What is AWS CloudHSM? - AWS CloudHSM

What is AWS CloudHSM?

AWS CloudHSM combines the benefits of the AWS cloud with the security of hardware security modules (HSMs). A hardware security module (HSM) is a computing device that processes cryptographic operations and provides secure storage for cryptographic keys. With AWS CloudHSM, you have complete control over high availability HSMs that are in the AWS Cloud, have low-latency access, and a secure root of trust that automates HSM management (including backups, provisioning, configuration, and maintenance).

AWS CloudHSM offers customers a variety of benefits:

HSMs are FIPS 140-2 level-3 validated

AWS CloudHSM uses general purpose HSMs that are standards-compliant, single-tenant, and FIPS 140-2 level-3 validated. They provide more flexibility when compared to the fully-managed AWS services that have predetermined algorithms and key lengths for your application.

E2E encryption is not visible to AWS

Because your data plane is end-to-end (E2E) encrypted and not visible to AWS, you control your own user management (outside of IAM roles). The trade off for this control is you have more responsibility than if you used a managed AWS service.

Full control of your keys, algorithms, and application development

AWS CloudHSM gives you full control of the algorithms and keys you use. You can generate, store, import, export, manage, and use cryptographic keys (including, session keys, token keys, symmetric keys and asymmetric key pairs). Additionally, AWS CloudHSM SDKs give you full control over application development, application language, threading, and where your applications physically exist.

Migrate your cryptographic workloads to the cloud

Customers migrating public key infrastructure that use Public Key Cryptography Standards #11 (PKCS #11), Java Cryptographic Extension (JCE), Cryptography API: Next Generation (CNG), or key storage provider (KSP) can migrate to AWS CloudHSM with fewer changes to their application.

Access to FIPS and non-FIPS clusters

To learn more about what you can do with AWS CloudHSM, see the following topics. When you are ready to get started with AWS CloudHSM, see Getting started.


If you want a managed service for creating and controlling your encryption keys but you don't want or need to operate your own HSMs, consider using AWS Key Management Service.

If you are looking for an elastic service that manages payment HSMs and keys for payment processing applications in the cloud, consider using AWS Payment Cryptography.