Overview – AWS KMS and CloudHSM

AWS has been architected to be one of the most flexible and secure cloud computing environments available. Designed for a scalable, dependable platform, this enables customers to deploy applications and data securely and rapidly. Organizations are continuously moving their infrastructure and applications to cloud service providers. However, security issues play a significant role in making the migration decision. Today, organizations lack clarity on available options for hosting crypto keys in the cloud. For Amazon Web Services, AWS provides two services of crypto key management on their cloud, AWS Key Management Service (KMS) or AWS CloudHSM.

AWS CloudHSM

AWS CloudHSM is a cloud-based hardware security module that is customer-owned and managed. AWS CloudHSM acts as a single-tenant on hardware restricting it from being shared with other customers and applications. Organizations can utilize AWS CloudHSM for those wanting to use HSMs for administering and managing the encryption keys, but not having to worry about managing HSM Hardware in a data center.

AWS CloudHSM allows FIPS 140-2 Level 3 overall validated single-tenant HSM cluster in your Amazon Virtual Private Cloud (VPC) to store and use your keys. Complete control is given for users how keys are used through an authentication mechanism separate from AWS. AWS CloudHSM supports multiple use cases including the following: management of Public/Private key pairs for Public Key Infrastructure (PKI), Code & Document Signing, storing private keys for various services such as database, storage and web applications, storing keys for DRM solution. AWS CloudHSM will allow your organization to meet compliances of key management requirements with the use Hardware Security Modules supervised by AWS with the ability to incorporate multiple platforms to store keys.

Below is the table which summarizes the AWS Cloud HSM Crypto Properties

AWS CloudHSM Crypto Properties
	Tenant Single-Tenant Standard FIPS 140-2 Level 3 Common Criteria EAL4+( supported by cloudHSM classic older model) Master Keys Master Key HSM Crypto Key types Symmetric – AES (Modes supported CBC, GCM and ECB) Asymmetric – RSA, ECC Hashing – SHA-256, SHA-512, RSA, ECDSA API Support PKCS11 OpenSSL JCE Crypto next generation (CNG) Access Authentication/Policy Quorum based K of N principle Key Accessibility Can be accessed and shared across multiple VPC High Availability ADD HSM in Different Availability Zones Audit Capability CloudTrail Cloud Watch MFA support

AWS Key Management Services (KMS)

AWS KMS allows for your organization to create and control keys for cryptographic operations. This includes key generation, storage, management, and auditing when in the process of encrypting/decrypting or digitally signing data for applications or across AWS services. AWS KMS allows ability of complete security through managed encryption keys across AWS platforms.  Centralized key management gives the user a central point of control for managing keys and defining access policies throughout all integrated AWS services. With AWS KMS, you will have the ability to create a customer master key (CMK) generally known as a master key, use a master key, create and export a data key encrypted by a master key, enable/disable master keys, and audit the usage of master keys in AWS CloudTrail. AWS incorporates Master keys and Data keys. The Master key will not leave the AWS KMS service in an unencrypted form. With AWS KMS, specific access policies can be set for only trusted users that can use CMKs. In AWS KMS, Bring your own key (BYOK) feature is available to import your own key material into that CMK, however, the imported key material is supported only for symmetric CMKs in AES-256-XTS keys in PKCS#1 standard format. AWS KMS can be paired with AWS CloudHSM cluster to create the key material for a CMK that can be managed by AWS KMS service.

AWS Key Management Service Crypto Properties
	Tenant Multi-Tenant Standard FIPS 140-2 Level 2 Master Keys Customer Owned Master key AWS Managed Master Key AWS owned Master key Crypto Keys Symmetric Asymmetric AES in XTS mode only Crypto API AWS SDK/API for KMS Access Authentication/Policy AWS IAM Policy Key Accessibility Accessible in multiple regions (Keys outside the region in which created cant be used) High Availability AWS Managed Service Audit Capability CloudTrail Cloud Watch

AWS KMS And AWS CloudHSM

AWS CloudHSM provides single tenant key storage giving FIPS 140-2 Level 3 compliance. CloudHSM allows full control of your keys such including Symmetric (AES), Asymmetric (RSA), Sha-256, SHA 512, Hash Based, Digital Signatures (RSA). On the other hand, AWS Key Management Service is a multi-tenant key storage that is owned and managed by AWS. AWS KMS allows supports Customer Master Keys for symmetric key encryption (AES-256-XTS) and asymmetric keys (RSA or elliptic curve (ECC).
If your organization’s key management strategy for encryption will be running a singular cloud service provider for now and for the foreseeable future, then AWS KMS will provide the simplest environment to maintain. However, if you are planning on taking advantage of multiple cloud providers but do not wish to maintain the HSM’s, AWS CloudHSM may be the solution for your organization to allow for encryption keys separated from the data of the other platforms that are being utilized.