AWS – CloudHSM

CloudHSM (Hardware Security Module): This is essentially the name of a dedicated physical machine that is seperate from all the other AWS hardware, and it is used to store encryption keys. If an outside party gains access to these keys, then your AWS infrastructure is compromised. Hence even AWS employees don’t have physical access to CloudHSM since they are locked in specially controlled rooms that is seperate from the rest of the AWS AZ’s hardware.

These keys are only used from inside the CloudHSM device itself. Because of this, the CloudHSM is responsible for decrypting data it receives, and decrypting data it sends out. CloudHSM has an API that all your other AWS resources can interact with. All the AWS resources that can interact with CloudHSM are referred to as “CloudHSM clients”. Therefore if our application needs data to be decrypted/encrypted then it interacts with CloudHSM via the api to get this done.

The CloudHSM devise has a lot of advanced logging feature to make it tamper resistant, and to let you know if it has been compromised.


The whole concept of CloudHSM exists to satisfy vairous security requirements of certain industries, e.g. government security requirements, banking security requirements, and online retail compliance (PCI compliance).

CloudHSM can be single point of failure, that’s why you should have at least 2 CloudHSM devices, one in each AZ.

Here are some of the different types of keys CloudHSM can be used to store:

  • Filesystem encryption keys
  • database encryption keys
  • Digital Rights Management (DRM) related keys
  • S3 related encryption keys