Security, Identity, & Compliance

AWS CloudHSM

"Managed hardware security modules (HSMs) for generating and managing encryption keys."


AWS CloudHSM provides hardware security modules (HSMs) in the AWS Cloud. It allows you to generate and use your own encryption keys on the AWS Cloud.

Key Concepts

  • Single-Tenant: You are the only customer using that specific hardware device. It is dedicated to you.
  • FIPS 140-2 Level 3: A high security standard for cryptographic modules. CloudHSM is validated to Level 3 (KMS is Level 2, though some parts are Level 3).
  • Full Control: You manage the keys. AWS cannot see or recover your keys. If you lose your credentials, the keys are lost forever.
  • VPC: Runs inside your Virtual Private Cloud.

Exam Tips

  • "Dedicated Hardware" / "Single Tenant": Answer is CloudHSM.
  • "FIPS 140-2 Level 3": Answer is CloudHSM. (If it says Level 2, it might be KMS).
  • "Industry Compliance": Use CloudHSM if the regulation specifically requires a dedicated HSM or higher FIPS level than KMS provides.
  • PKCS#11 / Java JCE / Microsoft CNG: Standard industry APIs supported by CloudHSM.

Common Use Cases

  • SSL/TLS Offload: Offload SSL processing from web servers to the HSM.
  • Certificate Authority (CA): Acting as a root CA.
  • Oracle TDE: Transparent Data Encryption for Oracle databases.
  • Document Signing: Securely signing documents.