

# Compliance validation for AWS CloudHSM
<a name="fips-validation"></a>

For clusters in FIPS mode, AWS CloudHSM provides FIPS-approved HSMs that meet PCI-PIN, PCI-3DS, and SOC2 compliance requirements. AWS CloudHSM also gives customers the option of choosing clusters that are non-FIPS mode. For details on what certification and compliance requirements apply to each, see [AWS CloudHSM cluster modes](cluster-hsm-types.md).

Relying on a FIPS-validated HSM can help you meet corporate, contractual, and regulatory compliance requirements for data security in the AWS Cloud.

**FIPS 140-2 Compliance**  
The Federal Information Processing Standard (FIPS) Publication 140-2 is a US government security standard that specifies security requirements for cryptographic modules that protect sensitive information. The AWS CloudHSM hsm1.medium instance type is FIPS 140-2 level 3 certified ([Certificate \#4218](https://csrc.nist.gov/Projects/Cryptographic-Module-Validation-Program/Certificate/4218)). On January 4, 2026 the certificate for hsm1.medium moves to the historical list. We recommend customers migrate to hsm2m.medium, which is FIPS 140-3 certified ([Certificate \#4703](https://csrc.nist.gov/projects/cryptographic-module-validation-program/certificate/4703)). For more information, refer to [FIPS validation for hardware](https://csrc.nist.gov/Projects/Cryptographic-Module-Validation-Program).

**FIPS 140-3 Compliance**  
The Federal Information Processing Standard (FIPS) Publication 140-3 is a US government security standard that specifies security requirements for cryptographic modules that protect sensitive information. The hsm2m.medium HSMs provided by AWS CloudHSM are FIPS 140-3 level 3 certified ([Certificate \#4703](https://csrc.nist.gov/projects/cryptographic-module-validation-program/certificate/4703)). For more information, refer to [FIPS validation for hardware](https://csrc.nist.gov/Projects/Cryptographic-Module-Validation-Program).

**[PCI DSS Compliance](https://aws.amazon.com/compliance/pci-dss-level-1-faqs/)**  
The Payment Card Industry Data Security Standard (PCI DSS) is a proprietary information security standard administered by the [PCI Security Standards Council](https://www.pcisecuritystandards.org/). The HSMs provided by AWS CloudHSM comply with PCI DSS.

**[PCI PIN Compliance](compliance-pci-pin-faqs.md)**  
PCI PIN provides security requirement and assessment standards for transmitting, processing, and managing personal identification number (PIN) data, information that is used for transactions at ATMs and point-of-sale (POS) terminals. The hsm1.medium and hsm2m.medium HSMs that are provided by AWS CloudHSM are both PCI PIN compliant. For more information, refer to the article [AWS CloudHSM is now PCI PIN certified](https://aws.amazon.com/blogs/security/aws-cloudhsm-is-now-pci-pin-certified/).  


**PCI-3DS Compliance**  
PCI 3DS (Three-Domain Secure, or 3-D Secure) specifies security requirements for the data used in EMV 3-D Secure e-commerce payments, adding another layer of security for online shopping. The hsm1.medium and hsm2m.medium HSMs that are provided by AWS CloudHSM are both PCI-3DS compliant.

**SOC2**  
SOC2 is a framework to help service organizations demonstrate their cloud and data center security controls. AWS CloudHSM has implemented SOC2 controls in critical areas to adhere to the trusted service principles. For further information, refer to [The AWS SOC FAQs page](https://aws.amazon.com/compliance/soc-faqs/). 

# AWS CloudHSM PCI-PIN compliance FAQs
<a name="compliance-pci-pin-faqs"></a>

PCI PIN provides security requirement and assessment standards for transmitting, processing, and managing personal identification number (PIN) data, information that is used for transactions at ATMs and point-of-sale (POS) terminals.

The PCI-PIN Attestation of Compliance (AOC) and Responsibility Summary is available to customers through AWS Artifact, a self-service portal for on-demand access to AWS compliance reports. For more information, sign in to [AWS Artifact in the AWS Management Console](https://console.aws.amazon.com/artifact), or learn more at [Getting Started with AWS Artifact](https://aws.amazon.com/artifact/getting-started/).

## FAQs
<a name="w2aac35c21b9b7"></a>

**Q: What is the Attestation of Compliance and Responsibility Summary?**

The Attestation of Compliance (AOC) is produced by a Qualified PIN Assessor (QPA) and attests that AWS CloudHSM meets the applicable controls in the PCI-PIN standard. The responsibility summary matrix describes which controls are the responsibility of AWS CloudHSM and which are the responsibility of its customers.

**Q: How do I obtain the AWS CloudHSM Attestation of Compliance?**

The PCI-PIN Attestation of Compliance (AOC) is available to customers through AWS Artifact, a self-service portal for on-demand access to AWS compliance reports. For more information, sign in to [AWS Artifact in the AWS Management Console](https://console.aws.amazon.com/artifact), or learn more at [Getting Started with AWS Artifact](https://aws.amazon.com/artifact/getting-started/).

**Q: How can I learn which PCI PIN controls I am responsible for?**

For detailed information please see "AWS CloudHSM PCI PIN Responsibility Summary" from the AWS PCI PIN Compliance Package, available to customers through AWS Artifact, a self-service portal for on-demand access to AWS compliance reports. For more information, sign in to [AWS Artifact in the AWS Management Console](https://console.aws.amazon.com/artifact), or learn more at [Getting Started with AWS Artifact](https://aws.amazon.com/artifact/getting-started/).

**Q: As an AWS CloudHSM customer, can I rely on the PCI-PIN Attestation of Compliance (AOC)?**

Customers must manage their own PCI-PIN compliance. You are required to go through a formal PCI-PIN attestation process through a Qualified PIN Assessor (QPA) to verify that your payment workload satisfies all PCI-PIN controls/requirements. However, for the controls which AWS is responsible for, your QPA can rely on AWS CloudHSM Attestation of Compliance (AOC) without further testing.

**Q: Is AWS CloudHSM responsible for PCI-PIN requirements related to Key Management Life cycle?**

AWS CloudHSM is responsible for the physical device lifecycle of the HSMs. Customers are responsible for the key management life cycle requirements in the PCI-PIN standard.

**Q: Which AWS CloudHSM controls are PCI-PIN compliant?**

The AOC summarizes the AWS CloudHSM controls that were assessed by a QPA. The PCI-PIN Responsibility Summary is available to customers through AWS Artifact, a self-service portal for on-demand access to AWS compliance reports.

**Q: Does AWS CloudHSM support payment functions such as PIN translation and DUKPT?**

No, AWS CloudHSM provides general purpose HSMs. Over time we may provide payment functions. Although the service does not perform payment functions directly, the AWS CloudHSM PCI PIN attestation of compliance enables customers to attain their own PCI compliance for their services running on AWS CloudHSM. If you are interested in using AWS Payment Cryptography services for your workload, please refer to the blog ["Move Payment Processing to the Cloud with AWS Payment Cryptography."](https://aws.amazon.com/blogs/aws/new-move-payment-processing-to-the-cloud-with-aws-payment-cryptography/)

# Deprecation Notifications
<a name="compliance-dep-notif"></a>

From time to time, AWS CloudHSM may deprecate functionality in order to remain compliant with the requirements of FIPS 140, PCI-DSS, PCI-PIN, PCI-3DS, SOC2, or because of end-of-support hardware. This page lists the changes that currently apply.

## HSM1 Deprecation
<a name="hsm-dep-1"></a>

 The AWS CloudHSM hsm1.medium instance type will reach its end of support on March 31st, 2026. To ensure continued service, we're introducing the following changes: 
+  Starting April 2025, you won't be able to create new hsm1.medium clusters. 
+  Starting January 2026, we will begin automatically migrating existing hsm1.medium clusters to the new hsm2m.medium instance type. 

The hsm2m.medium instance type is compatible with your current AWS CloudHSM instance type and offers improved performance. To avoid disruption to your applications, you must upgrade to the latest version of the Client SDK. For upgrade instructions, see [Migrating from AWS CloudHSM Client SDK 3 to Client SDK 5](client-sdk-migration.md).

 You have two options for migration: 

1.  Opt in to a CloudHSM-managed migration when you're ready. For more information, see [Migrating from hsm1.medium to hsm2m.medium](hsm1-to-hsm2-migration.md).

1.  Create a new hsm2m.medium cluster from a backup of your hsm1 cluster and redirect your application to the new cluster. We recommend using a blue/green deployment strategy for this approach. For more information, see [Creating AWS CloudHSM clusters from backups](create-cluster-from-backup.md). 
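The second option starts from a backup of each hsm1.medium cluster. The following is an added example, not code from the AWS CloudHSM documentation or SDKs: it takes the `Clusters` and `Backups` lists returned by the CloudHSM v2 `DescribeClusters` and `DescribeBackups` APIs, keeps only clusters still on hsm1.medium, picks each one's newest backup in the `READY` state, and builds the `create_cluster` arguments for an hsm2m.medium replacement in the same subnets. The `migrated-from` tag key, the sample IDs and timestamps are constructed for the example; `fetch_live` shows the boto3 calls but is not used by the sample run.

```python
from datetime import datetime, timezone
NEW_TYPE = "hsm2m.medium"

def hsm1_clusters(clusters):
    """Clusters still on hsm1.medium (items of the DescribeClusters 'Clusters' list)."""
    return [c for c in clusters if c.get("HsmType") == "hsm1.medium"]

def latest_ready_backup(backups, cluster_id):
    """Newest READY backup of cluster_id (DescribeBackups 'Backups' items), or None."""
    ready = [b for b in backups if b["ClusterId"] == cluster_id and b["BackupState"] == "READY"]
    return max(ready, key=lambda b: b["CreateTimestamp"], default=None)

def create_cluster_request(cluster, backup):
    """Keyword arguments for cloudhsmv2 create_cluster: source cluster's subnets, new type, backup."""
    return {"HsmType": NEW_TYPE, "SourceBackupId": backup["BackupId"],
            "SubnetIds": sorted(cluster["SubnetMapping"].values()),
            "TagList": [{"Key": "migrated-from", "Value": cluster["ClusterId"]}]}  # tag key is our choice

def plan_migrations(clusters, backups):
    """Requests for hsm1 clusters with a READY backup; clusters lacking one need a backup first."""
    plans, missing = [], []
    for c in hsm1_clusters(clusters):
        b = latest_ready_backup(backups, c["ClusterId"])
        if b:
            plans.append(create_cluster_request(c, b))
        else:
            missing.append(c["ClusterId"])
    return plans, missing

def fetch_live(region):
    """Real inventory via boto3 (needs credentials); the constructed sample below is used instead."""
    import boto3
    hsm = boto3.client("cloudhsmv2", region_name=region)
    clusters = [c for p in hsm.get_paginator("describe_clusters").paginate() for c in p["Clusters"]]
    backups = [b for p in hsm.get_paginator("describe_backups").paginate() for b in p["Backups"]]
    return clusters, backups

# Constructed responses shaped like DescribeClusters / DescribeBackups output; IDs are not real.
_T = lambda day: datetime(2025, 6, day, tzinfo=timezone.utc)
SAMPLE_CLUSTERS = [
    {"ClusterId": "cluster-hsm1example", "HsmType": "hsm1.medium", "SubnetMapping": {"us-east-1b": "subnet-bbbb", "us-east-1a": "subnet-aaaa"}},
    {"ClusterId": "cluster-nobackup", "HsmType": "hsm1.medium", "SubnetMapping": {"us-east-1a": "subnet-cccc"}},
    {"ClusterId": "cluster-done", "HsmType": "hsm2m.medium", "SubnetMapping": {"us-east-1a": "subnet-dddd"}},
]
SAMPLE_BACKUPS = [
    {"BackupId": "backup-old", "ClusterId": "cluster-hsm1example", "BackupState": "READY", "CreateTimestamp": _T(1)},
    {"BackupId": "backup-new", "ClusterId": "cluster-hsm1example", "BackupState": "READY", "CreateTimestamp": _T(9)},
    {"BackupId": "backup-wip", "ClusterId": "cluster-hsm1example", "BackupState": "CREATE_IN_PROGRESS", "CreateTimestamp": _T(12)},
    {"BackupId": "backup-del", "ClusterId": "cluster-nobackup", "BackupState": "DELETED", "CreateTimestamp": _T(3)},
]
```

Pass each planned request to `boto3.client("cloudhsmv2").create_cluster(**request)`, then initialize the new cluster and switch your application over before deleting the old one.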

## FIPS 140 Compliance: 2024 Mechanism Deprecation
<a name="compliance-dep-notif-1"></a>

The National Institute of Standards and Technology (NIST)[1](#dep-notif-1) advises that support for Triple DES (DESede, 3DES, DES3) encryption and RSA key wrap and unwrap with PKCS \#1 v1.5 padding is disallowed after December 31, 2023. Therefore, support for these mechanisms ends on January 1, 2024 in our Federal Information Processing Standard (FIPS) mode clusters. Support for them remains for clusters in non-FIPS mode.

This guidance applies to the following cryptographic operations:
+ Triple DES key generation
  + `CKM_DES3_KEY_GEN` for the PKCS \#11 Library
  + `DESede` Keygen for the JCE Provider
  + `genSymKey` with `-t=21` for the KMU
+ Encryption with Triple DES keys (note: decrypt operations are allowed)
  + For the PKCS \#11 Library: `CKM_DES3_CBC` encrypt, `CKM_DES3_CBC_PAD` encrypt, and `CKM_DES3_ECB` encrypt
  + For the JCE Provider: `DESede/CBC/PKCS5Padding` encrypt, `DESede/CBC/NoPadding` encrypt, `DESede/ECB/Padding` encrypt, and `DESede/ECB/NoPadding` encrypt
+ RSA key wrap, unwrap, encrypt, and decrypt with PKCS \#1 v1.5 padding
  + `CKM_RSA_PKCS` wrap, unwrap, encrypt, and decrypt for the PKCS \#11 SDK
  + `RSA/ECB/PKCS1Padding` wrap, unwrap, encrypt, and decrypt for the JCE SDK
  + `wrapKey` and `unWrapKey` with `-m 12` for the KMU (note `12` is the value for mechanism `RSA_PKCS`)

[1] For details on this change, refer to Table 1 and Table 5 in [Transitioning the Use of Cryptographic Algorithms and Key Lengths](https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-131Ar2.pdf).
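Before a FIPS-mode cluster stops honouring these mechanisms, it helps to find where an application still names them. The following is an added example, not AWS code: a line-based audit over source, configuration or shell-history text that reports the PKCS \#11, JCE and KMU identifiers listed above. Because decrypt with Triple DES keys stays supported, a matching line that also carries a decrypt hint (`C_Decrypt…`, `DECRYPT_MODE`, `.decrypt(`) is reported as `decrypt-allowed` for review instead of `disallowed`; the hint list and the sample lines are constructed for this example.

```python
import re
from typing import NamedTuple

Finding = NamedTuple("Finding", [("line_no", int), ("sdk", str), ("mechanism", str), ("status", str)])

# Mechanism identifiers from the notice, per SDK: (regex, decrypt_still_allowed). Triple DES
# decrypt stays supported, so a matching line that also shows a decrypt hint is reported as
# "decrypt-allowed" for review rather than "disallowed". The trailing \b keeps mechanisms the
# notice does not name, such as CKM_RSA_PKCS_OAEP, from matching the CKM_RSA_PKCS rule.
RULES = {
    "PKCS#11": [(r"\bCKM_DES3_KEY_GEN\b", False), (r"\bCKM_DES3_(CBC_PAD|CBC|ECB)\b", True),
                (r"\bCKM_RSA_PKCS\b", False)],
    "JCE": [(r'KeyGenerator\.getInstance\(\s*"DESede"', False), (r'"DESede/(CBC|ECB)/\w+"', True),
            (r'"RSA/ECB/PKCS1Padding"', False)],
    "KMU": [(r"\bgenSymKey\b.*-t\s*=?\s*21\b", False), (r"\b(wrapKey|unWrapKey)\b.*-m\s*12\b", False)],
}
DECRYPT_HINTS = re.compile(r"C_Decrypt|DECRYPT_MODE|\.decrypt\(")  # heuristic, constructed for this example

def audit(text: str) -> list:
    """Scan source, config or shell-history text line by line for deprecated mechanisms."""
    findings = []
    for n, line in enumerate(text.splitlines(), 1):
        for sdk, rules in RULES.items():
            for pattern, decrypt_ok in rules:
                m = re.search(pattern, line)
                if m:
                    allowed = decrypt_ok and DECRYPT_HINTS.search(line)
                    findings.append(Finding(n, sdk, m.group(0), "decrypt-allowed" if allowed else "disallowed"))
    return findings

def disallowed(text: str) -> list:
    """Only the findings that fail on a FIPS-mode cluster since January 1, 2024."""
    return [f for f in audit(text) if f.status == "disallowed"]

# Constructed sample lines (not from any real application): one per SDK and case.
SAMPLE = """\
rv = C_GenerateKey(hSession, &(CK_MECHANISM){CKM_DES3_KEY_GEN, NULL, 0}, tmpl, 3, &hKey);
rv = C_EncryptInit(hSession, &(CK_MECHANISM){CKM_DES3_CBC_PAD, iv, 8}, hKey);
rv = C_DecryptInit(hSession, &(CK_MECHANISM){CKM_DES3_CBC_PAD, iv, 8}, hKey);
rv = C_WrapKey(hSession, &(CK_MECHANISM){CKM_RSA_PKCS_OAEP, &oaep, sizeof oaep}, hPub, hKey, out, &len);
Cipher wrap = Cipher.getInstance("RSA/ECB/PKCS1Padding");
Cipher dec = Cipher.getInstance("DESede/CBC/NoPadding"); dec.init(Cipher.DECRYPT_MODE, key);
genSymKey -t=21 -s 24 -l legacy-3des
wrapKey -k 10 -w 11 -m 12
"""

if __name__ == "__main__":
    for f in audit(SAMPLE):
        print(f"line {f.line_no}: [{f.sdk}] {f.mechanism} -> {f.status}")
```

The `decrypt-allowed` entries still deserve a look, since the same key handle or cipher object is often reused for encryption elsewhere in the code.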