AWS CloudHSM is a cloud-based hardware security module (HSM) that enables you to easily generate and use your own encryption keys on the AWS Cloud
- Generate and use encryption keys on FIPS 140-2 level 3 validated HSMs.
- AWS CloudHSM helps meet corporate, contractual, and regulatory compliance requirements for data security by using dedicated HSM appliances within the AWS cloud.
- AWS CloudHSM provides secure cryptographic key storage for customers by making hardware security modules (HSMs) available in the AWS cloud
- CloudHSM allows encryption keys protection within HSMs, designed and validated to government standards for secure key management.
- CloudHSM helps comply with strict key management requirements within the AWS cloud without sacrificing application performance
- AWS can’t help recover the key material if the credentials are lost
- Integrated with Amazon Redshift and Amazon RDS for Oracle
- Other use cases like EBS volume encryption and S3 object encryption and key management can be handled by writing custom applications and integrating them with CloudHSM
- A hardware security module (HSM)
– is a hardware appliance that provides secure key storage and cryptographic operations within a tamper-resistant hardware module.
– are designed with physical and logical mechanisms, to securely store cryptographic key material and use the key material without exposing it outside the cryptographic boundary of the appliance.
– physical protections include tamper detection and tamper response. When a tampering event is detected, the HSM is designed to securely destroy the keys rather than risk compromise
– logical protections include role-based access controls that provide separation of duties