Skip to content


AWS CloudHSM (cloud-based hardware security module) is a cloud-based HSM that stores secure cryptographic keys and allows you to easily create and use your own encryption keys in the AWS Cloud.
CloudHSM allows you to manage your encryption keys using FIPS 140-2 Level 3, validated HSMs.
AWS CloudHSM meets corporate, contractual, and regulatory compliance requirements regarding data security through the use of dedicated HSM appliances within AWS Cloud.
Hardware security module (HSM), also known as a hardware appliance, is a device that stores keys and performs cryptographic operations in a tamper-resistant module.
They are equipped with logical and physical mechanisms that allow you to securely store cryptographic keys material and use it without exposing it beyond the appliance’s cryptographic boundary.
Physical protections include tamper detection or tamper response. The HSM is designed to secure destroy keys instead of risking compromise if there is a tampering incident.
Logical protections include role-based access control that allows for the separation of duties
CloudHSM provides encryption key protection within HSMs. It is designed and validated according to government standards for key management.
CloudHSM helps you comply with AWS key management requirements without sacrificing application performance
CloudHSM uses SafeNet Luna SA HSM appliances
HSMs are located within AWS data centers, which are managed and monitored by AWS. AWS does however not have access the keys.
CloudHSM performs periodic backups of users, keys, policies, and cluster configurations.
CloudHSM is a fully managed service that automates time-consuming administrative tasks such as software patching, hardware provisioning, high availability, backups, and software patching.
CloudHSM allows you to scale quickly, adding or removing HSM capacity as needed. There are no upfront costs.
CloudHSM automatically balances requests and securely copies keys stored in any HSM to all other HSMs within the cluster.
Only you have the keys and the operations to generate, store, and manage them.
If credentials are lost, AWS cannot help retrieve the key material
CloudHSM gives a single tenant access to each HSM appliance
HSMs are located inside your VPC and are isolated from the rest.
HSM appliances placed near EC2 instances reduce network latency which can improve application performance
Integrated with Amazon Redshift, Amazon RDS for Oracle
CloudHSM can also be used to integrate custom applications with other use cases, such as S3 object encryption or key management and EBS volume encryption.
CloudHSM can do a variety cryptographic tasks, including the following: Generate, store, import and export cryptographic keys and manage them, including symmetric keys as well as key pairs.
You can use both symmetric and asymmetric algorithms for data encryption and decryption.
Cryptographic hash functions can be used to compute message digests or hash-based message authentication code (HMACs)
Cryptographically sign data (including code signatures) and verify signatures.
CloudHSM Use Cases
SSL/TLS processing offloaded for web servers
For Oracle database servers that support Transparent Data Encryption, (TDE), store the master encryption key Transparent Data Encryption.
Store private keys and sign certificate requests acting act as an issuing CA to issue certificates for your organization.CloudHSM Clusters
CloudHSM Cluster is a group of individual HSMs that are kept in sync.
High availability HSMs can be placed at different AZs. Clusters can be spread across AZs to provide redundancy and high availability.
Cluster can be expanded with additional HSMs to increase scalability or performance.
A cluster with more than one HSM automatically balances the load.
CloudHSM keeps the cluster synchronized and redundant, and makes it highly available. CloudHSM vs KMS Certification Exam Practice Questions
Questions are collected via the Internet. The answers are marked according to my knowledge and understaning.