KMS keys in a CloudHSM key store
You can create, view, manage, use, and schedule deletion of the Amazon KMS keys in an Amazon CloudHSM key store. The procedures that you use are very similar to those you use for other KMS keys. The only difference is that you specify an Amazon CloudHSM key store when you create the KMS key. Then, Amazon KMS creates non-extractable key material for the KMS key in the Amazon CloudHSM cluster that is associated with the Amazon CloudHSM key store. When you use a KMS key in an Amazon CloudHSM key store, the cryptographic operations are performed in the HSMs in the cluster.
Supported features

In addition to the procedures discussed in this section, you can do the following with KMS keys in an Amazon CloudHSM key store:

- Use key policies, IAM policies, and grants to authorize access to the KMS keys.
- Enable and disable the KMS keys.
- Assign tags and create aliases, and use attribute-based access control (ABAC) to authorize access to the KMS keys.
- Use the KMS keys to perform the following cryptographic operations:
  The operations that generate asymmetric data key pairs, GenerateDataKeyPair and GenerateDataKeyPairWithoutPlaintext, are not supported in custom key stores.
- Use the KMS keys with Amazon services that integrate with Amazon KMS and support customer managed keys.
- Track use of your KMS keys in Amazon CloudTrail logs and Amazon CloudWatch monitoring tools.
Unsupported features

- Amazon CloudHSM key stores support only symmetric encryption KMS keys. You cannot create HMAC KMS keys, asymmetric KMS keys, or asymmetric data key pairs in an Amazon CloudHSM key store.
- You cannot import key material into a KMS key in an Amazon CloudHSM key store. Amazon KMS generates the key material for the KMS key in the Amazon CloudHSM cluster.
- You cannot enable or disable automatic rotation of the key material for a KMS key in an Amazon CloudHSM key store.
Using KMS keys in an Amazon CloudHSM key store

When you use your KMS key in a request, identify the KMS key by its ID or alias; you do not need to specify the Amazon CloudHSM key store or Amazon CloudHSM cluster. The response includes the same fields that are returned for any symmetric encryption KMS key.
However, when you use a KMS key in an Amazon CloudHSM key store, the cryptographic operation is performed entirely within the Amazon CloudHSM cluster that is associated with the Amazon CloudHSM key store. The operation uses the key material in the cluster that is associated with the KMS key that you chose.
To make this possible, the following conditions are required.

- The key state of the KMS key must be Enabled. To find the key state, use the Status field in the Amazon KMS console or the KeyState field in the DescribeKey response.
- The Amazon CloudHSM key store must be connected to its Amazon CloudHSM cluster. Its Status in the Amazon KMS console or ConnectionState in the DescribeCustomKeyStores response must be CONNECTED.
- The Amazon CloudHSM cluster that is associated with the custom key store must contain at least one active HSM. To find the number of active HSMs in the cluster, use the Amazon KMS console, the Amazon CloudHSM console, or the DescribeClusters operation.
- The Amazon CloudHSM cluster must contain the key material for the KMS key. If the key material was deleted from the cluster, or an HSM was created from a backup that did not include the key material, the cryptographic operation will fail.
If these conditions are not met, the cryptographic operation fails, and Amazon KMS returns a KMSInvalidStateException exception. Typically, you just need to reconnect the Amazon CloudHSM key store. For additional help, see How to fix a failing KMS key.

When using the KMS keys in an Amazon CloudHSM key store, be aware that the KMS keys in each Amazon CloudHSM key store share a custom key store request quota for cryptographic operations. If you exceed the quota, Amazon KMS returns a ThrottlingException. If the Amazon CloudHSM cluster that is associated with the Amazon CloudHSM key store is processing numerous commands, including those unrelated to the Amazon CloudHSM key store, you might get a ThrottlingException at an even lower rate. If you get a ThrottlingException for any request, lower your request rate and try the commands again. For details about the custom key store request quota, see Custom key store request quotas.
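The conditions above can be checked before a workload depends on the key, so that a KMSInvalidStateException is diagnosed from the API fields rather than discovered at call time. The following is an added example, not part of the Amazon documentation: it evaluates the KeyState, ConnectionState and active-HSM conditions over the DescribeKey, DescribeCustomKeyStores and DescribeClusters response shapes, using constructed sample responses with placeholder IDs; fetch_and_check assumes boto3 clients are available and is not exercised offline.

```python
"""Readiness check for a KMS key in a CloudHSM key store (added example).
Pure logic over the API response shapes, so it runs offline on the constructed
samples below; fetch_and_check shows the boto3 wiring for live use."""


def key_store_readiness(describe_key, describe_custom_key_stores, describe_clusters):
    """Return the reasons a cryptographic operation would fail; [] means ready.
    Checks KeyState Enabled, key store CONNECTED, and >= 1 ACTIVE HSM. Presence
    of the key material in the cluster is not visible here and is not checked."""
    problems = []
    meta = describe_key["KeyMetadata"]
    if meta.get("KeyState") != "Enabled":
        problems.append(f"KeyState is {meta.get('KeyState')!r}, expected 'Enabled'")
    store_id = meta.get("CustomKeyStoreId")
    if store_id is None:
        return problems + ["KMS key is not in a custom key store"]
    stores = {s["CustomKeyStoreId"]: s for s in describe_custom_key_stores["CustomKeyStores"]}
    store = stores.get(store_id)
    if store is None:
        return problems + [f"custom key store {store_id} not found"]
    if store.get("ConnectionState") != "CONNECTED":
        err = store.get("ConnectionErrorCode")  # set by KMS when connection failed
        problems.append(f"ConnectionState is {store.get('ConnectionState')!r}"
                        + (f" ({err})" if err else "") + "; reconnect the key store")
    cluster_id = store.get("CloudHsmClusterId")
    clusters = {c["ClusterId"]: c for c in describe_clusters.get("Clusters", [])}
    hsms = clusters.get(cluster_id, {}).get("Hsms", [])
    if sum(1 for h in hsms if h.get("State") == "ACTIVE") < 1:
        problems.append(f"cluster {cluster_id} has no active HSM")
    return problems


def fetch_and_check(kms, cloudhsmv2, key_id):
    """Live variant: kms and cloudhsmv2 are boto3 clients (assumed by this example)."""
    key = kms.describe_key(KeyId=key_id)
    store_id = key["KeyMetadata"].get("CustomKeyStoreId")
    stores = kms.describe_custom_key_stores(CustomKeyStoreId=store_id) if store_id else {"CustomKeyStores": []}
    cluster_id = key["KeyMetadata"].get("CloudHsmClusterId")
    clusters = cloudhsmv2.describe_clusters(Filters={"clusterIds": [cluster_id]}) if cluster_id else {"Clusters": []}
    return key_store_readiness(key, stores, clusters)


# Constructed sample responses with placeholder IDs (not real resources).
SAMPLE_KEY = {"KeyMetadata": {"KeyId": "1234abcd-EXAMPLE", "KeyState": "Enabled",
              "CustomKeyStoreId": "cks-EXAMPLE", "CloudHsmClusterId": "cluster-EXAMPLE"}}
SAMPLE_STORES = {"CustomKeyStores": [{"CustomKeyStoreId": "cks-EXAMPLE",
                 "CloudHsmClusterId": "cluster-EXAMPLE", "ConnectionState": "CONNECTED"}]}
SAMPLE_CLUSTERS = {"Clusters": [{"ClusterId": "cluster-EXAMPLE",
                   "Hsms": [{"HsmId": "hsm-EXAMPLE", "State": "ACTIVE"}]}]}
```

A non-empty result maps directly to the condition that needs fixing (re-enable the key, reconnect the key store, or restore an active HSM); a ThrottlingException is a separate rate-limit signal and is not covered by this check.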
Learn more

- To learn more about Amazon CloudHSM key stores, see Amazon CloudHSM key stores.
- To create KMS keys in an Amazon CloudHSM key store, see Create a KMS key in an Amazon CloudHSM key store.
- To identify and view KMS keys in an Amazon CloudHSM key store, see Identify KMS keys in Amazon CloudHSM key stores.
- To find KMS keys and key material in an Amazon CloudHSM key store, see Find KMS keys and key material in an Amazon CloudHSM key store.
- To learn about special considerations for deleting KMS keys in an Amazon CloudHSM key store, see Deleting KMS keys from an Amazon CloudHSM key store.