AWS CloudHSM is a single tenant solution for secure storage of tokens, keys, and certificates. Customers get access to a dedicated HSM appliance, managed and monitored by AWS. They're isolated in a customer's private VPC.

Clusters are collections of individual HSMs kept in sync by AWS. Between 1 and 28 HSMs can be spread across a region's availability zones. The default limit is 6.


Administration of CloudHSM clusters is performed through a series of command line applications:

  • cloudhsm_mgmt_util performs user management operations.
  • key_mgmt_util allows managing stored keys.
  • cloudhsmv2 for managing clusters and individual HSMs.
  • Helper tools configure and pkpspeed let you sync configuration files with all the HSMs in a cluster and measure performance of the underlying hardware.

Use as KMS custom key store

Note the following limitations:

  • No support for asymmetric CMKs or asymmetric data key pairs.
  • Imported key material isn't supported.
  • Automatic key rotation can't be enabled for CMKs stored in a CloudHSM cluster.

If custom key stores meet your requirements, configure one as follows:

  1. Create a CloudHSM cluster with at least two active HSMs spread across two AZs.
  2. Create a dedicated crypto user account for KMS.
  3. From the KMS service, create a custom key store associated with the CloudHSM cluster.
  4. Connect KMS to the CloudHSM cluster.

Ensure that when creating CMKs you select the custom key store.