Amazon CloudHSM key stores - Amazon Key Management Service
Services or capabilities described in Amazon Web Services documentation might vary by Region. To see the differences applicable to the China Regions, see Getting Started with Amazon Web Services in China (PDF).

Amazon CloudHSM key stores

An Amazon CloudHSM key store is a custom key store backed by a Amazon CloudHSM cluster. When you create an Amazon KMS key in a custom key store, Amazon KMS generates and stores non-extractable key material for the KMS key in an Amazon CloudHSM cluster that you own and manage. When you use a KMS key in a custom key store, the cryptographic operations are performed in the HSMs in the cluster. This feature combines the convenience and widespread integration of Amazon KMS with the added control of an Amazon CloudHSM cluster in your Amazon Web Services account.

Amazon KMS provides full console and API support for creating, using, and managing your custom key stores. You can use the KMS keys in your custom key store the same way that you use any KMS key. For example, you can use the KMS keys to generate data keys and encrypt data. You can also use the KMS keys in your custom key store with Amazon services that support customer managed keys.

Do I need a custom key store?

For most users, the default Amazon KMS key store, which is protected by FIPS 140-2 validated cryptographic modules, fulfills their security requirements. There is no need to add an extra layer of maintenance responsibility or a dependency on an additional service.

However, you might consider creating a custom key store if your organization has any of the following requirements:

  • You have keys that are explicitly required to be protected in a single tenant HSM or in an HSM that you have direct control over.

  • You need the ability to immediately remove key material from Amazon KMS.

  • You need to be able to audit all use of your keys independently of Amazon KMS or Amazon CloudTrail.

How do custom key stores work?

Each custom key store is associated with an Amazon CloudHSM cluster in your Amazon Web Services account. When you connect the custom key store to its cluster, Amazon KMS creates the network infrastructure to support the connection. Then it logs into the key Amazon CloudHSM client in the cluster using the credentials of a dedicated crypto user in the cluster.

You create and manage your custom key stores in Amazon KMS and create and manage your HSM clusters in Amazon CloudHSM. When you create Amazon KMS keys in an Amazon KMS custom key store, you view and manage the KMS keys in Amazon KMS. But you can also view and manage their key material in Amazon CloudHSM, just as you would do for other keys in the cluster.

Managing KMS keys in a custom key store

You can create symmetric encryption KMS keys with key material generated by Amazon KMS in your custom key store. Then use the same techniques to view and manage the KMS keys in your custom key store that you use for KMS keys in the Amazon KMS key store. You can control access with IAM and key policies, create tags and aliases, enable and disable the KMS keys, and schedule key deletion. You can use the KMS keys for cryptographic operations and use them with Amazon services that integrate with Amazon KMS.

In addition, you have full control over the Amazon CloudHSM cluster, including creating and deleting HSMs and managing backups. You can use the Amazon CloudHSM client and supported software libraries to view, audit, and manage the key material for your KMS keys. While the custom key store is disconnected, Amazon KMS cannot access it, and users cannot use the KMS keys in the custom key store for cryptographic operations. This added layer of control makes custom key stores a powerful solution for organizations that require it.

Where do I start?

To create and manage an Amazon CloudHSM key store, you use features of Amazon KMS and Amazon CloudHSM.

  1. Start in Amazon CloudHSM. Create an active Amazon CloudHSM cluster or select an existing cluster. The cluster must have at least two active HSMs in different Availability Zones. Then create a dedicated crypto user (CU) account in that cluster for Amazon KMS.

  2. In Amazon KMS, create a custom key store that is associated with your selected Amazon CloudHSM cluster. Amazon KMS provides a complete management interface that lets you create, view, edit, and delete your custom key stores.

  3. When you're ready to use your custom key store, connect it to its associated Amazon CloudHSM cluster. Amazon KMS creates the network infrastructure that it needs to support the connection. It then logs in to the cluster using the dedicated crypto user account credentials so it can generate and manage key material in the cluster.

  4. Now, you can create symmetric encryption KMS keys in your custom key store. Just specify the custom key store when you create the KMS key.

If you get stuck at any point, you can find help in the Troubleshooting a custom key store topic. If your question is not answered, use the feedback link at the bottom of each page of this guide or post a question on the Amazon Key Management Service Discussion Forum.


Amazon KMS allows up to 10 custom key stores in each Amazon Web Services account and Region, including both Amazon CloudHSM key stores and external key stores, regardless of their connection state. In addition, there are Amazon KMS request quotas on the use of KMS keys in an Amazon CloudHSM key store.


For information on the cost of Amazon KMS custom key stores and customer managed keys in a custom key store, see Amazon Key Management Service pricing. For information about the cost of Amazon CloudHSM clusters and HSMs, see Amazon CloudHSM Pricing.


Amazon KMS supports Amazon CloudHSM key stores in all Amazon Web Services Regions where Amazon KMS is supported, except for Asia Pacific (Melbourne), China (Beijing), China (Ningxia), and Europe (Spain).

Unsupported features

Amazon KMS does not support the following features in custom key stores.