AWS CloudHSM

AWS CloudHSM: key management and key access take place on FIPS-validated hardware. Keys are protected within customer-owned, single-tenant HSM instances that run inside the customer's own Virtual Private Cloud (VPC).

Key definitions for AWS CloudHSM:

  • Security

    In AWS CloudHSM, key management takes place on FIPS-validated hardware, on dedicated HSM instances inside each customer's Virtual Private Cloud (VPC). The design includes separation of duties and role-based access control: AWS monitors HSM health and the network, while the customer retains control over the HSMs and over all encryption-key operations.

  • Performance

    AWS CloudHSM cluster performance varies with the workload. The table below shows approximate performance for common cryptographic operations, measured from an application on an EC2 instance. To increase throughput, add HSM instances to the cluster. Configuration, data size, and the load on the EC2 application all affect performance, so run load tests to determine how far you need to scale.

    Operation            Two-HSM cluster    Three-HSM cluster    Six-HSM cluster
    RSA 2048-bit sign    2,000 ops/sec      3,000 ops/sec        5,000 ops/sec
    EC P256 sign           500 ops/sec        750 ops/sec        1,500 ops/sec

  • Compliance

    CloudHSM supports compliance with security and privacy regulations such as PCI, GDPR, HIPAA, and FedRAMP.

  • Availability

    Request load is distributed across the HSM instances in your cluster, and keys are securely replicated between them, which improves key resilience and expands capacity.

  • Flexibility

    Access a broad set of cryptographic algorithms through established industry-standard interfaces: PKCS#11, JCE, OpenSSL, and CNG/KSP.

Service integrates with:

Use cases

  • Encrypt data at rest.

    Protect stored data and meet regulatory compliance requirements.

  • Offload SSL processing for web servers.

    Verify the identity of web services and establish secure HTTPS connections over the internet using the SSL/TLS protocols, with the private keys held in the HSM.

  • Protect private keys for an issuing CA.

    Store private keys securely and sign certificate requests from within the HSM, establishing a trusted position as an issuing certificate authority (CA).

  • Activate TDE for Oracle databases.

    Securely store the master encryption key for transparent data encryption (TDE) on supported Oracle database servers.

FAQ for AWS CloudHSM

  • What is AWS CloudHSM?

    AWS CloudHSM meets data security requirements using dedicated HSM instances. While AWS offers various data protection solutions, CloudHSM suits cases that need robust cryptographic key management because of contractual or regulatory obligations. It complements existing methods by securing encryption keys within government-standard HSMs. CloudHSM enables safe generation, storage, and management of cryptographic keys, with access reserved exclusively to the customer.

  • What can I do with CloudHSM?

    The CloudHSM service supports a wide range of applications and use cases, including database encryption, Digital Rights Management (DRM), Public Key Infrastructure (PKI), authentication and authorization, document signing, and transaction processing.

  • Does my application need to reside in the same VPC as the CloudHSM cluster?

    No, but the server hosting your application and the HSM client must have network reachability to every HSM in the cluster. This can be achieved by running in the same VPC, or through VPC peering, a VPN, or Direct Connect. Refer to the VPC guides for details.