AWS CloudHSM cluster modes and HSM types - AWS CloudHSM


AWS CloudHSM offers two cluster modes: FIPS and non-FIPS. AWS CloudHSM also offers two HSM types: hsm1.medium and hsm2m.medium. Review the details on this page before deciding which cluster mode and HSM type is right for your needs.

Note

All clusters created before June 10, 2024 are in FIPS mode and have HSM type hsm1.medium.

To see your cluster's mode and HSM type, use the describe-clusters command.

Cluster modes

AWS CloudHSM offers clusters in two modes: FIPS and non-FIPS. In FIPS mode, only keys and algorithms that are approved by the Federal Information Processing Standard (FIPS) can be used. Non-FIPS mode offers all the keys and algorithms that are supported by AWS CloudHSM, regardless of FIPS approval.

The following table lists the major differences between the two cluster modes (one row per differentiating feature, with the FIPS and non-FIPS cells under it):

HSM type compatibility
  FIPS mode:     Available with hsm1.medium.
  Non-FIPS mode: Available with hsm2m.medium.

Backup compatibility
  FIPS mode:     Backups can only be used to back up and restore clusters in FIPS mode.
  Non-FIPS mode: Backups can only be used to back up and restore clusters in non-FIPS mode.

Key selection
  FIPS mode:     Supports AWS CloudHSM keys that are FIPS approved [1].
  Non-FIPS mode: Supports AWS CloudHSM keys that are both FIPS approved and not FIPS approved.

Algorithms
  FIPS mode:     Supports AWS CloudHSM algorithms that are FIPS approved [1].
  Non-FIPS mode: Supports AWS CloudHSM algorithms that are both FIPS approved and not FIPS approved.

Certification
  FIPS mode:     FIPS 140-2, PCI PIN, and PCI-3DS compliant.

[1] See Deprecation notifications for details.

Before choosing a cluster mode, note that a cluster's mode (FIPS or non-FIPS) cannot be changed after the cluster is created, so make sure you select the right mode for your needs.

HSM types

In addition to cluster modes, AWS CloudHSM offers two HSM types: hsm1.medium and hsm2m.medium. Each HSM type uses different hardware, and a cluster can only contain one type of HSM. The following table lists the major differences between the two (one row per differentiating feature, with the hsm1.medium and hsm2m.medium cells under it):

Cluster mode compatibility
  hsm1.medium:  Available for clusters in FIPS mode.
  hsm2m.medium: Currently available for clusters in non-FIPS mode.

Backup compatibility
  hsm1.medium:  Backups can only be used to back up and restore hsm1.medium clusters.
  hsm2m.medium: Backups can only be used to back up and restore hsm2m.medium clusters.

Key capacity
  hsm1.medium:  3,300 keys per cluster.
  hsm2m.medium: 16,666 total keys per cluster, of which at most 3,333 can be asymmetric keys.

Client SDKs
  hsm1.medium:  Supports all Client SDKs.
  hsm2m.medium: Supports all Client SDKs except for the CNG and KSP providers.

Client SDK versions
  hsm1.medium:  Compatible with Client SDK version 3.1.0 and later.
  hsm2m.medium: Compatible with Client SDK version 5.12.0 and later.

Region availability
  hsm1.medium:  Available in all regions where CloudHSM is available.
  hsm2m.medium: Available in a limited number of regions, with additional supported regions coming soon. To see the regions where this HSM type is available, refer to the AWS CloudHSM pricing calculator.

Performance
  To see the performance of each HSM type, refer to AWS CloudHSM Performance.

Certification
  hsm1.medium:  FIPS 140-2, PCI DSS, PCI PIN, SOC2, and PCI-3DS compliant.
  hsm2m.medium: PCI DSS compliant.

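Because mode and HSM type are fixed at creation and backups only restore into a matching cluster, it is worth checking a planned cluster against the two tables above before creating it. The following is an added example (not AWS code) that encodes the compatibility rules from this page and reads the mode and HSM type out of describe-clusters output; it assumes the response uses the field names ClusterId, Mode (FIPS or NON_FIPS) and HsmType, and the sample JSON is constructed.

```python
import json
from typing import Dict, List, Tuple

# Compatibility rules transcribed from the two tables on this page.
HSM_TYPES = {
    "hsm1.medium":  {"mode": "FIPS",     "min_sdk": (3, 1, 0),  "cng_ksp": True},
    "hsm2m.medium": {"mode": "NON_FIPS", "min_sdk": (5, 12, 0), "cng_ksp": False},
}

def parse_version(version: str) -> Tuple[int, ...]:
    """Turn a Client SDK version string such as '5.12.0' into a comparable tuple."""
    return tuple(int(part) for part in version.split("."))

def check_plan(mode: str, hsm_type: str, sdk_version: str,
               needs_cng_ksp: bool = False) -> List[str]:
    """Return the problems with a planned cluster; an empty list means it is consistent
    with the mode, SDK-version and Client-SDK rows of the tables above."""
    spec = HSM_TYPES.get(hsm_type)
    if spec is None:
        return [f"unknown HSM type {hsm_type}"]
    problems = []
    if mode != spec["mode"]:
        problems.append(f"{hsm_type} is only available for clusters in {spec['mode']} mode")
    if parse_version(sdk_version) < spec["min_sdk"]:
        wanted = ".".join(str(n) for n in spec["min_sdk"])
        problems.append(f"{hsm_type} requires Client SDK version {wanted} or later")
    if needs_cng_ksp and not spec["cng_ksp"]:
        problems.append(f"{hsm_type} does not support the CNG and KSP providers")
    return problems

def restore_compatible(source_cluster: dict, target_mode: str, target_hsm_type: str) -> bool:
    """A backup can only be restored into a cluster with the same mode and HSM type."""
    return (source_cluster["Mode"] == target_mode
            and source_cluster["HsmType"] == target_hsm_type)

def summarize_clusters(describe_output: str) -> Dict[str, Tuple[str, str]]:
    """Map ClusterId -> (Mode, HsmType) from `aws cloudhsmv2 describe-clusters` JSON.
    Field names are an assumption about the response shape."""
    data = json.loads(describe_output)
    return {c["ClusterId"]: (c["Mode"], c["HsmType"]) for c in data["Clusters"]}

# Constructed sample of describe-clusters output (not a real response).
SAMPLE_DESCRIBE = json.dumps({"Clusters": [
    {"ClusterId": "cluster-EXAMPLE1", "Mode": "FIPS",     "HsmType": "hsm1.medium"},
    {"ClusterId": "cluster-EXAMPLE2", "Mode": "NON_FIPS", "HsmType": "hsm2m.medium"},
]})

if __name__ == "__main__":
    for cluster_id, (mode, hsm_type) in summarize_clusters(SAMPLE_DESCRIBE).items():
        print(cluster_id, mode, hsm_type, check_plan(mode, hsm_type, "5.12.0"))
```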