AWS CloudHSM is a cloud-based hardware security module (HSM) that allows you to easily add secure key storage and high-performance crypto operations to your AWS applications. CloudHSM has no upfront costs and provides the ability to start and stop HSMs on-demand, allowing you to provision capacity when and where it is needed quickly and cost-effectively. CloudHSM is a managed service that automates time-consuming administrative tasks, such as hardware provisioning, software patching, high availability, and backups.
CloudHSM is one of several AWS services, including AWS Key Management Service (KMS), which offer a high level of security for your cryptographic keys. KMS provides an easy, cost-effective way to manage encryption keys on AWS that meets the security needs for the majority of customer data. CloudHSM offers customers the option of single-tenant access and control over their HSMs.
AWS CloudHSM offers single-tenant access to tamper-resistant HSMs that comply with the U.S. Government’s FIPS 140-2 Level 3 standard for cryptographic modules.
AWS CloudHSM makes it easy to scale your HSM capacity. You can add and remove HSMs on-demand using the AWS Management Console and AWS API.
AWS CloudHSM is an open solution that eliminates vendor lock-in. With CloudHSM, you can transfer your keys to other commercial HSM solutions to make it easy for you to migrate keys on or off of the AWS Cloud.
AWS CloudHSM offers integration with custom applications via industry-standard APIs and supports multiple programming languages, including PKCS#11, Java Cryptography Extensions (JCE), and Microsoft CryptoNG (CNG) libraries.
AWS CloudHSM supports quorum authentication for critical administrative and key management functions. CloudHSM also supports multi-factor authentication (MFA) using tokens you provide.
AWS CloudHSM is a managed service that automates time-consuming administrative tasks, such as hardware provisioning, software patching, high availability, and backups.
Secure and highly-available by design
AWS CloudHSM runs in your own Amazon Virtual Private Cloud (VPC), enabling you to easily use your HSMs with applications running on your Amazon EC2 instances. With CloudHSM, you can use standard VPC security controls to manage access to your HSMs. Your applications connect to your HSMs using mutually authenticated SSL channels established by your HSM client software. Since your HSMs are located in Amazon datacenters near your EC2 instances, you can reduce the network latency between your applications and HSMs versus an on-premises HSM.
A: AWS manages the hardware security module (HSM) appliance, but does not have access to your keys
B: You control and manage your own keys
C: Application performance improves (due to close proximity with AWS workloads)
D: Secure key storage in tamper-resistant hardware available in multiple Availability Zones (AZs)
E: Your HSMs are in your Virtual Private Cloud (VPC) and isolated from other AWS networks.
Separation of duties and role-based access control is inherent in the design of the AWS CloudHSM. AWS monitors the health and network availability of your HSMs but is not involved in the creation and management of the key material stored within your HSMs. You control the HSMs and the generation and use of your encryption keys.
AWS CloudHSM automatically load balances requests and securely duplicates keys stored in any HSM to all of the other HSMs in the cluster. This provides additional cryptographic capacity and improves the durability of the keys. By storing multiple copies of your keys across HSMs located in different Availability Zones (AZs), your keys will be available and protected in the event that a single HSM becomes unavailable. Using at least two HSMs across multiple AZs is Amazon’s recommended configuration for availability and durability.
AWS CloudHSM Client load balances requests and securely replicates key material among participating HSMs in the cluster.