With AWS CloudHSM you can:
- Protect and store your cryptographic keys in industry-standard, tamper-resistant HSM appliances. No one but you has access to your keys, not even the Amazon administrators who manage and maintain the appliance.
- Use your most sensitive and regulated data on Amazon EC2 without giving applications direct access to your data's encryption keys.
- Store and access keys reliably from applications that demand highly available, durable key storage and cryptographic operations.
- Use AWS CloudHSM together with compatible on-premises HSMs to replicate keys between your on-premises HSMs and your CloudHSMs. This increases key durability and makes it easier to migrate cryptographic applications from your datacenter to AWS.
You can use AWS CloudHSM to support a variety of use cases and applications, such as database encryption, Digital Rights Management (DRM), and Public Key Infrastructure (PKI) including authentication and authorization, document signing, and transaction processing. AWS CloudHSM currently utilizes Luna SA HSMs from SafeNet, Inc., a leader in data protection solutions. The Luna SA is designed to meet Federal Information Processing Standard (FIPS) 140-2 and Common Criteria EAL4+ standards, and supports a variety of industry standard cryptographic algorithms.
When you sign up for AWS CloudHSM, you receive dedicated single tenant access to CloudHSM appliances. Each appliance appears as a resource in your VPC. You, not AWS, initialize and manage the cryptographic domain of the CloudHSM. The cryptographic domain is a logical and physical security boundary that restricts access to your keys. This means that only you will control your keys and operations performed by the CloudHSM. Amazon administrators will manage, maintain, and monitor the health of the CloudHSM appliance, but do not have access to the cryptographic domain. After initializing the cryptographic domain, you can configure a client on your EC2 instance that allows your applications to use the APIs provided by the CloudHSM.
Your applications can use the standard APIs supported by the CloudHSM, such as PKCS#11, MS CAPI and Java JCA/JCE (Java Cryptography Architecture/Java Cryptography Extensions). Please see the AWS CloudHSM FAQ for a complete list of supported APIs. The CloudHSM client provides the APIs to your applications and implements each API call by connecting to the CloudHSM appliance using a mutually authenticated SSL connection.
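The following is an added example of the JCA/JCE path described above; it is not code from the CloudHSM client or from AWS. It uses the JDK's own SunPKCS11 provider to load a vendor PKCS#11 library and then signs through the standard `Signature` API, so the private key is only ever referenced by handle and never leaves the HSM. The library path, slot index, key alias and environment variable name are assumptions for illustration.

```java
import java.nio.charset.StandardCharsets;
import java.security.KeyStore;
import java.security.PrivateKey;
import java.security.Provider;
import java.security.Security;
import java.security.Signature;
import java.security.cert.Certificate;

/**
 * Sign with an HSM-resident RSA key through the standard JCA/JCE API.
 * Added example, not CloudHSM client code. The JDK's SunPKCS11 provider
 * bridges JCE to any PKCS#11 library; the path, slot, alias and env var
 * below are assumptions.
 */
public class HsmSigner {

    // Assumed location of the HSM client's PKCS#11 library and the slot to use.
    private static final String PKCS11_CONFIG =
            "name = CloudHSM\n" +
            "library = /usr/lib/libCryptoki2_64.so\n" +
            "slotListIndex = 0\n";

    /** Load SunPKCS11 with an inline config (the leading "--" means inline, JDK 9+). */
    public static Provider loadHsmProvider() {
        Provider p = Security.getProvider("SunPKCS11").configure("--" + PKCS11_CONFIG);
        Security.addProvider(p);
        return p;
    }

    /** Open the partition: load() performs the PKCS#11 login with the partition password. */
    public static KeyStore openPartition(Provider hsm, char[] partitionPassword) throws Exception {
        KeyStore ks = KeyStore.getInstance("PKCS11", hsm);
        ks.load(null, partitionPassword);
        return ks;
    }

    /** Sign inside the HSM; the key object is a handle, not key material. */
    public static byte[] sign(Provider hsm, KeyStore ks, String alias, byte[] message) throws Exception {
        PrivateKey key = (PrivateKey) ks.getKey(alias, null);
        if (key == null) {
            throw new IllegalStateException("no key with alias " + alias);
        }
        // Sanity check: SunPKCS11 returns null for a sensitive, non-extractable key.
        // A non-null encoding means the key material is exportable, which defeats
        // the point of using the HSM, so refuse to continue.
        if (key.getEncoded() != null) {
            throw new IllegalStateException("key " + alias + " is exportable; refusing to use it");
        }
        Signature s = Signature.getInstance("SHA256withRSA", hsm);
        s.initSign(key);
        s.update(message);
        return s.sign();
    }

    /** Verification needs only the public key and can use the default software provider. */
    public static boolean verify(Certificate cert, byte[] message, byte[] signature) throws Exception {
        Signature v = Signature.getInstance("SHA256withRSA");
        v.initVerify(cert.getPublicKey());
        v.update(message);
        return v.verify(signature);
    }

    public static void main(String[] args) throws Exception {
        String alias = args.length > 0 ? args[0] : "app-signing-key"; // assumed alias
        String pin = System.getenv("HSM_PARTITION_PASSWORD");            // never hard-code this
        if (pin == null) {
            throw new IllegalStateException("HSM_PARTITION_PASSWORD not set");
        }
        Provider hsm = loadHsmProvider();
        KeyStore ks = openPartition(hsm, pin.toCharArray());
        byte[] msg = "transaction 42: debit 100.00".getBytes(StandardCharsets.UTF_8);
        byte[] sig = sign(hsm, ks, alias, msg);
        Certificate cert = ks.getCertificate(alias);
        System.out.println("signature valid: " + verify(cert, msg, sig));
    }
}
```

The same pattern applies to the vendor's native JCE provider instead of SunPKCS11; only the provider class and keystore type change. The exportability check is worth keeping in production code: a key that was accidentally generated as extractable, or a software fallback provider silently picked up by `Signature.getInstance`, would otherwise go unnoticed.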
CloudHSMs are in your VPC, so it is easy to use them with your EC2 applications. You use standard Amazon VPC security mechanisms to control access to your CloudHSMs. Your applications connect to the CloudHSM over a mutually authenticated SSL channel established by the HSM client software. Since CloudHSMs are located in Amazon datacenters near your EC2 instances, your applications see lower network latency than they would with an on-premises HSM.
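The "standard VPC security mechanisms" above are, in practice, the security group attached to the HSM's network interface. The script below is an added example (not AWS tooling) of the check a practitioner would run over the output of `aws ec2 describe-security-groups`: it flags any ingress rule wider than the single client port, any CIDR-based source, and any source security group other than the application's. The port number (1792, the NTLS port used by the Luna SA client) and all security group ids are assumptions; the sample groups are constructed inline.

```python
"""Least-privilege check for a CloudHSM's VPC security group.

Added example, not AWS code. Assumptions not stated on the page: the HSM
client talks to the appliance on a single TCP port (HSM_PORT, set to 1792,
the NTLS port used by the Luna SA client), and the only legitimate source
is the application instances' security group (APP_SG, a hypothetical id).
Input follows the JSON shape of `aws ec2 describe-security-groups`.
"""

HSM_PORT = 1792
APP_SG = "sg-0aaa111app"  # hypothetical application security group


def _describe(perm):
    """Human-readable label for one IpPermissions entry."""
    proto = perm.get("IpProtocol")
    if proto == "-1":
        return "all traffic"
    return f"{proto}/{perm.get('FromPort')}-{perm.get('ToPort')}"


def audit_hsm_security_group(group, hsm_port=HSM_PORT, allowed_source_sgs=(APP_SG,)):
    """Return findings for ingress rules that are broader than needed.

    An empty list means every rule is exactly tcp/hsm_port sourced only from
    an approved security group. CIDR sources are flagged even when narrow,
    because instance IPs change while a security-group reference does not.
    """
    findings = []
    for perm in group.get("IpPermissions", []):
        desc = _describe(perm)
        exact_port = (
            perm.get("IpProtocol") == "tcp"
            and perm.get("FromPort") == hsm_port
            and perm.get("ToPort") == hsm_port
        )
        if not exact_port:
            findings.append(f"{desc}: broader than tcp/{hsm_port}")
        for rng in perm.get("IpRanges", []) + perm.get("Ipv6Ranges", []):
            cidr = rng.get("CidrIp") or rng.get("CidrIpv6")
            findings.append(
                f"{desc}: CIDR source {cidr}; reference the application "
                "security group instead"
            )
        for pair in perm.get("UserIdGroupPairs", []):
            src = pair.get("GroupId")
            if src not in allowed_source_sgs:
                findings.append(f"{desc}: unexpected source security group {src}")
    return findings


# Constructed sample groups in describe-security-groups shape.
GOOD_GROUP = {
    "GroupId": "sg-0bbb222hsm",
    "IpPermissions": [
        {
            "IpProtocol": "tcp",
            "FromPort": HSM_PORT,
            "ToPort": HSM_PORT,
            "IpRanges": [],
            "Ipv6Ranges": [],
            "UserIdGroupPairs": [{"GroupId": APP_SG}],
        }
    ],
}

BAD_GROUP = {
    "GroupId": "sg-0ccc333hsm",
    "IpPermissions": [
        {  # right port, but open to the whole Internet
            "IpProtocol": "tcp",
            "FromPort": HSM_PORT,
            "ToPort": HSM_PORT,
            "IpRanges": [{"CidrIp": "0.0.0.0/0"}],
            "Ipv6Ranges": [],
            "UserIdGroupPairs": [],
        },
        {  # all protocols and ports from an unrelated security group
            "IpProtocol": "-1",
            "IpRanges": [],
            "Ipv6Ranges": [],
            "UserIdGroupPairs": [{"GroupId": "sg-0ddd444other"}],
        },
    ],
}

if __name__ == "__main__":
    for grp in (GOOD_GROUP, BAD_GROUP):
        print(grp["GroupId"], audit_hsm_security_group(grp) or ["ok"])
```

Feed it the real `SecurityGroups` entries from the CLI and treat any non-empty result as a blocker: the HSM should be reachable only from the instances that run the client, and only on the client port.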
Separation of duties and role-based access control are inherent in the design of the CloudHSM. AWS has administrative credentials to the appliance, but these can only be used to manage and maintain the appliance, not the HSM partitions on it. AWS monitors the health and network availability of CloudHSMs but is not involved in the creation and management of the key material stored within an HSM. You control the HSM partitions and must perform these tasks yourself.
The HSM client software can load balance requests across two or more CloudHSMs that span AWS availability zones (AZs) and automatically and securely duplicate keys stored in any CloudHSM to all of the other participating CloudHSMs. This provides additional cryptographic capacity and improves durability of the keys. By storing multiple copies of your keys across CloudHSMs located in different AZs, your keys will be available and protected in the event that a single CloudHSM becomes unavailable. Using at least two CloudHSMs across multiple AZs is Amazon’s recommended configuration for availability and durability.
CloudHSMs are compatible with SafeNet Luna SA HSM appliances. Using a combination of CloudHSMs in the cloud and SafeNet Luna SA HSMs in your on-premises datacenter, you can securely replicate your cryptographic keys between the cloud and your datacenter. By maintaining a copy of your cryptographic keys on-premises, you also increase durability and gain further assurance that you retain control of your keys at all times.
AWS CloudHSM is currently available in multiple AZs in the US East (Northern Virginia), US West (Oregon), EU (Ireland), and Asia Pacific (Sydney) Regions.
Your use of this service is subject to the Amazon Web Services Customer Agreement.