AWSGlossary

AWS CloudHSM: What It Is and When to Use It

Definition

AWS CloudHSM is a cloud-based service that provides dedicated, single-tenant Hardware Security Module (HSM) instances within the AWS cloud. It allows customers to securely generate, store, and manage their cryptographic keys in hardware that is validated against stringent government standards, such as FIPS 140-2 Level 3, helping them meet strict contractual and regulatory compliance requirements.

How It Works

AWS CloudHSM provides a high degree of control and security by provisioning HSMs within a customer's Amazon Virtual Private Cloud (VPC). The architecture is designed for security, high availability, and performance.

  1. Cluster-Based Architecture: You begin by creating a CloudHSM cluster, which is a collection of individual HSM instances that are automatically synchronized. This cluster acts as a single logical HSM. You can deploy HSMs across multiple Availability Zones (AZs) within a region to ensure high availability and redundancy.

  2. VPC Integration: The HSMs are provisioned with Elastic Network Interfaces (ENIs) inside your VPC. This means they are accessible only from within your private network (e.g., from Amazon EC2 instances), and you can use standard VPC security controls like security groups to manage access.

  3. Client-Side Interaction: To interact with the HSMs, you install the AWS CloudHSM client software on your application instances (e.g., EC2). This client establishes a secure, end-to-end encrypted communication channel with the HSMs in the cluster. Your applications then use standard cryptographic APIs—such as PKCS#11, Java Cryptography Extensions (JCE), or Microsoft CryptoNG (CNG)—to send requests to the HSM.

  4. Secure Key Management: All cryptographic operations, including key generation and usage, happen inside the tamper-resistant hardware of the HSM. Keys are never exposed in plaintext outside the HSM's cryptographic boundary. AWS personnel have no access to your key material. You have full control over the key lifecycle, managed by designated user roles like the Crypto Officer (CO) and Crypto User (CU).

  5. High Availability and Load Balancing: The CloudHSM service automatically load balances cryptographic requests across all HSMs in the cluster. If an HSM fails, AWS automatically replaces the unhealthy instance, and the cluster synchronization ensures that keys are durable and available on the remaining HSMs.

Key Features and Limits

  • FIPS 140-2 Level 3 Validation: The service uses HSMs validated at FIPS 140-2 Level 3, which includes requirements for physical tamper-evidence and strong role-based authentication. Newer instances also support FIPS 140-3 Level 3.
  • Single-Tenant Hardware: Unlike multi-tenant services, each CloudHSM instance is dedicated to a single customer, providing physical and logical isolation.
  • Full Customer Control: You have exclusive control over the generation, storage, and management of your keys. AWS cannot access or use your keys.
  • Scalability and High Availability: Clusters can scale by adding or removing HSMs on demand. A single cluster can contain up to 28 HSMs, spread across different AZs for resilience.
  • Standard API Support: Integrates with applications using standard libraries like PKCS#11, JCE, and CNG, making it compatible with a wide range of software.
  • Service Quotas (as of 2026):
    • HSMs per cluster: 28 (not adjustable).
    • Clusters per region: 4 (adjustable).
    • HSMs per account per region: 6 (adjustable).
    • Keys per cluster: Varies by instance type (e.g., 16,666 for hsm2m.medium).
    • Users per cluster: Varies by instance type (e.g., 1,024 for hsm2m.medium).

Common Use Cases

  • Regulatory and Contractual Compliance: Meeting stringent requirements in industries like finance (PCI DSS), healthcare (HIPAA), and public sector that mandate the use of validated, single-tenant HSMs for key management.
  • Public Key Infrastructure (PKI): Securely storing the private keys for a root or issuing Certificate Authority (CA) to sign certificates, ensuring the integrity of the PKI hierarchy.
  • Transparent Data Encryption (TDE) for Databases: Storing the master encryption keys for database systems like Oracle TDE, offloading the cryptographic operations to a dedicated hardware device.
  • Digital Signatures and Code Signing: Protecting the private keys used for signing financial transactions, legal documents, or software code to ensure authenticity and integrity.
  • Offloading SSL/TLS Processing: Using the HSM to perform the intensive cryptographic handshake operations for web servers, protecting their private keys from being exposed in memory.

Pricing Model

AWS CloudHSM pricing is straightforward with no upfront costs or long-term commitments.

  • Hourly Billing: You are charged a fixed hourly rate for each HSM instance you provision.
  • Prorated to the Second: Billing is prorated to the second, meaning you only pay for the exact time an HSM is running.
  • No Per-Request Fees: Unlike some other services, there are no additional charges for the number of API requests or cryptographic operations performed.
  • Associated Costs: Standard AWS data transfer fees apply for data moving in and out of the VPC.

For the most current pricing, it is always best to consult the official AWS CloudHSM pricing page and the AWS Pricing Calculator.

Pros and Cons

Pros:

  • Highest Level of Security and Compliance: Provides single-tenant, FIPS 140-2 Level 3 validated hardware, meeting the strictest compliance mandates.
  • Complete Key Control: Offers exclusive, administrative control over keys and the cryptographic environment. AWS has no access.
  • High Performance: Dedicated hardware can handle high-volume cryptographic workloads and offload processing from application servers.
  • Standard API Integration: Broad compatibility with existing applications through standard cryptographic interfaces.

Cons:

  • Higher Cost: Significantly more expensive than multi-tenant solutions like AWS KMS due to the dedicated hardware.
  • Increased Operational Overhead: Requires more management effort. You are responsible for configuring the cluster, managing HSM users, performing key backups, and integrating the client software.
  • Complexity: The setup and integration process is more complex than a fully managed service, requiring deeper knowledge of networking and key management principles.

Comparison with Alternatives

AWS CloudHSM vs. AWS Key Management Service (KMS)

This is the most common comparison, as both services manage cryptographic keys. The choice depends on your specific control and compliance needs.

| Feature | AWS CloudHSM | AWS Key Management Service (KMS) | | :--- | :--- | :--- | | Tenancy | Single-tenant; dedicated hardware for each customer. | Multi-tenant; uses a shared fleet of HSMs, with logical isolation. | | FIPS Validation | FIPS 140-2 and FIPS 140-3 Level 3 validated. | HSMs are FIPS 140-2 and FIPS 140-3 Level 3 certified. | | Control | Full control over key generation and lifecycle. You manage users directly on the HSM. | Managed control through IAM policies and key policies. You do not directly access the HSM. | | Management | Customer-managed; requires client software installation, cluster configuration, and user management. | AWS-managed; a fully managed service with a simple API, handling hardware and software maintenance. | | Cost Model | Per-HSM per-hour billing. More expensive. | Pay-per-use (per key per month and per API call). More cost-effective for most use cases. | | Use Case | Strict compliance (e.g., PCI DSS), single-tenant requirements, moving applications that require direct HSM access. | General-purpose encryption, integration with other AWS services (S3, EBS, RDS), centralized key management. |

Guidance: Use AWS KMS by default for its simplicity, cost-effectiveness, and deep integration with AWS services. Choose AWS CloudHSM only when you have a specific regulatory or corporate mandate for single-tenant, FIPS-validated hardware that you directly control.

Exam Relevance

AWS CloudHSM is a key topic on security-focused and professional-level AWS certification exams.

  • AWS Certified Security - Specialty (SCS-C02): Expect in-depth questions on CloudHSM architecture, use cases, and its comparison with KMS. You need to know when to choose one over the other based on compliance and control requirements.
  • AWS Certified Solutions Architect - Professional (SAP-C02): Questions may test your ability to design secure, compliant, and resilient architectures. Understanding how CloudHSM fits into a VPC and integrates with applications is crucial.

For all exams, the most critical concept to master is the difference between CloudHSM and KMS. Know that CloudHSM means single-tenant, customer-managed hardware for the highest level of compliance and control.

Frequently Asked Questions

Q: What is the main difference between AWS CloudHSM and AWS KMS?

A: The primary differences are tenancy, control, and management model. AWS CloudHSM provides single-tenant, dedicated hardware that you control and manage directly. AWS KMS is a multi-tenant, fully managed service where AWS manages the underlying hardware, and you control access to your keys via IAM and key policies.

Q: Can AWS access my keys in CloudHSM?

A: No. AWS provisions and maintains the HSM hardware, but they have no logical or cryptographic access to the HSMs or the key material stored within them. You retain exclusive control over your keys through dedicated HSM user accounts that you create and manage.

Q: Can I use keys from CloudHSM with other AWS services like Amazon S3 for server-side encryption?

A: Not directly. Most AWS services are integrated with AWS KMS for server-side encryption. However, you can use the KMS Custom Key Store feature, which allows you to create a KMS key that is backed by your AWS CloudHSM cluster. This combines the integration and ease of use of the KMS API with the dedicated control of a CloudHSM cluster.

This article reflects AWS features and pricing as of 2026. AWS services evolve rapidly — always verify against the official AWS documentation before making production decisions.

Published: 5/25/2026 / Updated: 5/25/2026

This article is for informational purposes only. AWS services, pricing, and features change frequently — always verify details against the official AWS documentation before making production decisions.

More in Security

Resource-Based vs Identity-Based Policies: How to Use Them

Understand AWS IAM identity-based vs resource-based policies. Learn what they are, how they differ, and when to use each for effective AWS security. See examples.

IAM Permissions Boundary: Control Max Permissions

An IAM Permissions Boundary sets the maximum permissions an IAM policy can grant. Learn how it prevents privilege escalation and when to use it.

IAM Access Analyzer: How It Works & When to Use It

IAM Access Analyzer formally verifies policies to identify and remediate unintended resource access. Learn how it monitors S3 buckets, IAM roles, and KMS keys for external sharing.

AWS Certificate Manager (ACM): Simplify SSL/TLS Certificates

AWS Certificate Manager (ACM) simplifies SSL/TLS certificate management for your AWS apps. Automate provisioning, renewal, and deployment. Learn how it works.

Multi-Factor Authentication (MFA): Secure Your AWS Account

Multi-Factor Authentication (MFA) adds a vital security layer to AWS IAM, requiring a second factor beyond passwords. Reduce unauthorized access risk. Learn how it works.

View all Security terms →