Related: KMS
FIPS 140-2 Level 3 validated, a higher assurance level than KMS.
- AWS has no access to the physical module where keys are stored, and the device is single-tenant, not shared as with KMS. Tamper-resistant hardware.
- Industry-standard APIs: PKCS#11, Java Cryptography Extension (JCE), and Microsoft Cryptography API: Next Generation (CNG) libraries.
- Limited integration with other AWS services. No SSE-S3.
- KMS can use a CloudHSM cluster as a custom key store; this is how CloudHSM integrates with KMS.
A single HSM is not highly available. For HA, deploy HSMs across multiple AZs and configure them as a cluster.
Use-cases
[Image: CloudHSM use-cases diagram]