AWS CloudHSM is a cloud-based hardware security module (HSM) that enables you to easily generate and use your own encryption keys on the AWS Cloud. With CloudHSM, you can manage your own encryption keys using FIPS 140-2 Level 3 validated HSMs. CloudHSM offers you the flexibility to integrate with your applications using industry-standard APIs, such as PKCS#11, Java Cryptography Extensions (JCE), and Microsoft CryptoNG (CNG) libraries. CloudHSM is also standards-compliant and enables you to export all of your keys to most other commercially available HSMs. It is a fully managed service that automates time-consuming administrative tasks for you, such as hardware provisioning, software patching, high availability, and backups. CloudHSM also enables you to scale quickly by adding and removing HSM capacity on demand, with no up-front costs.
Generate and use encryption keys on highly secure HSMs
AWS CloudHSM enables you to generate and use your encryption keys on a FIPS 140-2 Level 3 compliant HSM. CloudHSM protects your keys with exclusive, single-tenant access to tamper-resistant HSMs in your own Amazon Virtual Private Cloud (VPC).
Pay as you go with no upfront costs
With AWS CloudHSM, you can start and stop your HSMs on-demand to provision HSM capacity when and where you need, with no upfront costs.
Use an open HSM built on industry standards
You can use AWS CloudHSM to integrate with custom applications using industry-standard APIs, such as PKCS#11, Java Cryptography Extensions (JCE), and Microsoft CryptoNG (CNG) libraries. You can also transfer your keys to other commercial HSM solutions, which makes it easy for you to migrate keys on or off AWS.
Keep control of your encryption keys
AWS CloudHSM provides you access to your HSMs over a secure channel to create users and set HSM policies. The encryption keys that you generate and use with CloudHSM are accessible only by the HSM users that you specify. AWS has no visibility or access to your encryption keys.
Protect your keys with strong authentication
AWS CloudHSM also supports quorum authentication for critical administrative and key management functions, and multi-factor authentication (MFA) using tokens you provide.
Easy to manage
AWS CloudHSM is a managed service that automates time-consuming administrative tasks for you, such as hardware provisioning, software patching, high availability, and backups. You can scale your HSM capacity quickly by adding and removing HSMs from your cluster on-demand.
Secure Sockets Layer (SSL) and Transport Layer Security (TLS) are used to confirm the identity of web servers and establish secure HTTPS connections over the Internet. You can use AWS CloudHSM to offload SSL/TLS processing for your web servers. Using CloudHSM for this processing reduces the burden on your web server and provides extra security by storing your web server's private key in CloudHSM.
In a public key infrastructure (PKI), a certificate authority (CA) is a trusted entity that issues digital certificates. These digital certificates are used to identify a person or organization. You can use AWS CloudHSM to store your private keys and act as an issuing CA to issue certificates for your organization.
You can use AWS CloudHSM to store the Transparent Data Encryption (TDE) master encryption key for your Oracle database servers that support TDE. With TDE, supported Oracle database servers can encrypt data before storing it on disk. Note that Amazon RDS for Oracle does not support TDE with CloudHSM.
It's easy to get started with AWS CloudHSM. Follow our console walkthrough to deploy your first cluster in a few clicks.