← Week 1: HSM fundamentals + PKCS#11

Day 6: AWS CloudHSM Architecture

Phase 5 · August 31, 2026


Agenda (2–3 hours)

  • Read (60 min): AWS CloudHSM User Guide — clusters, initialization, HSM users
  • Study (60 min): CloudHSM vs. SoftHSM2 vs. ACM PCA key management
  • Write (30 min): CloudHSM fit analysis for your provisioning service

AWS CloudHSM: What It Is

AWS CloudHSM is a managed HSM service that:

  • Provisions FIPS 140-2 Level 3 HSM hardware inside your VPC
  • Gives you exclusive single-tenant access to the HSM
  • Presents a PKCS#11 interface (plus JCE and OpenSSL) via a client library
  • AWS manages the hardware; you manage the keys and HSM users
  • AWS cannot access your key material (unlike KMS)

Contrast with KMS:

                     AWS KMS                                   AWS CloudHSM
Key material access  AWS manages, can decrypt                  You exclusively control
FIPS level           140-2 Level 2 (software) / Level 3 (XKS)  140-2 Level 3
Tenancy              Multi-tenant                              Single-tenant
Interface            AWS API                                   PKCS#11 / JCE / OpenSSL
Use case             App key management                        CA root keys, compliance

CloudHSM Cluster Model

CloudHSM uses a cluster — multiple HSMs across Availability Zones:

Your VPC:
├── us-east-1a: CloudHSM instance (primary)
├── us-east-1b: CloudHSM instance (replica)
└── us-east-1c: CloudHSM instance (replica)

CloudHSM Client (runs on your EC2/ECS)
└── connects to any HSM in the cluster
    └── keys are automatically synchronized across HSMs

Benefits:

  • HA: if one HSM fails, others serve requests
  • Throughput: multiple HSMs handle concurrent signing requests
  • Geographic redundancy: cross-AZ placement

For your provisioning service: cluster across 3 AZs = can tolerate 2 HSM failures.


CloudHSM User Types

CloudHSM has three user types that you manage, plus an AWS-managed Appliance User. These are not the same as PKCS#11 CKU_SO/CKU_USER:

User type                 Purpose                                              Who should be this
Precrypto Officer (PCO)   First-time admin; can create the CO                  AWS CloudHSM service
Crypto Officer (CO)       HSM management: create/delete users, change quorum   Security team lead
Crypto User (CU)          Normal operations: generate keys, sign, encrypt      Application service account
Appliance User (AU)       Cloning keys across cluster; AWS-managed             Internal (you don't create these)

Your provisioning service runs as a Crypto User (CU).
The key ceremony and HSM initialization require a Crypto Officer (CO).


Connecting from EC2: The Client Library

CloudHSM provides a client library that implements PKCS#11:

# Install CloudHSM client
wget https://s3.amazonaws.com/cloudhsmv2-software/CloudHsmClient/...
sudo rpm -ivh cloudhsm-client-*.rpm

# Configure with your cluster's IP
sudo /opt/cloudhsm/bin/configure-client -a <cluster-ip>

# Start the client daemon
sudo systemctl start cloudhsm-client

// Your Rust code uses the SAME cryptoki API as with SoftHSM2.
// Just change the library path:
use cryptoki::context::{CInitializeArgs, Pkcs11};

let pkcs11 = Pkcs11::new("/opt/cloudhsm/lib/libcloudhsm_pkcs11.so")?;
//                        ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
//                        CloudHSM client library instead of SoftHSM2
pkcs11.initialize(CInitializeArgs::OsThreads)?;

This is why SoftHSM2 is the right dev environment — the code is identical.


CloudHSM for CA Key Storage

To use CloudHSM as the CA key store for your provisioning service:

Option A: CloudHSM-backed SPIRE CA
  SPIRE server → CloudHSM via PKCS#11 plugin
  (SPIRE KeyManager plugin: "aws_cloudhsm")

Option B: CloudHSM-backed ACM PCA
  ACM PCA with CloudHSM backing
  (Currently: ACM PCA uses AWS-managed HSMs, not customer CloudHSM)
  (CloudHSM is used for self-managed CAs outside ACM PCA)

Option C: EJBCA or custom CA on EC2
  Your CA software → CloudHSM via PKCS#11 for signing
  Separate from ACM PCA

Key insight: If you use ACM PCA, you don't manage the HSM at all.
CloudHSM is only relevant if you're running your own CA software.


CloudHSM Operational Considerations

Consideration   Detail
Cost            ~$1.60/hr per HSM × 3 AZs = ~$3,456/month minimum
Initialization  Key ceremony required to set up CO; cannot undo without factory reset
Backup          CloudHSM backup to S3 (encrypted with your key); cross-region restore
HA setup        Minimum 2 HSMs for production; 3 for 2-AZ failure tolerance
Latency         ~1-2 ms per signing operation (vs. microseconds in software)
Throughput      ~3,000 ECDSA P-256 signs/sec per HSM (hardware-limited)
Quorum          Multi-person auth available for high-value operations
Audit           CloudTrail logs all HSM API calls; HSM-level audit log available

For your provisioning service: if signing volume is low (< 100 certs/day),
CloudHSM cost is hard to justify. ACM PCA is more appropriate.
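As an added example (not part of the course page), a small Python triage of CloudTrail records for the Audit row above: it flags CloudHSM control-plane calls that delete or change the cluster. The event source string and event names are assumed from the CloudHSM v2 API; the sample records are constructed.

```python
import json
from dataclasses import dataclass
from typing import Iterable, Optional

# Assumptions (ours, not from the course page): CloudHSM v2 control-plane
# calls land in CloudTrail with eventSource "cloudhsm.amazonaws.com", and the
# event names below are the cloudhsmv2 API actions that change cluster state.
DESTRUCTIVE = {"DeleteCluster", "DeleteHsm", "DeleteBackup"}
LIFECYCLE = {"CreateCluster", "InitializeCluster", "CreateHsm",
             "RestoreBackup", "ModifyCluster", "CopyBackupToRegion"}


@dataclass
class Finding:
    event_name: str
    actor: str
    severity: str
    reason: str


def assess_event(event: dict) -> Optional[Finding]:
    """Classify one CloudTrail record; return None if it is not of interest."""
    if event.get("eventSource") != "cloudhsm.amazonaws.com":
        return None
    name = event.get("eventName", "")
    actor = event.get("userIdentity", {}).get("arn", "unknown")
    if name in DESTRUCTIVE:
        return Finding(name, actor, "high", "destroys HSMs, backups or the cluster")
    if name in LIFECYCLE:
        return Finding(name, actor, "medium", "changes cluster membership or state")
    if event.get("errorCode") == "AccessDenied":
        return Finding(name, actor, "low", "denied CloudHSM API call")
    return None


def triage(records: Iterable[str]) -> list:
    """Run assess_event over newline-delimited JSON CloudTrail records."""
    findings = []
    for line in records:
        if line.strip():
            finding = assess_event(json.loads(line))
            if finding is not None:
                findings.append(finding)
    return findings


# Constructed sample records (not real CloudTrail output).
SAMPLE_RECORDS = [
    '{"eventSource":"cloudhsm.amazonaws.com","eventName":"CreateHsm","userIdentity":{"arn":"arn:aws:iam::111122223333:role/hsm-admin"}}',
    '{"eventSource":"cloudhsm.amazonaws.com","eventName":"DescribeClusters","userIdentity":{"arn":"arn:aws:iam::111122223333:role/ca-signer"}}',
    '{"eventSource":"cloudhsm.amazonaws.com","eventName":"DeleteHsm","userIdentity":{"arn":"arn:aws:iam::111122223333:user/contractor"}}',
    '{"eventSource":"cloudhsm.amazonaws.com","eventName":"DescribeBackups","errorCode":"AccessDenied","userIdentity":{"arn":"arn:aws:iam::111122223333:user/contractor"}}',
    '{"eventSource":"kms.amazonaws.com","eventName":"Decrypt","userIdentity":{"arn":"arn:aws:iam::111122223333:role/app"}}',
]
```

Run it over a CloudTrail export with `triage(open("events.jsonl"))`; read-only calls and non-CloudHSM sources are ignored, so the output is only the events worth a human look.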


CloudHSM vs. ACM PCA: Decision Matrix

Factor              CloudHSM                              ACM PCA
Key control         You exclusively                       AWS-managed
Operations burden   High (cluster mgmt, backups, users)   Low (managed service)
Cost                High (~$3.5K/mo for HA cluster)       Low (~$400/mo + per-cert)
Compliance          FIPS 140-2 L3, you hold key           FIPS 140-2 L3, AWS holds key
Custom CA software  Yes (any PKCS#11 app)                 No (ACM PCA controls issuance)
Integration         PKCS#11, JCE, OpenSSL                 AWS SDK / ACM console
PQC readiness       CloudHSM PQC support TBD (~2027)      ACM PCA PQC support TBD (~2027)

For Amazon Leo Secure Comms: if compliance requires you to hold the root key,
use CloudHSM. If managed CA is acceptable, use ACM PCA.


Challenge Assignment

Write a CloudHSM Fit Analysis for your provisioning service
(add to acm-pca-design.md as an appendix or §7):

  1. When would you choose CloudHSM over ACM PCA?
    (What regulatory/compliance requirement would make CloudHSM necessary?)

  2. What is the minimum HA CloudHSM configuration for your provisioning service?
    (How many HSMs, in which AZs, with what backup procedure?)

  3. What is the Crypto User (CU) access pattern?
    (Which process/service needs CU credentials? How are they stored?)

  4. If the CloudHSM cluster is unavailable for 30 minutes:
    (Can new certs be issued? Do existing certs still work? What fails?)

These questions prime Day 15 (failure mode analysis) where you'll answer them rigorously.


Resources

  • CloudHSM User Guide: docs.aws.amazon.com/cloudhsm/latest/userguide
  • CloudHSM + PKCS#11: docs.aws.amazon.com/cloudhsm/latest/userguide/pkcs11-library.html
  • CloudHSM pricing: aws.amazon.com/cloudhsm/pricing
  • CloudHSM vs. KMS comparison: docs.aws.amazon.com/kms/latest/developerguide/custom-key-store-overview.html
  • SPIRE KeyManager CloudHSM: github.com/spiffe/spire/tree/main/doc/plugin_server_keymanager_aws_kms.md