AWS CloudHSM is another managed service that is used for data encryption. Being fully managed, many aspects of implementing and maintaining the HSM are abstracted, such as the provisioning of hardware, patching, and backups. Plus it also has the great advantage of automatically scaling on demand.
HSM stands for Hardware Security Module, which is specialized security hardware and validated to FIPS 140-2 Level 3. These HSMs can be used to generate and create your own encryption keys.
Using AWS CloudHSM is required when you require additional control and administrative power over your encryption compared with KMS. Although KMS is supported by its own FIPS-enabled HSM, you have no control over those HSMs behind the service, whereas with CloudHSM, you have control over those modules. You should also be aware that AWS is not able to access your keys or any cryptographic material within your HSMs.
With certain compliance and regulatory requirements...