AWS has been rapidly expanding their security and encryption offerings. As we integrate our key management platform with AWS, I’ve spent considerable time understanding AWS Key Management Service (KMS) and CloudHSM. These services represent two different approaches to cloud encryption, each with distinct trade-offs. Let me break down what I’ve learned.
AWS KMS: Managed Encryption at Scale
AWS KMS is a managed service that handles key generation, storage, and cryptographic operations. You create a Customer Master Key (CMK) through the AWS console or API, and then use that key to encrypt data or generate data keys for envelope encryption.
The beauty of KMS is its integration with other AWS services. Want to encrypt an S3 bucket? Just specify a KMS key in the bucket configuration, and S3 handles encryption/decryption transparently. Same with EBS volumes, RDS databases, and many other services. KMS makes encryption almost trivial to implement.
From a security perspective, KMS uses FIPS 140-2 validated hardware security modules. Your keys are generated and stored in HSMs, never leaving them in plaintext. AWS handles all the operational overhead: HSM maintenance, firmware updates, key replication for high availability.
The pricing model is straightforward: you pay per key per month, plus per-request fees for cryptographic operations. For most workloads, this is quite economical. A key costs $1/month, and cryptographic operations are a few cents per 10,000 requests.
The KMS Trust Model
Here’s the critical question: do you trust AWS with your keys? When you use KMS, AWS operates the HSMs that protect your keys. AWS employees could theoretically access your keys, though they claim to have controls preventing this.
For many workloads, this trust model is acceptable. AWS has strong security practices, compliance certifications, and a business model that depends on customer trust. The operational benefits of managed encryption often outweigh theoretical trust concerns.
But for highly regulated industries or particularly sensitive data, some organizations can’t accept this trust model. Banking regulations might require that the organization maintain exclusive control over cryptographic keys. This is where CloudHSM comes in.
CloudHSM: Dedicated HSM Instances
AWS CloudHSM provides dedicated HSM devices in AWS data centers, but you control them exclusively. AWS provisions the hardware and ensures it’s connected to your VPC, but they don’t have the credentials to access it. You initialize the HSM, set authentication credentials, and manage keys entirely yourself.
CloudHSM uses SafeNet Luna HSMs, the same hardware we use on-premises at Thales. This is actually quite convenient for us - we can use the same PKCS#11 libraries and integration patterns whether targeting on-premises HSMs or CloudHSM.
The trust model is fundamentally different from KMS. With CloudHSM, only you have the credentials to access cryptographic operations. AWS can’t access your keys even if compelled by legal process (they could only hand over the physical device, which is designed to zeroize if tampered with).
CloudHSM Challenges
Greater control comes with greater responsibility. With CloudHSM, you’re managing HSM operations yourself. This includes:
- Initializing the HSM with security officer credentials
- Managing crypto officer credentials for key operations
- Implementing high availability through HSM clustering
- Handling firmware updates and patches
- Monitoring HSM health and performance
- Backing up key material securely
We’ve built automation around these operations, but it’s still significantly more complex than using KMS. You need people who understand HSM operations, not just how to call an API.
CloudHSM is also more expensive. Each HSM costs around $1.50/hour (about $1,000/month), and you typically need at least two for high availability. Compared to KMS’s $1/month per key, CloudHSM makes sense only when you have specific compliance requirements or a high volume of cryptographic operations.
Performance Characteristics
KMS is a regional service accessed over HTTPS APIs. Each cryptographic operation requires an API call, which introduces latency. For high-performance applications, this can be a bottleneck. We’ve measured KMS operation latency at 10-20ms in the same region.
CloudHSM offers lower latency because it’s in your VPC. You access it using PKCS#11 libraries over private network connections. Latency for CloudHSM operations is typically under 5ms. For applications performing thousands of cryptographic operations per second, this difference matters.
Both services support envelope encryption patterns where the HSM/KMS only encrypts data keys, not data itself. This is essential for high-throughput applications. But even with envelope encryption, you need to decrypt data keys periodically, and KMS latency can add up.
Integration Patterns
We’re building our platform to support both KMS and CloudHSM as key storage backends. This gives customers choice based on their specific requirements.
For KMS integration, we use the AWS SDK to call KMS APIs. The SDK handles authentication using IAM roles, retries on transient failures, and connection pooling. It’s relatively straightforward, though we’ve added caching layers to reduce KMS calls and latency.
CloudHSM integration uses PKCS#11 libraries, the same interface we use for on-premises HSMs. This code path is more complex because we’re managing lower-level details: connection pooling, session management, error handling for HSM-specific error codes.
One interesting challenge is cross-region operation. KMS keys are regional - a key created in us-east-1 can’t be used in eu-west-1. For global applications, you need keys in multiple regions or accept cross-region latency. CloudHSM has the same regional constraint, but you can cluster HSMs across regions using VPC peering.
Key Rotation
Both services support key rotation, but with different approaches. KMS provides automatic key rotation where AWS generates a new cryptographic key annually while maintaining the same CMK identifier. Old key versions are retained to decrypt data encrypted with them, but new encryptions use the current version.
This is elegant from a operational perspective - key rotation happens without application changes. But you’re trusting AWS to implement rotation correctly and securely manage key versions.
With CloudHSM, key rotation is your responsibility. You generate new keys, update applications to use them, and manage the transition period when old keys are still needed for decryption. It’s more work, but some compliance requirements mandate this level of control over key lifecycle.
Audit and Compliance
Both KMS and CloudHSM integrate with AWS CloudTrail for audit logging. Every key operation - encryption, decryption, key generation, key deletion - is logged with details about who made the request, when, and from where.
This audit capability is critical for compliance. We can demonstrate to auditors exactly when a particular key was used to decrypt sensitive data, who authorized the operation, and what application made the request.
CloudHSM provides additional audit capabilities through the HSM’s own logging. This provides defense-in-depth: even if CloudTrail logs were somehow compromised, the HSM maintains its own record of cryptographic operations.
When to Use Each Service
After integrating with both, here’s my recommendation:
Use KMS when:
- You want minimal operational overhead
- AWS’s trust model is acceptable for your compliance requirements
- Cost is a significant factor
- You need tight integration with other AWS services
- You’re encrypting data at rest in AWS services
Use CloudHSM when:
- Regulations require exclusive control over cryptographic keys
- You need high-performance cryptographic operations (thousands per second)
- You want to use the same HSM technology on-premises and in cloud
- You have HSM expertise in your organization
- You’re implementing complex cryptographic workflows beyond basic encryption/decryption
Multi-Cloud Considerations
An interesting challenge we’re tackling is multi-cloud key management. How do you provide consistent key management across AWS KMS, Azure Key Vault, and on-premises HSMs?
Our approach is building an abstraction layer that presents a unified API regardless of backend. Applications request key operations through our API, and we route to the appropriate backend (KMS, CloudHSM, on-premises HSM) based on policy and configuration.
This allows customers to start with KMS for convenience and migrate to CloudHSM or on-premises HSMs as requirements evolve, without changing application code.
Looking Ahead
AWS continues to expand KMS capabilities. They recently added support for importing your own key material, which provides some middle ground between fully managed KMS and dedicated CloudHSM.
I’m also watching AWS’s work on encryption contexts and grants, which enable fine-grained access control for encryption operations. These features are making KMS increasingly capable for enterprise use cases.
Key Takeaways
For teams evaluating AWS encryption options:
- Start with KMS unless you have specific requirements for CloudHSM
- Understand your compliance requirements before committing to either approach
- Use envelope encryption to minimize direct HSM/KMS operations
- Implement comprehensive CloudTrail logging for both services
- Plan for multi-region deployments from the start
- Consider total cost of ownership, including operational complexity, not just service pricing
AWS’s encryption offerings are maturing rapidly. Whether you choose KMS or CloudHSM, you can build secure cloud applications with proper key management. The key (pun intended) is understanding the trade-offs and choosing the approach that aligns with your specific security, compliance, and operational requirements.