Amazon CloudHSM

AWS CloudHSM is a cloud-based hardware security module (HSM) that enables you to manage cryptographic keys on dedicated FIPS 140-2 Level 3 validated, single-tenant HSM instances running within your own VPC for regulatory compliance and data security.

1 APIs 5 Features
CloudHSMSecurityCryptographyHSMCompliance

APIs

Amazon CloudHSM API

API for creating and managing CloudHSM clusters and HSM instances for dedicated hardware-based cryptographic key management.

MCP Servers

Features

FIPS 140-2 Level 3 Validated

Dedicated single-tenant HSM instances meeting the highest FIPS validation levels.

Full Key Control

Complete control over cryptographic keys with no AWS access to key material.

Elastic Capacity

Add or remove HSMs from clusters as needed, paying only for active resources hourly.

High Availability

Multi-AZ HSM clusters provide redundancy and automatic failover.

Industry-Standard APIs

Supports PKCS#11, Java JCE, and Microsoft CNG APIs for application integration.

Use Cases

Data Encryption

Protect sensitive data with hardware-backed encryption keys.

SSL/TLS Offloading

Manage SSL/TLS certificates and private keys in dedicated HSMs.

Certificate Authority

Secure private CA keys for organizations issuing their own certificates.

Database Encryption

Support transparent data encryption (TDE) for Oracle and SQL Server databases.

Regulatory Compliance

Meet PCI DSS, HIPAA, and other regulatory requirements for key management.

Integrations

Amazon RDS

Use CloudHSM keys for Oracle TDE and SQL Server TDE in RDS.

AWS KMS

Use CloudHSM as a custom key store for AWS KMS operations.

Amazon VPC

HSM instances run inside your VPC for network isolation.

AWS IAM

Control access to HSM cluster management operations.

AWS CloudTrail

Audit HSM management API calls via CloudTrail.

API Governance Rules

Amazon CloudHSM API Rules

19 rules · 12 errors 6 warnings 1 info

SPECTRAL

Resources

🔗
TrustCenter
TrustCenter
🔗
VulnerabilityDisclosure
VulnerabilityDisclosure
🔗
DomainSecurity
DomainSecurity
🌐
Portal
Portal
🔗
Website
Website
🔗
Documentation
Documentation
📜
TermsOfService
TermsOfService
📜
PrivacyPolicy
PrivacyPolicy
💬
Support
Support
📰
Blog
Blog
👥
GitHubOrganization
GitHubOrganization
🌐
Console
Console
📝
SignUp
SignUp
🟢
StatusPage
StatusPage
👥
YouTube
YouTube
👥
StackOverflow
StackOverflow
🔗
Contact
Contact
🔗
Compliance
Compliance
🔗
SpectralRules
SpectralRules
🔗
Vocabulary
Vocabulary
🔗
Packages
Packages
🔗
WellKnown
WellKnown
🔗
SecurityTxt
SecurityTxt
🔗
MCPServer
MCPServer
🔗
LLMsTxt
LLMsTxt
🔗
Conformance
Conformance
🔗
ErrorCatalog
ErrorCatalog
🔗
Lifecycle
Lifecycle

Sources

apis.yml Raw ↑
aid: amazon-cloudhsm
name: Amazon CloudHSM
description: AWS CloudHSM is a cloud-based hardware security module (HSM) that enables you to manage cryptographic keys on
  dedicated FIPS 140-2 Level 3 validated, single-tenant HSM instances running within your own VPC for regulatory compliance
  and data security.
type: Index
image: https://kinlane-productions.s3.amazonaws.com/apis-json/apis-json-logo.jpg
tags:
- AWS
- CloudHSM
- Security
- Cryptography
- HSM
- Compliance
url: https://raw.githubusercontent.com/api-evangelist/amazon-cloudhsm/refs/heads/main/apis.yml
created: '2026-03-16'
modified: '2026-06-20'
specificationVersion: '0.19'
apis:
- name: Amazon CloudHSM API
  description: API for creating and managing CloudHSM clusters and HSM instances for dedicated hardware-based cryptographic
    key management.
  image: https://a0.awsstatic.com/libra-css/images/logos/aws_logo_smile_1200x630.png
  humanURL: https://aws.amazon.com/cloudhsm/
  baseURL: https://cloudhsm.us-east-1.amazonaws.com
  tags:
  - AWS
  - CloudHSM
  - Security
  - Cryptography
  properties:
  - type: Documentation
    url: https://docs.aws.amazon.com/cloudhsm/latest/APIReference/
  - type: GettingStarted
    url: https://aws.amazon.com/cloudhsm/getting-started/
  - type: Pricing
    url: https://aws.amazon.com/cloudhsm/pricing/
  - type: FAQ
    url: https://aws.amazon.com/cloudhsm/faqs/
  - type: APIReference
    url: https://docs.aws.amazon.com/cloudhsm/latest/APIReference/
  - type: CLI
    url: https://docs.aws.amazon.com/cli/latest/reference/cloudhsmv2/
maintainers:
- FN: Kin Lane
  email: kin@apievangelist.com
common:
- type: TrustCenter
  url: security/amazon-cloudhsm-trust-center.yml
- type: VulnerabilityDisclosure
  url: security/amazon-cloudhsm-vulnerability-disclosure.yml
- type: DomainSecurity
  url: security/amazon-cloudhsm-domain-security.yml
- type: Portal
  url: https://aws.amazon.com/
- type: Website
  url: https://aws.amazon.com/cloudhsm/
- type: Documentation
  url: https://docs.aws.amazon.com/cloudhsm/latest/APIReference/
- type: TermsOfService
  url: https://aws.amazon.com/service-terms/
- type: PrivacyPolicy
  url: https://aws.amazon.com/privacy/
- type: Support
  url: https://aws.amazon.com/premiumsupport/
- type: Blog
  url: https://aws.amazon.com/blogs/security/
- type: GitHubOrganization
  url: https://github.com/aws
- type: Console
  url: https://console.aws.amazon.com/cloudhsm/
- type: SignUp
  url: https://signin.aws.amazon.com/signup?request_type=register
- type: StatusPage
  url: https://health.aws.amazon.com/health/status
- type: YouTube
  url: https://www.youtube.com/user/AmazonWebServices
- type: StackOverflow
  url: https://stackoverflow.com/questions/tagged/aws-cloudhsm
- type: Contact
  url: https://aws.amazon.com/contact-us/
- type: Compliance
  url: https://aws.amazon.com/compliance/
- type: SpectralRules
  url: rules/amazon-cloudhsm-spectral-rules.yml
- type: Vocabulary
  url: vocabulary/amazon-cloudhsm-vocabulary.yaml
- type: Packages
  url: packages/amazon-cloudhsm-packages.yml
- type: WellKnown
  url: well-known/amazon-cloudhsm-well-known.yml
- type: SecurityTxt
  url: well-known/amazon-cloudhsm-security.txt
- type: MCPServer
  url: mcp/amazon-cloudhsm-mcp.yml
- type: LLMsTxt
  url: llms/amazon-cloudhsm-llms.txt
- type: Conformance
  url: conformance/amazon-cloudhsm-conformance.yml
- type: ErrorCatalog
  url: errors/amazon-cloudhsm-problem-types.yml
- type: Lifecycle
  url: lifecycle/amazon-cloudhsm-lifecycle.yml
- type: Features
  data:
  - name: FIPS 140-2 Level 3 Validated
    description: Dedicated single-tenant HSM instances meeting the highest FIPS validation levels.
  - name: Full Key Control
    description: Complete control over cryptographic keys with no AWS access to key material.
  - name: Elastic Capacity
    description: Add or remove HSMs from clusters as needed, paying only for active resources hourly.
  - name: High Availability
    description: Multi-AZ HSM clusters provide redundancy and automatic failover.
  - name: Industry-Standard APIs
    description: Supports PKCS#11, Java JCE, and Microsoft CNG APIs for application integration.
- type: UseCases
  data:
  - name: Data Encryption
    description: Protect sensitive data with hardware-backed encryption keys.
  - name: SSL/TLS Offloading
    description: Manage SSL/TLS certificates and private keys in dedicated HSMs.
  - name: Certificate Authority
    description: Secure private CA keys for organizations issuing their own certificates.
  - name: Database Encryption
    description: Support transparent data encryption (TDE) for Oracle and SQL Server databases.
  - name: Regulatory Compliance
    description: Meet PCI DSS, HIPAA, and other regulatory requirements for key management.
- type: Integrations
  data:
  - name: Amazon RDS
    description: Use CloudHSM keys for Oracle TDE and SQL Server TDE in RDS.
  - name: AWS KMS
    description: Use CloudHSM as a custom key store for AWS KMS operations.
  - name: Amazon VPC
    description: HSM instances run inside your VPC for network isolation.
  - name: AWS IAM
    description: Control access to HSM cluster management operations.
  - name: AWS CloudTrail
    description: Audit HSM management API calls via CloudTrail.