FIPS'
    }
}

Response Structure

  • (dict) --

    • Backup (dict) --

Contains information about a backup of a CloudHSM cluster. All backup objects contain the BackupId, BackupState, ClusterId, and CreateTimestamp parameters. Backups that were copied into a destination region additionally contain the CopyTimestamp, SourceBackup, SourceCluster, and SourceRegion parameters. A backup that is pending deletion will include the DeleteTimestamp parameter.

      • BackupId (string) --

        The identifier (ID) of the backup.

      • BackupArn (string) --

        The Amazon Resource Name (ARN) of the backup.

      • BackupState (string) --

        The state of the backup.

      • ClusterId (string) --

        The identifier (ID) of the cluster that was backed up.

      • CreateTimestamp (datetime) --

        The date and time when the backup was created.

      • CopyTimestamp (datetime) --

        The date and time when the backup was copied from a source backup.

      • NeverExpires (boolean) --

        Specifies whether the service should exempt a backup from the retention policy for the cluster. True exempts a backup from the retention policy. False means the service applies the backup retention policy defined at the cluster.

      • SourceRegion (string) --

        The AWS Region that contains the source backup from which the new backup was copied.

      • SourceBackup (string) --

        The identifier (ID) of the source backup from which the new backup was copied.

      • SourceCluster (string) --

        The identifier (ID) of the cluster containing the source backup from which the new backup was copied.

      • DeleteTimestamp (datetime) --

        The date and time when the backup will be permanently deleted.

      • TagList (list) --

        The list of tags for the backup.

        • (dict) --

          Contains a tag. A tag is a key-value pair.

          • Key (string) --

            The key of the tag.

          • Value (string) --

            The value of the tag.

      • HsmType (string) --

        The HSM type used to create the backup.

      • Mode (string) --

        The mode of the cluster that was backed up.

RestoreBackup (updated)
Changes (response)
{'Backup': {'BackupArn': 'string'}}

Restores a specified CloudHSM backup that is in the PENDING_DELETION state. For more information on deleting a backup, see DeleteBackup.

Cross-account use: No. You cannot perform this operation on a CloudHSM backup in a different Amazon Web Services account.

See also: AWS API Documentation

Request Syntax

client.restore_backup(
    BackupId='string'
)
type BackupId

string

param BackupId

[REQUIRED]

The ID of the backup to be restored. To find the ID of a backup, use the DescribeBackups operation.

rtype

dict

returns

Response Syntax

{
    'Backup': {
        'BackupId': 'string',
        'BackupArn': 'string',
        'BackupState': 'CREATE_IN_PROGRESS'|'READY'|'DELETED'|'PENDING_DELETION',
        'ClusterId': 'string',
        'CreateTimestamp': datetime(2015, 1, 1),
        'CopyTimestamp': datetime(2015, 1, 1),
        'NeverExpires': True|False,
        'SourceRegion': 'string',
        'SourceBackup': 'string',
        'SourceCluster': 'string',
        'DeleteTimestamp': datetime(2015, 1, 1),
        'TagList': [
            {
                'Key': 'string',
                'Value': 'string'
            },
        ],
        'HsmType': 'string',
        'Mode': 'FIPS'|'NON_FIPS'
    }
}

Response Structure

  • (dict) --

    • Backup (dict) --

      Information on the Backup object created.

      • BackupId (string) --

        The identifier (ID) of the backup.

      • BackupArn (string) --

        The Amazon Resource Name (ARN) of the backup.

      • BackupState (string) --

        The state of the backup.

      • ClusterId (string) --

        The identifier (ID) of the cluster that was backed up.

      • CreateTimestamp (datetime) --

        The date and time when the backup was created.

      • CopyTimestamp (datetime) --

        The date and time when the backup was copied from a source backup.

      • NeverExpires (boolean) --

        Specifies whether the service should exempt a backup from the retention policy for the cluster. True exempts a backup from the retention policy. False means the service applies the backup retention policy defined at the cluster.

      • SourceRegion (string) --

        The AWS Region that contains the source backup from which the new backup was copied.

      • SourceBackup (string) --

        The identifier (ID) of the source backup from which the new backup was copied.

      • SourceCluster (string) --

        The identifier (ID) of the cluster containing the source backup from which the new backup was copied.

      • DeleteTimestamp (datetime) --

        The date and time when the backup will be permanently deleted.

      • TagList (list) --

        The list of tags for the backup.

        • (dict) --

          Contains a tag. A tag is a key-value pair.

          • Key (string) --

            The key of the tag.

          • Value (string) --

            The value of the tag.

      • HsmType (string) --

        The HSM type used to create the backup.

      • Mode (string) --

        The mode of the cluster that was backed up.