AWS CloudHSM performance information
For production AWS CloudHSM clusters, you should have at least two hardware security module (HSM) instances spread across different availability zones in a region. We recommend load testing your cluster to determine the peak load you should anticipate, and then add one more HSM to it to ensure high availability. For applications requiring durability of newly generated keys, we recommend at least three HSM instances spread across different availability zones in a region.
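One way to check a cluster's layout against the minimums above, as an added example that is not AWS's own code; it reads JSON in the shape returned by `aws cloudhsmv2 describe-clusters`. The sample response, the cluster and HSM IDs, and the function names `audit_cluster` and `audit` are constructed for illustration. Counting only `ACTIVE` HSMs and requiring at least two distinct AZs are assumptions.

```python
import json

# Constructed sample in the shape returned by `aws cloudhsmv2 describe-clusters`
# (placeholder IDs, not real resources).
SAMPLE = json.loads("""
{"Clusters": [
  {"ClusterId": "cluster-example1", "State": "ACTIVE", "Hsms": [
    {"HsmId": "hsm-a", "AvailabilityZone": "us-east-1a", "State": "ACTIVE"},
    {"HsmId": "hsm-b", "AvailabilityZone": "us-east-1b", "State": "ACTIVE"}]},
  {"ClusterId": "cluster-example2", "State": "ACTIVE", "Hsms": [
    {"HsmId": "hsm-c", "AvailabilityZone": "us-east-1a", "State": "ACTIVE"},
    {"HsmId": "hsm-d", "AvailabilityZone": "us-east-1a", "State": "ACTIVE"},
    {"HsmId": "hsm-e", "AvailabilityZone": "us-east-1b", "State": "DEGRADED"}]}
]}
""")

def audit_cluster(cluster, needs_key_durability=False):
    """Return a list of findings; an empty list means the layout passes."""
    # Assumption: only HSMs in the ACTIVE state count toward the minimum.
    active = [h for h in cluster.get("Hsms", []) if h.get("State") == "ACTIVE"]
    zones = {h["AvailabilityZone"] for h in active}
    # Page guidance: at least two HSMs, or three when new keys must be durable.
    required = 3 if needs_key_durability else 2
    findings = []
    if len(active) < required:
        findings.append(f"{len(active)} active HSM(s), need at least {required}")
    # Assumption: "spread across different AZs" means at least two distinct AZs.
    if len(zones) < 2:
        findings.append(f"active HSMs span {len(zones)} AZ(s), need at least 2")
    return findings

def audit(response, durable_cluster_ids=()):
    """Map each ClusterId to its findings."""
    return {c["ClusterId"]: audit_cluster(c, c["ClusterId"] in durable_cluster_ids)
            for c in response.get("Clusters", [])}

if __name__ == "__main__":
    for cid, findings in audit(SAMPLE, {"cluster-example2"}).items():
        print(cid, "OK" if not findings else "; ".join(findings))
```

This check covers only the static minimums; the extra HSM recommended on top of peak load still has to come from your own load test results.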
Performance data
The performance of AWS CloudHSM clusters varies based on the specific workload. To increase performance, you can add additional HSM instances to your clusters. Performance can vary based on configuration, data size, and additional application load on your EC2 instances. We encourage load testing your application to determine scaling needs.
The following table shows approximate performance for common cryptographic algorithms running on an EC2 instance with hsm1.medium instances.
The following table shows approximate performance for common cryptographic algorithms running on an EC2 instance with hsm2m.medium.
- [1] A two-HSM cluster with the Java multi-threaded application running on one c4.large EC2 instance with one HSM in the same AZ as the EC2 instance.
- [2] A three-HSM cluster with the Java multi-threaded application running on one c4.large EC2 instance with one HSM in the same AZ as the EC2 instance.
- [3] A six-HSM cluster with the Java multi-threaded application running on one c4.large EC2 instance with two HSMs in the same AZ as the EC2 instance.
HSM throttling
When your workload exceeds your cluster’s HSM capacity, you will receive error messages stating that HSMs are busy or throttled. For details on what to do when this happens, see HSM throttling.