AWS CloudHSM のアイコン

AWS CloudHSM Specialized2013年〜

A service for managing encryption keys using dedicated hardware security modules

About 3 min read

What It Does

AWS CloudHSM provides dedicated Hardware Security Modules (HSMs) within the AWS cloud for generating, storing, and managing encryption keys. HSMs are tamper-resistant dedicated hardware designed to prevent keys from being leaked externally. Certified at FIPS 140-2 Level 3, CloudHSM meets the strict security standards required by financial institutions and government agencies.

Use Cases

CloudHSM is used in scenarios requiring high security standards, such as encrypting payment data at financial institutions, managing SSL/TLS certificate private keys, and managing keys for database Transparent Data Encryption (TDE). It is also adopted in industries where regulations mandate HSM usage, such as credit card processing requiring PCI DSS compliance.

Everyday Analogy

Think of it like a bank safe deposit box. A regular safe (software-based encryption) can protect valuables, but a bank safe deposit box (HSM) is physically reinforced and has mechanisms that automatically destroy contents if someone tries to break in. CloudHSM makes this bank-grade safe deposit box available in the cloud.

What Is CloudHSM?

AWS CloudHSM is a service that securely manages encryption keys using dedicated hardware. An HSM (Hardware Security Module) is a specialized hardware device for cryptographic processing that handles key generation, storage, and encryption entirely within the hardware. Unlike software-based key management, keys are never exposed in plaintext in memory, achieving extremely high security.

Differences from KMS

AWS also offers KMS (Key Management Service) for managing encryption keys. While KMS is fully managed and easy to use, CloudHSM gives users dedicated HSMs with complete control over their keys. With KMS, AWS manages key backups and availability, but with CloudHSM, users manage cluster configuration and backups themselves. Choose CloudHSM when regulations require a dedicated HSM or when you need standard interfaces like PKCS#11 or JCE.

Cluster Configuration and Availability

CloudHSM operates in a cluster configuration. By placing HSM instances across multiple Availability Zones, you can ensure high availability. HSMs within a cluster automatically synchronize keys, so if one HSM fails, others can continue processing. For production environments, it is recommended to deploy at least two HSMs in different Availability Zones. For a deeper understanding of cluster configuration and availability, check out related books on Amazon.

Getting Started

To start using CloudHSM, create a cluster in the CloudHSM console and specify a VPC and subnets. Add HSM instances to the cluster and perform initialization. Next, install the CloudHSM client software on an EC2 instance and connect to the HSM. Create a Crypto User to begin generating and managing keys.

Things to Watch Out For

  • CloudHSM is billed hourly at approximately $1.50/hour per HSM. It is significantly more expensive than KMS, so consider KMS if you don't have regulatory requirements
  • Losing the HSM administrator password means losing access to your keys. Establish secure password storage and recovery procedures in advance
  • CloudHSM clusters are deployed within a VPC, so the connecting EC2 instance must be in the same VPC or have a peering connection
共有するXB!

Related Services

AWS KMS iconAWS KMSA managed encryption key service for securely creating and managing keys used to encrypt dataAWS Certificate Manager iconAWS Certificate ManagerA service that automates provisioning, management, and deployment of SSL/TLS certificatesAWS Secrets Manager iconAWS Secrets ManagerSecurely manage and automatically rotate database passwords and API keys

Related Articles

Dedicated Key Management with AWS CloudHSM - FIPS 140-2 Level 3 Compliant EncryptionAchieve FIPS 140-2 Level 3 compliant key management with dedicated HSM instances. Learn when to choose CloudHSM over KMS and how to integrate both through KMS custom key stores.Hardware Security Modules - Dedicated Cryptographic Key Management with AWS CloudHSMLearn about dedicated cryptographic key management with AWS CloudHSM. Covers when to choose CloudHSM over KMS, FIPS 140-2 Level 3 compliance, TLS offloading, and Oracle TDE integration.Where Are KMS Encryption Keys Stored? - How Envelope Encryption and HSMs WorkThis article explains how KMS master keys are stored inside FIPS 140-2 certified HSMs, how envelope encryption provides double protection for data keys, and the internal workings of key rotation.Cloud Payment Processing with AWS Payment Cryptography - Cryptographic Key Management and PIN VerificationLearn how Payment Cryptography manages payment cryptographic keys, encrypts and decrypts PIN blocks, and achieves PCI DSS compliance.

More in This Category

IAM Access Analyzer iconIAM Access Analyzer SpecializedA service that detects externally accessible resources and unused access permissionsAWS Certificate Manager iconAWS Certificate Manager EssentialA service that automates provisioning, management, and deployment of SSL/TLS certificatesAWS Artifact iconAWS Artifact SpecializedA service for on-demand access to AWS compliance reports and agreementsAWS Audit Manager iconAWS Audit Manager SpecializedA service that automates evidence collection and assessment for compliance auditsAmazon Cognito iconAmazon Cognito PopularA service that provides authentication, authorization, and user management for web and mobile applicationsAmazon Detective iconAmazon Detective SpecializedA service that automatically analyzes security findings and investigates root causesAWS Directory Service iconAWS Directory Service SpecializedA service that provides managed Active Directory on AWSAWS Firewall Manager iconAWS Firewall Manager SpecializedA service for centrally managing firewall rules across your entire AWS Organization

Similar Articles and Services

AWS CloudHSMA service that provides dedicated FIPS 140-2 Level 3 certified hardware security modules for generating, storing, and performing cryptographic operations with encryption keys in the cloudDedicated Key Management with AWS CloudHSM - FIPS 140-2 Level 3 Compliant EncryptionAchieve FIPS 140-2 Level 3 compliant key management with dedicated HSM instances. Learn when to choose CloudHSM over KMS and how to integrate both through KMS custom key stores.Hardware Security Modules - Dedicated Cryptographic Key Management with AWS CloudHSMLearn about dedicated cryptographic key management with AWS CloudHSM. Covers when to choose CloudHSM over KMS, FIPS 140-2 Level 3 compliance, TLS offloading, and Oracle TDE integration.AWS Encryption and Data Sovereignty - Hardware-Level Isolation from KMS to Nitro EnclavesWe explain hardware-level encryption and data sovereignty assurance through AWS KMS, CloudHSM, and Nitro Enclaves, and compare design differences with other cloud providers.Where Are KMS Encryption Keys Stored? - How Envelope Encryption and HSMs WorkThis article explains how KMS master keys are stored inside FIPS 140-2 certified HSMs, how envelope encryption provides double protection for data keys, and the internal workings of key rotation.