In this chapter, we covered the key services that are used to implement encryption within your AWS environment, specifically, AWS KMS, and AWS CloudHSM. We began with a quick overview of encryption and then understood AWS KMS and its components, including CMKs, DEKs, key material, key policies, and grants. In the section on CloudHSM, we understood how CloudHSM is deployed as a cluster and the cluster architecture, as well as the different types of users and permission levels.
Remember that KMS offers a managed service with the underlying HSMs containing your CMKs hidden and managed by AWS. AWS CloudHSM allows you to deploy your own HSMs within specific subnets of your AWS infrastructure, thereby allowing you to maintain the HSMs themselves with your own key infrastructure.
With the help of this chapter, you are now aware of the differences and similarities between both KMS and CloudHSM and have an understanding of when to use each of them. By applying this knowledge...