Cloud Hardware Security Module (HSM)

The AWS Cloud HSM service allows you to protect your encryption keys within HSMs designed and validated to government standards for secure key management.


  • You can securely generate, store, and manage the cryptographic keys used for data encryption such that they are accessible only by you. 
  • AWS CloudHSM protects your cryptographic keys with tamper-resistant HSM appliances that are designed to comply with international (Common Criteria EAL4+) and U.S. Government (NIST FIPS 140-2) regulatory standards for cryptographic modules. 
  • By placing CloudHSMs in your VPC near your EC2 instances, you can reduce network latency and increase the performance of your AWS applications that use HSMs.
  • Use the CloudHSM service to support a variety of use cases and applications, such as database encryption, Digital Rights Management (DRM), Public Key Infrastructure (PKI), authentication and authorization, document signing, and transaction processing.
  • Applications use standard cryptographic APIs, in conjunction with HSM client software installed on the application instance, to send cryptographic requests to the HSM
  • CloudHSM must be provisioned inside a VPC.


Best Practices:

Video links:

Encryption and Key Management in AWS (Basics of encryption on client/server side: Until 22:00 mins; HSM : 22:50 – 40:00; Netflix Use case: 46:00)