AWS KMS
AWS CloudHSM key stores
-
AWS CloudHSM: managed hardware security module (HSM) in the AWS cloud
-
For most users, the default AWS KMS key store fulfils their security requirements. There is no need to add an extra layer of maintenance responsibility or a dependency on an additional service.
-
You might consider creating a custom key store if your organisation has any of the following requirements:
- you have keys that are explicitly required to be protected in a single-tenant HSM, or in an HSM that you have direct control over
- you need the ability to immediately remove key materials from AWS KMS
- you need to be able to audit all use of your keys independently of AWS KMS or AWS CloudTrail
-
An AWS CloudHSM key store is a custom key store