Security

Dedicated Key Management with AWS CloudHSM - FIPS 140-2 Level 3 Compliant Encryption

Achieve FIPS 140-2 Level 3 compliant key management with dedicated HSM instances. Learn when to choose CloudHSM over KMS and how to integrate both through KMS custom key stores.

約 3 分で読めます

Overview of CloudHSM

CloudHSM is a service that manages encryption keys using dedicated hardware security modules (HSMs). While KMS uses multi-tenant shared HSMs, CloudHSM provides dedicated HSM instances. It holds FIPS 140-2 Level 3 certification, meeting compliance requirements for financial, healthcare, and government organizations.

Choosing Between KMS and CloudHSM

KMS is suitable for the majority of use cases, with low operational overhead and extensive integration with AWS services. CloudHSM is the right choice when FIPS 140-2 Level 3 is mandatory, when keys must be managed on dedicated HSMs, or when PKCS#11 or JCE interfaces are required. KMS custom key stores combine the advantages of both, maintaining the KMS API and its integrations while storing keys in CloudHSM.

Cluster Design and High Availability

A CloudHSM cluster places HSM instances across multiple Availability Zones with automatic key synchronization for high availability. A configuration with HSMs in at least two AZs is recommended; if one HSM fails, processing continues on the HSM in the other AZ. The client SDK distributes requests across HSMs in the cluster using round-robin and automatically fails over on failure. HSM backups are automatically encrypted and stored in S3, used for cluster restoration and cross-region copying. Standard interfaces including PKCS#11, JCE, and OpenSSL allow applications to perform cryptographic operations, minimizing changes to existing application code. For a comprehensive study of encryption key management best practices, refer to technical books on Amazon.

CloudHSM Pricing

CloudHSM is billed hourly per HSM instance, at approximately $1.60/hour (about $1,152/month) per instance. A high-availability configuration across two AZs costs approximately $2,304/month. Compared to KMS ($1/month per key), this is significantly more expensive, so CloudHSM should be used only when FIPS 140-2 Level 3 or dedicated HSM requirements apply. Using CloudHSM as the backend through a KMS custom key store lets you operate CloudHSM keys via the KMS API, maintaining existing KMS integrations while meeting compliance requirements.

Summary

CloudHSM manages encryption keys on dedicated hardware security modules, meeting the strict compliance requirements of FIPS 140-2 Level 3. KMS custom key stores let you operate CloudHSM keys through the KMS API, and standard interfaces like PKCS#11 and JCE make integration with existing applications straightforward.

Related Services

AWS CloudHSMA service for managing encryption keys using dedicated hardware security modulesAWS KMSA managed encryption key service for securely creating and managing keys used to encrypt dataAWS Private Certificate AuthorityA managed certificate authority service for issuing and managing private certificates

Related Articles

Building a Private PKI with AWS Private CA - Automated Certificate Issuance and RotationBuild a private certificate authority and automatically issue mTLS certificates for internal service-to-service communication. Learn about certificate lifecycle management and CRL design.Confidential Data Processing with AWS Nitro Enclaves - Encryption and Attestation in an Isolated EnvironmentLearn how to process sensitive data in the isolated environment of Nitro Enclaves, and control encryption key access through KMS integration and attestation.Cloud Payment Processing with AWS Payment Cryptography - Cryptographic Key Management and PIN VerificationLearn how Payment Cryptography manages payment cryptographic keys, encrypts and decrypts PIN blocks, and achieves PCI DSS compliance.

More on This Topic

Detecting Excessive Permissions with IAM Access Analyzer - External Access and Unused Permission AnalysisDetect unused permissions on IAM roles using CloudTrail-based analysis and auto-generate least-privilege policies. This guide covers external access detection and integrating custom policy checks into your CI/CD pipeline.Automating SSL/TLS Certificate Management with AWS Certificate Manager - From Issuance to RotationLearn how ACM handles free public certificate issuance, DNS validation, automatic renewal, and deployment to ALB and CloudFront.Retrieving Compliance Reports with AWS Artifact - Audit Response and Agreement ManagementLearn how to retrieve SOC, PCI DSS, and ISO audit reports on demand and apply BAA and GDPR DPA agreements across your entire AWS Organizations structure.Automating Audits - Continuously Collecting Compliance Evidence with AWS Audit ManagerLearn how to automate audit evidence collection with AWS Audit Manager. This guide covers automated assessments based on frameworks such as SOC 2, PCI DSS, and GDPR, centralized evidence management, and audit report generation.The Hidden Structure of AWS Account IDs' 12 Digits - Why 12 Digits, and What Can You Infer?A trivia-style exploration of why AWS account IDs are 12-digit numbers, the design intent embedded in the ARN structure, and the security considerations around what can be inferred from an account ID.Why the AWS Account Root User Is Dangerous - The Design Philosophy of Privilege Separation and Practical LockdownWe explain why the AWS root user holds privileges that cannot be restricted by IAM, list the operations only the root user can perform, cover MFA setup methods, and describe the lockdown strategy using Organizations' centralized root access management.Certificate Management and HTTPS - Automated TLS Certificate Operations with AWS Certificate ManagerLearn about TLS/SSL certificate issuance, automatic renewal, and deployment using AWS Certificate Manager (ACM). Covers integration with CloudFront, ALB, and API Gateway, DNS validation, and Private CA usage.CloudTrail Sees Everything - How API Calls Are Recorded and Practical Forensic InvestigationThis article explains how CloudTrail records AWS API calls, the differences between management events and data events, SQL analysis with CloudTrail Lake, and forensic investigation techniques when a security incident occurs.

Similar Articles and Services

Hardware Security Modules - Dedicated Cryptographic Key Management with AWS CloudHSMLearn about dedicated cryptographic key management with AWS CloudHSM. Covers when to choose CloudHSM over KMS, FIPS 140-2 Level 3 compliance, TLS offloading, and Oracle TDE integration.AWS CloudHSMA service that provides dedicated FIPS 140-2 Level 3 certified hardware security modules for generating, storing, and performing cryptographic operations with encryption keys in the cloudWhere Are KMS Encryption Keys Stored? - How Envelope Encryption and HSMs WorkThis article explains how KMS master keys are stored inside FIPS 140-2 certified HSMs, how envelope encryption provides double protection for data keys, and the internal workings of key rotation.AWS Encryption and Data Sovereignty - Hardware-Level Isolation from KMS to Nitro EnclavesWe explain hardware-level encryption and data sovereignty assurance through AWS KMS, CloudHSM, and Nitro Enclaves, and compare design differences with other cloud providers.