AWS CloudHSM is a single-tenant solution for secure storage of tokens, keys, and certificates. Customers get access to a dedicated HSM appliance, managed and monitored by AWS, and the HSMs are isolated inside the customer's private VPC.
Clusters are collections of individual HSMs kept in sync by AWS. Between 1 and 28 HSMs can be spread across a region's availability zones. The default limit is 6.
Administration of CloudHSM clusters is performed through a series of command line applications:
- cloudhsm_mgmt_util performs user management operations.
- key_mgmt_util allows managing stored keys.
- cloudhsmv2 (an AWS CLI command) manages clusters and individual HSMs.
- Helper tools (pkpspeed among them) let you sync configuration files with all the HSMs in a cluster and measure the performance of the underlying hardware.
Use as KMS custom key store
Note the following limitations:
- No support for asymmetric CMKs or asymmetric data key pairs.
- Imported key material isn't supported.
- Automatic key rotation can't be enabled for CMKs stored in a CloudHSM cluster.
If custom key stores meet your requirements, configure one as follows:
- Create a CloudHSM cluster with at least two active HSMs spread across two AZs.
- Create a dedicated crypto user account for KMS.
- From the KMS service, create a custom key store associated with the CloudHSM cluster.
- Connect KMS to the CloudHSM cluster.
Ensure that when creating CMKs you select the custom key store.
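The procedure above, as an added example that is not part of the original page or AWS's own tooling. It bundles two things a practitioner would want before creating the custom key store: a preflight check that the cluster actually satisfies the two-active-HSMs-in-two-AZs requirement (applied to a constructed describe-clusters response), a check that a planned CMK request respects the limitations listed above (symmetric only, HSM-generated material only, no automatic rotation), and the real boto3 call sequence for creating, connecting and using the key store. The cluster id, key store name and placeholder credentials are assumptions; the dedicated crypto user for KMS must already exist on the cluster (KMS expects it to be named kmsuser), which is done with cloudhsm_mgmt_util, not through this script.

```python
"""Preflight checks and call sequence for a KMS custom key store backed by CloudHSM.

Added example, not AWS documentation code. The field names follow the real
cloudhsmv2 DescribeClusters response (Clusters[].State, Hsms[].State,
Hsms[].AvailabilityZone) and the real boto3 KMS operations; run_setup() is
only executed when you call it with real credentials and a real cluster.
"""
import time
from collections import Counter

# Constructed sample of a DescribeClusters entry, trimmed to the fields used here.
SAMPLE_CLUSTER = {
    "ClusterId": "cluster-EXAMPLE",  # placeholder, not a real cluster id
    "State": "ACTIVE",
    "Hsms": [
        {"HsmId": "hsm-EXAMPLE1", "State": "ACTIVE", "AvailabilityZone": "us-east-1a"},
        {"HsmId": "hsm-EXAMPLE2", "State": "ACTIVE", "AvailabilityZone": "us-east-1b"},
    ],
}


def cluster_ready_for_kms(cluster: dict) -> tuple[bool, str]:
    """Step 1 of the page: KMS needs at least two ACTIVE HSMs in at least two AZs."""
    if cluster.get("State") != "ACTIVE":
        return False, f"cluster state is {cluster.get('State')!r}, expected ACTIVE"
    active = [h for h in cluster.get("Hsms", []) if h.get("State") == "ACTIVE"]
    if len(active) < 2:
        return False, f"only {len(active)} ACTIVE HSM(s); need at least 2"
    zones = Counter(h["AvailabilityZone"] for h in active)
    if len(zones) < 2:
        return False, f"active HSMs are all in {sorted(zones)}; need at least 2 AZs"
    return True, f"{len(active)} active HSMs across {len(zones)} AZs"


def check_cmk_request(key_spec: str, origin: str, enable_rotation: bool) -> list[str]:
    """Return the reasons a planned CMK violates the custom key store limitations.

    An empty list means the request is allowed. KeySpec/Origin use the real KMS
    enum values (e.g. SYMMETRIC_DEFAULT, RSA_2048; AWS_KMS, EXTERNAL, AWS_CLOUDHSM).
    """
    problems = []
    if key_spec != "SYMMETRIC_DEFAULT":
        problems.append(f"KeySpec {key_spec}: asymmetric CMKs are not supported in a custom key store")
    if origin != "AWS_CLOUDHSM":
        problems.append(f"Origin {origin}: key material must be generated in the CloudHSM cluster (no import)")
    if enable_rotation:
        problems.append("automatic key rotation cannot be enabled for CMKs in a custom key store")
    return problems


def run_setup(cluster_id: str, store_name: str, trust_anchor_pem: str,
              kmsuser_password: str, region: str, poll_seconds: int = 15) -> str:
    """Steps 3-5 of the page plus a first CMK; requires boto3 and AWS credentials."""
    import boto3  # imported here so the pure checks above run without boto3 installed

    hsm = boto3.client("cloudhsmv2", region_name=region)
    kms = boto3.client("kms", region_name=region)

    cluster = hsm.describe_clusters(Filters={"clusterIds": [cluster_id]})["Clusters"][0]
    ok, why = cluster_ready_for_kms(cluster)
    if not ok:
        raise RuntimeError(f"cluster {cluster_id} not ready: {why}")

    # Create the custom key store bound to the cluster. The trust anchor is the
    # customer CA certificate used when the cluster was initialized; the password
    # belongs to the dedicated crypto user KMS logs in as (named kmsuser).
    store = kms.create_custom_key_store(
        CustomKeyStoreName=store_name,
        CloudHsmClusterId=cluster_id,
        TrustAnchorCertificate=trust_anchor_pem,
        KeyStorePassword=kmsuser_password,
    )
    store_id = store["CustomKeyStoreId"]

    # Connecting is asynchronous: poll until the store reports CONNECTED.
    kms.connect_custom_key_store(CustomKeyStoreId=store_id)
    while True:
        desc = kms.describe_custom_key_stores(CustomKeyStoreId=store_id)["CustomKeyStores"][0]
        state = desc["ConnectionState"]
        if state == "CONNECTED":
            break
        if state == "FAILED":
            raise RuntimeError(f"connection failed: {desc.get('ConnectionErrorCode')}")
        time.sleep(poll_seconds)

    # Create a CMK in the custom key store; validate the request against the limitations first.
    plan = dict(key_spec="SYMMETRIC_DEFAULT", origin="AWS_CLOUDHSM", enable_rotation=False)
    if check_cmk_request(**plan):
        raise ValueError(check_cmk_request(**plan))
    key = kms.create_key(Origin="AWS_CLOUDHSM", CustomKeyStoreId=store_id,
                         KeySpec="SYMMETRIC_DEFAULT", Description="CMK backed by CloudHSM")
    return key["KeyMetadata"]["KeyId"]


if __name__ == "__main__":
    print(cluster_ready_for_kms(SAMPLE_CLUSTER))
    print(check_cmk_request("RSA_2048", "EXTERNAL", True))
```

The two check functions are pure and can be dropped into a CI job that reads `aws cloudhsmv2 describe-clusters` output before the key store is created; run_setup() is the only part that talks to AWS, and it refuses to proceed when the cluster does not meet the two-HSM, two-AZ requirement rather than letting the CreateCustomKeyStore call fail later.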