Integration with KMS
One of the most compelling features of CloudHSM is its integration with KMS: you can create a KMS custom key store (what KMS now calls an AWS CloudHSM key store) backed by your own CloudHSM cluster. Applications keep using the ordinary KMS APIs (CreateKey, Encrypt, Decrypt, GenerateDataKey and so on), IAM policies and CloudTrail logging, while the key material is generated inside your HSMs, never leaves them, and every cryptographic operation on those keys executes in the cluster. This combines the operational ease of KMS with the single-tenant, FIPS 140-2 Level 3 validated hardware of CloudHSM.
To integrate the two, first create a CloudHSM cluster in your VPC, initialize it (initialization produces the cluster's trust anchor certificate, customerCA.crt, which you must keep) and add HSMs to it. KMS will only connect a key store to a cluster that has at least two active HSMs in different Availability Zones, so plan for two from the start. Inside the cluster, create a crypto user (CU) named exactly kmsuser; KMS logs in as this user to generate and use keys. Then create the custom key store, supplying the cluster ID, the trust anchor certificate and the kmsuser password (the calling principal also needs cloudhsm:DescribeClusters so KMS can verify the cluster), and connect it. Connecting is asynchronous: poll the key store's connection state until it reads CONNECTED, and if it reads FAILED the accompanying ConnectionErrorCode says why. One caveat: never log in to the cluster as kmsuser while the key store is connected or connecting, since KMS cannot log in as a user whose account another session holds (the connection attempt fails with USER_LOGGED_IN); disconnect the key store first if you need that account yourself.
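The procedure above, carried through as a runnable example. This is an added example, not code from the original text or from AWS: it uses the boto3 request and response shapes of the `cloudhsmv2` and `kms` clients, but takes the client objects as parameters so the same flow can be exercised offline against the constructed `FakeAws` stand-in at the bottom (all cluster IDs, names, the trust anchor string and the password are constructed sample values). It assumes the steps that cannot be done through these APIs were already completed: the cluster is initialized, customerCA.crt was kept, and the kmsuser CU exists.

```python
"""Provision a KMS custom key store (AWS CloudHSM key store) end to end.

Added example, not AWS code: boto3 call shapes for cloudhsmv2 and kms, with
the clients passed in so it also runs offline against FakeAws below. Assumed
done beforehand: cluster initialized, customerCA.crt kept, CU `kmsuser` created.
"""
import time


def check_cluster_ready(cloudhsm, cluster_id):
    """Preflight via DescribeClusters -> (ok, reason). Skipping it is the
    usual route to ConnectionErrorCode INSUFFICIENT_CLOUDHSM_HSMS later."""
    cluster = cloudhsm.describe_clusters(Filters={"clusterIds": [cluster_id]})["Clusters"][0]
    if cluster["State"] != "ACTIVE":
        return False, "cluster state is " + cluster["State"]
    active = [h for h in cluster["Hsms"] if h["State"] == "ACTIVE"]
    zones = {h["AvailabilityZone"] for h in active}
    if len(active) < 2 or len(zones) < 2:  # KMS needs 2 ACTIVE HSMs in 2 AZs
        return False, f"{len(active)} active HSM(s) in {len(zones)} AZ(s); need 2 in 2 AZs"
    return True, "ready"


def create_and_connect_key_store(kms, name, cluster_id, trust_anchor_pem,
                                 kmsuser_password, poll_interval=0.0, max_polls=30):
    """CreateCustomKeyStore + ConnectCustomKeyStore, then poll until CONNECTED.
    FAILED raises with the ConnectionErrorCode, which names the fix (USER_NOT_FOUND:
    no kmsuser CU; USER_LOGGED_IN: kmsuser in use; INVALID_CREDENTIALS: bad password)."""
    ks_id = kms.create_custom_key_store(
        CustomKeyStoreName=name,
        CloudHsmClusterId=cluster_id,
        TrustAnchorCertificate=trust_anchor_pem,  # contents of customerCA.crt
        KeyStorePassword=kmsuser_password,        # KMS logs in as kmsuser with this
    )["CustomKeyStoreId"]
    kms.connect_custom_key_store(CustomKeyStoreId=ks_id)  # asynchronous
    for _ in range(max_polls):
        store = kms.describe_custom_key_stores(CustomKeyStoreId=ks_id)["CustomKeyStores"][0]
        if store["ConnectionState"] == "CONNECTED":
            return ks_id
        if store["ConnectionState"] == "FAILED":
            raise RuntimeError("connect failed: " + store.get("ConnectionErrorCode", "?"))
        time.sleep(poll_interval)
    raise TimeoutError("key store still CONNECTING after polling")


def create_hsm_backed_key(kms, key_store_id, description):
    """CreateKey with Origin=AWS_CLOUDHSM: material is generated in the cluster."""
    md = kms.create_key(Description=description, KeyUsage="ENCRYPT_DECRYPT",
                        KeySpec="SYMMETRIC_DEFAULT", Origin="AWS_CLOUDHSM",
                        CustomKeyStoreId=key_store_id)["KeyMetadata"]
    if md["Origin"] != "AWS_CLOUDHSM":
        raise RuntimeError("key material is not in CloudHSM: " + md["Origin"])
    return md["KeyId"]


TWO_AZ_HSMS = [{"State": "ACTIVE", "AvailabilityZone": "us-east-1a"},  # constructed sample
               {"State": "ACTIVE", "AvailabilityZone": "us-east-1b"}]


class FakeAws:
    """Constructed stand-in for both boto3 clients (sample data, not real AWS)."""
    def __init__(self, hsms, error_code=None):
        self.hsms, self.error_code, self.stores = hsms, error_code, {}

    def describe_clusters(self, Filters):
        return {"Clusters": [{"State": "ACTIVE", "Hsms": self.hsms}]}

    def create_custom_key_store(self, **kw):
        ks_id = "cks-" + kw["CustomKeyStoreName"]
        self.stores[ks_id] = {"ConnectionState": "DISCONNECTED",
                              "CloudHsmClusterId": kw["CloudHsmClusterId"]}
        return {"CustomKeyStoreId": ks_id}

    def connect_custom_key_store(self, CustomKeyStoreId):  # real call is async
        self.stores[CustomKeyStoreId].update(
            {"ConnectionState": "FAILED", "ConnectionErrorCode": self.error_code}
            if self.error_code else {"ConnectionState": "CONNECTED"})

    def describe_custom_key_stores(self, CustomKeyStoreId):
        return {"CustomKeyStores": [dict(self.stores[CustomKeyStoreId])]}

    def create_key(self, **kw):
        store = self.stores[kw["CustomKeyStoreId"]]
        if store["ConnectionState"] != "CONNECTED":
            raise RuntimeError("CustomKeyStoreInvalidStateException")
        return {"KeyMetadata": {"KeyId": "example-key-id", "Origin": kw["Origin"],
                                "CloudHsmClusterId": store["CloudHsmClusterId"]}}


def demo(hsms=TWO_AZ_HSMS, error_code=None):
    aws = FakeAws(hsms, error_code)  # swap in real boto3 clients for a live run
    ok, reason = check_cluster_ready(aws, "cluster-example")
    if not ok:
        return "not ready: " + reason
    try:
        ks_id = create_and_connect_key_store(aws, "example-store", "cluster-example",
                                             "CONSTRUCTED-TRUST-ANCHOR-PEM", "constructed-pw")
    except RuntimeError as exc:
        return str(exc)
    return create_hsm_backed_key(aws, ks_id, "HSM-backed data key")
```

For a live run you would pass `boto3.client("cloudhsmv2")` and `boto3.client("kms")` in place of `FakeAws`; the preflight check is worth keeping there, because KMS reports a missing second HSM only after the connect attempt has already failed.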
Use cases
Understanding when to leverage CloudHSM over KMS is crucial. Some primary use cases are as follows:
- Regulatory compliance: For organizations that are subject to rigorous compliance requirements, CloudHSM provides a level of security that is often mandated by regulatory bodies. For example, financial institutions dealing with the Payment Card Industry Data Security Standard (PCI DSS) or healthcare organizations subject to the Health Insurance Portability and Accountability Act (HIPAA) can benefit from the dedicated and tamper-evident hardware provided by CloudHSM.
- High-value transactions: Where the compromise of a single key would be catastrophic, such as high-value financial transactions or confidential government communications, the isolation CloudHSM provides is what matters. The HSMs are dedicated, single-tenant devices: no other AWS customer shares them, AWS itself has no access to the keys inside them, and every signing or decryption operation happens within the tamper-responding boundary, reducing the risk of unauthorized key use or data leakage.
- Root of trust: Organizations that require a root of trust entirely under their own control can generate and store root keys in CloudHSM and derive or wrap subordinate keys from them, giving a key hierarchy that never touches a multi-tenant environment. The trade-off is that the lifecycle is also entirely yours: HSM user management, quorum (M-of-N) approval for sensitive operations, and verifying that cluster backups exist and can be restored.
- Secure key export and import: CloudHSM allows keys to be moved securely through its client SDKs, namely PKCS#11, the Java Cryptography Extension (JCE) provider, and Microsoft’s Cryptography API: Next Generation (CNG) provider. Export is always wrapped export: the key leaves the HSM only encrypted under a wrapping key (for example C_WrapKey / C_UnwrapKey in PKCS#11), and only if it was created with the extractable attribute set, so decide at generation time which keys may ever leave. This is particularly useful for organizations with hybrid-cloud or multi-cloud architectures that need to move keys between environments; note that KMS keys held in a CloudHSM key store are not exportable through KMS.