Amazon CloudHSM key stores - Amazon Key Management Service
Services or capabilities described in Amazon Web Services documentation might vary by Region. To see the differences applicable to the China Regions, see Getting Started with Amazon Web Services in China (PDF).

Amazon CloudHSM key stores

An Amazon CloudHSM key store is a custom key store backed by an Amazon CloudHSM cluster. When you create an Amazon KMS key in a custom key store, Amazon KMS generates and stores non-extractable key material for the KMS key in an Amazon CloudHSM cluster that you own and manage. When you use a KMS key in a custom key store, the cryptographic operations are performed in the HSMs in the cluster. This feature combines the convenience and widespread integration of Amazon KMS with the added control of an Amazon CloudHSM cluster in your Amazon Web Services account.

Amazon KMS provides full console and API support for creating, using, and managing your custom key stores. You can use the KMS keys in your custom key store the same way that you use any KMS key. For example, you can use the KMS keys to generate data keys and encrypt data. You can also use the KMS keys in your custom key store with Amazon services that support customer managed keys.

Do I need a custom key store?

For most users, the default Amazon KMS key store, which is protected by FIPS 140-2 validated cryptographic modules, fulfills their security requirements. There is no need to add an extra layer of maintenance responsibility or a dependency on an additional service.

However, you might consider creating a custom key store if your organization has any of the following requirements:

  • You have keys that are explicitly required to be protected in a single tenant HSM or in an HSM that you have direct control over.

  • You need the ability to immediately remove key material from Amazon KMS.

  • You need to be able to audit all use of your keys independently of Amazon KMS or Amazon CloudTrail.

How do custom key stores work?

Each custom key store is associated with an Amazon CloudHSM cluster in your Amazon Web Services account. When you connect the custom key store to its cluster, Amazon KMS creates the network infrastructure to support the connection. Then it logs in to the cluster, using the Amazon CloudHSM client, with the credentials of a dedicated crypto user in the cluster.

You create and manage your custom key stores in Amazon KMS and create and manage your HSM clusters in Amazon CloudHSM. When you create Amazon KMS keys in an Amazon KMS custom key store, you view and manage the KMS keys in Amazon KMS. But you can also view and manage their key material in Amazon CloudHSM, just as you would do for other keys in the cluster.

Managing KMS keys in a custom key store

You can create symmetric encryption KMS keys with key material generated by Amazon KMS in your custom key store. Then use the same techniques to view and manage the KMS keys in your custom key store that you use for KMS keys in the Amazon KMS key store. You can control access with IAM and key policies, create tags and aliases, enable and disable the KMS keys, and schedule key deletion. You can use the KMS keys for cryptographic operations and use them with Amazon services that integrate with Amazon KMS.

In addition, you have full control over the Amazon CloudHSM cluster, including creating and deleting HSMs and managing backups. You can use the Amazon CloudHSM client and supported software libraries to view, audit, and manage the key material for your KMS keys. While the custom key store is disconnected, Amazon KMS cannot access it, and users cannot use the KMS keys in the custom key store for cryptographic operations. This added layer of control makes custom key stores a powerful solution for organizations that require it.

Where do I start?

To create and manage an Amazon CloudHSM key store, you use features of Amazon KMS and Amazon CloudHSM.

  1. Start in Amazon CloudHSM. Create an active Amazon CloudHSM cluster or select an existing cluster. The cluster must have at least two active HSMs in different Availability Zones. Then create a dedicated crypto user (CU) account in that cluster for Amazon KMS.

  2. In Amazon KMS, create a custom key store that is associated with your selected Amazon CloudHSM cluster. Amazon KMS provides a complete management interface that lets you create, view, edit, and delete your custom key stores.

  3. When you're ready to use your custom key store, connect it to its associated Amazon CloudHSM cluster. Amazon KMS creates the network infrastructure that it needs to support the connection. It then logs in to the cluster using the dedicated crypto user account credentials so it can generate and manage key material in the cluster.

  4. Now, you can create symmetric encryption KMS keys in your custom key store. Just specify the custom key store when you create the KMS key.

If you get stuck at any point, you can find help in the Troubleshooting a custom key store topic. If your question is not answered, use the feedback link at the bottom of each page of this guide or post a question on the Amazon Key Management Service Discussion Forum.

Quotas

Amazon KMS allows up to 10 custom key stores in each Amazon Web Services account and Region, including both Amazon CloudHSM key stores and external key stores, regardless of their connection state. In addition, there are Amazon KMS request quotas on the use of KMS keys in an Amazon CloudHSM key store.

Pricing

For information on the cost of Amazon KMS custom key stores and customer managed keys in a custom key store, see Amazon Key Management Service pricing. For information about the cost of Amazon CloudHSM clusters and HSMs, see Amazon CloudHSM Pricing.

Regions

Amazon KMS supports Amazon CloudHSM key stores in all Amazon Web Services Regions where Amazon KMS is supported, except for Asia Pacific (Melbourne), China (Beijing), China (Ningxia), and Europe (Spain).

Unsupported features

Amazon KMS does not support the following features in custom key stores.

Amazon CloudHSM key store concepts

This topic explains some of the terms and concepts used in Amazon CloudHSM key stores.

Amazon CloudHSM key store

An Amazon CloudHSM key store is a custom key store associated with an Amazon CloudHSM cluster that you own and manage. Amazon CloudHSM clusters are backed by hardware security modules (HSMs) certified at FIPS 140-2 Level 3.

When you create a KMS key in your Amazon CloudHSM key store, Amazon KMS generates a 256-bit, persistent, non-exportable Advanced Encryption Standard (AES) symmetric key in the associated Amazon CloudHSM cluster. This key material never leaves your HSMs unencrypted. When you use a KMS key in an Amazon CloudHSM key store, the cryptographic operations are performed in the HSMs in the cluster.

Amazon CloudHSM key stores combine the convenient and comprehensive key management interface of Amazon KMS with the additional controls provided by an Amazon CloudHSM cluster in your Amazon Web Services account. This integrated feature lets you create, manage, and use KMS keys in Amazon KMS while maintaining full control of the HSMs that store their key material, including managing clusters, HSMs, and backups. You can use the Amazon KMS console and APIs to manage the Amazon CloudHSM key store and its KMS keys. You can also use the Amazon CloudHSM console, APIs, client software, and associated software libraries to manage the associated cluster.

You can view and manage your Amazon CloudHSM key store, edit its properties, and connect and disconnect it from its associated Amazon CloudHSM cluster. If you need to delete an Amazon CloudHSM key store, you must first delete the KMS keys in the Amazon CloudHSM key store by scheduling their deletion and waiting until the grace period expires. Deleting the Amazon CloudHSM key store removes the resource from Amazon KMS, but it does not affect your Amazon CloudHSM cluster.

Amazon CloudHSM cluster

Every Amazon CloudHSM key store is associated with one Amazon CloudHSM cluster. When you create an Amazon KMS key in your Amazon CloudHSM key store, Amazon KMS creates its key material in the associated cluster. When you use a KMS key in your Amazon CloudHSM key store, the cryptographic operation is performed in the associated cluster.

Each Amazon CloudHSM cluster can be associated with only one Amazon CloudHSM key store. The cluster that you choose cannot be associated with another Amazon CloudHSM key store or share a backup history with a cluster that is associated with another Amazon CloudHSM key store. The cluster must be initialized and active, and it must be in the same Amazon Web Services account and Region as the Amazon CloudHSM key store. You can create a new cluster or use an existing one. Amazon KMS does not need exclusive use of the cluster. To create KMS keys in the Amazon CloudHSM key store, its associated cluster must contain at least two active HSMs. All other operations require only one HSM.
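The cluster requirements stated in this section and in the "Where do I start?" procedure (initialized and active, in the key store's Region, not already backing another key store, and holding at least two active HSMs in different Availability Zones before KMS keys can be created) are easy to check before calling CreateCustomKeyStore. The following is an added example, not code from the Amazon KMS or Amazon CloudHSM documentation: it works on plain dictionaries shaped like the boto3 responses of `cloudhsmv2.describe_clusters()` and `kms.describe_custom_key_stores()`, so it runs offline. The cluster, HSM and key store IDs in the sample data are constructed placeholders, and the Region `cn-north-1` is used only as an illustration.

```python
"""Preflight check: can this Amazon CloudHSM cluster back a new CloudHSM key store?

Added example (not from the Amazon documentation). The sample responses
below are constructed with placeholder IDs; in practice you would pass
cloudhsmv2.describe_clusters()['Clusters'][i] and
kms.describe_custom_key_stores()['CustomKeyStores'] from boto3.
"""
from collections import Counter

# Constructed: a cluster that satisfies every documented requirement.
READY_CLUSTER = {
    "ClusterId": "cluster-EXAMPLE1",
    "State": "ACTIVE",
    "Hsms": [
        {"HsmId": "hsm-EXAMPLE1", "State": "ACTIVE", "AvailabilityZone": "cn-north-1a"},
        {"HsmId": "hsm-EXAMPLE2", "State": "ACTIVE", "AvailabilityZone": "cn-north-1b"},
    ],
}

# Constructed: only one HSM is ACTIVE so far, and the cluster is already in use.
ONE_HSM_CLUSTER = {
    "ClusterId": "cluster-EXAMPLE2",
    "State": "ACTIVE",
    "Hsms": [
        {"HsmId": "hsm-EXAMPLE3", "State": "ACTIVE", "AvailabilityZone": "cn-north-1a"},
        {"HsmId": "hsm-EXAMPLE4", "State": "CREATE_IN_PROGRESS", "AvailabilityZone": "cn-north-1b"},
    ],
}

# Constructed: key stores that already exist in the account and Region.
EXISTING_KEY_STORES = [
    {
        "CustomKeyStoreId": "cks-EXAMPLE1",
        "CustomKeyStoreName": "prod-hsm-store",
        "CloudHsmClusterId": "cluster-EXAMPLE2",
        "ConnectionState": "CONNECTED",
    },
]


def cluster_problems(cluster, region, existing_key_stores=()):
    """Return the reasons this cluster cannot back a new CloudHSM key store.

    An empty list means the cluster meets the documented requirements:
    ACTIVE (so initialized), in the key store's Region, not already
    associated with a key store, and holding at least two ACTIVE HSMs in
    different Availability Zones (required before KMS keys can be created).
    """
    problems = []

    if cluster.get("State") != "ACTIVE":
        problems.append(f"cluster state is {cluster.get('State')!r}, must be ACTIVE")

    active = [h for h in cluster.get("Hsms", []) if h.get("State") == "ACTIVE"]
    if len(active) < 2:
        problems.append(f"{len(active)} active HSM(s); creating KMS keys needs at least 2")

    # An HSM's AvailabilityZone is its Region name plus a zone suffix.
    zones = Counter(h["AvailabilityZone"] for h in active)
    if len(active) >= 2 and len(zones) < 2:
        problems.append("active HSMs are all in one Availability Zone")

    foreign = sorted({h["AvailabilityZone"] for h in cluster.get("Hsms", [])
                      if not h["AvailabilityZone"].startswith(region)})
    if foreign:
        problems.append(f"HSMs outside Region {region}: {', '.join(foreign)}")

    # A cluster can back only one key store. This check does not detect a
    # cluster that merely shares a backup history with an associated cluster;
    # Amazon KMS rejects that case when the key store is created.
    for store in existing_key_stores:
        if store.get("CloudHsmClusterId") == cluster.get("ClusterId"):
            problems.append(f"cluster already backs key store {store['CustomKeyStoreId']}")

    return problems


if __name__ == "__main__":
    for cluster in (READY_CLUSTER, ONE_HSM_CLUSTER):
        found = cluster_problems(cluster, "cn-north-1", EXISTING_KEY_STORES)
        print(cluster["ClusterId"], "ready" if not found else found)
```

Running the check against the first cluster reports no problems; against the second it reports the single active HSM and the existing association, which are exactly the two conditions that would otherwise surface only as errors from CreateCustomKeyStore or CreateKey.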

You specify the Amazon CloudHSM cluster when you create the Amazon CloudHSM key store, and you cannot change it. However, you can substitute any cluster that shares a backup history with the original cluster. This lets you delete the cluster, if necessary, and replace it with a cluster created from one of its backups. You retain full control of the associated Amazon CloudHSM cluster so you can manage users and keys, create and delete HSMs, and use and manage backups.

When you are ready to use your Amazon CloudHSM key store, you connect it to its associated Amazon CloudHSM cluster. You can connect and disconnect your custom key store at any time. When a custom key store is connected, you can create and use its KMS keys. When it is disconnected, you can view and manage the Amazon CloudHSM key store and its KMS keys. But you cannot create new KMS keys or use the KMS keys in the Amazon CloudHSM key store for cryptographic operations.

kmsuser Crypto user

To create and manage key material in the associated Amazon CloudHSM cluster on your behalf, Amazon KMS uses a dedicated Amazon CloudHSM crypto user (CU) in the cluster named kmsuser. The kmsuser CU is a standard CU account that is automatically synchronized to all HSMs in the cluster and is saved in cluster backups.

Before you create your Amazon CloudHSM key store, you create a kmsuser CU account in your Amazon CloudHSM cluster using the user create command in CloudHSM CLI. Then when you create the Amazon CloudHSM key store, you provide the kmsuser account password to Amazon KMS. When you connect the custom key store, Amazon KMS logs into the cluster as the kmsuser CU and rotates its password. Amazon KMS encrypts your kmsuser password before it stores it securely. When the password is rotated, the new password is encrypted and stored in the same way.

Amazon KMS remains logged in as kmsuser as long as the Amazon CloudHSM key store is connected. You should not use this CU account for other purposes. However, you retain ultimate control of the kmsuser CU account. At any time, you can find the keys that kmsuser owns. If necessary, you can disconnect the custom key store, change the kmsuser password, log into the cluster as kmsuser, and view and manage the keys that kmsuser owns.

For instructions on creating your kmsuser CU account, see Create the kmsuser Crypto User.

KMS keys in an Amazon CloudHSM key store

You can use the Amazon KMS console or the Amazon KMS API to create KMS keys in an Amazon CloudHSM key store. You use the same technique that you would use for any KMS key. The only difference is that you must identify the Amazon CloudHSM key store and specify that the origin of the key material is the Amazon CloudHSM cluster.

When you create a KMS key in an Amazon CloudHSM key store, Amazon KMS creates the KMS key in Amazon KMS and generates 256-bit, persistent, non-exportable Advanced Encryption Standard (AES) symmetric key material in the associated cluster. When you use the KMS key in a cryptographic operation, the operation is performed in the Amazon CloudHSM cluster using the cluster-based AES key. Although Amazon CloudHSM supports symmetric and asymmetric keys of different types, Amazon CloudHSM key stores support only AES symmetric encryption keys.

You can view the KMS keys in an Amazon CloudHSM key store in the Amazon KMS console, and use the console options to display the custom key store ID. You can also use the DescribeKey operation to find the Amazon CloudHSM key store ID and Amazon CloudHSM cluster ID.

The KMS keys in an Amazon CloudHSM key store work just like any KMS keys in Amazon KMS. Authorized users need the same permissions to use and manage the KMS keys. You use the same console procedures and API operations to view and manage the KMS keys in an Amazon CloudHSM key store. These include enabling and disabling KMS keys, creating and using tags and aliases, and setting and changing IAM and key policies. You can use the KMS keys in an Amazon CloudHSM key store for cryptographic operations, and use them with integrated Amazon services that support the use of customer managed keys. However, you cannot enable automatic key rotation or import key material into a KMS key in an Amazon CloudHSM key store.

You also use the same process to schedule deletion of a KMS key in an Amazon CloudHSM key store. After the waiting period expires, Amazon KMS deletes the KMS key from KMS. Then it makes a best effort to delete the key material for the KMS key from the associated Amazon CloudHSM cluster. However, you might need to manually delete the orphaned key material from the cluster and its backups.
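The DescribeKey metadata described above (Origin, CustomKeyStoreId and CloudHsmClusterId) and the key store connection state from the "Amazon CloudHSM cluster" section are enough to answer two routine operational questions: which KMS keys are currently unusable because their key store is disconnected or the key is not enabled, and which keys pending deletion will need a follow-up check for orphaned key material in the cluster and its backups. The following is an added example, not code from the Amazon KMS documentation; it runs offline on constructed dictionaries shaped like boto3's `kms.describe_key()['KeyMetadata']` and `kms.describe_custom_key_stores()['CustomKeyStores']`, and every key, key store and cluster ID in it is a placeholder.

```python
"""Inventory of KMS keys backed by Amazon CloudHSM key stores.

Added example (not from the Amazon documentation). All IDs below are
constructed placeholders; in practice the dictionaries come from
kms.describe_key()['KeyMetadata'] and
kms.describe_custom_key_stores()['CustomKeyStores'] via boto3.
"""
from datetime import datetime, timezone

# Constructed: two CloudHSM key stores, one of them currently disconnected.
KEY_STORES = [
    {"CustomKeyStoreId": "cks-EXAMPLE1", "CustomKeyStoreName": "hsm-store-a",
     "CloudHsmClusterId": "cluster-EXAMPLE1", "ConnectionState": "CONNECTED"},
    {"CustomKeyStoreId": "cks-EXAMPLE2", "CustomKeyStoreName": "hsm-store-b",
     "CloudHsmClusterId": "cluster-EXAMPLE2", "ConnectionState": "DISCONNECTED"},
]

# Constructed: three CloudHSM-backed keys and one ordinary KMS key.
KEYS = [
    {"KeyId": "key-EXAMPLE1", "KeyState": "Enabled", "Origin": "AWS_CLOUDHSM",
     "CustomKeyStoreId": "cks-EXAMPLE1", "CloudHsmClusterId": "cluster-EXAMPLE1"},
    {"KeyId": "key-EXAMPLE2", "KeyState": "PendingDeletion", "Origin": "AWS_CLOUDHSM",
     "CustomKeyStoreId": "cks-EXAMPLE1", "CloudHsmClusterId": "cluster-EXAMPLE1",
     "DeletionDate": datetime(2024, 1, 15, tzinfo=timezone.utc)},
    {"KeyId": "key-EXAMPLE3", "KeyState": "Enabled", "Origin": "AWS_CLOUDHSM",
     "CustomKeyStoreId": "cks-EXAMPLE2", "CloudHsmClusterId": "cluster-EXAMPLE2"},
    {"KeyId": "key-EXAMPLE4", "KeyState": "Enabled", "Origin": "AWS_KMS"},
]


def cloudhsm_keys(keys):
    """KMS keys whose key material lives in a CloudHSM cluster."""
    return [k for k in keys if k.get("Origin") == "AWS_CLOUDHSM"]


def keys_by_cluster(keys):
    """Map each CloudHSM cluster ID to the KMS key IDs whose material it holds."""
    out = {}
    for k in cloudhsm_keys(keys):
        out.setdefault(k["CloudHsmClusterId"], []).append(k["KeyId"])
    return out


def unusable_keys(keys, key_stores):
    """CloudHSM-backed keys that cannot perform cryptographic operations now.

    A key is unusable when it is not Enabled, or when its key store is in any
    connection state other than CONNECTED (a disconnected store blocks all
    cryptographic use of its keys). Returns {key_id: reason}.
    """
    state_by_store = {s["CustomKeyStoreId"]: s["ConnectionState"] for s in key_stores}
    result = {}
    for k in cloudhsm_keys(keys):
        store_state = state_by_store.get(k["CustomKeyStoreId"], "UNKNOWN")
        if k["KeyState"] != "Enabled":
            result[k["KeyId"]] = f"key state {k['KeyState']}"
        elif store_state != "CONNECTED":
            result[k["KeyId"]] = f"key store {k['CustomKeyStoreId']} is {store_state}"
    return result


def material_cleanup_followups(keys, now):
    """Keys scheduled for deletion whose HSM key material should be checked.

    After the waiting period, Amazon KMS deletes the key and makes a best
    effort to delete its material from the cluster; orphaned material may
    still need manual removal from the cluster and its backups. Each entry
    records whether the waiting period has already passed at `now`.
    """
    return [
        {"KeyId": k["KeyId"], "ClusterId": k["CloudHsmClusterId"],
         "DeletionDate": k["DeletionDate"], "WaitingPeriodOver": now >= k["DeletionDate"]}
        for k in cloudhsm_keys(keys) if k["KeyState"] == "PendingDeletion"
    ]


if __name__ == "__main__":
    print(keys_by_cluster(KEYS))
    print(unusable_keys(KEYS, KEY_STORES))
    print(material_cleanup_followups(KEYS, datetime.now(timezone.utc)))
```

With the constructed data, `key-EXAMPLE2` is reported as unusable because it is pending deletion and `key-EXAMPLE3` because its key store is disconnected; the ordinary `AWS_KMS`-origin key is ignored throughout, since the cleanup and connection-state concerns apply only to CloudHSM-backed keys.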