Understanding AWS CloudHSM Architecture & Implementation
Start course

HSM stands for Hardware Security Module, but what is a hardware security module? It’s a physical tamper-resistant hardware appliance that is used to protect and safeguard cryptographic material and encryption keys.

The AWS CloudHSM service provides HSMs that are validated to Federal Information Processing Standards (FIPS) 140-2 Level 3, which is often required if you are going to be using your CloudHSM for document signing or if you intend to operate a public certificate authority for SSL certificates.

Learning Objectives

The objectives of this course are to explain:

  • What AWS CloudHSM is and does
  • The architecture of CloudHSM and its implementation
  • Access Control of your HSM Cluster
  • How to use CloudHSM as a custom key store in KMS, the Key Management Service
  • Monitoring and Logging

Intended Audience

This course is intended for anyone who is:

  • Responsible for protecting data stored within AWS
  • Looking to utilize a managed service to help perform cryptographic operations
  • Preparing for an AWS certification that requires you to have knowledge of securing data


To get the most out of this course, you should have a basic awareness of the fundamentals of AWS and some of its core services, such as VPC architecture. Some basic cryptography knowledge would also be beneficial, but not essential.



Hello and welcome to this lecture where I want to provide an overview of the architecture of CloudHSM and the general steps of implementation to help you understand its deployment.  

Let me start with the CloudHSM Cluster.  When you implement CloudHSM, you will begin by creating a cluster.  This cluster is simply a grouping of different HSMs which will act as a single unit when configured and deployed.  Having multiple HSMs provides an element of high availability as you are able to select multiple different subnets, one from each availability zone that your VPC operates in, to deploy an HSM into.  Any requests to your CloudHSM cluster are then automatically load-balanced between the HSMs in the cluster, and if one HSM fails, AWS will automatically deploy another one within your cluster.  As a result, running a VPC is a prerequisite of implementing your cluster.

During the deployment of your HSMs, it’s actually an Elastic Network Interface (ENI) that is placed within the subnet that you select of your VPC.  The HSM itself actually resides in a different AWS-owned VPC, and located in the same AZ as you select during its deployment.  So it’s the ENI that is deployed in your VPC which acts as an interface between your network and the HSM residing in an AWS-owned VPC.

When you create the cluster, CloudHSM will do 2 things. Firstly, a new service-linked role will be created ‘AWSServiceRoleForCloudHSM’ which gives CloudHSM the permission to send log data to CloudWatch Logs log groups and log streams on your behalf. For those familiar with IAM policies, the policy looks as shown.

Secondly, CloudHSM will also create a new security group for the cluster (cloudhsm-cluster-clusterID-sg). This is an important security group as it controls which resources can communicate with the HSMs.  The security group itself will allow both inbound and outbound connectivity over TCP ports 2223-2225, which enables each of your HSMs within your cluster to communicate with each other.  When this security group is created by CloudHSM, no other resources are associated with it. 


Once your cluster has been defined and created in the different subnets and availability zones that you have selected, it will have been provisioned in an ‘uninitialized state’. From this point, you can create your HSMs in each availability zone that you selected and ‘initialize’ the cluster.  As this is a beginner course, I will not dive into this initialization process, however, if you would like a detailed technical understanding of how to perform this step, please refer to the AWS documentation here.

When your cluster is initialized you can then connect to your cluster HSM network interfaces, and one of the easiest ways to do this is via an EC2 instance provisioned in the same VPC. There are 2 steps which must be carried out for your EC2 instances to interact with the HSMs. Firstly, you must configure a security group. And secondly, you need to install the AWS CloudHSM client software on your instance.

So, firstly, the security group.  You must add your instance to the cloudhsm-cluster-clusterID-sg security group.  As we already know, this security group allows your HSMs to communicate with each other, but this same security group is also used to define which EC2 instances can communicate with your CloudHSMs, which must be manually added to the security group.  If you want to connect to your CloudHSM using a Windows EC2 instance then you must add a rule to this SG using RDP with port 3389, if using a Linux instance then you must select SSH using port 22.

Next, you must install the client and command-line tools.  To do this, connect to your instance that you added to the security group as I just mentioned. 

If using a Linux instance, then you need to run a command, and this command will be different depending on the OS you are running.  For a list of commands relating to the following OS’s please refer to this AWS resource.

Once you have installed the client and tools, you need to modify the client configuration to enable you to connect to your cluster.  Firstly you need to copy your issuing certificate (created when you initialize your cluster) to /opt/cloudhsm/etc/customerCA.crt

You must also run the following command, replacing the red text with your HSMs IP address 

sudo /opt/cloudhsm/bin/configure -a <IP address>

If you are using a Windows instance, then you will need to download the installation from here.

After running the MSI file, you will need to copy the self-signed issuing certificate to the following.

And then finally, you need to run the following command to configure the client software replacing the text in red with your own HSM details.

C:\Program Files\Amazon\CloudHSM\configure.exe -a <HSM IP address>

So let’s take a quick logical look at how the infrastructure would look like at this stage.

So as you can see, we have the customer VPC split across 3 different availability zones and subnets, each with an EC2 client containing the HSM client software and an HSM ENI. Each EC2 client can communicate with ANY of the HSM ENI across the different subnets within the cluster using the cloudhsm-cluster security group.  These ENIs then communicate with the HSMs located in an AWS-owned VPC.

We also have the IAM role that has been created allowing HSM to send log data to CloudWatch Logs log groups and log streams on your behalf.  

Once your infrastructure is in place and you have configured your CloudHSM connectivity, you simply need to activate your HSM cluster before use.

About the Author
Learning Paths

Stuart has been working within the IT industry for two decades covering a huge range of topic areas and technologies, from data center and network infrastructure design, to cloud architecture and implementation.

To date, Stuart has created 150+ courses relating to Cloud reaching over 180,000 students, mostly within the AWS category and with a heavy focus on security and compliance.

Stuart is a member of the AWS Community Builders Program for his contributions towards AWS.

He is AWS certified and accredited in addition to being a published author covering topics across the AWS landscape.

In January 2016 Stuart was awarded ‘Expert of the Year Award 2015’ from Experts Exchange for his knowledge share within cloud services to the community.

Stuart enjoys writing about cloud technologies and you will find many of his articles within our blog pages.