AWS CloudHSM

What Is This Service?

AWS CloudHSM is a dedicated hardware security module (HSM) service that provides customer-controlled cryptographic operations using single-tenant FIPS 140-2 Level 3 validated hardware.

Mental model:
CloudHSM = your own managed HSM appliances in AWS for full cryptographic control.

Unlike AWS KMS:

  • AWS manages the infrastructure
  • You manage keys and cryptographic operations

CloudHSM gives hardware-backed cryptographic isolation with customer ownership of keys.


Why It Matters for Security

Some workloads require:

  • Hardware-backed key custody
  • Regulatory cryptographic control
  • Customer-controlled key lifecycle
  • HSM-enforced key usage
  • Separation of duties
  • External compliance requirements

Common use cases:

  • Payment systems (PCI)
  • Financial workloads
  • Root/intermediate CA protection
  • Custom encryption applications
  • Database TDE
  • Digital signing
  • Enterprise PKI
  • BYOK architectures

Security outcomes:

  • Keys never leave the HSM in plaintext
  • Reduced trust in cloud operator
  • Compliance-grade cryptographic controls

Core Concepts

Hardware Security Module (HSM)

Tamper-resistant cryptographic hardware.

Provides:

  • Key generation
  • Encryption
  • Decryption
  • Signing
  • Verification

Keys generated inside HSM remain protected.


Cluster

CloudHSM operates as:

Cluster
 ├── HSM Instance
 ├── HSM Instance
 └── HSM Instance

Cluster characteristics:

  • Multi-AZ capable
  • Replicated HSM state
  • Shared cryptographic material

Minimum:

  • Single HSM

Production:

  • Multiple HSMs

HSM Users

CloudHSM uses internal users.

Roles:

Crypto User (CU)

Can:

  • Use keys
  • Perform crypto operations

Cannot manage cluster.


Crypto Officer (CO)

Can:

  • Manage users
  • Configure HSM

Cannot access user keys.


Appliance User (AU)

Administrative operations.


Admin

Cluster administration.

Exam point:

CloudHSM authorization is separate from IAM.


Key Ownership

Customer controls:

  • Key generation
  • Import
  • Rotation
  • Backup
  • Deletion

AWS cannot access keys.


Client SDK

Applications connect directly.

Supported interfaces:

  • PKCS#11
  • Java JCE
  • Microsoft CNG
  • OpenSSL

Applications perform crypto directly.


Important Integrations

AWS KMS Custom Key Store (VERY HIGH VALUE)

CloudHSM can back AWS KMS.

Pattern:

KMS
 ↓
Custom Key Store
 ↓
CloudHSM

Benefits:

  • Use KMS APIs
  • Maintain HSM ownership

Exam nuance:

Applications still call KMS.


AWS Private CA

Private CA supports:

  • Root protection
  • CA key storage

Common PKI design.


Amazon RDS Oracle

Supports:

  • Oracle TDE

Uses HSM-backed encryption.


Amazon Redshift

Supports database encryption.


AWS CloudTrail

Logs:

  • Management operations

Does NOT log:

  • Actual cryptographic operations.

Exam trap.
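The CloudTrail gap above, shown as an added detection example (not code from the page or from AWS): constructed CloudTrail records are triaged so that destructive CloudHSM management actions raise alerts, while crypto operations only show up when they go through KMS. The event names and the eventSource values are real CloudTrail/CloudHSM API names; the sample records and ARNs are constructed.

```python
from collections import Counter

# Constructed sample CloudTrail records (illustrative, not captured from a real account).
SAMPLE_EVENTS = [
    {"eventSource": "cloudhsm.amazonaws.com", "eventName": "DeleteHsm",
     "userIdentity": {"arn": "arn:aws:iam::111122223333:user/alice"}},
    {"eventSource": "cloudhsm.amazonaws.com", "eventName": "DescribeClusters",
     "userIdentity": {"arn": "arn:aws:iam::111122223333:role/ops"}},
    {"eventSource": "cloudhsm.amazonaws.com", "eventName": "DeleteBackup",
     "userIdentity": {"arn": "arn:aws:iam::111122223333:role/ops"}},
    {"eventSource": "kms.amazonaws.com", "eventName": "Encrypt",
     "userIdentity": {"arn": "arn:aws:iam::111122223333:role/app"}},
]

# CloudHSM control-plane actions that remove hardware or backups; these are
# management events CloudTrail does record and that deserve an alert.
DESTRUCTIVE_CLOUDHSM_ACTIONS = {"DeleteCluster", "DeleteHsm", "DeleteBackup"}

# Operation names a reviewer might wrongly expect to find for direct SDK usage.
CRYPTO_OP_NAMES = {"Encrypt", "Decrypt", "Sign", "Verify", "GenerateKey"}


def triage_cloudtrail(events):
    """Split records into CloudHSM management events, destructive-action alerts
    and crypto operations, so the audit coverage gap is visible as a number."""
    mgmt = Counter()
    alerts = []
    crypto_via_kms = 0
    crypto_via_cloudhsm = 0
    for ev in events:
        source, name = ev["eventSource"], ev["eventName"]
        actor = ev.get("userIdentity", {}).get("arn", "unknown")
        if source == "cloudhsm.amazonaws.com":
            mgmt[name] += 1
            if name in DESTRUCTIVE_CLOUDHSM_ACTIONS:
                alerts.append((name, actor))
            if name in CRYPTO_OP_NAMES:
                crypto_via_cloudhsm += 1  # CloudTrail never emits these
        elif source == "kms.amazonaws.com" and name in CRYPTO_OP_NAMES:
            crypto_via_kms += 1  # visible only because KMS fronts the HSM
    return {"management": dict(mgmt), "alerts": alerts,
            "crypto_via_kms": crypto_via_kms,
            "crypto_via_cloudhsm": crypto_via_cloudhsm}


if __name__ == "__main__":
    print(triage_cloudtrail(SAMPLE_EVENTS))
```

Direct PKCS#11/JCE usage leaves crypto_via_cloudhsm at zero no matter how many operations the application performs; that activity has to be audited from the HSM's own audit logs, not from CloudTrail.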


AWS IAM

Controls:

  • Cluster administration

Does NOT authorize HSM crypto usage.


AWS Backup

Backups are created and managed by CloudHSM itself, not by the AWS Backup service.


Security Features

Single-Tenant HSM

Each HSM belongs to one customer.

No shared hardware.


FIPS Validation

Validated:

FIPS 140-2 Level 3

Exam keyword.

Why important:

  • Physical tamper resistance
  • Compliance

Customer Key Custody

AWS cannot:

  • Export keys
  • Recover deleted keys
  • Perform crypto

Strong separation.


Hardware Isolation

Keys remain:

Inside HSM

Plaintext export restricted.


Secure Key Replication

Cluster members replicate:

  • Users
  • Policies
  • Keys

Across HSM nodes.


Dedicated Cryptographic Boundary

Application memory separated from key storage.


Advanced Security and Operational Concepts

CloudHSM vs AWS KMS (MOST TESTED)

KMS:

  • Shared HSM
  • Managed APIs
  • Easier operations

CloudHSM:

  • Dedicated HSM
  • Full control
  • Customer operations

Decision:

Need compliance + custody → CloudHSM

Need simplicity → KMS


CloudHSM Is NOT Server-Side Encryption

CloudHSM does not directly encrypt:

  • S3
  • EBS
  • DynamoDB

Those use:

  • KMS

CloudHSM enables custom crypto workloads.


KMS Custom Key Store Architecture

Allows:

Application
 ↓
KMS
 ↓
CloudHSM

Result:

KMS experience with HSM ownership.

Exam trap:

Keys remain inside CloudHSM.


Availability Design

Single HSM:

❌ SPOF

Production:

3 HSMs
3 AZs

Recommended.
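The availability rule above as an added posture check (not code from the page or from AWS): it walks a constructed response shaped like the CloudHSM DescribeClusters output and flags clusters that are a single point of failure or concentrated in one AZ. The Hsms, AvailabilityZone and State field names match the real API response; the cluster IDs, zone names and the 3-HSM/3-AZ thresholds are assumptions taken from the recommendation above.

```python
# Constructed sample shaped like a DescribeClusters response (illustrative values).
SAMPLE_CLUSTERS = [
    {"ClusterId": "cluster-example1", "State": "ACTIVE",
     "Hsms": [{"HsmId": "hsm-a", "AvailabilityZone": "us-east-1a", "State": "ACTIVE"}]},
    {"ClusterId": "cluster-example2", "State": "ACTIVE",
     "Hsms": [{"HsmId": "hsm-b", "AvailabilityZone": "us-east-1a", "State": "ACTIVE"},
              {"HsmId": "hsm-c", "AvailabilityZone": "us-east-1a", "State": "ACTIVE"}]},
    {"ClusterId": "cluster-example3", "State": "ACTIVE",
     "Hsms": [{"HsmId": "hsm-d", "AvailabilityZone": "us-east-1a", "State": "ACTIVE"},
              {"HsmId": "hsm-e", "AvailabilityZone": "us-east-1b", "State": "ACTIVE"},
              {"HsmId": "hsm-f", "AvailabilityZone": "us-east-1c", "State": "DEGRADED"}]},
]


def assess_cluster(cluster, min_hsms=3, min_azs=3):
    """Return a list of availability findings for one cluster; empty means
    the cluster meets the multi-HSM, multi-AZ recommendation."""
    # Only ACTIVE members serve traffic, so DEGRADED or deleting HSMs do not count.
    active = [h for h in cluster["Hsms"] if h["State"] == "ACTIVE"]
    azs = {h["AvailabilityZone"] for h in active}
    findings = []
    if len(active) < 2:
        findings.append("single active HSM: single point of failure")
    elif len(active) < min_hsms:
        findings.append(f"only {len(active)} active HSMs; recommended {min_hsms}")
    if len(azs) < 2:
        findings.append("all active HSMs in one AZ")
    elif len(azs) < min_azs:
        findings.append(f"only {len(azs)} AZs; recommended {min_azs}")
    not_active = [h["HsmId"] for h in cluster["Hsms"] if h["State"] != "ACTIVE"]
    if not_active:
        findings.append("non-active HSMs: " + ", ".join(not_active))
    return findings


def assess_all(clusters):
    """Map ClusterId to its findings, keeping only clusters with a problem."""
    report = {c["ClusterId"]: assess_cluster(c) for c in clusters}
    return {cid: f for cid, f in report.items() if f}


if __name__ == "__main__":
    for cid, findings in assess_all(SAMPLE_CLUSTERS).items():
        print(cid, "->", "; ".join(findings))
```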


Backup and Recovery

CloudHSM automatically creates encrypted backups.

Backups restore:

  • Cluster
  • Users
  • Keys

Backups remain AWS-region scoped.


CloudHSM Scaling

Compute scaling:

❌ No

Throughput scaling:

✔ Add HSMs


Latency Consideration

Crypto operations are network calls.

Latency-sensitive workloads may require batching.


CloudHSM Does NOT Integrate with Organizations

No organization-level centralized HSM.

Use account architectures.


Architecture Example

flowchart LR

App[Application]

KMS[KMS]

CKS[Custom Key Store]

subgraph Cluster
HSM1[CloudHSM AZ1]
HSM2[CloudHSM AZ2]
HSM3[CloudHSM AZ3]
end

App --> KMS

KMS --> CKS

CKS --> HSM1

HSM1 --> HSM2

HSM2 --> HSM3

Workflow(s)

Direct Cryptographic Operation

sequenceDiagram

participant App
participant SDK
participant CloudHSM

App->>SDK: Encrypt request

SDK->>CloudHSM: Use HSM key

CloudHSM-->>SDK: Ciphertext

SDK-->>App: Return result

KMS Custom Key Store Flow

sequenceDiagram

participant App
participant KMS
participant CloudHSM

App->>KMS: Encrypt

KMS->>CloudHSM: Perform crypto

CloudHSM-->>KMS: Result

KMS-->>App: Ciphertext

Multi-AZ Replication

sequenceDiagram

participant HSM1
participant HSM2
participant HSM3

HSM1->>HSM2: Replicate keys

HSM2->>HSM3: Replicate state

HSM3-->>HSM1: Cluster sync

Comparisons

Service                Dedicated HSM   Customer Controls Keys   Auto Integrations   FIPS
CloudHSM               Yes             Yes                      Limited             Level 3
AWS KMS                Shared          Partial                  Extensive           Level 3
KMS Custom Key Store   Via CloudHSM    Yes                      KMS APIs            Level 3
ACM Private CA         No              No                       PKI only            No
Secrets Manager        No              No                       Secret lifecycle    No

Common Exam Traps

  1. CloudHSM ≠ KMS.

  2. CloudHSM authorization is separate from IAM.

  3. CloudTrail logs management events, not crypto operations.

  4. CloudHSM does not directly encrypt S3/EBS.

  5. CloudHSM supports KMS Custom Key Store.

  6. Single HSM creates availability risk.

  7. Keys remain inside HSM.

  8. CloudHSM is customer-managed.

  9. Dedicated HSM increases operational burden.

  10. Private CA often pairs with CloudHSM.

  11. CloudHSM uses PKCS#11/JCE/OpenSSL interfaces.

  12. AWS cannot recover deleted keys.


5-Second Recall

  • CloudHSM = dedicated HSM
  • Customer owns keys
  • FIPS 140-2 Level 3
  • KMS Custom Key Store = major integration
  • Separate auth model
  • Multi-AZ cluster
  • Keys never leave HSM

Quick Revision Notes

  • Dedicated hardware cryptography
  • Customer key ownership
  • Cluster-based architecture
  • Supports PKCS#11/JCE/OpenSSL
  • KMS Custom Key Store is common
  • Multi-AZ strongly recommended
  • CloudTrail ≠ crypto audit
  • CloudHSM ≠ KMS
  • Useful for strict compliance and PKI