AWS CloudHSM is a cloud-based hardware security module (HSM) that enables you to easily generate and use your own encryption keys on the AWS Cloud. With CloudHSM, you can manage your own encryption keys using FIPS 140-2 Level 3 validated HSMs. CloudHSM offers you the flexibility to integrate with your applications using industry-standard APIs, such as PKCS#11, Java Cryptography Extensions (JCE), and Microsoft CryptoNG (CNG) libraries. CloudHSM is also standards-compliant and enables you to export all of your keys to most other commercially available HSMs. It is a fully managed service that automates time-consuming administrative tasks for you, such as hardware provisioning, software patching, high availability, and backups. CloudHSM also enables you to scale quickly by adding and removing HSM capacity on demand, with no upfront costs.
We created the AWS Security & Compliance Center to publish information about the various reports, certifications, and independent attestations that we’ve earned and to provide you with additional information about the security features that we’ve built into AWS, including Identity and Access Management, Multi-Factor Authentication, Key Rotation, support for server-side and client-side encryption in Amazon S3, and SSL support in the Elastic Load Balancer. The Security & Compliance Center is also home to the AWS Risk and Compliance White Paper and the AWS Overview of Security Processes.
- Generate and use encryption keys on highly secure HSMs
- Pay as you go with no upfront costs
- Use an open HSM built on industry standards
- Keep control of your encryption keys
- Protect your keys with strong authentication
- Easy to manage
Generate and use encryption keys on highly secure HSMs
AWS CloudHSM enables you to generate and use your encryption keys on a FIPS 140-2 Level 3 compliant HSM. CloudHSM protects your keys with exclusive, single-tenant access to tamper-resistant HSMs in your own Amazon Virtual Private Cloud (VPC).
Pay as you go with no upfront costs
With AWS CloudHSM, you can start and stop your HSMs on demand to provision HSM capacity when and where you need it, with no upfront costs.
Use an open HSM built on industry standards
You can use AWS CloudHSM to integrate with custom applications using industry-standard APIs, such as PKCS#11, Java Cryptography Extensions (JCE), and Microsoft CryptoNG (CNG) libraries. You can also transfer your keys to other commercial HSM solutions, which makes it easy to migrate keys on or off AWS.
Keep control of your encryption keys
AWS CloudHSM provides you with access to your HSMs over a secure channel to create users and set HSM policies. The encryption keys that you generate and use with CloudHSM are accessible only by the HSM users that you specify. AWS has no visibility into or access to your encryption keys.
Protect your keys with strong authentication
AWS CloudHSM also supports quorum authentication for critical administrative and key management functions, and multi-factor authentication (MFA) using tokens you provide.
Easy to manage
AWS CloudHSM is a managed service that automates time-consuming administrative tasks for you, such as hardware provisioning, software patching, high availability, and backups. You can scale your HSM capacity quickly by adding and removing HSMs from your cluster on demand.