Posted On: Nov 26, 2018

AWS Key Management Service (KMS) has integrated with AWS CloudHSM so you now have the option to create your own KMS custom key store. Each custom key store is backed by an AWS CloudHSM cluster and enables you to generate, store, and use your KMS keys in hardware security modules (HSMs) that you control. The KMS custom key store helps satisfy compliance obligations that would otherwise require the use of on-premises HSMs and supports AWS services and encryption toolkits that are integrated with KMS.

With this new feature, you can generate AWS KMS customer master keys (CMKs) and store them in a custom key store rather than the default KMS key store. Each KMS custom key store is created using HSM instances in an AWS CloudHSM cluster that you own and can manage independently of KMS. When you use a KMS CMK in a custom key store, the cryptographic operations under that key are performed exclusively in your CloudHSM cluster. Master keys that are stored in a custom key store are managed in the same way as any other master key in KMS and can be used by any AWS service that encrypts data and that supports KMS customer managed CMKs.

The use of a custom key store does not affect KMS charges for storing and using a CMK. However, a custom key store does involve the additional cost of maintaining a CloudHSM cluster with at least two HSMs. See AWS CloudHSM pricing.

For more information, visit the KMS custom key store FAQ and for guidance on whether custom key stores are a good fit for your requirements you can read this blog.