The AWS CloudHSM service helps you meet corporate, contractual and regulatory compliance requirements for data security by using dedicated Hardware Security Module (HSM) appliances within the AWS cloud.
AWS and AWS Marketplace partners offer a variety of solutions for protecting sensitive data within the AWS platform, but for applications and data subject to rigorous contractual or regulatory requirements for managing cryptographic keys, additional protection is sometimes necessary. Until now, your only option was to store the sensitive data (or the encryption keys protecting the sensitive data) in your on-premises datacenters. Unfortunately, this either prevented you from migrating these applications to the cloud or significantly slowed their performance. The AWS CloudHSM service allows you to protect your encryption keys within HSMs designed and validated to government standards for secure key management. You can securely generate, store, and manage the cryptographic keys used for data encryption such that they are accessible only by you. AWS CloudHSM helps you comply with strict key management requirements without sacrificing application performance.
The AWS CloudHSM service works with Amazon Virtual Private Cloud (VPC). CloudHSMs are provisioned inside your VPC with an IP address that you specify, providing simple and private network connectivity to your Amazon Elastic Compute Cloud (EC2) instances. Placing CloudHSMs near your EC2 instances decreases network latency, which can improve application performance. AWS provides dedicated and exclusive access to CloudHSMs, isolated from other AWS customers. Available in multiple Regions and Availability Zones (AZs), AWS CloudHSM allows you to add secure and durable key storage to your Amazon EC2 applications.
As part of the service, you have dedicated access to HSM capabilities in the cloud. AWS CloudHSM protects your cryptographic keys with tamper-resistant HSM appliances that are designed to comply with international (Common Criteria EAL4+) and U.S. Government (NIST FIPS 140-2) regulatory standards for cryptographic modules. You retain full control of your keys and cryptographic operations on the HSM, while Amazon manages and maintains the hardware without having access to your keys.
By protecting your keys in hardware and preventing them from being accessed by third parties, AWS CloudHSM can help you comply with the most stringent regulatory and contractual requirements for key protection.
AWS CloudHSM is available in multiple AZs and Regions to help you build highly available applications that require strong key protection. You can also use AWS CloudHSM with your compatible on-premises HSMs to securely store keys in your datacenter. This increases key durability and gives you the flexibility to securely migrate keys in and out of AWS.
CloudHSMs are in your VPC, so it is easy to use them with your Amazon EC2 applications. You use standard Amazon VPC security mechanisms to control access to your CloudHSMs.
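The "standard Amazon VPC security mechanisms" above are, in practice, the security group attached to the HSM's network interface. The following audit script is an added example, not AWS code: it checks an HSM security group for the two mistakes that undo the isolation the service provides, an ingress rule open to the world and an HSM client-port rule granted to a CIDR range rather than to the application tier's own security group. It assumes the HSM accepts client connections on TCP 1792 (the NTLS port of the SafeNet Luna appliances behind CloudHSM; an assumption, not stated on this page), that the rule records use the field names returned by EC2 DescribeSecurityGroups, and that the two groups and the group IDs below are constructed samples, not real AWS output.

```python
"""Audit the VPC security group that fronts a CloudHSM appliance.

Added example, not AWS code. Assumptions: the HSM listens for client
connections on TCP 1792 (NTLS), and security-group records follow the
EC2 DescribeSecurityGroups shape. WEAK_SG and HARDENED_SG are constructed
sample data.
"""

HSM_CLIENT_PORT = 1792          # assumption: NTLS client port of the HSM
APP_SG = "sg-app00001"          # constructed: security group of the EC2 application tier
WORLD = {"0.0.0.0/0", "::/0"}   # CIDRs that mean "anyone"

# Constructed: an HSM security group that exposes both the client port and
# SSH administration to the entire internet.
WEAK_SG = {
    "GroupId": "sg-hsm00001",
    "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 1792, "ToPort": 1792,
         "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "UserIdGroupPairs": []},
        {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
         "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "UserIdGroupPairs": []},
    ],
}

# Constructed: the corrected group. The client port is reachable only from
# instances in the application security group; SSH only from an admin subnet.
HARDENED_SG = {
    "GroupId": "sg-hsm00002",
    "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 1792, "ToPort": 1792,
         "IpRanges": [], "UserIdGroupPairs": [{"GroupId": APP_SG}]},
        {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
         "IpRanges": [{"CidrIp": "10.0.1.0/24"}],   # constructed: admin subnet
         "UserIdGroupPairs": []},
    ],
}


def rule_covers_port(rule, port):
    """True if this ingress rule permits TCP traffic to `port`."""
    if rule["IpProtocol"] == "-1":           # "-1" means all protocols, all ports
        return True
    if rule["IpProtocol"] != "tcp":
        return False
    return rule.get("FromPort", 0) <= port <= rule.get("ToPort", 65535)


def describe_rule(rule):
    """Short human-readable label for a rule, used in findings."""
    if rule["IpProtocol"] == "-1":
        return "all traffic"
    return f"{rule['IpProtocol']} {rule.get('FromPort')}-{rule.get('ToPort')}"


def audit_hsm_security_group(sg, allowed_client_sgs, hsm_port=HSM_CLIENT_PORT):
    """Return a list of findings; an empty list means the group passes.

    allowed_client_sgs: the security groups (typically the application
    tier's) that are permitted to reach the HSM client port.
    """
    findings = []
    for rule in sg["IpPermissions"]:
        label = describe_rule(rule)
        # CIDR-based grants: never to the world, and never for the client port
        # (the client port should be granted by security-group reference).
        for ip_range in rule.get("IpRanges", []) + rule.get("Ipv6Ranges", []):
            cidr = ip_range.get("CidrIp") or ip_range.get("CidrIpv6")
            if cidr in WORLD:
                findings.append(f"{label} open to the world via {cidr}")
            elif rule_covers_port(rule, hsm_port):
                findings.append(
                    f"{label} grants the HSM client port to CIDR {cidr}; "
                    "reference the application security group instead")
        # Security-group-based grants: only the expected client groups.
        for pair in rule.get("UserIdGroupPairs", []):
            if rule_covers_port(rule, hsm_port) and pair["GroupId"] not in allowed_client_sgs:
                findings.append(
                    f"{label} grants the HSM client port to unexpected "
                    f"security group {pair['GroupId']}")
    return findings


if __name__ == "__main__":
    for sg in (WEAK_SG, HARDENED_SG):
        result = audit_hsm_security_group(sg, {APP_SG})
        print(sg["GroupId"], "PASS" if not result else "FAIL")
        for finding in result:
            print("  -", finding)
```

The weak group yields two findings (both rules are open to 0.0.0.0/0), the hardened group yields none, and passing a different allow-list flags the application group reference as unexpected. In a live account the two constructed dictionaries would be replaced by the output of DescribeSecurityGroups for the group attached to the HSM's elastic network interface.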
By placing CloudHSMs in your VPC near your EC2 instances, you can reduce network latency and increase the performance of your AWS applications that use HSMs.