The AWS CloudHSM service helps you meet corporate, contractual and regulatory compliance requirements for data security by using dedicated Hardware Security Module (HSM) appliances within the AWS cloud. With CloudHSM, you control the encryption keys and cryptographic operations performed by the HSM.

AWS and AWS Marketplace partners offer a variety of solutions for protecting sensitive data within the AWS platform, but for applications and data subject to rigorous contractual or regulatory requirements for managing cryptographic keys, additional protection is sometimes necessary. Until now, your only option was to store the sensitive data (or the encryption keys protecting the sensitive data) in your on-premises datacenters. Unfortunately, this either prevented you from migrating these applications to the cloud or significantly slowed their performance. The AWS CloudHSM service allows you to protect your encryption keys within HSMs designed and validated to government standards for secure key management. You can securely generate, store, and manage the cryptographic keys used for data encryption such that they are accessible only by you. AWS CloudHSM helps you comply with strict key management requirements without sacrificing application performance.

The AWS CloudHSM service works with Amazon Virtual Private Cloud (VPC). CloudHSM instances are provisioned inside your VPC with an IP address that you specify, providing simple and private network connectivity to your Amazon Elastic Compute Cloud (EC2) instances. Placing CloudHSM instances near your EC2 instances decreases network latency, which can improve application performance. AWS provides dedicated and exclusive (single tenant) access to CloudHSM instances, isolated from other AWS customers. Available in multiple Regions and Availability Zones (AZs), AWS CloudHSM allows you to add secure and durable key storage to your applications.

As part of the service, you have dedicated access to HSM capabilities in the cloud. AWS CloudHSM protects your cryptographic keys with tamper-resistant HSM appliances that are designed to comply with international (Common Criteria EAL4+) and U.S. Government (NIST FIPS 140-2) regulatory standards for cryptographic modules. You retain full control of your keys and cryptographic operations on the HSM, while Amazon manages and maintains the hardware without having access to your keys.

By protecting your keys in hardware and preventing them from being accessed by third parties, AWS CloudHSM can help you comply with the most stringent regulatory and contractual requirements for key protection.

The CloudHSM API, Command Line Interface (CLI) Tools, and SDK let you start and stop dedicated CloudHSM instances whenever you want.

AWS CloudHSM is available in multiple Regions and Availability Zones (AZs) to help you build highly available applications that require strong key protection. The CloudHSM Command Line Interface (CLI) Tools can help can help you configure high availability (HA) groups that span multiple availability zones, so you can build resilient applications. In the unlikely event of a hardware failure, you can launch a new CloudHSM instance and replicate the keys to the new HSM with a few commands. You can also use AWS CloudHSM with your compatible on-premises HSMs to securely store keys in your datacenter. This increases key durability and gives you the flexibility to securely migrate keys in and out of AWS.

CloudHSM instances are in your VPC, so it is easy to use them with your Amazon EC2 applications. You use standard Amazon VPC security mechanisms to control access to CloudHSM instances.

By placing CloudHSM instances in your VPC near your EC2 instances, you can reduce network latency and increase the performance of your AWS applications that use HSMs.

You can use CloudHSM with Amazon Redshift, Amazon Relational Database Service (RDS) Oracle, or third party applications such as SafeNet ProtectV volume encryption for EBS, Apache (SSL termination), or Microsoft SQL Server (transparent data encryption). You can also use CloudHSM when writing your own applications and continue to use the standard cryptographic libraries you’re familiar with, including PKCS#11, Java JCA/JCE, and Microsoft CAPI and CNG.

If you need to track resource changes, or audit activities for security and compliance purposes, you can review all of the CloudHSM API calls made from your account through CloudTrail. Additionally, you can audit operations on the HSM appliance using syslog or send syslog log messages to your own collector.