AWS CloudHSM Performance

For production clusters, you should have at least two HSM instances spread across different availability zones in a region. We recommend load testing your cluster to determine the peak load you should anticipate, and then adding one more HSM to the cluster to ensure high availability. For applications requiring durability of newly generated keys, we recommend at least three HSM instances spread across different availability zones in a region.

Performance data

The performance of AWS CloudHSM clusters varies based on the specific workload. To increase performance, you can add HSM instances to your clusters. Performance can vary based on configuration, data size, and additional application load on your EC2 instances. We encourage load testing your application to determine scaling needs.

The following table shows approximate performance for common cryptographic algorithms running on an EC2 instance with hsm1.medium instances.

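Performance data for hsm1.medium

| Operation         | Two-HSM cluster [1] | Three-HSM cluster [2] | Six-HSM cluster [3] |
|-------------------|---------------------|-----------------------|---------------------|
| RSA 2048-bit sign | 2,000 ops/sec       | 3,000 ops/sec         | 5,000 ops/sec       |
| EC P256 sign      | 500 ops/sec         | 750 ops/sec           | 1,500 ops/sec       |
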
  • [1] A two-HSM cluster with the Java multi-threaded application running on one c4.large EC2 instance with one HSM in the same AZ as the EC2 instance.

  • [2] A three-HSM cluster with the Java multi-threaded application running on one c4.large EC2 instance with one HSM in the same AZ as the EC2 instance.

  • [3] A six-HSM cluster with the Java multi-threaded application running on one c4.large EC2 instance with two HSMs in the same AZ as the EC2 instance.

HSM throttling

When your workload exceeds your cluster’s HSM capacity, you will receive error messages stating that HSMs are busy or throttled. For details on what to do when this happens, see HSM Throttling.
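
A minimal multi-threaded load-test driver for the load-testing advice and the throttling behavior described above. This is an added example, not AWS code: `HsmBusyError` and `FakeSigner` are hypothetical stand-ins (constructed for illustration) for your client library's busy/throttled error and its sign call, which you would substitute with your own.

```python
import threading
import time
from concurrent.futures import ThreadPoolExecutor


class HsmBusyError(Exception):
    """Hypothetical stand-in for the client library's busy/throttled error."""


class FakeSigner:
    """Constructed stand-in for an HSM sign call: rejects every Nth request."""

    def __init__(self, reject_every):
        self._reject_every = reject_every
        self._calls = 0
        self._lock = threading.Lock()

    def sign(self, message):
        with self._lock:
            self._calls += 1
            n = self._calls
        if n % self._reject_every == 0:
            raise HsmBusyError("HSM busy (simulated)")
        return b"sig:" + message


def load_test(sign, threads, ops_per_thread, message=b"load-test"):
    """Drive sign() from several threads; tally successes and busy errors."""

    def worker(_):
        ok = busy = 0
        for _ in range(ops_per_thread):
            try:
                sign(message)
                ok += 1
            except HsmBusyError:
                busy += 1  # counted, not retried: the aim is to find saturation
        return ok, busy

    start = time.perf_counter()
    with ThreadPoolExecutor(max_workers=threads) as pool:
        results = list(pool.map(worker, range(threads)))
    elapsed = time.perf_counter() - start
    ok = sum(r[0] for r in results)
    busy = sum(r[1] for r in results)
    rate = ok / elapsed if elapsed > 0 else 0.0
    return {"ok": ok, "busy": busy, "ops_per_sec": rate,
            "busy_ratio": busy / (ok + busy)}
```

With a real sign call plugged in, increase `threads` between runs and record `ops_per_sec` until `busy_ratio` rises above zero; that throughput is the cluster's measured capacity for the workload.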