What is CloudHSM?

In this section of the AWS Certified: SAP on AWS Specialty learning path, we introduce you to the various Security services currently available in AWS that are relevant to the PAS-C01 exam.

Learning Objectives

  • Understand the purpose of AWS user and identity management
  • Identify resources and capabilities for AWS network security
  • Understand how to evaluate the security of an AWS environment
  • Describe AWS services used to create a comprehensive security solution for SAP deployments


The AWS Certified: SAP on AWS Specialty certification has been designed for anyone who has experience managing and operating SAP workloads. Ideally you’ll also have some exposure to the design and implementation of SAP workloads on AWS, including migrating these workloads from on-premises environments. Many exam questions will require a solutions architect level of knowledge for many AWS services, including AWS Security services. All of the AWS Cloud concepts introduced in this course will be explained and reinforced from the ground up.


Hello and welcome to this lecture where I shall provide you with a foundational view of the AWS CloudHSM service.

Firstly, what does HSM stand for? Well, HSM stands for Hardware Security Module, but what is a hardware security module? It’s a physical, tamper-resistant hardware appliance that is used to protect and safeguard cryptographic material and encryption keys.

The AWS CloudHSM service provides HSMs that are validated to Federal Information Processing Standards (FIPS) 140-2 Level 3, which is often required if you are going to be using your CloudHSM for document signing or if you intend to operate a public certificate authority for SSL certificates.

As I mentioned, CloudHSM is a physical device, and it’s important to note that this device is not shared with any other customer, so it’s NOT a multi-tenant device. It is a dedicated single-tenant appliance made available exclusively to you, for your own workloads. The fact that the HSM is based upon single tenancy should not be surprising, bearing in mind how sensitive the information it contains is.

CloudHSM is an enterprise-class service used for secure encryption key management and storage. It can be used as a root of trust for an enterprise when it comes to data protection, allowing you to deploy secure and compliant workloads within AWS.

There are a number of different operations that CloudHSM can help you perform. These include:

  • The creation, storage and management of cryptographic keys, allowing you to import and export both asymmetric and symmetric keys.
  • The ability to use cryptographic hash functions to enable you to compute message digests and hash-based message authentication codes, otherwise known as HMACs.
  • Cryptographic data signing and signature verification.
  • Using both asymmetric and symmetric encryption algorithms.
  • And the ability to generate cryptographically secure random data.

I just mentioned both symmetric and asymmetric encryption keys, and I feel like I should quickly explain the difference between the two.

Asymmetric encryption involves two separate keys. One is used to encrypt the data and a separate key is used to decrypt the data. Both keys are created at the same time and are linked through a mathematical algorithm. One key is considered the private key and should be kept by a single party and never shared with anyone else. The other key is considered the public key, and this key can be given to and shared with anyone. It doesn't matter who has access to this public key because, without the private key, any data encrypted with it cannot be accessed.

Both the private and public keys are required to decrypt the data when asymmetric encryption is being used. So how does it work? 

If another party wanted to send you an encrypted message or data, they would encrypt the message using your own public key which can be made freely available to them or anyone. The message is then sent to you where you will use your own private key which has that mathematical relationship with your public key to decrypt the data. This allows you to send encrypted data to anyone without the risk of exposing your private key.

Some common examples of asymmetric cryptography algorithms are RSA, Diffie-Hellman, and Digital Signature Algorithm. 

With symmetric encryption, a single key is used to both encrypt and also decrypt the data. So for example if someone was using a symmetric encryption method, they would encrypt the data with a key and then when that same person needed to access that data, they would use the same key that they used to encrypt the data to decrypt the data. As a result, this key must be sent securely between the two parties and here it exposes a weakness in this method. If the key is intercepted by anyone during that transmission, then that third party could easily decrypt any data associated with that key. 

Some common symmetric cryptography algorithms are AES (Advanced Encryption Standard), DES (Data Encryption Standard), Triple DES and Blowfish.
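The public-key exchange and the symmetric key-transport weakness described above, combined in an added example that is not part of the original lecture: the sender wraps a random symmetric key with the recipient's public key, so the key itself never travels in the clear, and then authenticates a message with an HMAC. The RSA here is a textbook toy built from two known Mersenne primes so that it runs on the Python standard library alone; all names and the sample message are constructed, and nothing in it calls CloudHSM.

```python
import hashlib
import hmac
import secrets

# Toy RSA key pair from two known Mersenne primes (constructed for
# illustration: textbook RSA, no padding, modulus far too small for real use).
P, Q = 2**127 - 1, 2**89 - 1
N, E = P * Q, 65537                    # public key, safe to hand to anyone
D = pow(E, -1, (P - 1) * (Q - 1))      # private exponent, never shared
KEY_LEN = 16                           # 128-bit symmetric key


def wrap_key(sym_key: bytes, n: int, e: int) -> int:
    """Sender: encrypt the symmetric key with the recipient's public key."""
    m = int.from_bytes(sym_key, "big")
    if m >= n:
        raise ValueError("key does not fit under this modulus")
    return pow(m, e, n)


def unwrap_key(wrapped: int, n: int, d: int) -> bytes:
    """Recipient: recover the symmetric key with a private exponent."""
    width = (n.bit_length() + 7) // 8
    return pow(wrapped, d, n).to_bytes(width, "big")[-KEY_LEN:]


def tag(sym_key: bytes, message: bytes) -> bytes:
    """HMAC-SHA256 of the message under the shared symmetric key."""
    return hmac.new(sym_key, message, hashlib.sha256).digest()


def verify(sym_key: bytes, message: bytes, mac: bytes) -> bool:
    """Recompute the tag and compare in constant time."""
    return hmac.compare_digest(tag(sym_key, message), mac)


def demo() -> dict:
    sym_key = secrets.token_bytes(KEY_LEN)
    message = b"constructed sample message"
    wrapped = wrap_key(sym_key, N, E)      # this, not sym_key, is transmitted
    mac = tag(sym_key, message)
    recovered = unwrap_key(wrapped, N, D)  # holder of the private key
    other = unwrap_key(wrapped, N, D + 2)  # any other exponent
    return {
        "recovered_ok": recovered == sym_key,
        "mac_ok": verify(recovered, message, mac),
        "tamper_detected": not verify(recovered, message + b"!", mac),
        "other_key_fails": other != sym_key,
    }
```

With an HSM the private exponent would be generated and held inside the device, and the unwrap step would run there rather than in application memory.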

AWS CloudHSM is not the only encryption service available with AWS; you may have also heard of the Key Management Service, known as KMS. KMS is a managed service used to store and generate encryption keys that can be used by other AWS services and applications to encrypt your data. Much like CloudHSM, KMS uses HSMs, but with KMS these are managed by AWS, and as a result you have less management control of the keys and key material. Later in this course, I shall explain the integrations that exist between the two services.



About the Author

Stuart has been working within the IT industry for two decades covering a huge range of topic areas and technologies, from data center and network infrastructure design, to cloud architecture and implementation.

To date, Stuart has created 150+ courses relating to Cloud reaching over 180,000 students, mostly within the AWS category and with a heavy focus on security and compliance.

Stuart is a member of the AWS Community Builders Program for his contributions towards AWS.

He is AWS certified and accredited in addition to being a published author covering topics across the AWS landscape.

In January 2016 Stuart was awarded ‘Expert of the Year Award 2015’ from Experts Exchange for his knowledge share within cloud services to the community.

Stuart enjoys writing about cloud technologies and you will find many of his articles within our blog pages.