AWS CloudHSM lets you protect your encryption keys inside hardware security modules (HSMs) that are designed and validated to government standards for secure key management.
- You can securely generate, store, and manage the cryptographic keys used for data encryption such that they are accessible only by you.
- AWS CloudHSM protects your cryptographic keys with tamper-resistant HSM appliances that are designed to comply with international (Common Criteria EAL4+) and U.S. Government (NIST FIPS 140-2) regulatory standards for cryptographic modules.
- By placing CloudHSM in the same VPC (and ideally the same Availability Zone) as your EC2 instances, you reduce network latency and improve the performance of AWS applications that call the HSM.
- Use the CloudHSM service to support a variety of use cases and applications, such as database encryption, Digital Rights Management (DRM), Public Key Infrastructure (PKI), authentication and authorization, document signing, and transaction processing.
- Applications use standard cryptographic APIs (for example PKCS#11, Java JCE, or Microsoft CNG/KSP), together with the CloudHSM client software installed on the application instance, to send cryptographic requests to the HSM. Keys stay on the HSM; the application works with key handles.
- CloudHSM must be provisioned inside a VPC. Each HSM gets a network interface in one of the cluster's subnets, and clients reach it only through the cluster's security group, so the application instance must be in that VPC and attached to that security group.
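The VPC placement described in the bullets above, as an added Terraform example (this is not code from the original notes or from AWS): a CloudHSM cluster spread over two Availability Zones, one HSM per zone, and a client EC2 instance attached to the security group the cluster creates. The region, CIDRs, AMI ID and instance size are assumptions chosen for illustration.

```hcl
# Added example, not part of the original notes. Region, CIDRs, AMI and
# instance type are placeholders; substitute your own.
provider "aws" {
  region = "us-east-1"
}

resource "aws_vpc" "hsm" {
  cidr_block = "10.20.0.0/16"
}

# CloudHSM takes one subnet per Availability Zone; two zones give HA.
resource "aws_subnet" "hsm_a" {
  vpc_id            = aws_vpc.hsm.id
  cidr_block        = "10.20.1.0/24"
  availability_zone = "us-east-1a"
}

resource "aws_subnet" "hsm_b" {
  vpc_id            = aws_vpc.hsm.id
  cidr_block        = "10.20.2.0/24"
  availability_zone = "us-east-1b"
}

# The cluster. AWS creates a security group in the VPC for it that allows
# HSM client traffic (TCP 2223-2225) only between members of that group.
resource "aws_cloudhsm_v2_cluster" "main" {
  hsm_type   = "hsm1.medium"
  subnet_ids = [aws_subnet.hsm_a.id, aws_subnet.hsm_b.id]
}

# One HSM in each zone; each HSM gets an ENI in the chosen subnet.
resource "aws_cloudhsm_v2_hsm" "a" {
  cluster_id        = aws_cloudhsm_v2_cluster.main.cluster_id
  availability_zone = aws_subnet.hsm_a.availability_zone
}

resource "aws_cloudhsm_v2_hsm" "b" {
  cluster_id        = aws_cloudhsm_v2_cluster.main.cluster_id
  availability_zone = aws_subnet.hsm_b.availability_zone
}

# The application instance runs the CloudHSM client. It must sit in the same
# VPC and carry the cluster's security group, or it cannot reach the HSMs.
resource "aws_instance" "app" {
  ami                    = "ami-0123456789abcdef0" # placeholder
  instance_type          = "t3.small"
  subnet_id              = aws_subnet.hsm_a.id
  vpc_security_group_ids = [aws_cloudhsm_v2_cluster.main.security_group_id]
}

output "cluster_id" {
  value = aws_cloudhsm_v2_cluster.main.cluster_id
}
```

Applying this only builds the cluster; before a client can log in, the cluster still has to be initialized (sign the cluster CSR with your own CA and upload the trust anchor) and activated by setting the crypto officer password. Those steps are done with the AWS CLI and the CloudHSM client tools, not by Terraform, and are outside what these notes cover.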
Video: Encryption and Key Management in AWS (client-side and server-side encryption basics: up to 22:00; HSM: 22:50 to 40:00; Netflix use case: from 46:00)