CloudHSM vs KMS
CloudHSM
CloudHSM provides you with a FIPS 140-2 Level 3 (overall) validated, single-tenant HSM cluster in your VPC, in which you store and use your keys.
You have exclusive control over how your keys are used via an authentication mechanism independent from AWS.
You can use CloudHSM to support a variety of use cases, such as DRM, PKI, document signing, and cryptographic functions using PKCS#11, Java JCE, or Microsoft CNG interfaces.
With CloudHSM, you pay by the hour with no long-term commitments or upfront payments.
One CloudHSM for 730 hours (the hours in a month) at 1.45 USD per hour costs 1,058.50 USD per month.
KMS
KMS allows you to create and control the encryption keys used by your applications and supported AWS services in multiple regions around the world from a single console.
The service uses FIPS HSMs that have been validated under FIPS 140-2, or are in the process of being validated, to protect the security of your keys.
Centralized management of all your keys in AWS KMS lets you enforce who can use your keys under which conditions, when they get rotated, and who can manage them.
KMS integration with CloudTrail gives you the ability to audit the use of your keys to support your regulatory and compliance activities.
Each CMK that you create in KMS costs $1/month until you delete it, regardless of where the underlying key material was generated.
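As an added example (not from this page), the following Python check applies the two KMS points above to CloudTrail records: enforcing who may use the key under which conditions and who may manage it, and auditing that usage from the trail. It assumes one application role may call data-key operations only with a fixed encryption context and a separate admin role may run key-management operations; the key ARN, role ARNs, context and the log records are constructed placeholders, laid out like CloudTrail's KMS events (eventSource, eventName, userIdentity.arn, requestParameters.encryptionContext, resources[].ARN).

```python
# Added example: flag KMS usage and management events in CloudTrail that fall
# outside a key's intended use. ARNs, roles and records are constructed placeholders.
KEY_ARN = "arn:aws:kms:us-east-1:111122223333:key/EXAMPLE-KEY-ID"
APP_ROLE = "arn:aws:iam::111122223333:role/PaymentsAppRole"   # may use the key
ADMIN_ROLE = "arn:aws:iam::111122223333:role/KeyAdminRole"    # may manage the key
REQUIRED_CONTEXT = {"app": "payments"}  # context every data-key call must carry
USAGE_OPS = {"Encrypt", "Decrypt", "ReEncrypt", "GenerateDataKey",
             "GenerateDataKeyWithoutPlaintext"}
ADMIN_OPS = {"PutKeyPolicy", "DisableKey", "ScheduleKeyDeletion",
             "EnableKeyRotation", "DisableKeyRotation"}

def _rec(event_id, name, actor, ctx=None, source="kms.amazonaws.com"):
    """Build a minimal CloudTrail-shaped record (constructed sample data)."""
    params = {"encryptionContext": ctx} if ctx is not None else {}
    return {"eventID": event_id, "eventSource": source, "eventName": name,
            "userIdentity": {"arn": actor}, "requestParameters": params,
            "resources": [{"ARN": KEY_ARN}]}

SAMPLE_RECORDS = [
    _rec("evt-1", "Decrypt", APP_ROLE, {"app": "payments"}),                    # as designed
    _rec("evt-2", "Decrypt", "arn:aws:iam::111122223333:user/contractor", {}),  # wrong caller, no context
    _rec("evt-3", "GenerateDataKey", APP_ROLE, {"app": "reports"}),             # right caller, wrong context
    _rec("evt-4", "ScheduleKeyDeletion", APP_ROLE),                             # app role managing the key
    _rec("evt-5", "EnableKeyRotation", ADMIN_ROLE),                             # legitimate admin action
    _rec("evt-6", "GetObject", APP_ROLE, source="s3.amazonaws.com"),            # not a KMS event, ignored
]

def audit_kms_events(records, key_arn=KEY_ARN):
    """Return (eventID, reason) pairs for events that violate the key's intended use."""
    findings = []
    for rec in records:
        if rec.get("eventSource") != "kms.amazonaws.com":
            continue
        if key_arn not in {r.get("ARN") for r in rec.get("resources", [])}:
            continue  # call was against a different key
        actor = rec.get("userIdentity", {}).get("arn", "<unknown>")
        name = rec.get("eventName")
        if name in USAGE_OPS:
            if actor != APP_ROLE:
                findings.append((rec["eventID"], f"key used by unexpected principal {actor}"))
            ctx = rec.get("requestParameters", {}).get("encryptionContext") or {}
            if any(ctx.get(k) != v for k, v in REQUIRED_CONTEXT.items()):
                findings.append((rec["eventID"], f"missing or wrong encryption context {ctx}"))
        elif name in ADMIN_OPS and actor != ADMIN_ROLE:
            findings.append((rec["eventID"], f"key-management call by non-admin {actor}"))
    return findings
```

Calling `audit_kms_events(SAMPLE_RECORDS)` yields four findings: two for evt-2, one each for evt-3 and evt-4; the same rules are what a KMS key policy with separate admin and usage statements and an encryption-context condition would enforce before the call ever reached the key.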