AWS CloudHSM is a cloud-based hardware security module that is customer-owned and managed. AWS CloudHSM acts as a single-tenant on hardware restricting it from being shared with other customers and applications. Organizations can utilize AWS CloudHSM for those wanting to use HSMs for administering and managing the encryption keys, but not having to worry about managing HSM Hardware in a data center.
AWS CloudHSM allows FIPS 140-2 Level 3 overall validated single-tenant HSM cluster in your Amazon Virtual Private Cloud (VPC) to store and use your keys. Complete control is given for users how keys are used through an authentication mechanism separate from AWS. AWS CloudHSM supports multiple use cases including the following: management of Public/Private key pairs for Public Key Infrastructure (PKI), Code & Document Signing, storing private keys for various services such as database, storage and web applications, storing keys for DRM solution. AWS CloudHSM will allow your organization to meet compliances of key management requirements with the use Hardware Security Modules supervised by AWS with the ability to incorporate multiple platforms to store keys.
Below is the table which summarizes the AWS Cloud HSM Crypto Properties
|AWS CloudHSMCrypto Properties|
AWS Key Management Services (KMS)AWS KMS allows for your organization to create and control keys for cryptographic operations. This includes key generation, storage, management, and auditing when in the process of encrypting/decrypting or digitally signing data for applications or across AWS services. AWS KMS allows ability of complete security through managed encryption keys across AWS platforms. Centralized key management gives the user a central point of control for managing keys and defining access policies throughout all integrated AWS services. With AWS KMS, you will have the ability to create a customer master key (CMK) generally known as a master key, use a master key, create and export a data key encrypted by a master key, enable/disable master keys, and audit the usage of master keys in AWS CloudTrail. AWS incorporates Master keys and Data keys. The Master key will not leave the AWS KMS service in an unencrypted form. With AWS KMS, specific access policies can be set for only trusted users that can use CMKs. In AWS KMS, Bring your own key (BYOK) feature is available to import your own key material into that CMK, however, the imported key material is supported only for symmetric CMKs in AES-256-XTS keys in PKCS#1 standard format. AWS KMS can be paired with AWS CloudHSM cluster to create the key material for a CMK that can be managed by AWS KMS service.
|AWS Key Management Service Crypto Properties|