What AWS cryptographic service is used to create and maintain Hardware Security Modules (HSMs) in the AWS environment?
AWS CloudHSM (single-tenant, AWS-provisioned, fully customer-managed HSMs)
What computing devices process cryptographic operations and provide secure storage for cryptographic keys?
Hardware Security Modules (HSMs)
How do AWS CloudHSM and AWS KMS differ in FIPS 140-2 compliance?
AWS CloudHSM is validated at FIPS 140-2 Level 3 overall; the multi-tenant HSMs behind AWS KMS were validated at FIPS 140-2 Level 2 overall (AWS has since obtained FIPS 140-3 Level 3 validation for the KMS HSMs, so check the current certificate when a specific level is required)
How can AWS CloudHSM be accessed?
Through the CloudHSM client software and industry-standard cryptographic APIs (PKCS#11, JCE, CNG) over the cluster's network interfaces in the customer VPC, not through the AWS API; by contrast, AWS KMS operations are performed via the standard AWS API
Can AWS CloudHSM be deployed into the customer VPC?
No. The HSMs themselves run in an AWS-owned VPC; each HSM is exposed to the customer VPC through an elastic network interface (ENI) placed in one of the customer's subnets, and the CloudHSM client connects to those ENI addresses
Is AWS CloudHSM highly available by default?
No. A new cluster contains no HSMs, and a cluster with a single HSM has no redundancy; for high availability add at least two HSMs to the cluster, placed in different Availability Zones. The cluster keeps keys synchronized between its HSMs and the client load-balances across them
How can EC2 instances access AWS CloudHSM?
Via the CloudHSM Client SDK installed on the EC2 instances; the instances must be able to reach the cluster's ENIs and be attached to the cluster security group, which permits the client-to-HSM TCP ports 2223-2225
Can AWS access the secure HSM area where key material is stored?
No. AWS provisions, patches and monitors the HSM hardware but has no access to the secure area where customer keys live; the customer holds the crypto officer and crypto user credentials, and AWS cannot recover them or the keys if they are lost
Can AWS KMS integrate with AWS CloudHSM?
Yes. AWS KMS can use a CloudHSM cluster as a custom key store (an AWS CloudHSM key store); KMS keys created in that store have their key material generated and held in the customer's CloudHSM cluster while callers keep using the normal KMS API
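The high-availability rule above (at least two HSMs in different Availability Zones) and the KMS custom key store integration are easiest to see in code. The following is an added example, not code from the page or from AWS: it plans a cluster across two AZs, judges a `describe_clusters` result for HA, lists the ENI addresses the client would connect to, and registers the cluster with KMS only after the HA check passes (KMS refuses to connect a key store whose cluster lacks two active HSMs in different AZs). It assumes the caller passes in real boto3 clients (`boto3.client("cloudhsmv2")`, `boto3.client("kms")`); the helper names, the sample cluster data and all IDs are this example's own and are constructed.

```python
"""Added example (not from the page): plan, verify and consume a highly
available AWS CloudHSM cluster. Assumes boto3 clients for "cloudhsmv2" and
"kms" are passed in by the caller; helper names and sample data are made up.
"""

from collections import Counter

# Two active HSMs in different AZs is AWS's HA guidance and also the
# precondition KMS enforces before it will connect a CloudHSM key store.
MIN_ACTIVE_HSMS = 2
MIN_AZS = 2


def pick_ha_subnets(subnets):
    """One subnet per AZ from ec2 describe_subnets output; errors if < MIN_AZS AZs."""
    by_az = {}
    for subnet in subnets:
        by_az.setdefault(subnet["AvailabilityZone"], subnet["SubnetId"])
    if len(by_az) < MIN_AZS:
        raise ValueError(f"need subnets in at least {MIN_AZS} AZs, got {sorted(by_az)}")
    return [by_az[az] for az in sorted(by_az)]


def create_ha_cluster(cloudhsm, subnet_ids, hsm_type="hsm1.medium"):
    """Create a cluster over the subnets and add one HSM per mapped AZ.

    create_cluster only creates an empty cluster; each create_hsm call adds a
    single HSM whose ENI lands in the customer subnet mapped to that AZ.
    """
    cluster = cloudhsm.create_cluster(HsmType=hsm_type, SubnetIds=list(subnet_ids))["Cluster"]
    for az in sorted(cluster["SubnetMapping"]):
        cloudhsm.create_hsm(ClusterId=cluster["ClusterId"], AvailabilityZone=az)
    return cluster["ClusterId"]


def ha_status(cluster):
    """Return (is_ha, active_hsms_per_az) for a describe_clusters Cluster entry.

    HA means the cluster is ACTIVE (initialized) with at least MIN_ACTIVE_HSMS
    active HSMs spread over at least MIN_AZS Availability Zones; HSMs still
    being created do not count.
    """
    active = [h for h in cluster.get("Hsms", []) if h.get("State") == "ACTIVE"]
    per_az = Counter(h["AvailabilityZone"] for h in active)
    is_ha = (cluster.get("State") == "ACTIVE"
             and len(active) >= MIN_ACTIVE_HSMS and len(per_az) >= MIN_AZS)
    return is_ha, dict(per_az)


def hsm_endpoints(cluster):
    """(AZ, ENI IP) pairs the CloudHSM client connects to; ENIs sit in customer subnets."""
    return sorted((h["AvailabilityZone"], h["EniIp"])
                  for h in cluster.get("Hsms", []) if h.get("State") == "ACTIVE")


def attach_as_kms_key_store(kms, cloudhsm, cluster_id, store_name,
                            trust_anchor_pem, kmsuser_password):
    """Register an HA cluster as a KMS custom key store and start connecting it.

    trust_anchor_pem is the customerCA.crt used to initialize the cluster and
    kmsuser_password belongs to the "kmsuser" crypto user (fetch it from a
    secret store, never hardcode it). The HA check runs first so a bad
    cluster fails here with a clear message instead of inside KMS.
    """
    cluster = cloudhsm.describe_clusters(Filters={"clusterIds": [cluster_id]})["Clusters"][0]
    is_ha, per_az = ha_status(cluster)
    if not is_ha:
        raise RuntimeError(f"cluster {cluster_id} is not HA (state={cluster.get('State')}, "
                           f"active HSMs per AZ={per_az}); add an HSM in another AZ first")
    store = kms.create_custom_key_store(
        CustomKeyStoreName=store_name, CloudHsmClusterId=cluster_id,
        TrustAnchorCertificate=trust_anchor_pem, KeyStorePassword=kmsuser_password)
    # Connecting is asynchronous: poll describe_custom_key_stores until
    # ConnectionState == "CONNECTED" before create_key(Origin="AWS_CLOUDHSM", ...).
    kms.connect_custom_key_store(CustomKeyStoreId=store["CustomKeyStoreId"])
    return store["CustomKeyStoreId"]


# Constructed sample data shaped like describe_clusters output; all IDs are fake.
SAMPLE_HA_CLUSTER = {
    "ClusterId": "cluster-example1", "State": "ACTIVE",
    "SubnetMapping": {"us-east-1a": "subnet-aaaa", "us-east-1b": "subnet-bbbb"},
    "Hsms": [
        {"HsmId": "hsm-1", "AvailabilityZone": "us-east-1a", "SubnetId": "subnet-aaaa",
         "EniId": "eni-1111", "EniIp": "10.0.1.10", "State": "ACTIVE"},
        {"HsmId": "hsm-2", "AvailabilityZone": "us-east-1b", "SubnetId": "subnet-bbbb",
         "EniId": "eni-2222", "EniIp": "10.0.2.10", "State": "ACTIVE"},
    ],
}
# Two active HSMs but both in one AZ, and the cross-AZ HSM not yet active: not HA.
SAMPLE_SINGLE_AZ_CLUSTER = {
    "ClusterId": "cluster-example2", "State": "ACTIVE",
    "SubnetMapping": {"us-east-1a": "subnet-aaaa", "us-east-1b": "subnet-bbbb"},
    "Hsms": [
        {"HsmId": "hsm-3", "AvailabilityZone": "us-east-1a", "SubnetId": "subnet-aaaa",
         "EniId": "eni-3333", "EniIp": "10.0.1.11", "State": "ACTIVE"},
        {"HsmId": "hsm-4", "AvailabilityZone": "us-east-1a", "SubnetId": "subnet-aaaa",
         "EniId": "eni-4444", "EniIp": "10.0.1.12", "State": "ACTIVE"},
        {"HsmId": "hsm-5", "AvailabilityZone": "us-east-1b", "SubnetId": "subnet-bbbb",
         "EniId": "eni-5555", "EniIp": "10.0.2.11", "State": "CREATE_IN_PROGRESS"},
    ],
}
```

The boto3 call names and parameters (`create_cluster`, `create_hsm`, `describe_clusters`, `create_custom_key_store`, `connect_custom_key_store`) are the real `cloudhsmv2` and `kms` operations; everything is driven through a client object so it can be exercised with a recording stub before touching an account. Note that `ha_status` deliberately ignores HSMs in `CREATE_IN_PROGRESS`: a cluster that is "about to" span two AZs is still a single point of failure until the second HSM is `ACTIVE`.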
When would AWS CloudHSM be an appropriate choice?
When requirements include:
- Single-tenant Hardware Security Module
- FIPS 140-2 Level 3 overall compliance
- Access via industry-standard APIs (PKCS#11, JCE, CNG)
What are the main use cases for AWS CloudHSM service?
AWS CloudHSM is commonly used for:
- Implementing client-side encryption
- Offloading SSL/TLS processing from web servers
- Enabling Transparent Data Encryption (TDE) for databases such as Oracle
- Protecting the private key of an issuing Certificate Authority (CA)