AWS CloudHSM is a cloud-based hardware security module (HSM) that enables you to easily generate and use your own encryption keys on the AWS Cloud



  • Generate and use encryption keys on FIPS 140-2 level 3 validated HSMs.
  • AWS CloudHSM helps meet corporate, contractual, and regulatory compliance requirements for data security by using dedicated HSM appliances within the AWS cloud.
  • AWS CloudHSM provides secure cryptographic key storage for customers by making hardware security modules (HSMs) available in the AWS cloud
  • CloudHSM allows encryption keys protection within HSMs, designed and validated to government standards for secure key management.
  • CloudHSM helps comply with strict key management requirements within the AWS cloud without sacrificing application performance
  • AWS can’t help recover the key material if the credentials are lost
  • Integrated with Amazon Redshift and Amazon RDS for Oracle
  • Other use cases like EBS volume encryption and S3 object encryption and key management can be handled by writing custom applications and integrating them with CloudHSM
  • A hardware security module (HSM)
    – is a hardware appliance that provides secure key storage and cryptographic operations within a tamper-resistant hardware module.

    – are designed with physical and logical mechanisms, to securely store cryptographic key material and use the key material without exposing it outside the cryptographic boundary of the appliance.

    – physical protections include tamper detection and tamper response. When a tampering event is detected, the HSM is designed to securely destroy the keys rather than risk compromise

    – logical protections include role-based access controls that provide separation of duties

Leave a Reply