
Overview of AWS KMS and AWS CloudHSM

26 Mar 2020

AWS has been architected to be one of the most flexible and secure cloud computing environments available. Designed as a scalable, dependable platform, it enables customers to deploy applications and data securely and rapidly. Organizations are continuously moving their infrastructure and applications to cloud service providers, but security concerns play a significant role in the migration decision. Today, organizations lack clarity on the available options for hosting cryptographic keys in the cloud. On Amazon Web Services, AWS offers two key management services: AWS Key Management Service (KMS) and AWS CloudHSM.

AWS CloudHSM

AWS CloudHSM is a cloud-based hardware security module (HSM) that is customer-owned and customer-managed. AWS CloudHSM runs as a single tenant on its hardware, so the HSM is not shared with other customers or applications. It suits organizations that want to use HSMs to administer and manage their encryption keys without having to operate HSM hardware in their own data center.

AWS CloudHSM provides a FIPS 140-2 Level 3 (overall) validated single-tenant HSM cluster in your Amazon Virtual Private Cloud (VPC) to store and use your keys. Users retain complete control over how keys are used, through an authentication mechanism that is separate from AWS. AWS CloudHSM supports multiple use cases, including: managing public/private key pairs for a Public Key Infrastructure (PKI), code and document signing, storing private keys for services such as databases, storage and web applications, and storing keys for DRM solutions. AWS CloudHSM lets your organization meet key management compliance requirements using Hardware Security Modules supervised by AWS, with the ability to incorporate multiple platforms to store keys.

The table below summarizes the AWS CloudHSM crypto properties.

AWS CloudHSM Crypto Properties

Tenant                         Single-tenant
Standard                       FIPS 140-2 Level 3; Common Criteria EAL4+ (supported by the older CloudHSM Classic model)
Master Keys                    Master key held in the HSM
Crypto Key Types               • Symmetric – AES (CBC, GCM and ECB modes)
                               • Asymmetric – RSA, ECC
                               • Hashing and signing – SHA-256, SHA-512, RSA, ECDSA
API Support                    • PKCS#11
                               • OpenSSL
                               • JCE
                               • Cryptography API: Next Generation (CNG)
Access Authentication/Policy   Quorum-based K-of-N principle
Key Accessibility              Can be accessed and shared across multiple VPCs
High Availability              Add HSMs in different Availability Zones
Audit Capability               • CloudTrail
                               • CloudWatch
                               • MFA support
AWS Key Management Service (KMS)

AWS KMS lets your organization create and control the keys used for cryptographic operations. This covers key generation, storage, management and auditing when encrypting/decrypting or digitally signing data for your applications or across AWS services. AWS KMS provides complete security through managed encryption keys across AWS platforms. Centralized key management gives the user a single point of control for managing keys and defining access policies across all integrated AWS services. With AWS KMS you can create a customer master key (CMK), generally known as a master key; use a master key; create and export a data key encrypted by a master key; enable or disable master keys; and audit the usage of master keys in AWS CloudTrail. AWS distinguishes master keys from data keys: the master key never leaves the AWS KMS service in unencrypted form. With AWS KMS, specific access policies can be set so that only trusted users can use CMKs. AWS KMS offers a Bring Your Own Key (BYOK) feature to import your own key material into a CMK; however, imported key material is supported only for symmetric CMKs with AES-256-XTS keys in PKCS#1 standard format. AWS KMS can also be paired with an AWS CloudHSM cluster to create the key material for a CMK that is then managed by the AWS KMS service.
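The master-key/data-key split described above, as an added example that is not AWS's or the article's own code: a hypothetical MasterKeyService stands in for KMS (it hands out data keys, unwraps them, can be disabled, and logs each use the way CloudTrail would), and HMAC-SHA256 in counter mode with an encrypt-then-MAC tag stands in for AES-GCM because the Python standard library has no AES.

```python
"""Added example (not AWS code) modelling the KMS envelope-encryption workflow with a
hypothetical MasterKeyService; HMAC-SHA256 counter mode + encrypt-then-MAC stands in for AES-GCM."""
import hashlib, hmac, os

def _prf(key, msg):
    return hmac.new(key, msg, hashlib.sha256).digest()

def _keystream(key, nonce, n):
    # Counter-mode keystream; the b"ks" label separates it from the b"tag" input below.
    return b"".join(_prf(key, b"ks" + nonce + i.to_bytes(4, "big"))
                    for i in range((n + 31) // 32))[:n]

def aead_encrypt(key, plaintext):
    nonce = os.urandom(16)
    ct = bytes(p ^ k for p, k in zip(plaintext, _keystream(key, nonce, len(plaintext))))
    return nonce + ct + _prf(key, b"tag" + nonce + ct)

def aead_decrypt(key, blob):
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(tag, _prf(key, b"tag" + nonce + ct)):
        raise ValueError("ciphertext was tampered with or the key is wrong")
    return bytes(c ^ k for c, k in zip(ct, _keystream(key, nonce, len(ct))))

class MasterKeyService:
    """Stand-in for KMS: the master key is private and never returned to callers."""
    def __init__(self):
        self._master_key = os.urandom(32)
        self.enabled = True    # models enabling/disabling a CMK
        self.audit_log = []    # models CloudTrail entries for key usage

    def generate_data_key(self):
        # GenerateDataKey analogue: plaintext data key plus the same key wrapped.
        if not self.enabled:
            raise PermissionError("master key is disabled")
        self.audit_log.append("GenerateDataKey")
        data_key = os.urandom(32)
        return data_key, aead_encrypt(self._master_key, data_key)

    def decrypt_data_key(self, wrapped):
        # Decrypt analogue: the only way to recover a data key from its wrapped form.
        if not self.enabled:
            raise PermissionError("master key is disabled")
        self.audit_log.append("Decrypt")
        return aead_decrypt(self._master_key, wrapped)

def encrypt_record(kms, plaintext):
    data_key, wrapped = kms.generate_data_key()
    ciphertext = aead_encrypt(data_key, plaintext)
    return wrapped, ciphertext   # plaintext data key is dropped; store only the wrapped copy

def decrypt_record(kms, wrapped, ciphertext):
    return aead_decrypt(kms.decrypt_data_key(wrapped), ciphertext)
```

Disabling the master key makes every wrapped data key unrecoverable until it is re-enabled, which is why the plaintext data key must never be persisted next to the data.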

AWS Key Management Service Crypto Properties

Tenant                         Multi-tenant
Standard                       FIPS 140-2 Level 2
Master Keys                    • Customer-owned master key
                               • AWS-managed master key
                               • AWS-owned master key
Crypto Key Types               • Symmetric – AES in XTS mode only
                               • Asymmetric – RSA, ECC
Crypto API                     AWS SDK/API for KMS
Access Authentication/Policy   AWS IAM policy
Key Accessibility              Accessible in multiple regions (keys cannot be used outside the region in which they were created)
High Availability              AWS managed service
Audit Capability               • CloudTrail
                               • CloudWatch
AWS KMS and AWS CloudHSM

AWS CloudHSM provides single-tenant key storage with FIPS 140-2 Level 3 compliance. CloudHSM gives you full control of your keys, including symmetric (AES), asymmetric (RSA), SHA-256, SHA-512, hash-based and digital signature (RSA) keys. AWS Key Management Service, on the other hand, is multi-tenant key storage that is owned and managed by AWS. AWS KMS supports Customer Master Keys for symmetric key encryption (AES-256-XTS) and asymmetric keys (RSA or elliptic curve (ECC)). If your organization's key management strategy for encryption will run on a single cloud service provider now and for the foreseeable future, AWS KMS provides the simplest environment to maintain. However, if you plan to take advantage of multiple cloud providers but do not wish to maintain the HSMs yourself, AWS CloudHSM may be the solution that lets your organization keep its encryption keys separate from the data on the other platforms being used.
