1 Answer
CloudHSM is pretty expensive. If they want to control the keys, they can import their key using BYOK: https://docs.aws.amazon.com/kms/latest/developerguide/importing-keys.html. Not saying don't use CMK, but if the only reason for using HSM is to own the key, then that can also be done with KMS.
answered a year ago
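As an added illustration of the BYOK path mentioned in the answer above (example code, not from the answer or from AWS), this Go program performs the wrapping step of the KMS import procedure: the symmetric key material is encrypted under the import wrapping key with RSAES_OAEP_SHA_256 before it is passed to ImportKeyMaterial. The RSA_2048 key pair is generated locally as a stand-in for the one GetParametersForImport returns, and the unwrap step exists only to check the round trip.

```go
package main

import (
	"bytes"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"encoding/base64"
	"fmt"
)

// WrapKeyMaterial encrypts 256-bit symmetric key material under an RSA public
// key with OAEP (SHA-256 hash and MGF1), which is what the KMS wrapping
// algorithm RSAES_OAEP_SHA_256 expects. In a real import the public key comes
// from GetParametersForImport; here the caller supplies it.
func WrapKeyMaterial(wrappingPub *rsa.PublicKey, keyMaterial []byte) ([]byte, error) {
	if len(keyMaterial) != 32 {
		return nil, fmt.Errorf("symmetric key material must be 32 bytes, got %d", len(keyMaterial))
	}
	return rsa.EncryptOAEP(sha256.New(), rand.Reader, wrappingPub, keyMaterial, nil)
}

// unwrapKeyMaterial mirrors the decryption KMS performs after import; it is
// here only so the round trip can be verified locally.
func unwrapKeyMaterial(wrappingPriv *rsa.PrivateKey, wrapped []byte) ([]byte, error) {
	return rsa.DecryptOAEP(sha256.New(), rand.Reader, wrappingPriv, wrapped, nil)
}

// RoundTrip builds a constructed stand-in for the KMS wrapping key pair,
// generates random key material, wraps it and checks that unwrapping gives the
// same bytes back. It returns the base64 payload that would be sent as
// EncryptedKeyMaterial and whether the round trip matched.
func RoundTrip() (string, bool, error) {
	wrappingKey, err := rsa.GenerateKey(rand.Reader, 2048) // stand-in for RSA_2048 import key
	if err != nil {
		return "", false, err
	}
	keyMaterial := make([]byte, 32) // AES-256 key material to be imported
	if _, err := rand.Read(keyMaterial); err != nil {
		return "", false, err
	}
	wrapped, err := WrapKeyMaterial(&wrappingKey.PublicKey, keyMaterial)
	if err != nil {
		return "", false, err
	}
	recovered, err := unwrapKeyMaterial(wrappingKey, wrapped)
	if err != nil {
		return "", false, err
	}
	return base64.StdEncoding.EncodeToString(wrapped), bytes.Equal(recovered, keyMaterial), nil
}

func main() {
	payload, ok, err := RoundTrip()
	fmt.Printf("round trip ok=%v err=%v payload bytes=%d\n", ok, err, len(payload))
}
```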
Thanks for the feedback. The purpose of using HSM is regulatory compliance and to not manage (import) the CMK ourselves but leave it to the HSM.
What are the risks that the customer wants to protect against by "possessing the key material"? You are always in control of the key that you create in KMS through the key policy and IAM policy. You have full control over the lifecycle of CMKs. The common pitfall that we see a lot of customers fall into is failing to properly evaluate the cost of key management vs. the threats they face. Customers often delegate the decision to their compliance/governance team, who may not understand AWS and KMS well enough to make an informed decision.
Also, one point to note is that migrating between KMS and CloudHSM (and vice versa) later on is difficult. You would need to create a new key, switch the other AWS services that depended on the old key, and re-encrypt the data. You will incur additional charges from the respective AWS services for this operation.
You should take a look at AWS KMS External Key Store.
https://docs.aws.amazon.com/kms/latest/developerguide/keystore-external.html