Using KMS keys in an AWS CloudHSM key store - AWS Key Management Service

Using KMS keys in an AWS CloudHSM key store

After you create a symmetric encryption KMS key in an AWS CloudHSM key store, you can use it for the following cryptographic operations:

The operations that generate asymmetric data key pairs, GenerateDataKeyPair and GenerateDataKeyPairWithoutPlaintext, are not supported in custom key stores.

When you use your KMS key in a request, identify the KMS key by its ID or alias; you do not need to specify the AWS CloudHSM key store or AWS CloudHSM cluster. The response includes the same fields that are returned for any symmetric encryption KMS key.

However, when you use a KMS key in an AWS CloudHSM key store, the cryptographic operation is performed entirely within the AWS CloudHSM cluster that is associated with the AWS CloudHSM key store. The operation uses the key material in the cluster that is associated with the KMS key that you chose.

To make this possible, the following conditions are required.

  • The key state of the KMS key must be Enabled. To find the key state, use the Status field in the AWS KMS console or the KeyState field in the DescribeKey response.

  • The AWS CloudHSM key store must be connected to its AWS CloudHSM cluster. Its Status in the AWS KMS console or ConnectionState in the DescribeCustomKeyStores response must be CONNECTED.

  • The AWS CloudHSM cluster that is associated with the custom key store must contain at least one active HSM. To find the number of active HSMs in the cluster, use the AWS KMS console, the AWS CloudHSM console, or the DescribeClusters operation.

  • The AWS CloudHSM cluster must contain the key material for the KMS key. If the key material was deleted from the cluster, or an HSM was created from a backup that did not include the key material, the cryptographic operation will fail.

If these conditions are not met, the cryptographic operation fails and AWS KMS returns a KMSInvalidStateException. Typically, you just need to reconnect the AWS CloudHSM key store. For additional help, see How to fix a failing KMS key.

When using the KMS keys in an AWS CloudHSM key store, be aware that the KMS keys in each AWS CloudHSM key store share a custom key store request quota for cryptographic operations. If you exceed the quota, AWS KMS returns a ThrottlingException. If the AWS CloudHSM cluster that is associated with the AWS CloudHSM key store is processing numerous commands, including those unrelated to the AWS CloudHSM key store, you might get a ThrottlingException at an even lower rate. If you get a ThrottlingException for any request, lower your request rate and try the commands again. For details about the custom key store request quota, see Custom key store request quotas.
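The following is an added example, not code from the AWS documentation: it checks the three preconditions above that are visible in the DescribeKey, DescribeCustomKeyStores and DescribeClusters responses, and wraps a KMS call so that only ThrottlingException is retried with backoff while KMSInvalidStateException is surfaced immediately. The sample responses and all IDs (cks-EXAMPLE, cluster-EXAMPLE, hsm-EXAMPLE) are constructed placeholders; in practice the dicts would come from the boto3 kms and cloudhsmv2 clients.

```python
import time

# Constructed sample responses (not real AWS output) carrying the fields the page
# names: KeyState (DescribeKey), ConnectionState (DescribeCustomKeyStores) and
# the HSM list (DescribeClusters). All IDs are placeholders.
SAMPLE_KEY = {"KeyMetadata": {"KeyId": "EXAMPLE-KEY-ID", "KeyState": "Enabled",
              "CustomKeyStoreId": "cks-EXAMPLE", "CloudHsmClusterId": "cluster-EXAMPLE"}}
SAMPLE_STORES = {"CustomKeyStores": [{"CustomKeyStoreId": "cks-EXAMPLE",
                                      "ConnectionState": "CONNECTED"}]}
SAMPLE_CLUSTERS = {"Clusters": [{"ClusterId": "cluster-EXAMPLE",
                                 "Hsms": [{"HsmId": "hsm-EXAMPLE", "State": "ACTIVE"}]}]}

def readiness_problems(describe_key, describe_stores, describe_clusters):
    """Return the unmet preconditions (empty when the key should be usable).
    The fourth condition, key material present in the cluster, is not visible in
    these responses; it surfaces only as KMSInvalidStateException on use."""
    meta = describe_key["KeyMetadata"]
    problems = []
    if meta.get("KeyState") != "Enabled":
        problems.append(f"key state is {meta.get('KeyState')}, not Enabled")
    stores = {s["CustomKeyStoreId"]: s for s in describe_stores.get("CustomKeyStores", [])}
    store = stores.get(meta.get("CustomKeyStoreId"))
    if store is None:
        problems.append("key is not in a known custom key store")
    elif store.get("ConnectionState") != "CONNECTED":
        problems.append(f"key store is {store.get('ConnectionState')}, not CONNECTED")
    clusters = {c["ClusterId"]: c for c in describe_clusters.get("Clusters", [])}
    cluster = clusters.get(meta.get("CloudHsmClusterId"), {})
    if not any(h.get("State") == "ACTIVE" for h in cluster.get("Hsms", [])):
        problems.append("associated CloudHSM cluster has no active HSM")
    return problems

def error_code(exc):
    """Service error code from a botocore-style ClientError (None otherwise)."""
    return getattr(exc, "response", {}).get("Error", {}).get("Code")

def call_with_backoff(operation, attempts=5, base_delay=0.2, sleep=time.sleep):
    """Run a KMS call, retrying with exponential backoff only on ThrottlingException
    (the shared custom key store quota). KMSInvalidStateException is re-raised at
    once: it needs a fix such as reconnecting the key store, not a slower rate."""
    for attempt in range(attempts):
        try:
            return operation()
        except Exception as exc:
            if error_code(exc) != "ThrottlingException" or attempt == attempts - 1:
                raise
            sleep(base_delay * 2 ** attempt)
```

With real clients, pass `lambda: kms.encrypt(KeyId=key_id, Plaintext=data)` as the operation and feed `readiness_problems` the unmodified responses of `kms.describe_key`, `kms.describe_custom_key_stores` and `cloudhsmv2.describe_clusters`.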