aws kms vs cloudhsm


Let’s talk about CloudHSM, also doing a comparative, AWS KMS vs CloudHSM. In my previous post, we cover a lot about AWS KMS, and examples of how to use the command line.

So we have situations where data protection solutions that handle encryption keys or digital signatures demanding the use of private keys are critical.

What is AWS CloudHSM?

Hardware Security Modules or HSMs provide a tamper-resistant environment for handling these keys.

In this article, we’re going to discuss CloudHSM, which is an Amazon product too, and similar to KMS.

Two situations where your encryption keys are subordinate to corporate or regulatory requirements and therefore require validated authority.

Thus CloudHSM is a dedicated hardware security module product.

It adjusts to FIPs 140-2 level 3.

The FIPS is a U.S. Government computer security standard.

That’s used to validate cryptographic modules, and it has diverse different agreement levels.

So, compliance level 3 is where physical protection mechanisms might require the use of vital information and tamper detection or response systems that zero out the whole of your plain text cryptographic protection providers when the removable doors or protection of the cryptographic module within opened up. 

Besides that, remember when we discussed KMS? KMS is level two compliant, which means it requires to exhibit proof of tampering.

What is the difference between the KMS and CloudHSM?

The difference between KMS and CloudHSM is that you control your keys with CloudHSM.

CloudHSM gives a single-tenant multi-AZ cluster, and it’s exclusive to you.

KMS is multitenant; however, it uses HSMs within, but those are distributed over customer accounts, so it’s not exclusive only for you.

So, because it’s a managed service, you don’t possess any access to the AWS-managed component of CloudHSM.

Instead, you hold control above your access keys, and AWS themselves don’t have any access to your keys, and CloudHSM works inside a VPC in your account.

We’ll talk more about the architecture in just a second. 


So like I said, CloudHSM is a single-tenant dedicated hardware solution that works in a multi-AZ cluster for high availability. It additionally operates with industry-standard APIs. Unfortunately, there are no AWS APIs available for CloudHSM.

So if you have software productions that demand compliance with PKCS11Java cryptography extensions (JCE), or Microsoft crypto (NG), CloudHSM is the product for you.

Furthermore, see that you have to hold your keys secure with CloudHSM.

If you lose your keys, they’re unrecoverable.

Then now, let’s analyze the architecture for CloudHSM.

How is CloudHSM Deployed

You primary need to build a cluster either on your current VPC or a new VPC. So how this operates is that CloudHSM will work inside its VPC, devoted to CloudHSM from a safety isolation viewpoint, CloudHSM will extend ENIs or elastic network interfaces within the VPC of your choice.

And this is how your applications interact with the CloudHSM cluster within which you’ll build particular instances of HSMs.

It’s worth remembering that CloudHSM is not highly available by default.

You’ll need to provision HSMs over availability zones explicitly.

CloudHSM use cases: CloudHSM Multi AZ

The CloudHSM on multi-AZ cluster for high availability
The CloudHSM on multi-AZ cluster for high availability

If any of these HSMs fail or AZ becomes unavailable, you’ll yet have the other HSM instances.

The best approach, you’ll want to put one HSM by a subnet in each availability zone with a minimum of 2 AZs, as you notice on the diagram above, which is what’s prescribed by AWS. 


You know now that if you have severe regulatory compliance obligations or FIPs 140-2 level 3 for your environment or product, you’ll plausibly need to pick CloudHSM.

In our topic AWS KMS vs CloudHSM, we saw that those services are almost equal.

So that’s about all I needed to cover on CloudHSM. If you have any comments, feel free to reach out. 

2 thoughts on “AWS KMS vs CloudHSM”

  1. The doc for cloudHSM includes instructions for how to use it with Oracle’s TDE (transparent data encryption). I didn’t find similar instructions for AWS KMS. Do you know if AWS KMS can be used as the key provider for Oracle database running on AWS EC2 instance that use TDE for encryption?

    1. AWS KMS provides a way to create and manage cryptographic keys and control their use across a wide range of AWS services and in your applications. However, for on-premises databases like Oracle running on EC2 instances, AWS CloudHSM might be a more suitable choice. CloudHSM is a cloud-based hardware security module (HSM) that enables you to easily generate and use your encryption keys on the AWS Cloud.

      Oracle TDE typically requires an HSM to secure its encryption keys. CloudHSM integrates with Oracle databases, making it possible to store TDE master encryption keys in a CloudHSM cluster.

      You might be able to create a solution where you use AWS KMS to protect the keys you then use with Oracle TDE, but that would likely require significant custom development work, and it wouldn’t be a direct, out-of-the-box integration like you have with CloudHSM.

      For the most up-to-date and specific information, I recommend reaching out to AWS support or consulting the latest AWS and Oracle documentation, as new features and integrations may have been introduced since my training data was last updated.

Leave a Comment

Your email address will not be published. Required fields are marked *

Free PDF with a useful Mind Map that illustrates everything you should know about AWS VPC in a single view.