AWS and AWS partners offer various options, such as AWS KMS, to protect your data in AWS. However, contractual, regulatory compliance, or corporate requirements for the security of an application or sensitive data might call for additional protection. AWS CloudHSM is a cloud-based, dedicated, single-tenant HSM that lets you add secure key storage and high-performance crypto operations to your applications on the AWS platform. It enables you to securely generate, store, manage, and protect encryption keys so that they are accessible only to you and to authorized users that you specify.

AWS CloudHSM is a fully managed service that automates time-consuming administrative tasks such as backups, software updates, hardware provisioning, and high availability. However, AWS does not have any access to configure, create, manage, or use your CloudHSM. You can quickly scale by adding or removing HSM capacity on demand with no upfront costs.

An HSM is a hardware device providing secure key storage and cryptographic operations inside a tamper-proof hardware appliance.

AWS CloudHSM runs in your VPC, as shown in the following figure, so it is secure by design: all VPC security features are available to secure your CloudHSM.


Figure 4: AWS CloudHSM
