Posted On: Sep 10, 2018

AWS CloudHSM customers can now safely delete their CloudHSM backups on-demand, through the AWS SDK and CLI. Backups marked for deletion are held in escrow for a period of 7 days, giving customers a chance to restore their critical key data before it is permanently deleted. Calls to delete and restore backups are recorded in CloudTrail. This feature is available in all CloudHSM regions.

AWS CloudHSM automatically takes secure backups of customer key material and stores them in Amazon S3. This is a key benefit for customers, as it provides durable protection against losing keys due to failed hardware or accidental deletion. If customers want to irrevocably delete a key or remove a user's access to the cluster for security or compliance reasons, they must also delete any backups that contain those keys or users. Deleting these backups prevents them from being restored in the future.  

There is no charge for deleting or restoring backups. To learn more about this feature, go here.