Hardware Security Modules - Dedicated Cryptographic Key Management with AWS CloudHSM

Learn about dedicated cryptographic key management with AWS CloudHSM. Covers when to choose CloudHSM over KMS, FIPS 140-2 Level 3 compliance, TLS offloading, and Oracle TDE integration.

Key Management Requirements and Where CloudHSM Fits

Cryptographic key management is the foundation of information security. AWS KMS (Key Management Service) provides sufficient key management for most use cases, but certain regulatory requirements or security policies demand that cryptographic keys be managed on dedicated hardware inaccessible to any third party, including AWS. AWS CloudHSM is a service that provides FIPS 140-2 Level 3 certified, dedicated HSMs (Hardware Security Modules) in the cloud. HSMs are deployed within your VPC, and all key generation, storage, and usage operations are completed entirely inside the HSM. AWS handles hardware management (provisioning, patching, backups) but cannot access the cryptographic keys inside the HSM. You retain full control over key management. KMS also uses HSMs on the backend, but they are shared multi-tenant HSMs where key management is jointly handled with AWS. CloudHSM becomes necessary when compliance requirements mandate dedicated key management.

Cluster Architecture and Standard APIs

CloudHSM is managed in cluster units. A cluster consists of one or more HSMs, and deploying HSMs across two or more Availability Zones is recommended for high availability. Cryptographic keys are automatically synchronized across HSMs within a cluster, so access to keys continues even if one HSM fails. CloudHSM supports industry-standard cryptographic APIs. PKCS#11 is used for integration with C/C++ applications and OpenSSL. JCE (Java Cryptography Extension) is used for Java application integration. CNG/KSP (Cryptography API: Next Generation / Key Storage Provider) is used for Windows application integration. Because these standard APIs are supported, changes to existing application code are minimal. You install the HSM client software on EC2 instances and communicate with the HSM over a private network within your VPC.

Choosing Between CloudHSM and KMS

The choice between CloudHSM and KMS depends on balancing security requirements against cost. Choose KMS when you need encryption for AWS services (S3, EBS, RDS, Lambda, etc.) or general application encryption, or when you want to minimize costs: KMS costs approximately $0.03 per 10,000 API calls and offers extensive native integration with AWS services. Choose CloudHSM when FIPS 140-2 Level 3 certification is required (KMS is Level 2), when regulations mandate dedicated key management, when you want to keep TLS/SSL private keys inside an HSM, when standard cryptographic APIs such as PKCS#11 or JCE are needed, or when the encryption keys for Oracle TDE or Microsoft SQL Server must be held in an HSM. With the KMS custom key store feature, a CloudHSM cluster can serve as the backend for KMS, combining the ease of use of KMS with the security of CloudHSM.

TLS Offloading and Database Encryption

A primary use case for CloudHSM is TLS/SSL offloading. You store the TLS private key for your web servers (Nginx, Apache) inside CloudHSM, and the private-key operation of each TLS handshake is performed within the HSM. Because the private key is never present in server memory or on disk, it cannot be extracted even if the server is compromised (an attacker who controls the server can still ask the HSM to sign with it for as long as the server holds an authenticated HSM session, so server compromise remains a detection and response concern). By configuring CloudHSM as an OpenSSL engine, you can achieve TLS offloading with configuration changes alone in Nginx or Apache. For database encryption, you can manage Oracle TDE (Transparent Data Encryption) master encryption keys in CloudHSM: specifying the CloudHSM client as the PKCS#11 library in the Oracle Database configuration protects the database encryption keys with the HSM. Integration with Microsoft SQL Server's EKM (Extensible Key Management) is also supported. Pricing is approximately $1.60 per HSM per hour; a two-HSM configuration costs roughly $2,336 per month.
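The Nginx side of the OpenSSL-engine setup described above, shown as an added illustration that is not from the original article or from AWS's own documentation. The directives (`env`, `ssl_engine`, `ssl_certificate`, `ssl_certificate_key`) are standard Nginx; the engine id `cloudhsm`, the `CLOUDHSM_PIN` environment variable and its `user:password` format, the file paths, and the hostname are assumptions to be checked against the CloudHSM client SDK documentation for the SDK version you install. The weak line (key material on disk) is left in as a comment next to the HSM-backed line that replaces it.

```nginx
# Main context: the CloudHSM OpenSSL dynamic engine must be loaded before any
# TLS key is referenced, and nginx must be allowed to see the HSM credentials.
# Assumption: the SDK reads the crypto user's "user:password" from CLOUDHSM_PIN,
# exported in nginx's environment (e.g. a systemd drop-in), never written here.
env CLOUDHSM_PIN;
ssl_engine cloudhsm;        # assumption: engine id registered by the CloudHSM client SDK

http {
    server {
        listen 443 ssl;
        server_name www.example.com;    # placeholder hostname

        ssl_certificate /etc/nginx/tls/server.crt;   # certificate is public; a normal file is fine

        # Weak setting: a real private key on disk, loaded into worker memory,
        # which a server compromise can simply copy.
        # ssl_certificate_key /etc/nginx/tls/server.key;

        # HSM-backed setting: this "key file" is the fake PEM the engine writes
        # when the key is generated inside the HSM. It holds only a reference
        # to the HSM-resident key, so each handshake's signature is computed
        # in the HSM and the key material never exists on the server.
        ssl_certificate_key /etc/nginx/tls/server_fake.key;

        ssl_protocols TLSv1.2 TLSv1.3;
    }
}
```

Two checks are worth running after a deployment like this: confirm that the file named in `ssl_certificate_key` is not usable as a plain key (for example, `openssl rsa -in ... -check` without the engine should fail or report no usable key), and confirm that stopping the CloudHSM client breaks TLS handshakes, which proves the server is not silently falling back to a local key. Both are assumptions about how the engine behaves and should be verified in a staging environment.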

CloudHSM Pricing

CloudHSM costs approximately $1.60 per instance per hour (roughly $1,152 per month). A high-availability configuration across two AZs costs approximately $2,304 per month. This is significantly more expensive than KMS ($1 per key per month), so use CloudHSM only when FIPS 140-2 Level 3 or dedicated HSM requirements apply. Using the KMS custom key store with CloudHSM as the backend lets you operate CloudHSM keys through the KMS API.

Summary - Guidelines for Using CloudHSM

AWS CloudHSM is an enterprise-grade service for organizations that require dedicated cryptographic key management. Its key strengths include FIPS 140-2 Level 3 certification, standard cryptographic APIs (PKCS#11, JCE, CNG), TLS offloading, and database encryption integration. KMS is sufficient for most use cases, but consider CloudHSM when regulations require dedicated key management or when you need to keep TLS private keys inside an HSM. Given the cost of approximately $2,336 per month and up, carefully evaluate your requirements before adopting it.