AWS CloudHSM

• AWS CloudHSM provides secure cryptographic key storage to customers by making hardware security modules (HSMs) available in the AWS cloud
• AWS CloudHSM helps meet corporate, contractual and regulatory compliance requirements for data security by using dedicated HSM appliances within the AWS cloud.
• A hardware security module (HSM)
  • is a hardware appliance that provides secure key storage and cryptographic operations within a tamper-resistant hardware module.
  • are designed with physical and logical mechanisms, to securely store cryptographic key material and use the key material without exposing it outside the cryptographic boundary of the appliance.
  • physical protections include tamper detection and tamper response. When a tampering event is detected, the HSM is designed to securely destroy the keys rather than risk compromise
  • logical protections include role-based access controls that provide separation of duties
• CloudHSM allows encryption keys protection within HSMs, designed and validated to government standards for secure key management.
• CloudHSM helps comply with strict key management requirements within the AWS cloud without sacrificing application performance
• CloudHSM uses SafeNet Luna SA HSM appliances
• HSMs are located in AWS data centers, managed and monitored by AWS, but AWS does not have access to the keys
• AWS can’t help recover the key material if the credentials are lost
• HSMs are inside your VPC and isolated from the rest of the network
• CloudHSM provides single tenant dedicated access to each HSM appliance
• Placing HSM appliances near your EC2 instances decreases network latency, which can improve application performance
• Only you have access to the keys and operations to generate, store and manage on the keys
• Integrated with Amazon Redshift and Amazon RDS for Oracle
• Other use cases like EBS volume encryption and S3 object encryption and key management can be handled by writing custom applications and integrating them with CloudHSM