CloudHSM

Introduction

  • A cloud-based hardware security module (HSM)

  • The encryption keys are generated and managed by you, not by AWS.

Features

  • Tamper resistant: the HSMs are validated to FIPS 140-2 Level 3.

  • Supports both symmetric and asymmetric keys (for example SSL/TLS private keys).

  • Not available in free tier

  • Keys and users are managed with the CloudHSM client software (CloudHSM CLI / management utilities, or the PKCS#11, JCE and KSP libraries), not with the AWS CLI / API. The AWS API only manages the cluster and its HSM instances; it never sees key material.

    • Manage keys

    • Manage users

  • Redshift supports CloudHSM for database encryption and key management

  • Good fit for S3 SSE-C (server-side encryption with customer-provided keys), because the key is one you control rather than an AWS-managed key.

  • A CloudHSM cluster can contain multiple HSMs spread across multiple Availability Zones for high availability and durability; keys and users are kept synchronized across the HSMs in the cluster.

Scenario

  • If ELB cannot be used for SSL/TLS termination (for example because TLS must be end-to-end to the instance), each EC2 instance has to hold the server's private key and run the handshake itself. That costs CPU and leaves the private key on the instance's disk. CloudHSM SSL/TLS offload (SSL acceleration) covers this case: the private key is generated and kept inside the HSM, and the web server calls the HSM for the handshake's private-key operation. On Linux, NGINX and Apache HTTP Server integrate through the CloudHSM OpenSSL Dynamic Engine.
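As an added example (not taken from the original page or from AWS documentation), here is a minimal nginx.conf for the offload scenario above. It assumes the CloudHSM OpenSSL Dynamic Engine is installed on the instance, that a Crypto User's credentials reach the nginx process through the engine's environment variable (Client SDK 5 uses CLOUDHSM_PIN="user:password"; older SDK 3 used n3fips_password, so check the variable name against your SDK version), and that the key file is the "fake PEM" written by `openssl genrsa -engine cloudhsm -out /etc/pki/tls/private/web_server_fake.key 2048` and then used for the CSR with `openssl req -engine cloudhsm -new -key ...`. Hostname and paths are placeholders.

```nginx
# Added example: NGINX TLS offload to CloudHSM (not from the page or from AWS).
# Assumptions: CloudHSM OpenSSL Dynamic Engine installed; Crypto User credentials
# exported to the nginx process as CLOUDHSM_PIN="user:password" (SDK 5 name;
# SDK 3 used n3fips_password); key file below is the fake PEM handle produced by
# `openssl genrsa -engine cloudhsm`. Hostname and paths are placeholders.

ssl_engine cloudhsm;   # main context: load the CloudHSM engine once at startup

events { worker_connections 1024; }

http {
    server {
        listen 443 ssl;
        server_name example.com;

        # Public certificate issued for the CSR that was signed with the engine key.
        ssl_certificate     /etc/pki/tls/certs/web_server.crt;

        # Fake PEM: contains no key material, only a reference to the key object
        # inside the HSM. The handshake's private-key operation runs in the HSM,
        # so a compromised instance yields no usable private key.
        ssl_certificate_key /etc/pki/tls/private/web_server_fake.key;

        ssl_protocols TLSv1.2 TLSv1.3;
        ssl_prefer_server_ciphers on;
        ssl_session_cache shared:SSL:10m;

        location / { return 200 "TLS terminated with a CloudHSM-held key\n"; }
    }
}
```

Two checks worth doing: `ssl_engine` must sit in the main context, not inside `http`, or nginx refuses the config; and the credential variable has to be visible to the nginx worker processes, so run `nginx -t` and the service itself with that variable set (for systemd, an EnvironmentFile on the unit is the usual way) rather than only in your interactive shell. If the fake PEM is ever replaced by a real private key on disk, the offload protection is gone even though the config still works, so treat that file's contents as a thing to verify, not just its path.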
