Select your cookie preferences

We use essential cookies and similar tools that are necessary to provide our site and services. We use performance cookies to collect anonymous statistics, so we can understand how customers use our site and make improvements. Essential cookies cannot be deactivated, but you can choose “Customize” or “Decline” to decline performance cookies.

If you agree, AWS and approved third parties will also use cookies to provide useful site features, remember your preferences, and display relevant content, including relevant advertising. To accept or decline all non-essential cookies, choose “Accept” or “Decline.” To make more detailed choices, choose “Customize.”

Preferences
Contact Us
Feedback
AWS Documentation
Create an AWS Account

HSM user types for AWS CloudHSM Management Utility

PDF
RSS
Focus mode
HSM user types for AWS CloudHSM Management Utility - AWS CloudHSM
Precrypto officer (PRECO)Crypto officer (CO)Crypto user (CU)Appliance user (AU)

Most operations that you perform on the hardware security module (HSM) require the credentials of an AWS CloudHSM HSM user. The HSM authenticates each HSM user and each HSM user has a type that determines which operations you can perform on the HSM as that user.

Note

HSM users are distinct from IAM users. IAM users who have the correct credentials can create HSMs by interacting with resources through the AWS API. After the HSM is created, you must use HSM user credentials to authenticate operations on the HSM.

Precrypto officer (PRECO)

In both the cloud management utility (CMU) and the key management utility (KMU), the PRECO is a temporary user that exists only on the first HSM in an AWS CloudHSM cluster. The first HSM in a new cluster contains an PRECO user indicating that this cluster has never been activated. To activate a cluster, you execute the cloudhsm-cli and run the cluster activate command. Log in to the HSM and change the PRECO's password. When you change the password, this user becomes the crypto officer (CO).

Crypto officer (CO)

In both the cloud management utility (CMU) and the key management utility (KMU), a crypto officer (CO) can perform user management operations. For example, they can create and delete users and change user passwords. For more information about CO users, see the HSM user permissions table for AWS CloudHSM Management Utility. When you activate a new cluster, the user changes from a Precrypto Officer (PRECO) to a crypto officer (CO).-->

Crypto user (CU)

A crypto user (CU) can perform the following key management and cryptographic operations.

  • Key management – Create, delete, share, import, and export cryptographic keys.

  • Cryptographic operations – Use cryptographic keys for encryption, decryption, signing, verifying, and more.

For more information, see the HSM user permissions table for AWS CloudHSM Management Utility.

Appliance user (AU)

The appliance user (AU) can perform cloning and synchronization operations on your cluster's HSMs. AWS CloudHSM uses the AU to synchronize the HSMs in an AWS CloudHSM cluster. The AU exists on all HSMs provided by AWS CloudHSM, and has limited permissions. For more information, see the HSM user permissions table for AWS CloudHSM Management Utility.

AWS cannot perform any operations on your HSMs . AWS cannot view or modify your users or keys and cannot perform any cryptographic operations using those keys.

On this page

PrivacySite termsCookie preferences
© 2025, Amazon Web Services, Inc. or its affiliates. All rights reserved.