2 Top AWS Encryption Services: Key, CloudHSM

Here’re top AWS encryption servces KMS Vs. CloudHSM. Explained each service for your quick reference.


  1. 2 AWS Encryption Services
  2. AWS kms: Key Managed Service
  3. AWS CloudHSM

Managed Vs. Third Party Service

  • Managed services are the practice of outsourcing the responsibility for maintaining, and anticipating the need for, a range of processes and functions in order to improve operations and cut expenses.
  • It is an alternative to the break/fix or on-demand outsourcing model where the service provider performs on-demand services and bills the customer only for the work done.

2 AWS Encryption Services

  1. KMS (Key Managed Service & Managed by AWS)
  2. CloudHSM (Managed by third party not AWS)

AWS kms: Key Managed Service

It’s AWS managed service that makes it easy to create and manage encryption keys to encrypt your data across a wide range of AWS services and in your applications.

As a secure, resilient service, AWS KMS uses FIPS 140-2 validated cryptographic modules, known as a hardware security module (HSM), to protect your master keys.

The Federal Information Processing Standards (FIPS) is responsible for defining security requirements for cryptographic modules.

AWS Key Management Features

  • Centralized key management
  • Integration with other AWS services
  • Audit capabilities
  • High availability
  • Custom key store
  • Compliance
  • It supports both Symmetric & Asymmetric encryption


AWS CloudHSM is third party service. It’s validated FIPS 140-2, level-three HSM. The HSM is a computing device that provides a dedicated infrastructure to support cryptographic operations.

Symmetric Encryption.
Use one Key for Symmetric encryption

CloudHSM supports encryption for your application while running in your own Amazon Virtual Private Cloud (Amazon VPC).

The Amazon Elastic Compute Cloud (Amazon EC2) instances can access the CloudHSM device quickly while isolating them from other networks.

Asymmetric Encryption.
Use two Keys for Asymmetric encryption

CloudHSM provides both asymmetric and symmetric encryption capabilities. Additionally, you can use the CloudHSM software libraries to integrate applications with HSMs in your cluster.

The libraries include PKCS #11, Sun Java JCE (Java Cryptography Extension), and Cryptography API: Next Generation (CNG) providers for Microsoft. By using these libraries, you can perform cryptographic operations on the HSMs.

Related Posts

Author: Srini

Experienced software developer. Skills in Development, Coding, Testing and Debugging. Good Data analytic skills (Data Warehousing and BI). Also skills in Mainframe.