Update management in AWS CloudHSM
AWS manages the firmware. Firmware is maintained by a third party, and must be evaluated by NIST for FIPS 140-2 Level 3 or FIPS 140-3 Level 3 compliance depending on the hsm type. Only firmware that has been cryptographically signed by the FIPS key, which AWS does not have access to, can be installed.