CloudHSM vs KMS

CloudHSM

  • CloudHSM provides you with a FIPS 140-2 Level 3 overall validated single-tenant HSM cluster in your VPC to store and use your keys.

  • You have exclusive control over how your keys are used via an authentication mechanism independent from AWS.

  • You can use CloudHSM to support a variety of use cases, such as DRM, PKI, document signing, and cryptographic functions using PKCS#11, Java JCE, or Microsoft CNG interfaces.

  • With CloudHSM, you pay by the hour with no long-term commitments or upfront payments.

    • 1 CloudHSM for 730 hours (the hours in a month) x 1.45 USD per hour costs 1,058.50 USD per month.

KMS

  • KMS allows you to create and control the encryption keys used by your applications and supported AWS services in multiple regions around the world from a single console.

  • The service uses FIPS HSMs that have been validated under FIPS 140-2, or are in the process of being validated, to protect the security of your keys.

  • Centralized management of all your keys in AWS KMS lets you enforce who can use your keys under which conditions, when they get rotated, and who can manage them.

  • KMS integration with CloudTrail gives you the ability to audit the use of your keys to support your regulatory and compliance activities.

  • Each CMK that you create in KMS costs $1/month until you delete it, regardless of where the underlying key material was generated.
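As an added example of the CloudTrail-based auditing described above (not code from the original page or from AWS), the following Python filter walks a handful of constructed CloudTrail records for one KMS key and flags key-usage calls from principals outside an expected allowlist, plus any denied calls. The key ARN, account id, role names and events are all constructed placeholders; field names follow the CloudTrail record format.

```python
import json

# Constructed sample data (not real log records). The ARN, account id and
# principals are placeholders chosen for this example.
KEY_ARN = "arn:aws:kms:us-east-1:111122223333:key/00000000-0000-0000-0000-000000000000"
EXPECTED_PRINCIPALS = {
    "arn:aws:sts::111122223333:assumed-role/payments-app/i-0abc",
}
# Operations that actually use the key material; the key policy should limit
# these to a small, known set of callers.
USAGE_ACTIONS = {"Decrypt", "Encrypt", "GenerateDataKey", "ReEncrypt"}

SAMPLE_EVENTS = [
    {"eventSource": "kms.amazonaws.com", "eventName": "Decrypt",
     "userIdentity": {"arn": "arn:aws:sts::111122223333:assumed-role/payments-app/i-0abc"},
     "resources": [{"ARN": KEY_ARN}],
     "requestParameters": {"encryptionContext": {"app": "payments"}}},
    {"eventSource": "kms.amazonaws.com", "eventName": "Decrypt",
     "userIdentity": {"arn": "arn:aws:iam::111122223333:user/contractor"},
     "resources": [{"ARN": KEY_ARN}],
     "requestParameters": {"encryptionContext": {"app": "payments"}}},
    {"eventSource": "kms.amazonaws.com", "eventName": "GenerateDataKey",
     "userIdentity": {"arn": "arn:aws:sts::111122223333:assumed-role/batch-job/i-0def"},
     "resources": [{"ARN": KEY_ARN}],
     "errorCode": "AccessDenied",
     "errorMessage": "not authorized to perform: kms:GenerateDataKey"},
    {"eventSource": "s3.amazonaws.com", "eventName": "GetObject",
     "userIdentity": {"arn": "arn:aws:iam::111122223333:user/contractor"},
     "resources": [{"ARN": "arn:aws:s3:::example-bucket/obj"}]},
]

def audit_key_usage(events, key_arn, expected_principals):
    """Return (finding, action, principal) tuples for calls against key_arn.

    UNEXPECTED_PRINCIPAL: a usage action succeeded from a caller not on the
    allowlist, i.e. the key policy is broader than intended.
    DENIED: the call failed, i.e. a policy condition fired and the caller is
    worth a look."""
    findings = []
    for ev in events:
        if ev.get("eventSource") != "kms.amazonaws.com":
            continue
        if not any(r.get("ARN") == key_arn for r in ev.get("resources", [])):
            continue
        action = ev.get("eventName")
        principal = ev.get("userIdentity", {}).get("arn", "<unknown>")
        if "errorCode" in ev:
            findings.append(("DENIED", action, principal))
        elif action in USAGE_ACTIONS and principal not in expected_principals:
            findings.append(("UNEXPECTED_PRINCIPAL", action, principal))
    return findings

if __name__ == "__main__":
    for kind, action, principal in audit_key_usage(SAMPLE_EVENTS, KEY_ARN, EXPECTED_PRINCIPALS):
        print(json.dumps({"finding": kind, "action": action, "principal": principal}))
```

In practice the events would come from the CloudTrail log files delivered to S3 or from CloudTrail Lake, one JSON record per call, rather than from an inline list.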
