• A computing device that enables you to provision and manage your own single-tenant HSMs for the generation and use of encryption keys.

  • A hardware security module (HSM) performs cryptographic operations and provides secure storage for cryptographic keys.

  • You can perform the following cryptographic tasks:

    • Generate, store, import, export, and manage cryptographic keys.

    • Use symmetric and asymmetric algorithms to encrypt and decrypt your data.

    • Compute message digests and hash-based message authentication codes using cryptographic hash functions.

    • Cryptographically sign data and verify signatures.

    • You can generate cryptographically secure random data.

Tutorials dojo strip

Use Case

  • Offload SSL/TLS processing for web servers.

  • Protect private keys for an issuing certificate authority (CA).

  • Enable transparent data encryption (TDE) for Oracle databases.


  • Clusters

    • A collection of individual HSMs.

    • Other HSMs are automatically kept up to date, when you perform a task on one HSM in a cluster.

    • You can create a cluster that has 1 to 28 HSM and place the HSMs in different AZs in a region.

    • Cluster provides higher performance as you add more HSMs.

    • When you add a new HSM to a cluster:

      • AWS CloudHSM backup all the keys, users, and policies on an existing HSM.

      • Restores the backup onto the new HSM to keep HSMs in sync.

    • Supports cluster load balancing.

  • Backups

    • You can do periodic backups of users, keys, and policies in your cluster.

    • Backups are stored in an S3 bucket in the same region as your cluster.

    • Default backup retention policy for a cluster is 90 days.

    • You can only restore backups onto AWS-owned HSMs made by the same manufacturer.

    • Supports copying of backups across AWS regions.

    • The HSM encrypts all data using ephemeral backup key (EBK) before sending it to CloudHSM.

    • To encrypt the EBK, the HSM will use a persistent backup key (PBK).

    • Generate a PBK with a key derivation function (KDF). The inputs to the KDF include the following:

      • Manufacturer key backup key (MKBK)

      • AWS key backup key (AKBK)

  • HSM users

    • HSM users are distinct from IAM users.

    • To create and manage users on HSM, you need a CloudHSM Management Utility (CMU).

    • An HSM user has a type that defines which operations they can perform on HSM.

      • Precrypto officer (PRECO) – temporary user on the first HSM in a cluster.

      • Crypto officer (CO | PCO) – performs user management operations and supports 2FA.

      • Crypto user (CU) – performs key management and cryptographic operations.

      • Appliance user (AU) – performs cloning and synchronization operations.

    • Supports quorum authentication.

  • Keys

    • Only a CU can create a key in CloudHSM.

    • You can use the following to manage keys on HSM:

      • PKCS #11 library

      • JCE provider

      • CNG and KSP providers

      • key_mgmt_util

    • Use syncKey command in CMU to synchronize keys between clusters.

  • CLI tools

    • CloudHSM Management Utility (CMU)

      • The cloudhsm_mgmt_util helps COs manage users in HSMs.

      • It also has a command that allows CUs to share keys, get and set key attributes.

    • Key Management Utility (KMU)

      • A key_mgmt_util allows CUs to manage keys on HSMs.

  • Supports tagging of CloudHSM resources.


  • To monitor diagnostic and troubleshooting information from applications you create, use Client SDK logging.

  • If you want to monitor API calls like creation & deletion of clusters, HSM, and resource tags, use AWS CloudTrail.

  • With Amazon CloudWatch, you can monitor the following:

    • Health of cluster

    • Logs from HSM instances


  • You are charged per hour for each HSM you launch.


Tutorials Dojo portal

FREE AWS Exam Readiness Digital Courses

Enroll Now – Our Azure Certification Exam Reviewers

azure reviewers tutorials dojo

Enroll Now – Our Google Cloud Certification Exam Reviewers

Tutorials Dojo Exam Study Guide eBooks

tutorials dojo study guide eBook

Subscribe to our YouTube Channel

Tutorials Dojo YouTube Channel

FREE Intro to Cloud Computing for Beginners

FREE AWS, Azure, GCP Practice Test Samplers

Browse Other Courses

Generic Category (English)300x250

Recent Posts

AWS, Azure, and GCP Certifications are consistently among the top-paying IT certifications in the world, considering that most companies have now shifted to the cloud. Earn over $150,000 per year with an AWS, Azure, or GCP certification!

Follow us on LinkedIn, YouTube, Facebook, or join our Slack study group. More importantly, answer as many practice exams as you can to help increase your chances of passing your certification exams on your first try!

View Our AWS, Azure, and GCP Exam Reviewers Check out our FREE courses

Our Community

passing rate
Around 95-98% of our students pass the AWS Certification exams after training with our courses.
Over 200k enrollees choose Tutorials Dojo in preparing for their AWS Certification exams.
Our courses are highly rated by our enrollees from all over the world.

What our students say about us?