Cloud HSM & KMS Services

Cloud HSM

Cloud HSM is a dedicated hardware security module (HSM) used to generate, store and manage cryptographic keys for data encryption, to a level of assurance accepted by government organizations.

CloudHSM can be deployed as a cluster of up to 32 individual HSMs spread across multiple availability zones. Keys are automatically synchronised and load balanced between the nodes in the cluster.

The CloudHSM cluster must be placed in a VPC in order to benefit from the additional layer of network isolation and security. Within the VPC, you configure a client on your EC2 instances that lets applications use the HSM cluster over a secure, authenticated network connection.

That said, the application does not have to reside in the same VPC, but it must have network connectivity to every HSM in the cluster, which can be achieved through VPC peering, VPN connectivity or AWS Direct Connect. In some use cases it is also possible to sync keys between your AWS HSMs and on-premises HSMs.

CloudHSM integrates with Oracle DB, SQL Server, Apache and NGINX with relative ease, because those products already provide HSM compatibility.

You should use CloudHSM instead of AWS KMS if you need your cryptographic keys under your exclusive control. This is because CloudHSM is a single-tenant platform, whereas KMS is multi-tenant.

CloudHSM achieves FIPS 140-2 compliance.

Key Management Service (KMS)

KMS is a highly available key storage service which enables you to easily create, use, protect, manage and audit your encryption keys.

From a management perspective, KMS enables you to temporarily disable keys, delete old keys and audit the use of the keys via CloudTrail. You can create new encryption keys through the service or you can import your existing encryption keys.

You can define IAM users & roles that can manage keys and that can encrypt or decrypt data.
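The separation described above (administrators who manage the key, users who encrypt and decrypt with it) is expressed in the key policy. The following is an added example, not AWS documentation or code from this page: it builds a constructed two-role key policy and checks that no principal is granted both key-management and key-use permissions. The account id and role names are placeholders; the checker only looks at Allow statements and ignores Deny statements and conditions.

```python
import fnmatch

# Constructed key policy (placeholder ARNs): KeyAdmin manages the key but
# cannot use it, AppServer uses the key but cannot disable, delete or
# re-permission it. Action names are real AWS KMS actions.
KEY_POLICY = {
    "Version": "2012-10-17",
    "Id": "example-separation-of-duties",
    "Statement": [
        {"Sid": "AllowKeyAdministration", "Effect": "Allow",
         "Principal": {"AWS": "arn:aws:iam::111122223333:role/KeyAdmin"},
         "Action": ["kms:Create*", "kms:Describe*", "kms:Enable*", "kms:List*",
                    "kms:Put*", "kms:Update*", "kms:Revoke*", "kms:Disable*",
                    "kms:Get*", "kms:Delete*", "kms:ScheduleKeyDeletion",
                    "kms:CancelKeyDeletion"],
         "Resource": "*"},
        {"Sid": "AllowKeyUse", "Effect": "Allow",
         "Principal": {"AWS": "arn:aws:iam::111122223333:role/AppServer"},
         "Action": ["kms:Encrypt", "kms:Decrypt", "kms:ReEncrypt*",
                    "kms:GenerateDataKey*", "kms:DescribeKey"],
         "Resource": "*"},
    ],
}

# Sensitive actions we care about: managing the key versus using it.
MANAGE = {"kms:ScheduleKeyDeletion", "kms:DisableKey", "kms:PutKeyPolicy"}
USE = {"kms:Decrypt", "kms:Encrypt", "kms:GenerateDataKey"}

def _as_list(value):
    return value if isinstance(value, list) else [value]

def _principals(statement):
    principal = statement.get("Principal", {})
    # Principal may be the string "*" or a dict such as {"AWS": [...]}
    return _as_list(principal.get("AWS", []) if isinstance(principal, dict) else principal)

def allowed_actions(policy, principal_arn):
    """Sensitive actions granted to a principal by Allow statements (wildcards expanded)."""
    granted = set()
    for st in policy["Statement"]:
        if st.get("Effect") != "Allow":
            continue
        principals = _principals(st)
        if principal_arn not in principals and "*" not in principals:
            continue
        for pattern in _as_list(st["Action"]):
            granted |= {a for a in MANAGE | USE if fnmatch.fnmatchcase(a, pattern)}
    return granted

def principals_breaking_separation(policy):
    """Principals that can both manage the key and use it; empty means duties are separated."""
    arns = {p for st in policy["Statement"] for p in _principals(st)}
    return sorted(p for p in arns
                  if allowed_actions(policy, p) & MANAGE and allowed_actions(policy, p) & USE)
```

A single statement granting a role `kms:*` is the typical violation the checker flags, since that role could both decrypt data and schedule the key for deletion.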

KMS offers PCI DSS compliant encryption and uses 256-bit keys.

Note: The KMS service limits you to creating 1,000 master keys per account per region, and those master keys cannot be exported for use in on-premises applications.