AWS CloudHSM is a security service that offers isolated hardware security module (HSM) appliances to give customers an extra level of protection for data with strict corporate, contractual and regulatory compliance requirements. The AWS CloudHSM service provides single-tenant access to each HSM within an Amazon Virtual Private Cloud (VPC). AWS bills an upfront fee for each instance, plus an hourly fee until the administrator terminates the instance.

AWS CloudHSM uses SafeNet Luna SA 7000 HSM appliances, which contain both tamper detection and response mechanisms to protect encryption keys. After three unsuccessful attempts to access an HSM partition with HSM administrator credentials, the appliance erases its partitions. It can also stop and restart after 10 minutes in the event of a tampering attempt. The service supports two software and firmware options from SafeNet: 5.1.5/6.2.1, which is validated under the Federal Information Processing Standard (FIPS), and 5.3.5/6.10.2, a FIPS candidate. The administrator is responsible for maintaining firmware and software.

Administrators provision CloudHSM instances through the AWS software development kit, application programming interface (API) or the CloudHSM command-line interface. They start by first creating cryptographic partitions on the appliance. Each partition is a logical and physical boundary within the HSM that limits access to encryption keys. AWS maintains administrative credentials to manage the HSM appliance, but cannot access the partitions or keys on the appliance. After creating a partition, the administrator enables applications to use APIs provided by the HSM appliance.

An administrator can establish connectivity from an application to the HSM by operating an application in the same VPC, with VPC peering -- a connection using private IP addresses -- or with a virtual private network (VPN) connection. AWS CloudHSM also works with on-premises HSM devices, as long as they match the software and firmware versions of cloud HSMs. An administrator can connect local HSMs to the cloud through VPC functionality or AWS Direct Connect and monitor logs for the HSM appliance in syslog. AWS CloudTrail also allows an administrator to record all API calls made with the CloudHSM service.
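The CloudTrail point above is where an administrator gets detection value from the service, so here is an added example (not code from the original article or from AWS) of filtering CloudTrail records for CloudHSM API calls and flagging deletions. The sample records are constructed; the `cloudhsm.amazonaws.com` event source, the `CreateHsm`/`DescribeHsm`/`DeleteHsm` event names, the IAM ARNs and the trusted VPC range are all assumptions for illustration.

```python
import ipaddress
import json
from collections import Counter

# Constructed sample CloudTrail log (not real data). Field names follow the
# CloudTrail record layout; the CloudHSM event source and event names are assumed.
SAMPLE_TRAIL = json.dumps({"Records": [
    {"eventTime": "2016-09-01T10:00:00Z", "eventSource": "cloudhsm.amazonaws.com",
     "eventName": "CreateHsm", "sourceIPAddress": "10.0.1.25",
     "userIdentity": {"arn": "arn:aws:iam::111111111111:user/hsm-admin"}},
    {"eventTime": "2016-09-01T10:05:00Z", "eventSource": "cloudhsm.amazonaws.com",
     "eventName": "DescribeHsm", "sourceIPAddress": "10.0.2.40",
     "userIdentity": {"arn": "arn:aws:sts::111111111111:assumed-role/app-role/session"}},
    {"eventTime": "2016-09-01T11:30:00Z", "eventSource": "cloudhsm.amazonaws.com",
     "eventName": "DeleteHsm", "sourceIPAddress": "203.0.113.7",
     "userIdentity": {"arn": "arn:aws:iam::111111111111:user/contractor"}},
    {"eventTime": "2016-09-01T11:45:00Z", "eventSource": "cloudhsm.amazonaws.com",
     "eventName": "DeleteHsm", "sourceIPAddress": "10.0.1.25",
     "errorCode": "AccessDeniedException",
     "userIdentity": {"arn": "arn:aws:iam::111111111111:user/hsm-admin"}},
    {"eventTime": "2016-09-01T12:00:00Z", "eventSource": "ec2.amazonaws.com",
     "eventName": "RunInstances", "sourceIPAddress": "10.0.1.25",
     "userIdentity": {"arn": "arn:aws:iam::111111111111:user/hsm-admin"}},
]})

# API calls that remove HSM resources; names assumed from the classic CloudHSM API.
DESTRUCTIVE_CALLS = {"DeleteHsm", "DeleteHapg", "DeleteLunaClient"}

# Assumed address range of the VPC from which HSM administration is expected.
TRUSTED_NETWORK = ipaddress.ip_network("10.0.0.0/16")


def load_cloudhsm_events(trail_json, event_source="cloudhsm.amazonaws.com"):
    """Parse a CloudTrail log and keep only records emitted by the CloudHSM service."""
    records = json.loads(trail_json)["Records"]
    return [r for r in records if r.get("eventSource") == event_source]


def find_destructive_calls(events, trusted_network=TRUSTED_NETWORK):
    """Return one finding per destructive CloudHSM call, in log order.

    Each finding notes whether the call succeeded (CloudTrail adds errorCode on
    failure) and whether it came from outside the expected administrative network.
    """
    findings = []
    for event in events:
        if event.get("eventName") not in DESTRUCTIVE_CALLS:
            continue
        source_ip = ipaddress.ip_address(event["sourceIPAddress"])
        findings.append({
            "time": event["eventTime"],
            "action": event["eventName"],
            "principal": event["userIdentity"]["arn"],
            "source_ip": str(source_ip),
            "succeeded": "errorCode" not in event,
            "outside_trusted_network": source_ip not in trusted_network,
        })
    return findings


def calls_by_principal(events):
    """Count CloudHSM API calls per IAM principal, a quick baseline for review."""
    return Counter(e["userIdentity"]["arn"] for e in events)


if __name__ == "__main__":
    hsm_events = load_cloudhsm_events(SAMPLE_TRAIL)
    for finding in find_destructive_calls(hsm_events):
        print(finding)
    print(calls_by_principal(hsm_events))
```

Run against a real trail, the same two functions separate routine `DescribeHsm` traffic from the handful of deletions worth a second look; a successful `DeleteHsm` from an address outside the VPC is the record to investigate first.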

CloudHSM is included in audits for the Payment Card Industry Data Security Standard (PCI DSS), Service Organization Control (SOC) 1, SOC 2 and SOC 3.

This was last updated in September 2016

