AWS CloudHSM Cheat Sheet

Last updated on November 30, 2025

Bookmarks

Offload SSL/TLS Processing: Perform SSL termination for web servers (e.g., NGINX, Apache) securely within the HSM.
Certificate Authority (CA): Protect the private keys of an issuing CA (Public Key Infrastructure).
TDE (Transparent Data Encryption): Store encryption keys for Oracle Database TDE or SQL Server TDE.
Digital Rights Management (DRM): Protect copyright and license keys.

Clusters

High Availability: You can create a cluster with 1 to 28 HSMs. For high availability, you must place HSMs in different Availability Zones (AZs).
Load Balancing: Requests are automatically load-balanced across all HSMs in the cluster.
Instance Types: The legacy hsm1.medium is being deprecated. New clusters use hsm2m.medium.

Backups

Automated: CloudHSM performs periodic backups of the cluster (users, keys, policies).
Retention: Default retention is 90 days.
Security: Backups are encrypted with a unique, ephemeral key generated by the HSM itself. AWS cannot decrypt your backups.
Restoration: You can restore a cluster from a backup to a new cluster (e.g., for disaster recovery or cloning to another region).

HSM Users CloudHSM uses its own internal user management, distinct from AWS IAM.

Precrypto Officer (PRECO): A temporary user found on a newly provisioned HSM. Used solely to create the first Crypto Officer.
Crypto Officer (CO): Performs user management (creating/deleting users). Can change passwords but cannot perform cryptographic operations or use keys.
Crypto User (CU): Performs cryptographic operations (encrypt, decrypt, sign) and manages keys. This is the user your application uses.
Appliance User (AU): A system user used by AWS for synchronization and cloning. You cannot log in as the AU.

Quorum Authentication (M of N)

- Supports multi-factor authentication (MFA) logic where M number of approvers out of N total users must authorize a sensitive administrative action (e.g., deleting a cluster).

Keys

Session Keys: Ephemeral keys that exist only in memory while the application is connected. Faster performance but lost upon disconnection.
Token Keys: Persistent keys stored on the HSM’s hardware. Automatically synchronized to all HSMs in the cluster.

CLI Tools

Modern Tool (Client SDK 5)

CloudHSM CLI (cloudhsm-cli): The primary unified tool. It creates a shell-like interactive environment to manage both users (CO tasks) and keys (CU tasks).

Legacy Tools (Client SDK 3)

CloudHSM Management Utility (cloudhsm_mgmt_util / CMU): Used by Crypto Officers to manage users.
Key Management Utility (key_mgmt_util / KMU): Used by Crypto Users to manage keys.

AWS CloudTrail: Logs API calls made to the AWS CloudHSM service (e.g., CreateCluster, DeleteHsm, InitializeCluster).
Amazon CloudWatch Logs: Captures the HSM Audit Logs. This is the only place to see internal HSM activity, such as:
- User logins (CO/CU).
- Key generation/deletion events.
- Crypto operations (if enabled).
Client SDK Logging: Diagnostic logs from the client software running on your EC2 instances.

Key CloudWatch Metrics:

Hourly Fee: You are charged an hourly rate for each HSM you launch.
Note: If you have 2 HSMs for High Availability, you pay double the hourly rate.
No Upfront Cost: There is no termination fee, but you pay for the full hour if an instance is running for only part of it.
Backups: No charge for the backup storage service (stored in an S3 bucket owned by AWS).