![AWS CloudHSM](/static/images/logos/aws-cloudhsm.png)
AWS CloudHSM
A cloud-based hardware security module service for managing cryptographic keys securely.
| Field | Value |
|---|---|
| Category | Data Security & Encryption |
| This page updated | a month ago |
| Pricing Details | Hourly pricing model with no upfront costs. |
| Target Audience | Organizations with stringent regulatory and compliance requirements for cryptographic key management. |
AWS CloudHSM is designed for managing and protecting cryptographic keys in the cloud, particularly for applications subject to stringent regulatory and compliance requirements. This service utilizes dedicated Hardware Security Modules (HSMs) that are FIPS 140-2 Level 3 or FIPS 140-3 Level 3 validated, ensuring high security standards for key management.
The technical architecture of AWS CloudHSM involves creating a CloudHSM cluster within your Amazon Virtual Private Cloud (VPC). Each cluster can contain multiple HSMs spread across multiple Availability Zones, providing high availability and load balancing. You have single-tenant access to these HSMs, and they appear as network resources within your VPC. AWS manages the HSM firmware, but only firmware cryptographically signed by a FIPS key can be installed, so unauthorized or tampered firmware cannot be loaded onto the devices.
Operationally, you need to set up a VPC and create IAM administrative groups before deploying a CloudHSM cluster. The client software installed on your EC2 instances maintains a secure, authenticated connection to the HSMs, allowing your applications to perform cryptographic operations without AWS having visibility into your keys or data. This end-to-end encryption, combined with the absence of AWS access to your cluster, means you have full control over key management and application development, but it also places more responsibility on you for user management and security.
Key technical details include the hourly pricing model with no upfront costs, the ability to add or remove HSMs from the cluster as needed, and automated daily backups of the cluster. The service supports various cryptographic standards and APIs, such as PKCS #11, JCE, and CNG, facilitating the migration of existing cryptographic workloads to the cloud.