
Introduction to CloudHSM


What is CloudHSM?



AWS CloudHSM is the name of Amazon’s original encryption key solution. HSM stands for Hardware Security Module, and in the solution provided by AWS it is a SafeNet Luna appliance hosted at AWS. The appliance is single-tenant and exclusive to each customer. AWS manages only the hardware and base operation; it does not manage the keys and has no ability to access the key management system within the HSM.

Intended Audience:

  • Anyone who needs to know more about the Amazon Hardware Security Module, branded CloudHSM, which is provided as a dedicated hardware appliance.
  • Anyone preparing for an Amazon certification, as well as security officers who have a responsibility to ensure data is protected in an environment at Amazon Web Services.


  • Due to the advanced nature of the CloudHSM topic, this course is not designed to be your first course about Amazon Web Services. 
  • It is a very good idea to complete the Key Management Service course if you are trying to make a decision between the two encryption offerings.

Learning Objectives:

  • To teach you the basics of AWS CloudHSM
  • What it will cost to implement
  • Comparison of KMS to AWS CloudHSM
  • How to implement a key and encrypt data
  • Which services can be used with CloudHSM
  • Why you might use AWS CloudHSM
  • Other uses for AWS CloudHSM

What you'll learn:

  • CloudHSM Basics: An overview of CloudHSM basics, along with terminology and use cases.
  • What is CloudHSM: In this very detailed lesson, the presentation includes information about performance, scalability, availability, costs, and best practices.
  • CloudHSM Operations: How to set up the HSM controller as well as how to provision and de-provision HSM.


Hello and welcome to Cloud Academy's course on AWS CloudHSM. This is a course that will cover the Amazon Hardware Security Module based on a dedicated SafeNet Luna hardware appliance. This course is designed to provide you the knowledge to understand what CloudHSM is, how you can use CloudHSM to encrypt your information stored at AWS, and what are some of the major features and functions of CloudHSM.

In this course, we will give you the information necessary to understand how to use CloudHSM to encrypt your data. Before we get too far along, let me tell you a little about myself. My name is Tom Lynch, and I will be your instructor for this course. I have been in the IT industry for over 30 years. I first began working in virtualized environments in 1996; that was an IBM mainframe, so it was similar, but different. I have been an active AWS consultant since late 2012, and earned my Solution Architect Associate in March of 2013, followed by my AWS Solution Architect Professional Certification in November of 2015. Now back to the course on CloudHSM.

Let's discuss who can benefit from this course: anyone that needs to know more about Amazon's Hardware Security Module, branded CloudHSM, which is provided as a dedicated hardware appliance. This is typically anyone preparing for an Amazon certification, as well as security officers that have a responsibility to ensure data's protected in an environment at Amazon Web Services.

Additionally, if you are looking to get an understanding of what is the difference between the CloudHSM offering and Key Management Service, you will gain that knowledge in this course. Due to the advanced nature of the CloudHSM topic, this course is not designed to be your first course about Amazon Web Services. It is a very good idea to complete the Key Management Service course if you are trying to make a decision between the two encryption offerings. I will get into some of the details on how CloudHSM does encryption.

Since this is a dedicated appliance, if you want a deep dive on how the appliance does encryption, please read up on the SafeNet Luna manual. Now, some of the details on what will be covered in this course. The topics covered in this course are: what is CloudHSM, CloudHSM's design features, integration with Amazon Web Services, CloudHSM monitoring, CloudHSM versus KMS, provisioning a CloudHSM, and CloudHSM costs. And we'll cover how the CloudHSM device works to protect your crypto keys. I will cover how to monitor the CloudHSM appliance, and how to leverage Cloud Shield to ensure encryption is used.

I will cover some of the advantages to using a hardware appliance instead of a software appliance. I will also cover some of the limitations to using CloudHSM that you need to take into consideration when making the decision to use the hardware appliance. I will get into the details on how you go about provisioning CloudHSM, I will give you an example of charges you will incur to launch a CloudHSM appliance, and what is the expected cost to run the appliance. If you're planning to implement encryption with CloudHSM, you should have a good working knowledge of the services you plan to use with CloudHSM. Amazon Web Services has lots to offer, and typically can meet all your needs. This flexibility adds to some of the complexity. First, become familiar with the services you plan to use prior to adding CloudHSM encryption. It is highly recommended to complete the Key Management Service course, the other encryption key solution from Amazon, prior to the CloudHSM course.

If you are only interested in what encryption and key management options are available to AWS, this and the KMS course are good places to start. If you need to implement encryption solutions and create a solution that stores data at rest, encrypted, you really need to have some experience with AWS, and have hands-on experience with the services you plan to use that will require encryption.

There are a few terms and abbreviations that you should be familiar with, related to CloudHSM and encryption in general. HSM, Hardware Security Module. IAM, Identity and Access Management. AES, Advanced Encryption Standard. KMI, Key Management Infrastructure. PKCS, Public Key Cryptography Standards. FIPS, also commonly called FIPS, Federal Information Processing Standard.

About the Author

Tom is an active AWS consultant who has been creating and deploying AWS solutions for over five years. He has worked on numerous projects that involve everything from small, lean startups on a tight budget to massive commercial enterprises that have large-scale budgets with large-scale requirements that must be met no matter the cost. Tom has worked for several United States government agencies, taking the agencies to the cloud by migrating solutions from on-premise data centers to the AWS cloud in a secure solution while reducing their overall cost to operate and maintain the solution.

Personally, Tom spends his available time riding his bicycle, sampling a good wine or two, enjoying a good meal and watching Formula One races.