AWS CloudHSM Documentation

AWS CloudHSM is a cloud-based hardware security module (HSM) that allows you to add secure key storage and high-performance crypto operations to your AWS applications. CloudHSM provides the ability to start and stop HSMs on-demand, allowing you to provision capacity when and where it is needed. CloudHSM is a managed service that automates time-consuming administrative tasks, such as hardware provisioning, software patching, high availability, and backups.
CloudHSM is one of several AWS services offering a high level of security for your cryptographic keys. CloudHSM offers customers the option of single-tenant access and control over their HSMs and you can use CloudHSM to help demonstrate compliance with security and privacy regulations.

Key Features

Scalable HSM capacity
AWS CloudHSM allows you to scale your HSM capacity. You can add and remove HSMs on-demand using the AWS Management Console and AWS API.
Open solution

AWS CloudHSM is an open solution that eliminates vendor lock-in. With CloudHSM, you can transfer your keys to other commercial HSM solutions to make it easy for you to migrate keys on or off of the AWS Cloud.

Industry-standard APIs
AWS CloudHSM offers integration with custom applications via industry-standard APIs and supports multiple programming languages.
Secure authentication
AWS CloudHSM supports quorum authentication for critical administrative and key management functions. CloudHSM also supports multi-factor authentication (MFA) using tokens you provide.
AWS-managed infrastructure
AWS CloudHSM is a managed service that automates time-consuming administrative tasks, such as hardware provisioning, software patching, high availability, and backups.

Secure and highly-available by design

Secure VPC access
AWS CloudHSM runs in your own Amazon Virtual Private Cloud (VPC), enabling you to use your HSMs with applications running on your Amazon EC2 instances. With CloudHSM, you can use standard VPC security controls to manage access to your HSMs. Your applications connect to your HSMs using mutually authenticated SSL channels established by your HSM client software. Since your HSMs are located in Amazon datacenters near your EC2 instances, you can reduce the network latency between your applications and HSMs versus an on-premises HSM.
Separation of duties
Separation of duties and role-based access control is inherent in the design of the AWS CloudHSM. AWS monitors the health and network availability of your HSMs but is not involved in the creation and management of the key material stored within your HSMs. You control the HSMs and the generation and use of your encryption keys.
Load balancing and high availability
AWS CloudHSM load balances requests and duplicates keys stored in any HSM to all of the other HSMs in the cluster. This provides additional cryptographic capacity and improves the durability of the keys. By storing multiple copies of your keys across HSMs located in different Availability Zones (AZs), your keys will be available and protected in the event that a single HSM becomes unavailable. Using at least two HSMs across multiple AZs is Amazon’s recommended configuration for availability and durability.

Additional Information

For additional information about service controls, security features and functionalities, including, as applicable, information about storing, retrieving, modifying, restricting, and deleting data, please see This additional information does not form part of the Documentation for purposes of the AWS Customer Agreement available at, or other agreement between you and AWS governing your use of AWS’s services.