Official websites use .gov
A .gov website belongs to an official government organization in the United States.

Secure .gov websites use HTTPS
A lock ( ) or https:// means you’ve safely connected to the .gov website. Share sensitive information only on official, secure websites.

    Projects Cryptographic Module Validation Program Validated Modules Search

Cryptographic Module Validation Program CMVP

Certificate #4884

Details

Module Name
AWS Key Management Service HSM
Standard
FIPS 140-3
Status
Active
Sunset Date
11/17/2026
Overall Level
3
Caveat
Interim validation. No assurance of minimum security of SSPs (e.g., keys, bit strings) that are externally loaded, or of SSPs established with externally loaded SSPs
Security Level Exceptions
  • Operational environment: N/A
  • Non-invasive security: N/A
  • Mitigation of other attacks: N/A
Module Type
Hardware
Embodiment
Multi-Chip Stand Alone
Description
The Amazon AWS Key Management Service HSM is a multi-chip standalone hardware cryptographic appliance designed to provide dedicated cryptographic functions to meet the security and scalability requirements of the AWS Key Management Service (KMS). The cryptographic boundary is defined as the secure chassis of the appliance. All key materials are maintained exclusively in volatile memory in the appliance and are erased immediately upon detection of physical tampering.
Tested Configuration(s)
  • N/A
Approved Algorithms
AES-CBC
A1908
AES-CTR
A1908
AES-ECB
A1908
AES-GCM
A1908
AES-KWP
A1908
Conditioning Component AES-CBC-MAC SP800-90B
A1791
Counter DRBG
A1908
ECDSA KeyGen (FIPS186-4)
A1908
ECDSA KeyVer (FIPS186-4)
A1908
ECDSA SigGen (FIPS186-4)
A1908
ECDSA SigGen (FIPS186-4)
A1908
ECDSA SigVer (FIPS186-4)
A1908
HMAC-SHA-1
A1908
HMAC-SHA2-256
A1908
HMAC-SHA2-384
A1908
HMAC-SHA2-512
A1908
KAS-ECC Sp800-56Ar3
A1908
KAS-ECC Sp800-56Ar3
A1908
KDA OneStep Sp800-56Cr1
A1908
KDF SP800-108
A1910
KTS-IFC
A1908
RSA Decryption Primitive
A1908
RSA KeyGen (FIPS186-4)
A1908
RSA SigGen (FIPS186-4)
A1908
RSA Signature Primitive
A1908
RSA SigVer (FIPS186-4)
A1908
SHA-1
A1908
SHA2-256
A1908
SHA2-384
A1908
SHA2-512
A1908
Allowed Algorithms
ECDSA secp256k1 (key agreement; key establishment methodology provides 128 bits of encryption strength; [IG C.A] Curves: secp256k1 may only be used in block-chain related applications)
Entropy
ENT (P)
Hardware Versions
3.0
Firmware Versions
1.8.104

Vendor

Amazon Web Services, Inc.
410 Terry Ave N
Ste 1200
Seattle, WA 98109-5210
USA

Jeff Fiedler
jefffied@amazon.com
Phone: 000-000-0000
 Ken Beer
kenbeer@amazon.com

Related Files

Security Policy

Validation History

Date Type Lab
11/18/2024 Initial ACUMEN SECURITY, LLC