I am trying to understand the key management services in AWS (Amazon Web Services), and I can see that Amazon recommends AWS Key Management Service (KMS) over Cloud Hardware Security Module (Cloud HSM). But I am having a hard time finding the key differences between the two, KMS vs Cloud HSM.
Can someone please list a few key differences or a comparison of the two technologies?
| Feature | AWS Cloud HSM | AWS KMS |
|---|---|---|
| Tenancy | Single-tenant | Multi-tenant |
| High availability: how to achieve? | Create multiple HSMs (manually) over different AZs | Managed (automatically) by AWS |
| Scaling/performance responsibility | Your responsibility | AWS |
| Key access: who controls it? | You | You + AWS |
| Keys: how to use? | Customer code + Safenet APIs | AWS Management Console |
| Keys: where to use? | AWS & your network (VPN) | AWS |
| AWS services integration | A small set of services (Redshift, Oracle RDS etc.) | Most services fully integrated |
| Access & authentication policy | Quorum based, K of N | AWS IAM policy |
| Price | $$ | $ |
| FIPS 140-2 compliance | Level 3 | Level 3 |
Source: AWS official documentation + multiple courses I took for the AWS exams + practical experience.
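To make the "Access & authentication policy" and "Key access: You + AWS" rows concrete, here is an added example (not part of the answer above, and not AWS's own code) of what IAM-style access control on a KMS key looks like: a key policy that separates key administrators from key users and scopes the application's cryptographic use to one service, alongside an over-broad policy and a small checker that flags the patterns that matter. The account ID, role names and region are constructed placeholders; the checker is a hypothetical helper, not an AWS API.

```python
"""Least-privilege KMS key policy beside an over-broad one, with a checker.

Assumptions (not from the original page): account 123456789012, roles
KeyAdminRole and AppRole, and region us-east-1 are placeholders.
"""
import json

# Constructed example: admins manage the key but cannot use it for crypto;
# the application role can use it, but only when called through S3.
LEAST_PRIVILEGE_KEY_POLICY = {
    "Version": "2012-10-17",
    "Id": "example-least-privilege-key-policy",
    "Statement": [
        {
            "Sid": "KeyAdministratorsManageButDoNotUseTheKey",
            "Effect": "Allow",
            "Principal": {"AWS": "arn:aws:iam::123456789012:role/KeyAdminRole"},
            "Action": [
                "kms:Create*", "kms:Describe*", "kms:Enable*", "kms:List*",
                "kms:Put*", "kms:Update*", "kms:Revoke*", "kms:Disable*",
                "kms:Get*", "kms:Delete*", "kms:ScheduleKeyDeletion",
                "kms:CancelKeyDeletion",
            ],
            "Resource": "*",
        },
        {
            "Sid": "AppRoleUsesKeyOnlyViaS3",
            "Effect": "Allow",
            "Principal": {"AWS": "arn:aws:iam::123456789012:role/AppRole"},
            "Action": ["kms:Encrypt", "kms:Decrypt",
                       "kms:GenerateDataKey*", "kms:DescribeKey"],
            "Resource": "*",
            # kms:ViaService limits use of the key to requests S3 makes on
            # the role's behalf; direct calls to KMS by the role are denied.
            "Condition": {"StringEquals": {
                "kms:ViaService": "s3.us-east-1.amazonaws.com"}},
        },
    ],
}

# Constructed counter-example: any principal, every KMS action, no condition.
OVERBROAD_KEY_POLICY = {
    "Version": "2012-10-17",
    "Id": "example-overbroad-key-policy",
    "Statement": [
        {"Sid": "AnyoneCanDoAnything", "Effect": "Allow",
         "Principal": "*", "Action": "kms:*", "Resource": "*"}
    ],
}

# Actions that let a principal actually use the key material.
CRYPTO_ACTIONS = {"kms:Encrypt", "kms:Decrypt", "kms:ReEncrypt*",
                  "kms:GenerateDataKey*", "kms:*"}


def _as_list(value):
    """IAM allows a single string or a list in Principal/Action fields."""
    return value if isinstance(value, list) else [value]


def find_policy_findings(policy):
    """Return human-readable findings for risky Allow statements.

    Checks: wildcard principal, kms:* (admin and use combined), and
    cryptographic use that is not scoped by any Condition.
    """
    findings = []
    for st in policy.get("Statement", []):
        if st.get("Effect") != "Allow":
            continue
        sid = st.get("Sid", "<no sid>")
        principal = st.get("Principal")
        actions = set(_as_list(st.get("Action", [])))

        wildcard_principal = principal == "*" or (
            isinstance(principal, dict)
            and "*" in _as_list(principal.get("AWS", [])))
        if wildcard_principal:
            findings.append(f"{sid}: wildcard principal")
        if "kms:*" in actions:
            findings.append(f"{sid}: grants kms:* (admin and crypto use combined)")
        if actions & CRYPTO_ACTIONS and "Condition" not in st:
            findings.append(f"{sid}: crypto use not scoped by a condition "
                            "such as kms:ViaService")
    return findings


if __name__ == "__main__":
    for name, pol in [("least-privilege", LEAST_PRIVILEGE_KEY_POLICY),
                      ("over-broad", OVERBROAD_KEY_POLICY)]:
        print(name, "->", find_policy_findings(pol) or "no findings")
    print(json.dumps(LEAST_PRIVILEGE_KEY_POLICY, indent=2))
```

The split between the two statements is the point: with KMS, "who may use the key" is an IAM question decided by principals, actions and conditions, and AWS evaluates it for you. CloudHSM's K-of-N quorum lives inside the HSM and cannot be expressed in a key policy at all, which is why the table puts the access model in different columns.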