Dedicated Key Management with AWS CloudHSM - FIPS 140-2 Level 3 Compliant Encryption

Achieve FIPS 140-2 Level 3 compliant key management with dedicated HSM instances. Learn when to choose CloudHSM over KMS and how to integrate both through KMS custom key stores.

Overview of CloudHSM

CloudHSM is a service that manages encryption keys using dedicated hardware security modules (HSMs). While KMS uses multi-tenant shared HSMs, CloudHSM provides dedicated HSM instances. It holds FIPS 140-2 Level 3 certification, meeting compliance requirements for financial, healthcare, and government organizations. Keys are generated and stored within the HSM, and key material is never exported in plaintext outside the HSM. AWS staff cannot access your keys by design, and full ownership of keys belongs to the user.

Choosing Between KMS and CloudHSM

KMS is suitable for the majority of use cases, with low operational overhead and extensive integration with AWS services. CloudHSM is the right choice when FIPS 140-2 Level 3 is mandatory, when keys must be managed on dedicated HSMs, or when PKCS#11 or JCE interfaces are required. KMS custom key stores combine the advantages of both, maintaining the KMS API and its integrations while storing keys in CloudHSM. KMS is certified at FIPS 140-2 Level 2 (some endpoints at Level 3), so if Level 3 is not an audit requirement, KMS is sufficient. For cryptographic throughput requirements, a single CloudHSM instance can process thousands of RSA signatures or AES encryptions per second, making it advantageous when processing volumes exceed KMS request rate quotas (default thousands of requests per second, region-dependent).

Cluster Design and High Availability

A CloudHSM cluster places HSM instances across multiple Availability Zones with automatic key synchronization for high availability. A configuration with HSMs in at least two AZs is recommended; if one HSM fails, processing continues on the HSM in the other AZ. The client SDK distributes requests across HSMs in the cluster using round-robin and automatically fails over on failure. HSM backups are automatically encrypted and stored in S3, used for cluster restoration and cross-region copying. Standard interfaces including PKCS#11, JCE, and OpenSSL allow applications to perform cryptographic operations, minimizing changes to existing application code. For a comprehensive study of encryption key management best practices, refer to technical books on Amazon.

Common Use Cases

Key use cases for CloudHSM include SSL/TLS offloading, database encryption (TDE), code and document signing, private certificate authority (CA) key storage, financial transaction signing (PCI DSS compliance), and tokenization. For SSL/TLS offloading, web server private keys are stored in the HSM, with signing operations delegated via the OpenSSL engine, eliminating private keys from EC2 instance memory. Integration with Oracle TDE and Microsoft SQL Server TDE to protect database encryption keys in HSM is also common. Combining with AWS Private CA to store CA private keys in CloudHSM and execute certificate signing in the HSM reduces the risk of CA key compromise.

Pricing and Operational Considerations

CloudHSM is billed hourly per HSM instance, at approximately $1.60/hour (about $1,152/month) per instance. A high-availability configuration across two AZs costs approximately $2,304/month. Compared to KMS ($1/month per key), this is significantly more expensive, so CloudHSM should be used only when FIPS 140-2 Level 3 or dedicated HSM requirements apply. An important operational consideration is that losing Crypto Officer (CO) credentials results in permanent loss of access to keys in the cluster, making secure credential storage essential. HSM user management (CU: Crypto User, CO: Crypto Officer) operates independently from AWS IAM, using HSM-internal user management commands. The initialization procedure involves creating a CO with the CloudHSM Management Utility (CMU) after the first HSM is created, then creating CUs to grant applications key operation permissions.

Summary

CloudHSM manages encryption keys on dedicated hardware security modules, meeting the strict compliance requirements of FIPS 140-2 Level 3. KMS custom key stores let you operate CloudHSM keys through the KMS API, and standard interfaces like PKCS#11 and JCE make integration with existing applications straightforward. Due to high cost, adopt CloudHSM only when requirements are clear, and plan credential management and high availability design carefully.