AWS CloudHSM
💡 Definition
AWS CloudHSM is a cloud-based hardware security module (HSM) that enables you to easily generate and use your own encryption keys on the AWS Cloud. It provides dedicated, single-tenant HSM appliances within your VPC.
🔑 Key Concepts
- HSM (Hardware Security Module): A physical computing device that safeguards and manages digital keys and performs encryption and decryption functions.
- Single-Tenant: The HSM appliance is dedicated to a single customer, providing a high level of security and isolation.
- FIPS 140-2 Compliance: Meets U.S. government standards for cryptographic modules.
- Customer-Controlled Keys: You have exclusive control over the generation and management of your cryptographic keys. AWS cannot access your keys.
⚙️ How it Works
- Create Cluster: You provision a CloudHSM cluster within your VPC.
- Generate Keys: You connect to the HSM and generate your keys.
- Integrate Application: Your applications use the CloudHSM client to interact with the HSM for cryptographic operations.
🎯 Use Cases
- Regulatory Compliance: Meeting strict compliance requirements that mandate the use of dedicated HSMs (e.g., PCI-DSS, HIPAA).
- Offloading SSL/TLS Processing: For web servers, improving performance by handling SSL/TLS processing on the HSM.
- Protecting Private Keys: Storing private keys for a Public Key Infrastructure (PKI) or Certificate Authority (CA).
💰 Pricing Model
- Hourly Fee: You are charged an hourly fee for each HSM instance that you launch.
📝 Exam Tips (CLF-C02)
- Keywords: "Hardware Security Module", "Dedicated HSM", "FIPS 140-2".
- Provides single-tenant, dedicated hardware for key storage.
- Contrasts with KMS, which is a multi-tenant, managed service. Use CloudHSM when you need more control and to meet stricter compliance mandates than KMS provides.