Toggle Nav

Amazon AWS CloudHSM

In stock
SKU:
AWS CloudHSM
  • 24×7 remote and on-site support
  • Multi-vendor solutions & services
  • Local billing in 33+ countries
  • Competitive Price

AWS CloudHSM is a cloud-based hardware security module (HSM) that enables you to easily generate and use your own encryption keys on the AWS Cloud. With CloudHSM, you can manage your own encryption keys using FIPS 140-2 Level 3 validated HSMs. CloudHSM offers you the flexibility to integrate with your applications using industry-standard APIs, such as PKCS#11, Java Cryptography Extensions (JCE), and Microsoft CryptoNG (CNG) libraries.

CloudHSM is standards-compliant and enables you to export all of your keys to most other commercially-available HSMs, subject to your configurations. It is a fully-managed service that automates time-consuming administrative tasks for you, such as hardware provisioning, software patching, high availability, and backups. CloudHSM also enables you to scale quickly by adding and removing HSM capacity on-demand, with no up-front costs.

Benefits

  • Generate and use encryption keys on FIPS 140-2 level 3 validated HSMs

AWS CloudHSM enables you to generate and use your encryption keys on FIPS 140-2 Level 3 validated hardware. CloudHSM protects your keys with exclusive, single-tenant access to tamper-resistant HSM instances in your own Amazon Virtual Private Cloud (VPC).

  • Deploy secure, compliant workloads

Utilizing HSMs as the root of trust helps you demonstrate compliance with security, privacy, and anti-tamper regulations such as HIPAA, FedRAMP, and PCI. AWS CloudHSM enables you to build secure, compliant workloads with high reliability and low latency, using HSM instances in the AWS cloud.

  • Use an open HSM built on industry standards

You can use AWS CloudHSM to integrate with custom applications using industry-standard APIs, such as PKCS#11, Java Cryptography Extensions (JCE), and Microsoft CryptoNG (CNG) libraries. You can also transfer your keys to other commercial HSM solutions to make it easy for you to migrate keys on or off of AWS.

  • Keep control of your encryption keys

AWS CloudHSM provides you access to your HSMs over a secure channel to create users and set HSM policies. The encryption keys that you generate and use with CloudHSM are accessible only by the HSM users that you specify. AWS has no visibility or access to your encryption keys.

  • Easy to manage and scale

AWS CloudHSM automates time-consuming HSM administrative tasks for you, such as hardware provisioning, software patching, high availability, and backups. You can scale your HSM capacity quickly by adding and removing HSMs from your cluster on-demand. AWS CloudHSM automatically load balances requests and securely duplicates keys stored in any HSM to all of the other HSMs in the cluster.

  • Control AWS KMS keys

You can configure AWS Key Management Service (KMS) to use your AWS CloudHSM cluster as a custom key store rather than the default KMS key store. With a KMS custom key store you benefit from the integration between KMS and AWS services that encrypt data while retaining control of the HSMs that protect your KMS master keys. KMS custom key store gives you the best of both worlds, combining single-tenant HSMs under your control with the ease of use and integration of AWS KMS.

How it works

product-page-diagram_AWS-CloudHSM_HIW

Use cases

  • Offload the SSL processing for web servers

Secure Sockets Layer (SSL) and Transport Layer Security (TLS) are used to confirm the identity of web servers and establish secure HTTPS connections over the Internet. You can use AWS CloudHSM to offload SSL/TLS processing for your web servers. Using CloudHSM for this processing reduces the burden on your web server and provides extra security by storing your web server's private key in CloudHSM.

product-page-diagram_CloudHSM_offload-ssl

  • Protect private keys for issuing certificate authority (CA)

In a public key infrastructure (PKI), a certificate authority (CA) is a trusted entity that issues digital certificates. These digital certificates are used to identify a person or organization. You can use AWS CloudHSM to store your private keys and sign certificate requests so that you can securely act as an issuing CA to issue certificates for your organization.

product-page-diagram_CloudHSM_ca-1

  • Enable Transparent Data Encryption (TDE) for Oracle databases

You can use AWS CloudHSM to store the Transparent Data Encryption (TDE) master encryption key for your Oracle database servers that support TDE. Support for SQL Server is coming soon. With TDE, supported database servers can encrypt data before storing it on disk. Please note Amazon RDS for Oracle does not support TDE with CloudHSM; you should use AWS Key Management Service for this use case.

product-page-diagram_CloudHSM_database

AWS CloudHSM is a cloud-based hardware security module (HSM) that allows you to easily add secure key storage and high-performance crypto operations to your AWS applications. CloudHSM has no upfront costs and provides the ability to start and stop HSMs on-demand, allowing you to provision capacity when and where it is needed quickly and cost-effectively. CloudHSM is a managed service that automates time-consuming administrative tasks, such as hardware provisioning, software patching, high availability, and backups.

CloudHSM is one of several AWS services, including AWS Key Management Service (KMS), which offer a high level of security for your cryptographic keys. KMS provides an easy, cost-effective way to manage encryption keys on AWS that meets the security needs for the majority of customer data. CloudHSM offers customers the option of single-tenant access and control over their HSMs.

Key features

  • Tamper-resistant and FIPS 140-2 Level 3 compliant HSMs

AWS CloudHSM offers single-tenant access to tamper-resistant HSMs that comply with the U.S. Government’s FIPS 140-2 Level 3 standard for cryptographic modules.

  • Scalable HSM capacity

AWS CloudHSM makes it easy to scale your HSM capacity. You can add and remove HSMs on-demand using the AWS Management Console and AWS API.

  • Open solution

AWS CloudHSM is an open solution that eliminates vendor lock-in. With CloudHSM, you can transfer your keys to other commercial HSM solutions to make it easy for you to migrate keys on or off of the AWS Cloud.

  • Industry-standard APIs

AWS CloudHSM offers integration with custom applications via industry-standard APIs and supports multiple programming languages, including PKCS#11, Java Cryptography Extensions (JCE), and Microsoft CryptoNG (CNG) libraries.

  • Secure authentication

AWS CloudHSM supports quorum authentication for critical administrative and key management functions. CloudHSM also supports multi-factor authentication (MFA) using tokens you provide.

  • AWS-managed infrastructure

AWS CloudHSM is a managed service that automates time-consuming administrative tasks, such as hardware provisioning, software patching, high availability, and backups.

Secure and highly-available by design

  • Secure VPC access

AWS CloudHSM runs in your own Amazon Virtual Private Cloud (VPC), enabling you to easily use your HSMs with applications running on your Amazon EC2 instances. With CloudHSM, you can use standard VPC security controls to manage access to your HSMs. Your applications connect to your HSMs using mutually authenticated SSL channels established by your HSM client software. Since your HSMs are located in Amazon datacenters near your EC2 instances, you can reduce the network latency between your applications and HSMs versus an on-premises HSM.

A: AWS manages the hardware security module (HSM) appliance, but does not have access to your keys

B: You control and manage your own keys

C: Application performance improves (due to close proximity with AWS workloads)

D: Secure key storage in tamper-resistant hardware available in multiple Availability Zones (AZs)

E: Your HSMs are in your Virtual Private Cloud (VPC) and isolated from other AWS networks.

CloudHSM_Diagrams_2-final

  • Separation of duties

Separation of duties and role-based access control is inherent in the design of the AWS CloudHSM. AWS monitors the health and network availability of your HSMs but is not involved in the creation and management of the key material stored within your HSMs. You control the HSMs and the generation and use of your encryption keys.

CloudHSM_Diagrams_3 copy

  • Load balancing and high availability

AWS CloudHSM automatically load balances requests and securely duplicates keys stored in any HSM to all of the other HSMs in the cluster. This provides additional cryptographic capacity and improves the durability of the keys. By storing multiple copies of your keys across HSMs located in different Availability Zones (AZs), your keys will be available and protected in the event that a single HSM becomes unavailable. Using at least two HSMs across multiple AZs is Amazon’s recommended configuration for availability and durability.

CloudHSM_Diagrams_1-b

AWS CloudHSM Client load balances requests and securely replicates key material among participating HSMs in the cluster.

Related Products

Custom Solutions
Competative Prices
Global Logistics
24*7*365 Support