AWS CloudHSM: Why You’ll Want It and What to Watch Out For

Security has been one of the top challenges in every survey on cloud computing in the last five years. Yet public cloud providers have continued to beef up their security offerings, and not everyone realizes how far providers have come in providing tools that enable customers to follow security best practices. This week AWS took a giant step forward to address a major cloud security challenge with the release of CloudHSM, a cloud-based hardware security module. This game-changing appliance empowers public cloud users to easily implement a level of cryptographic security formerly available only to those using private clouds or hosted environments.

CloudHSM has the potential to appeal not only to large enterprise shops but also to small and midsize businesses, and not only to AWS cloud customers but also potentially to customers of other cloud providers, who can store their cryptographic keys on AWS CloudHSM for data that is hosted in a different public cloud. CloudHSM offers exciting potential, so I wanted to share the important details, along with six caveats to consider as you think about CloudHSM.

Simply put, AWS CloudHSM is a service that can securely generate, store, and manage cryptographic keys. Until now there was no really good way to use and manage cryptographic keys in the public cloud itself. If you wanted to have a high degree of confidence in your key management, you needed to do it outside of the public cloud. With CloudHSM, you can now do proper key management completely within the public cloud.

CloudHSM offers secure key management and use to everyone who uses the public cloud – literally everyone, not just AWS customers, because CloudHSM can store cryptographic keys and encrypt and decrypt data for any and all cloud services. Combining CloudHSM with the RightScale multi-cloud management platform can provide many of the critical enablers for your security and compliance efforts.

RightScale customers who have been searching for a way to get secure cryptographic keys should jump on CloudHSM. If you need to store PCI, HIPAA, financial, or other sensitive data locally on a public cloud instance, now you have a simple way to get easy access to keys that make that much more feasible.

A Few Caveats

While the potential of CloudHSM is exciting, there are some caveats:

1. CloudHSM is part of a virtual private cloud environment, so if you want to use CloudHSM and you are not using VPC, you need to start doing so.

2. Most applications are likely not designed to use an HSM in general, so organizations will need to design an architecture to accommodate it. The API is a C, Java, or .NET library that developers must incorporate into application components. CloudHSM is unlike many of AWS’ other offerings in that it does not offer a high-level, platform-agnostic interface; this is very much a “some assembly required” service.

3. Good key management practices do not exempt an application from using good crypto practices; an HSM must be combined with constraints on who is authorized to use it and on how the application protects the keys it receives from the HSM. And outsourcing key management and cryptographic operations to a certified hardware appliance does not guarantee that the application architecture meets security or availability requirements. Most security vulnerabilities in networked applications stem from failures of input validation or error handling, and even properly implemented crypto can be misused.

4. The SafeNet Luna SA appliance AWS uses for CloudHSM has earned FIPS 140-2 certification for its crypto module, and AWS requires HSM users to install a SafeNet-provided library that allows apps to talk to the HSM, but AWS has not announced any third-party certification of its processes, so currently you need to trust AWS to be doing the right thing. I don’t have a problem with this situation, as I expect Amazon will get third-party attestation, and I already trust it with critical parts of my infrastructure.

5. CloudHSM is available only in US East or EU (Ireland) today. Per the AWS FAQ, if you want a CloudHSM in another region, you need to contact AWS.

6. This is a new service, and as such it will have some kinks to work out. The biggest one in my mind is about service-level agreements and the availability of the service. Per the AWS FAQ, “there is no SLA for CloudHSM.” I would not pass over this too lightly. Customers can set up redundancy by using different availability zones, but remember the region restrictions.


Part of RightScale’s role is helping customers design secure applications that run in public clouds. That mission includes making sure cloud deployments comply with regulatory and security standards. We can help both AWS customers and users of other clouds improve security and meet PCI, HIPAA, and other compliance requirements by incorporating CloudHSM into their architecture. I recommend that businesses investigate how easy it is to use the CloudHSM service to meet data security requirements, and I’ll be taking my own advice. I plan to look at how RightScale can leverage the service in our own SaaS-based cloud management solution.