Generate, store, use and replace your keys (symmetric & asymmetric)
KMS: Multi-tenant Key Management Service
KMS integrates with all storage and database services in AWS
Define key usage permissions (including cross account access)
Automatically rotate master keys once a year
Schedule key deletion (rather than deleting immediately) so the waiting period can be used to verify whether the key is still in use
Mandatory minimum wait period of 7 days (maximum 30 days)
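As an added example (not from the original notes), the retire-and-roll-back sequence the waiting period is meant for: disable the key first so any consumer still depending on it fails visibly, then schedule deletion within the 7..30 day window, and cancel while still pending if something broke. FakeKms is a constructed in-memory stand-in that mimics the boto3 kms calls used here; swap in boto3.client("kms") for real use.

```python
MIN_WINDOW_DAYS, MAX_WINDOW_DAYS = 7, 30  # bounds KMS enforces on PendingWindowInDays


class FakeKms:
    """Constructed stand-in for boto3.client('kms'); same call names and shapes."""

    def __init__(self):
        self.keys = {"key-1": {"KeyState": "Enabled"}}  # constructed sample key

    def describe_key(self, KeyId):
        return {"KeyMetadata": dict(KeyId=KeyId, **self.keys[KeyId])}

    def disable_key(self, KeyId):
        self.keys[KeyId]["KeyState"] = "Disabled"

    def enable_key(self, KeyId):
        self.keys[KeyId]["KeyState"] = "Enabled"

    def schedule_key_deletion(self, KeyId, PendingWindowInDays):
        self.keys[KeyId]["KeyState"] = "PendingDeletion"
        return {"KeyId": KeyId, "PendingWindowInDays": PendingWindowInDays}

    def cancel_key_deletion(self, KeyId):
        # Real KMS leaves a cancelled key Disabled; enable_key is a separate step.
        self.keys[KeyId]["KeyState"] = "Disabled"


def key_state(kms, key_id):
    return kms.describe_key(KeyId=key_id)["KeyMetadata"]["KeyState"]


def retire_key(kms, key_id, pending_days=MAX_WINDOW_DAYS):
    """Disable, then schedule deletion. Disabling first is reversible and
    surfaces any workload that still decrypts with this key."""
    if not MIN_WINDOW_DAYS <= pending_days <= MAX_WINDOW_DAYS:
        raise ValueError(f"pending window must be {MIN_WINDOW_DAYS}..{MAX_WINDOW_DAYS} days")
    kms.disable_key(KeyId=key_id)
    kms.schedule_key_deletion(KeyId=key_id, PendingWindowInDays=pending_days)
    return key_state(kms, key_id)


def restore_key(kms, key_id):
    """Roll back during the waiting period: cancel deletion, then re-enable."""
    if key_state(kms, key_id) != "PendingDeletion":
        raise RuntimeError("key is not pending deletion")
    kms.cancel_key_deletion(KeyId=key_id)
    kms.enable_key(KeyId=key_id)
    return key_state(kms, key_id)
```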
CloudHSM: Dedicated single-tenant HSM for regulatory compliance
AWS CANNOT access your encryption master keys in CloudHSM
(Recommendation) Be ultra safe with your keys. Use two or more HSMs in separate AZs.
AWS KMS can use CloudHSM cluster as "custom key store" to store the keys:
AWS Services can continue to talk to KMS for data encryption
(AND) KMS does the necessary integration with CloudHSM cluster
Use cases: offloading SSL processing for web servers, acting as a Certificate Authority, etc.