HSM in the Cloud – AWS CloudHSM Solution

Published by Amy Nihad on


If you are using AWS Cloud services and require strong encryption, utilising your on-premise HSM may be impractical or undesirable. AWS CloudHSM is a FIPS 140-2 Level 3 certified Hardware Security Module deployed within the cloud under a Pay-As-You-Go (PAYG) charging model. AWS CloudHSM offers storage and generation of encryption keys within, and for use on, the AWS Cloud. CloudHSM integrates via standard APIs such as PKCS#11, JCE and CNG, providing multiple methods to give your applications access to cryptographic resources.

As with most cloud-based services, CloudHSM provides automation for many tasks, including provisioning, high availability and backups. CloudHSM provides on-demand capacity changes to enable easy scaling up and down based on projected demand, and is a PAYG service with no up-front costs. As CloudHSM is standards compliant, there is no need to worry about vendor lock-in, as you are able to export keys to most other vendors' Hardware Security Modules (subject to policy configuration).

Benefits of CloudHSM

Using a cloud-based HSM offers numerous benefits, a number of which are highlighted above and summarised here. CloudHSM offers a standards-based, security-industry-certified Hardware Security Module. Using a CloudHSM allows you to meet the requirements for regulations such as HIPAA and PCI just as if you were using an on-premise HSM. Although cloud based and provisioned by AWS, AWS has no access to or visibility of the keys generated or stored within the CloudHSM. If you use or plan to use the Key Management Service (KMS), the CloudHSM can be used to store the KMS master keys to ensure the KMS keys are controlled by your organisation.

  • No up-front Costs
  • FIPS 140-2 level 3 validated HSMs
  • Deploy secure, HIPAA, FedRAMP or PCI compliant workloads
  • Use an open HSM built on industry standards
  • As easy to manage and scale as any other cloud resource
  • Control AWS Key Management Service keys

CloudHSM: The Details

CloudHSMs are physical HSM appliances that are managed at the hardware level by AWS and are provisioned in your organisation's VPC. As the HSMs are provisioned into your VPC, you can utilise the common VPC security controls to manage access control. Applications that are hosted within the VPC benefit from local, low-latency access to the HSM via the HSM client software using authenticated SSL.

  • AWS managed Hardware Security Module Appliances
  • You control and manage your own keys, AWS has no access to these keys
  • Lower latency than an on-premise HSM for applications within the VPC
  • FIPS 140-2 Level 3 certified hardware available in multiple availability zones
  • HSM dedicated to your VPC with you as the single tenant
  • AWS monitors the HSM
  • Customer controls and manages key material and HSM access

CloudHSM Use Cases

CloudHSM can be used for many of the use cases that on-premise Hardware Security Modules are used for, giving cloud-based applications and workloads access to secure, tamper-proof cryptographic services.

Some common applications where digital keys are in use and the use of a HSM is appropriate are outlined below:

Software Code Signing

Software Code Signing enables software end users, or the systems on which the software is installed, to verify that software images and updates are from a legitimate source. Our Software Code Signing service is utilised by premium automotive manufacturers to verify the software that is deployed to numerous vehicle Electronic Control Units (ECUs). We utilise HSMs to offload the cryptographic operations used within our service and to store the digital key material.

Public Key Infrastructure (PKI)

In a PKI environment, a Hardware Security Module is commonly used to create, store and manage the asymmetric key pairs that are used by the Certification and Registration Authorities.

Secure Sockets Layer Connection Establishment

When processing large numbers of SSL connections, host CPU utilisation can become an issue where performance is critical. The RSA operations used in SSL are CPU intensive, as they require a number of large multiplication operations. To address these potential performance bottlenecks, these operations can be offloaded to a HSM.

Transparent Data Encryption

CloudHSM can currently be used to store the Encryption Master Key for TDE on Oracle databases, with support expected for SQL Server in the future.

Need help with your HSM?

KT Secure have extensive experience using and managing Hardware Security Modules. Whether you are looking for advice on how to use a HSM in your PKI infrastructure, want to offload your cryptographic operations to a HSM, or are looking for someone to deploy and manage your HSMs, we can help. Look here for more information about our HSM service offerings.

Although it may seem counter-intuitive for an organisation to outsource the management of its HSMs to a third party, there are numerous business benefits:

  • Staff costs saved on both initial training and ongoing certifications
  • Allows key staff to spend less time on admin-related tasks and focus on higher-end business processes
  • Utilising an external supplier may provide more rapid deployment and business agility than internal resources
  • Ability to leverage external experience in best practices, process definitions and documentation support
  • Reduces vendor or solution tie-in by utilising external expertise