    Security | Published 2025-08-01 | Updated 2025-12-10

    KMS vs CloudHSM vs ACM

    AWS encryption services - keys, HSMs, and certificates

    Three AWS encryption services that solve different problems: KMS for managed key management, CloudHSM for dedicated hardware security modules, and ACM for TLS certificate management. KMS protects data at rest, ACM protects data in transit, and CloudHSM provides single-tenant HSMs with full key control.

    Service Overview

    AWS KMS
    Managed key management. Integrated with 100+ AWS services, envelope encryption.
    Type: Encryption key management
    Pricing: $1/key/month + $0.03/10K requests (symmetric)

    AWS CloudHSM
    Dedicated HSM hardware. FIPS 140-3 Level 3, single-tenant, you control the keys.
    Type: Hardware security module
    Pricing: ~$1.45/hour per HSM (~$1,058/month)

    AWS ACM
    Certificate management. Free TLS certs with auto-renewal for CloudFront, ALB, API GW.
    Type: TLS/SSL certificate provisioning
    Pricing: Free (public certs) / $400/CA/month (Private CA)

    Side-by-Side Comparison

    $ diff --side-by-side
    | Criteria | KMS | CloudHSM | ACM |
    |---|---|---|---|
    | Primary Purpose | Encrypt data at rest (keys for S3, EBS, RDS, etc.) | Single-tenant HSM for custom crypto (PKCS#11, JCE) and direct key control | Encrypt data in transit (TLS certificates) |
    | FIPS 140-3 Level | Level 3 (since Feb 2025) | Level 3 (single-tenant, dedicated hardware) | N/A (uses KMS or CloudHSM internally) |
    | Key Control | AWS manages HSM and key material; you manage key policies, grants, and rotation | You manage HSM users, key material, and crypto operations; AWS manages hardware only | AWS manages certificate private keys |
    | Key Export | Not possible (keys never leave HSM in plaintext) | Yes (wrap and export key material) | Not possible (private keys managed by AWS) |
    | Automatic Rotation | Yes (configurable: 90-2560 days for customer-managed, annual for AWS-managed) | Manual | Yes (auto-renewal before expiry) |
    | Integrations | S3, EBS, RDS, Lambda, 100+ services | Custom apps (PKCS#11, JCE) | CloudFront, ALB, API Gateway, Elastic Beanstalk |
    | Multi-Region | Yes (multi-region keys with shared key material) | No (per-cluster) | No (separate cert per region; CloudFront uses us-east-1 globally) |
    | Cost | $1/key/month | ~$1,058/HSM/month | Free (public) |
    | Post-Quantum Ready | Yes (NIST PQC algorithms, re:Invent 2025) | Custom (you can load PQC algorithms into your HSM) | Yes (CloudFront PQ TLS, re:Invent 2025) |

    When to Use What

    $ cat DECISION_GUIDE.md
    IF   You need to encrypt S3 objects, EBS volumes, or RDS databases
    THEN KMS
    WHY  KMS integrates natively with 100+ AWS services. One API call to encrypt/decrypt. Automatic envelope encryption.

    IF   You need single-tenant HSMs with full key control (PCI-DSS, eIDAS)
    THEN CloudHSM
    WHY  Both KMS and CloudHSM are FIPS 140-3 Level 3, but CloudHSM gives you dedicated hardware, direct key access, and PKCS#11/JCE interfaces for custom crypto operations.

    IF   You need TLS certificates for your ALB or CloudFront distribution
    THEN ACM
    WHY  Free public certificates with automatic renewal. No reason to buy certificates from a third party for AWS services.

    IF   You need to sign code, issue client certificates, or run a PKI
    THEN ACM Private CA (+ CloudHSM)
    WHY  ACM Private CA issues private certificates. For the highest security, back the CA with CloudHSM-stored keys.

    IF   You need encryption keys shared across AWS regions
    THEN KMS Multi-Region Keys
    WHY  Multi-region keys replicate to other regions with the same key material. Encrypt in one region, decrypt in another.

    Security Insights

    KMS and ACM solve different problems - do not confuse them

    KMS = data at rest (encryption keys for S3, EBS, RDS). ACM = data in transit (TLS certificates for ALB, CloudFront). You need both for a fully encrypted architecture.
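ACM's automatic renewal covers only certificates that ACM itself issued; a certificate you import into ACM, or serve from an endpoint outside the integrations listed above, leaves the expiry problem with you. The Go program below is an added example, not code from this page or from AWS: CheckLeaf verifies a PEM leaf against a trusted root at a chosen point in time and reports the days remaining, whether the chain validates, and whether the certificate is inside a renewal window, while MakeChain builds a constructed CA and leaf so the program runs offline. The 60-day window (the lead time at which ACM starts renewing its own certificates, an assumption taken from the ACM documentation), the names CheckLeaf, MakeChain and CertStatus, and the hostname api.example.com are all assumptions of the example.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/pem"
	"errors"
	"fmt"
	"math/big"
	"time"
)

// CertStatus is the verdict for one leaf certificate at a given point in time.
type CertStatus struct {
	Subject       string
	DaysRemaining int
	ChainValid    bool
	Action        string // "ok", "renew" or "expired"
}

// CheckLeaf verifies a PEM leaf against the trusted roots as a server certificate at time now
// and flags it once it is inside renewWindow. The window is a policy input; 60 days (used in
// main) is when ACM starts renewing its own certificates, an assumption taken from the ACM docs.
func CheckLeaf(leafPEM, rootsPEM []byte, now time.Time, renewWindow time.Duration) (CertStatus, error) {
	block, _ := pem.Decode(leafPEM)
	if block == nil || block.Type != "CERTIFICATE" {
		return CertStatus{}, errors.New("leaf: no CERTIFICATE block")
	}
	leaf, err := x509.ParseCertificate(block.Bytes)
	if err != nil {
		return CertStatus{}, err
	}
	roots := x509.NewCertPool()
	if !roots.AppendCertsFromPEM(rootsPEM) {
		return CertStatus{}, errors.New("roots: no certificates parsed")
	}
	_, verr := leaf.Verify(x509.VerifyOptions{Roots: roots, CurrentTime: now,
		KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth}})
	st := CertStatus{Subject: leaf.Subject.CommonName, ChainValid: verr == nil,
		DaysRemaining: int(leaf.NotAfter.Sub(now).Hours() / 24)}
	switch {
	case !now.Before(leaf.NotAfter):
		st.Action = "expired"
	case now.Add(renewWindow).After(leaf.NotAfter):
		st.Action = "renew"
	default:
		st.Action = "ok"
	}
	return st, nil
}

// MakeChain builds a constructed CA and a leaf it signed so the example runs offline;
// real input would be the PEM you hold or export from your own CA.
func MakeChain(cn string, now time.Time, leafLifetime time.Duration) (leafPEM, caPEM []byte, err error) {
	caKey, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	caTmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: "Example Private CA"},
		NotBefore: now.Add(-time.Hour), NotAfter: now.Add(10 * 365 * 24 * time.Hour),
		IsCA: true, BasicConstraintsValid: true, KeyUsage: x509.KeyUsageCertSign,
	}
	caDER, err := x509.CreateCertificate(rand.Reader, caTmpl, caTmpl, &caKey.PublicKey, caKey)
	if err != nil {
		return nil, nil, err
	}
	leafKey, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	leafTmpl := &x509.Certificate{
		SerialNumber: big.NewInt(2), Subject: pkix.Name{CommonName: cn}, DNSNames: []string{cn},
		NotBefore: now.Add(-time.Hour), NotAfter: now.Add(leafLifetime),
		KeyUsage: x509.KeyUsageDigitalSignature, ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	}
	leafDER, err := x509.CreateCertificate(rand.Reader, leafTmpl, caTmpl, &leafKey.PublicKey, caKey)
	if err != nil {
		return nil, nil, err
	}
	leafPEM = pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: leafDER})
	caPEM = pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: caDER})
	return leafPEM, caPEM, nil
}

func main() {
	now := time.Now()
	leaf, ca, err := MakeChain("api.example.com", now, 30*24*time.Hour) // 30 days left
	if err != nil {
		panic(err)
	}
	st, err := CheckLeaf(leaf, ca, now, 60*24*time.Hour)
	fmt.Println(st, err) // Action is "renew": inside the 60-day window
}
```

Running it prints the status of a constructed certificate with 30 days left, which lands inside the 60-day window. For real use, feed CheckLeaf the PEM you actually export and set the window to the lead time your change process needs; a ChainValid of false on a certificate that still has days remaining is the case worth alerting on, because it means the chain, not the date, is the problem.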

    CloudHSM is for single-tenant control and key export, not for a higher FIPS level

    Since Feb 2025, KMS is also FIPS 140-3 Level 3. Choose CloudHSM when you need single-tenant dedicated hardware, PKCS#11/JCE interfaces, direct key export, or custom cryptographic operations. KMS is sufficient for most compliance requirements.

    Post-quantum cryptography is here

    re:Invent 2025 announced NIST-standardized post-quantum algorithms in KMS, CloudFront, Private CA, and Secrets Manager. Start planning migration for long-lived data.

    Never export KMS keys

    KMS keys never leave the HSM boundary in plaintext. This is a security feature, not a limitation. If you need exportable keys, use CloudHSM or KMS external key stores.
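The "one API call" envelope encryption from the decision guide and the point above about keys never leaving the HSM are two sides of the same design: the application only ever holds a short-lived data key, and the KMS key that wraps it stays inside KMS. The Go program below is an added example, not code from this page or from AWS. The DataKeyService interface, the localKMS stand-in (an in-process substitute that models the shape of KMS GenerateDataKey and Decrypt so the program runs offline, not AWS's implementation), the Envelope type and the key ID alias/orders are assumptions of the example; local encryption uses AES-256-GCM from Go's standard library, and clear is the Go 1.21+ builtin.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
)

// DataKeyService is the slice of the KMS API that envelope encryption needs: GenerateDataKey
// returns a fresh data key in plaintext and wrapped under the KMS key; Decrypt unwraps it.
// In production this is the AWS SDK's KMS client; the interface is an assumption of this example.
type DataKeyService interface {
	GenerateDataKey(keyID string) (plaintext, wrapped []byte, err error)
	Decrypt(keyID string, wrapped []byte) ([]byte, error)
}

// localKMS is an in-process stand-in so the example runs offline. Its root keys play the role
// of KMS keys that never leave the HSM: callers receive wrapped data keys, never the root keys.
type localKMS struct{ rootKeys map[string][]byte }

func (k *localKMS) GenerateDataKey(keyID string) ([]byte, []byte, error) {
	root, ok := k.rootKeys[keyID]
	if !ok {
		return nil, nil, errors.New("kms: unknown key " + keyID)
	}
	dataKey := randomBytes(32)
	// The key ID is bound as AAD, so a wrapped blob cannot be replayed under another key.
	return dataKey, gcmSeal(root, dataKey, []byte(keyID)), nil
}

func (k *localKMS) Decrypt(keyID string, wrapped []byte) ([]byte, error) {
	root, ok := k.rootKeys[keyID]
	if !ok {
		return nil, errors.New("kms: unknown key " + keyID)
	}
	return gcmOpen(root, wrapped, []byte(keyID))
}

func randomBytes(n int) []byte {
	b := make([]byte, n)
	if _, err := rand.Read(b); err != nil {
		panic(err) // a failing platform CSPRNG is not recoverable here
	}
	return b
}

func mustGCM(key []byte) cipher.AEAD {
	block, err := aes.NewCipher(key)
	if err != nil {
		panic(err) // every key here is 32 bytes, so this is a programming error
	}
	gcm, _ := cipher.NewGCM(block) // cannot fail for AES's 128-bit block size
	return gcm
}

// gcmSeal returns nonce || ciphertext || tag under AES-256-GCM with a fresh random nonce.
func gcmSeal(key, plaintext, aad []byte) []byte {
	gcm := mustGCM(key)
	nonce := randomBytes(gcm.NonceSize())
	return gcm.Seal(nonce, nonce, plaintext, aad)
}

// gcmOpen reverses gcmSeal and fails on any change to nonce, body, tag or AAD.
func gcmOpen(key, blob, aad []byte) ([]byte, error) {
	gcm := mustGCM(key)
	if len(blob) < gcm.NonceSize() {
		return nil, errors.New("ciphertext too short")
	}
	return gcm.Open(nil, blob[:gcm.NonceSize()], blob[gcm.NonceSize():], aad)
}

// Envelope is what gets stored next to the data: the wrapped data key plus the ciphertext.
type Envelope struct {
	KeyID      string
	WrappedKey []byte
	Ciphertext []byte
}

// EnvelopeEncrypt makes one GenerateDataKey call and encrypts locally; the payload never reaches KMS.
func EnvelopeEncrypt(svc DataKeyService, keyID string, plaintext []byte) (*Envelope, error) {
	dataKey, wrapped, err := svc.GenerateDataKey(keyID)
	if err != nil {
		return nil, err
	}
	defer clear(dataKey) // the plaintext data key lives only for this call (clear is a Go 1.21+ builtin)
	// The wrapped key is the AAD, so a ciphertext cannot be paired with another envelope's key blob.
	return &Envelope{KeyID: keyID, WrappedKey: wrapped, Ciphertext: gcmSeal(dataKey, plaintext, wrapped)}, nil
}

// EnvelopeDecrypt makes one Decrypt call to unwrap the data key, then decrypts locally.
func EnvelopeDecrypt(svc DataKeyService, env *Envelope) ([]byte, error) {
	dataKey, err := svc.Decrypt(env.KeyID, env.WrappedKey)
	if err != nil {
		return nil, err
	}
	defer clear(dataKey)
	return gcmOpen(dataKey, env.Ciphertext, env.WrappedKey)
}
```

Construct the stand-in as `&localKMS{rootKeys: map[string][]byte{"alias/orders": randomBytes(32)}}`, call EnvelopeEncrypt with that key ID, store the returned Envelope beside the data, and later hand it back to EnvelopeDecrypt. To move to real KMS, implement DataKeyService over the SDK client's GenerateDataKey and Decrypt calls and nothing else changes. Binding the wrapped key as GCM additional data means a ciphertext opens only with the key blob it was written with, so a blob swapped between stored objects fails closed instead of yielding garbage.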

    Key Takeaways

    $ cat SUMMARY.md
    1. KMS = data at rest, ACM = data in transit, CloudHSM = single-tenant HSM with full key control
    2. ACM public certificates are free - no reason to buy certs from third parties for AWS services
    3. CloudHSM costs ~$1,058/month per HSM - only use when you need single-tenant hardware or PKCS#11
    4. Post-quantum cryptography is available now (re:Invent 2025) in KMS, CloudFront, and Private CA
    5. Use KMS multi-region keys for cross-region encryption without re-encrypting data

    Tags: Encryption, Key Management, TLS, Compliance

    Need Architecture Guidance?

    These comparisons are a starting point. Every architecture is different. Contact us for tailored AWS security assessments and architectural guidance.