AWS KMS

AWS CloudHSM key stores

  • AWS CloudHSM: managed hardware security module (HSM) in the AWS cloud

  • For most users, the default AWS KMS key store fulfils their security requirements. There is no need to add an extra layer of maintenance responsibility or a dependency on an additional service.

  • You might consider creating a custom key store if your organisation has any of the following requirements:

    • you have keys that are explicitly required to be protected in a single-tenant HSM or in an HSM that you have direct control over
    • you need the ability to immediately remove key materials from AWS KMS
    • you need to be able to audit all use of your keys independently of AWS KMS or AWS CloudTrail
  • An AWS CloudHSM key store is a custom key store backed by an AWS CloudHSM cluster. When you create an AWS KMS key in a custom key store, AWS KMS generates and stores non-extractable key material for the KMS key in an AWS CloudHSM cluster that you own and manage.

  • Each custom key store is associated with an AWS CloudHSM cluster in your AWS account
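
The provisioning flow the notes describe (register the cluster as a custom key store, connect it, then create a KMS key whose material is generated inside your HSMs) as an added AWS CLI example; this is not code from the page or from AWS. It assumes an already initialised and active CloudHSM cluster whose ID is in `CLUSTER_ID`, the cluster's trust anchor certificate saved as `customerCA.crt`, and the `kmsuser` crypto user's password in `KMSUSER_PASSWORD`; the store name `payments-hsm-store` and the key description are made up for illustration.

```shell
#!/bin/sh
# Added example (not from the original page): provisioning an AWS CloudHSM
# key store with the AWS CLI. Assumptions: the CloudHSM cluster is initialised
# and active, customerCA.crt (the cluster's trust anchor) is on disk, and the
# 'kmsuser' crypto user exists with the password given in KMSUSER_PASSWORD.
set -eu

# Every real call goes through $AWS so a dry run or test can substitute a stub
# (e.g. AWS_CLI="aws --profile security-prod").
AWS="${AWS_CLI:-aws}"

# Step 1: register the cluster as a custom key store. Prints the key store ID.
create_cloudhsm_key_store() {
    store_name=$1; cluster_id=$2; trust_anchor=$3; password=$4
    $AWS kms create-custom-key-store \
        --custom-key-store-name "$store_name" \
        --cloud-hsm-cluster-id "$cluster_id" \
        --trust-anchor-certificate "file://$trust_anchor" \
        --key-store-password "$password" \
        --query CustomKeyStoreId --output text
}

# Step 2: connect the key store and poll until KMS reports CONNECTED.
# Connecting normally takes minutes, so never assume it succeeded.
connect_and_wait() {
    store_id=$1; attempts=${2:-30}
    $AWS kms connect-custom-key-store --custom-key-store-id "$store_id" >/dev/null
    while [ "$attempts" -gt 0 ]; do
        state=$($AWS kms describe-custom-key-stores \
            --custom-key-store-id "$store_id" \
            --query 'CustomKeyStores[0].ConnectionState' --output text)
        case "$state" in
            CONNECTED) echo "$state"; return 0 ;;
            FAILED)    echo "$state"; return 1 ;;
        esac
        attempts=$((attempts - 1))
        sleep 10
    done
    echo TIMEOUT; return 1
}

# Step 3: create a KMS key in the store. --origin AWS_CLOUDHSM is what makes
# KMS generate the non-extractable key material inside your cluster instead
# of in the default KMS key store. Prints the key ID.
create_hsm_backed_key() {
    store_id=$1; description=$2
    $AWS kms create-key \
        --origin AWS_CLOUDHSM \
        --custom-key-store-id "$store_id" \
        --description "$description" \
        --query KeyMetadata.KeyId --output text
}

# Emergency lever: disconnecting the store blocks all cryptographic use of
# every KMS key in it immediately. It does not delete the key material in
# the HSMs; that is a separate action on the cluster itself.
disconnect_key_store() {
    $AWS kms disconnect-custom-key-store --custom-key-store-id "$1" >/dev/null
}

main() {
    cluster_id=${CLUSTER_ID:?set CLUSTER_ID to your CloudHSM cluster ID}
    password=${KMSUSER_PASSWORD:?set KMSUSER_PASSWORD to the kmsuser CU password}
    store_id=$(create_cloudhsm_key_store payments-hsm-store "$cluster_id" customerCA.crt "$password")
    echo "custom key store: $store_id"
    connect_and_wait "$store_id"
    key_id=$(create_hsm_backed_key "$store_id" "payments signing key (CloudHSM-backed)")
    echo "KMS key in CloudHSM key store: $key_id"
}

# Only run the workflow when asked, so the file can be sourced without side effects.
if [ "${RUN_EXAMPLE:-0}" = "1" ]; then
    main
fi
```

Run it with `RUN_EXAMPLE=1 CLUSTER_ID=... KMSUSER_PASSWORD=... sh provision.sh`. The check worth keeping from this script is the poll in `connect_and_wait`: a key store that is still `CONNECTING` or has gone to `FAILED` silently breaks every `create-key` and cryptographic call against it, so automation should gate on `CONNECTED` rather than on the connect call returning.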