With AWS CloudHSM you can:

  • Protect and store your cryptographic keys with industry standard, tamper-resistant HSM appliances. No one but you has access to your keys (including Amazon administrators who manage and maintain the appliance).
  • Use your most sensitive and regulated data on Amazon EC2 without giving applications direct access to your data's encryption keys.
  • Store and access data reliably from your applications that demand highly available and durable key storage and cryptographic operations.
  • Use AWS CloudHSM in conjunction with your compatible on-premises HSMs to replicate keys among on-premises HSMs and CloudHSM instances. This increases key durability and makes it easy to migrate cryptographic applications from your datacenter to AWS.

Get Started with AWS for Free

Create a Free Account
Or Sign In to the Console

Receive twelve months of access to the AWS Free Usage Tier and enjoy AWS Basic Support features including, 24x7x365 customer service, support forums, and more.

Please note that AWS CloudHSM is not currently available on the AWS Free Usage Tier.

You can use AWS CloudHSM to support a variety of use cases and applications, such as database encryption, Digital Rights Management (DRM), and Public Key Infrastructure (PKI) including authentication and authorization, document signing, and transaction processing. AWS CloudHSM currently utilizes Luna SA HSMs from SafeNet, Inc., a leader in data protection solutions. The Luna SA is designed to meet Federal Information Processing Standard (FIPS) 140-2 and Common Criteria EAL4+ standards, and supports a variety of industry standard cryptographic algorithms.

When you sign up for AWS CloudHSM, you receive dedicated single tenant access to CloudHSM appliances. Each appliance appears as a resource in your VPC. You, not AWS, initialize and manage the cryptographic domain of the CloudHSM. The cryptographic domain is a logical and physical security boundary that restricts access to your keys. This means that only you will control your keys and operations performed by the CloudHSM. Amazon administrators will manage, maintain, and monitor the health of the CloudHSM appliance, but do not have access to the cryptographic domain. After initializing the cryptographic domain, you can configure a client on your EC2 instance that allows your applications to use the APIs provided by the CloudHSM.

Your applications can use the standard APIs supported by the CloudHSM, such as PKCS#11, Microsoft CAPI/CNG and Java JCA/JCE (Java Cryptography Architecture/Java Cryptography Extensions). Please see the AWS CloudHSM FAQ for a complete list of supported APIs. The CloudHSM client provides the APIs to your applications and implements each API call by connecting to the CloudHSM appliance using a mutually authenticated SSL connection.

CloudHSM instances are in your VPC, so it is easy to use them with your EC2 applications. You use standard Amazon VPC security mechanisms to control access to CloudHSM instances. Your applications connect to the CloudHSM using a mutually authenticated SSL channel established by the HSM client software. Since CloudHSM instances are located in Amazon datacenters near your EC2 instances, your applications have reduced network latency versus use of an on-premises HSM.

Key Storage

Separation of duties and role-based access control is inherent in the design of the CloudHSM. AWS has administrative credentials to the appliance, but these can only be used to manage and maintain the appliance, and not to access the HSM partitions on the appliance. AWS monitors the health and network availability of CloudHSM instances but is not involved in the creation and management of the key material stored within an HSM. You control the HSM partitions and must perform these tasks.


The HSM client software can load balance requests across two or more CloudHSM instances that span AWS availability zones (AZs) and automatically and securely duplicate keys stored in any CloudHSM to all of the other participating HSMs. This provides additional cryptographic capacity and improves durability of the keys. By storing multiple copies of your keys across HSMs located in different AZs, your keys will be available and protected in the event that a single CloudHSM instance becomes unavailable. Using at least two CloudHSM instances across multiple AZs is Amazon’s recommended configuration for availability and durability.

Load Balancing and HA

Cloud HSMs are compatible with SafeNet Luna SA HSM appliances. Using a combination of CloudHSM instances within the cloud, and SafeNet Luna SA HSMs in your on-premises datacenter, you can securely replicate your cryptographic keys between the cloud and your datacenter. Additionally, by maintaining a copy of your cryptographic keys on-premises, you can increase durability and provide further assurance that you maintain control of your keys at all times.

Combine with On-prem HSMs

CloudHSM for Amazon RDS Oracle TDE enables Transparent Data Encryption, a standard feature of Oracle 11g, for encrypting the database in a way that is transparent to your applications, while creating and storing the master encryption key on CloudHSM devices that you control. The RDS database instance cannot start unless you provide access to the master key on the HSM. Storing the master encryption key on a third-party validated HSM that you control can help you meet strict regulatory and compliance requirements for strong key protection.


AWS CloudHSM is currently available in multiple AZs in the US East (Northern Virginia), US East (Ohio), US West (Northern California), US West (Oregon), EU (Ireland), Canada (Central), EU (Frankfurt), Asia Pacific (Tokyo), Asia Pacific (Singapore), Asia Pacific (Sydney), and AWS GovCloud (US) Regions.

Your use of this service is subject to the Amazon Web Services Customer Agreement.