AWS GovCloud (US-West) User Guide

AWS CloudHSM

AWS CloudHSM offers secure cryptographic key storage for customers by providing managed hardware security modules in the AWS Cloud.

For more information about AWS CloudHSM, see the AWS CloudHSM User Guide.

ITAR Boundary

AWS GovCloud (US) has an ITAR boundary, which defines where customers are allowed to store ITAR-controlled data for this service in the AWS GovCloud (US-West) Region. To maintain ITAR compliance, you must place ITAR-controlled data on the applicable part of the ITAR boundary. If you do not have any ITAR-controlled data in the AWS GovCloud (US-West) Region, this section does not apply to you. The following information identifies the ITAR boundary for this service:

ITAR-Regulated Data Permitted

  • AWS CloudHSM secret access keys are protected as ITAR-regulated data.

ITAR-Regulated Data Not Permitted

  • AWS CloudHSM metadata is not permitted to contain ITAR-regulated data. This includes all configuration data that you enter when creating and maintaining your AWS CloudHSM config. Audit and syslogs should not contain ITAR-regulated data.

AWS CloudHSM Root Certificate

If you choose to verify the identity of an HSM, be sure to use the root certificate for the AWS GovCloud (US-West) Region rather than the root certificate that is available for commercial regions. You can download the certificate from AWS-US-GOV_CloudHSM_Root_G1.zip. Verification is an optional step that you can perform after you create an HSM.

For more information about AWS CloudHSM, see the AWS CloudHSM User Guide. For more information about AWS CloudHSM Classic, see the AWS CloudHSM Classic User Guide.