The AWS CloudHSM service helps you meet corporate, contractual and regulatory compliance requirements for data security by using dedicated Hardware Security Module (HSM) appliances within the AWS cloud.
AWS and AWS Marketplace partners offer a variety of solutions for protecting sensitive data within the AWS platform, but for applications and data subject to rigorous contractual or regulatory requirements for managing cryptographic keys, additional protection is sometimes necessary. Until now, your only option was to store the sensitive data (or the encryption keys protecting the sensitive data) in your on-premises datacenters. Unfortunately, this either prevented you from migrating these applications to the cloud or significantly slowed their performance. The AWS CloudHSM service allows you to protect your encryption keys within HSMs designed and validated to government standards for secure key management. You can securely generate, store, and manage the cryptographic keys used for data encryption such that they are accessible only by you. AWS CloudHSM helps you comply with strict key management requirements without sacrificing application performance.
The AWS CloudHSM service works with Amazon Virtual Private Cloud (VPC). CloudHSMs are provisioned inside your VPC with an IP address that you specify, providing simple and private network connectivity to your Amazon Elastic Compute Cloud (EC2) instances. Placing CloudHSMs near your EC2 instances decreases network latency, which can improve application performance. AWS provides dedicated and exclusive access to CloudHSMs, isolated from other AWS customers. Available in multiple Regions and Availability Zones (AZs), AWS CloudHSM allows you to add secure and durable key storage to your Amazon EC2 applications.
With AWS CloudHSM you can:
Secure Key Storage — As part of the service, you have dedicated access to HSM capabilities in the cloud. AWS CloudHSM protects your cryptographic keys with tamper-resistant HSM appliances that are designed to comply with international (Common Criteria EAL4+) and U.S. Government (NIST FIPS 140-2) regulatory standards for cryptographic modules. You retain full control of your keys and cryptographic operations on the HSM, while Amazon manages and maintains the hardware without having access to your keys.
Contractual and Regulatory Compliance — By protecting your keys in hardware and preventing them from being accessed by third parties, AWS CloudHSM can help you comply with the most stringent regulatory and contractual requirements for key protection.
Reliable and Durable Key Storage — AWS CloudHSM is available in multiple AZs and Regions to help you build highly available applications that require strong key protection. You can also use AWS CloudHSM with your compatible on-premises HSMs to securely store keys in your datacenter. This increases key durability and gives you the flexibility to securely migrate keys in and out of AWS.
Simple and Secure Connectivity — CloudHSMs are in your VPC, so it is easy to use them with your Amazon EC2 applications. You use standard Amazon VPC security mechanisms to control access to your CloudHSMs.
Improve Application Performance — By placing CloudHSMs in your VPC near your EC2 instances, you can reduce network latency and increase the performance of your AWS applications that use HSMs.
You will be charged a one-time upfront fee for each CloudHSM provisioned to you and an hourly fee for each HSM while it remains provisioned and available for your use.
* Requests for up to two CloudHSM appliances can typically be satisfied within a few business days, but may take longer. Requests for more than two CloudHSM appliances may take longer.
** Amazon reserves the right to charge for network data transfers in and out of a CloudHSM that exceed 5000 GB per month at a rate of $0.02 per GB.
You can use AWS CloudHSM to support a variety of use cases and applications, such as database encryption, Digital Rights Management (DRM), and Public Key Infrastructure (PKI) including authentication and authorization, document signing, and transaction processing. Please refer to the CloudHSM Getting Started Guide for a list of supported applications and links to detailed technical application notes that explain how to configure your applications with CloudHSM. AWS CloudHSM currently utilizes Luna SA HSMs from SafeNet, Inc., a leader in data protection solutions. The Luna SA is designed to meet Federal Information Processing Standard (FIPS) 140-2 and Common Criteria EAL4+ standards, and supports a variety of industry standard cryptographic algorithms.
When you sign up for AWS CloudHSM, you receive dedicated single tenant access to CloudHSM appliances. Each appliance appears as a resource in your VPC. You, not AWS, initialize and manage the cryptographic domain of the CloudHSM. The cryptographic domain is a logical and physical security boundary that restricts access to your keys. This means that only you will control your keys and operations performed by the CloudHSM. Amazon administrators will manage, maintain, and monitor the health of the CloudHSM appliance, but do not have access to the cryptographic domain. After initializing the cryptographic domain, you can configure a client on your EC2 instance that allows your applications to use the APIs provided by the CloudHSM.
Your applications can use the standard APIs supported by the CloudHSM, such as PKCS#11, MS CAPI and Java JCA/JCE (Java Cryptography Architecture/Java Cryptography Extension). Please see the AWS CloudHSM FAQ for a complete list of supported APIs. The CloudHSM client provides the APIs to your applications and implements each API call by connecting to the CloudHSM appliance using a mutually authenticated SSL connection.
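The following is an added example, not code from the AWS page or from SafeNet, showing what "use the APIs provided by the CloudHSM" looks like from the application side with the JCA/JCE interface: the key pair is generated inside the HSM, the private key the application holds is only a handle, signing is pinned to the HSM provider so it cannot silently fall back to a software implementation, and the public key is exported and verified with the JDK's default provider. It assumes the CloudHSM client is installed on the EC2 instance, is already logged in to the HSM partition, and exposes its JCE provider as the class com.safenetinc.luna.provider.LunaProvider; that class name, and the assumption that the provider returns null from getEncoded() for HSM-resident private keys, are not stated on the page and can be changed via the constructor argument.

```java
import java.nio.charset.StandardCharsets;
import java.security.KeyPair;
import java.security.KeyPairGenerator;
import java.security.PrivateKey;
import java.security.Provider;
import java.security.PublicKey;
import java.security.Security;
import java.security.Signature;

/**
 * Added example (not code from the AWS page or from SafeNet): generate an RSA key pair
 * inside the HSM and sign/verify with it through standard JCA/JCE calls, so the
 * application never handles private key material.
 *
 * Assumptions not stated on the page: the CloudHSM client is installed and logged in to
 * the partition, and its JCE provider class is com.safenetinc.luna.provider.LunaProvider.
 * Pass a different class name if your client ships a differently named provider.
 */
public final class HsmSigner {
    private static final String SIG_ALG = "SHA256withRSA";
    private final Provider hsm;

    /** Load the HSM provider by class name so this file compiles without the vendor jar. */
    public HsmSigner(String providerClass) throws Exception {
        hsm = (Provider) Class.forName(providerClass).getDeclaredConstructor().newInstance();
        if (Security.getProvider(hsm.getName()) == null) {
            Security.addProvider(hsm);
        }
    }

    /** Generate the key pair on the HSM; the returned private key object is only a handle. */
    public KeyPair generateKeyPair(int bits) throws Exception {
        KeyPairGenerator kpg = KeyPairGenerator.getInstance("RSA", hsm);
        kpg.initialize(bits);
        KeyPair kp = kpg.generateKeyPair();
        // Sanity check: an HSM-resident private key must not be exportable. A non-null
        // encoding means a software provider produced the key (assumption: the HSM
        // provider returns null from getEncoded() for its private keys).
        if (kp.getPrivate().getEncoded() != null) {
            throw new IllegalStateException(
                "private key material is exportable; key was not generated in the HSM");
        }
        return kp;
    }

    /** Sign with the HSM provider named explicitly, so the operation cannot fall back to software. */
    public byte[] sign(PrivateKey key, byte[] data) throws Exception {
        Signature s = Signature.getInstance(SIG_ALG, hsm);
        s.initSign(key);
        s.update(data);
        return s.sign();
    }

    /** Verify with the JDK's default provider: the public key is ordinary, exportable RSA. */
    public static boolean verify(PublicKey key, byte[] data, byte[] sig) throws Exception {
        Signature v = Signature.getInstance(SIG_ALG);
        v.initVerify(key);
        v.update(data);
        return v.verify(sig);
    }

    public static void main(String[] args) throws Exception {
        String providerClass = args.length > 0
            ? args[0] : "com.safenetinc.luna.provider.LunaProvider";  // assumed class name
        HsmSigner signer = new HsmSigner(providerClass);
        KeyPair kp = signer.generateKeyPair(2048);

        // Constructed sample input; in practice this would be the document or transaction.
        byte[] msg = "constructed sample transaction".getBytes(StandardCharsets.UTF_8);
        byte[] sig = signer.sign(kp.getPrivate(), msg);

        System.out.println("public key exportable: " + (kp.getPublic().getEncoded() != null));
        System.out.println("signature verifies:    " + verify(kp.getPublic(), msg, sig));
        msg[0] ^= 1;  // flip one bit; verification must now fail
        System.out.println("tampered verifies:     " + verify(kp.getPublic(), msg, sig));
    }
}
```

Two points worth keeping in mind when adapting this: always pass the HSM provider explicitly to getInstance for the private-key operations, because a bare getInstance("SHA256withRSA") picks the highest-priority provider that supports the algorithm and may run the operation in software against a different key; and when the client is configured with an HA group of CloudHSMs, as described below, the same application code runs unchanged, since the client presents the group to the provider as a single slot and handles the load balancing and key replication itself.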
CloudHSMs are in your VPC, so it is easy to use them with your EC2 applications. You use standard Amazon VPC security mechanisms to control access to your CloudHSMs. Your applications connect to the CloudHSM using a mutually authenticated SSL channel established by the HSM client software. Since CloudHSMs are located in Amazon datacenters near your EC2 instances, your applications have reduced network latency versus use of an on-premise HSM.
Separation of duties and role-based access control is inherent in the design of the CloudHSM. AWS has administrative credentials to the appliance, but these can only be used to manage and maintain the appliance, not the HSM partitions on the appliance. AWS monitors the health and network availability of CloudHSMs but is not involved in the creation and management of the key material stored within an HSM. You control the HSM partitions and must perform these tasks.
The HSM client software can load balance requests across two or more CloudHSMs that span AWS availability zones (AZs) and automatically and securely duplicate keys stored in any CloudHSM to all of the other participating CloudHSMs. This provides additional cryptographic capacity and improves durability of the keys. By storing multiple copies of your keys across CloudHSMs located in different AZs, your keys will be available and protected in the event that a single CloudHSM becomes unavailable. Using at least two CloudHSMs across multiple AZs is Amazon’s recommended configuration for availability and durability.
CloudHSMs are compatible with SafeNet Luna SA HSM appliances. Using a combination of CloudHSMs within the cloud and SafeNet Luna SA HSMs in your on-premises datacenter, you can securely replicate your cryptographic keys between the cloud and your datacenter. Additionally, by maintaining a copy of your cryptographic keys on-premises, you can increase durability and provide further assurance that you maintain control of your keys at all times.
AWS CloudHSM is currently available in multiple AZs in the US East (Northern Virginia), US West (Oregon), EU (Ireland), and Asia Pacific (Sydney) Regions.