Amazon Web Services Launches CloudHSM, A Dedicated Hardware Security Appliance For Managing Cryptographic Keys

Amazon just announced the launch of CloudHSM, a new service that gives Amazon Web Services users who must meet corporate, contractual and regulatory compliance requirements for data security a way to do so with a dedicated Hardware Security Module (the ‘HSM’ in CloudHSM) hosted within the Amazon cloud. Until now, Amazon argues, the only option for many companies that use its cloud services was to keep their most sensitive data, or the encryption keys that protect it, in their own on-premises data centers. That, of course, made it hard for these companies to fully migrate their applications to the cloud.

The new service, Amazon writes, can be used to support “a variety of use cases and applications, such as database encryption, Digital Rights Management (DRM), and Public Key Infrastructure (PKI) including authentication and authorization, document signing, and transaction processing.” The actual appliances are Luna SA modules from SafeNet, Inc.

The new CloudHSM service uses Amazon’s Virtual Private Cloud (VPC) and the appliances are provisioned inside the user’s VPC with an IP address the user specifies. The service, Amazon says, provides businesses with secure key storage and protects these keys with “tamper-resistant HSM appliances that are designed to comply with international (Common Criteria EAL4+) and U.S. Government (NIST FIPS 140-2) regulatory standards for cryptographic modules.”

Because the HSMs are located close to the user’s EC2 cloud computing instances, network latency should be very low.

All of this, however, doesn’t come cheap. The upfront cost to provision a CloudHSM is $5,000, and the hourly charge is $1.88, which works out to about $1,373 per month. For businesses that need this kind of security, that’s probably a small price to pay, but this is clearly not a service geared toward startups that simply want to ensure their encryption keys and data are stored safely. The HSM client software can load balance requests across two or more CloudHSMs, though Amazon notes that it can take “several weeks” to provision more than two HSMs.