The Appliance User (AU) is a user that exists on all HSMs and is used to carry out the cloning and synchronization actions of your HSMs. The AWS CloudHSM service itself calls upon the AU to ensure that the synchronization of your HSMs within your cluster is maintained.
From a permission perspective, the AU carries the same permissions as the CO. However, it is unable to change passwords or add/remove any other users.
To conclude, let's quickly compare the user permissions of all the user types we just covered:
| Operations | Precrypto Officer (PRECO) | Crypto Officer (CO) | Crypto User (CU) | Appliance User (AU) |
| --- | --- | --- | --- | --- |
| Obtain basic cluster information (number of HSMs in cluster, IP address, serial number, and so on) | No | Yes | Yes | Yes |
| Zeroize HSMs (delete keys, certificates, and data on the HSM) | No | Yes | Yes | Yes |
| Change own password | Yes | Yes | Yes | Yes |
| Change any user's password | No | Yes | No | No |
| Add and remove users | ... |