aws_cloudhsm_v2_hsm cost estimation

An aws_cloudhsm_v2_hsm provisions a dedicated FIPS 140-2 Level 3 hardware security module for managing encryption keys you control exclusively. Cost is per HSM-hour (~$1.60/hour, ~$1,168/month per HSM), billed continuously while the HSM exists.

The number that matters for planning is that one HSM isn't a production deployment. CloudHSM HSMs are single instances; high availability and durability require a cluster of at least two HSMs across Availability Zones — so a realistic production CloudHSM is ~$2,336/month and up. There's no per-operation or per-key charge; you pay for the dedicated hardware.

CloudHSM exists for specific requirements: regulatory mandates for single-tenant, customer-controlled key hardware (FIPS 140-2 L3), or workloads where AWS KMS's shared, multi-tenant model isn't acceptable. For the vast majority of encryption needs, AWS KMS (a few dollars per key per month, fractions of a cent per request) is dramatically cheaper. CloudHSM is only justified when compliance specifically demands dedicated HSMs.

c3x prices each HSM at the per-hour rate, so this substantial standing cost — and the multiplier for an HA cluster — is visible before deployment.

Terraform example

A minimal but realistic configuration that C3X can estimate.

resource "aws_cloudhsm_v2_cluster" "main" { hsm_type = "hsm1.medium" subnet_ids = aws_subnet.private[*].id } resource "aws_cloudhsm_v2_hsm" "primary" { cluster_id = aws_cloudhsm_v2_cluster.main.cluster_id subnet_id = aws_subnet.private[0].id }

Dimension	Unit	What's being charged
HSM instance	per hour	Per dedicated HSM-hour, billed continuously. No per-key or per-operation charge — you pay for the hardware. ~$1.60/hour ≈ $1,168/month per HSM

Dimension

Unit

What's being charged

HSM instance

per hour

Per dedicated HSM-hour, billed continuously. No per-key or per-operation charge — you pay for the hardware.

~$1.60/hour ≈ $1,168/month per HSM

Optimization tips

Common ways to reduce aws_cloudhsm_v2_hsm cost without changing the workload.

Use AWS KMS unless you truly need dedicated HSMs

Thousands/month when KMS suffices

CloudHSM (~$1,168/month per HSM, ~$2,336+ for HA) is justified only when compliance specifically mandates single-tenant, customer-controlled FIPS 140-2 L3 hardware. For nearly all encryption needs, AWS KMS — a few dollars per key plus fractions of a cent per request — is dramatically cheaper.

Right-size the cluster to your HA requirement

~$1,168/month per HSM avoided

Production needs at least two HSMs across AZs for availability, but more than two is rarely necessary for most key workloads. Don't over-provision HSMs beyond your throughput and resilience needs — each is ~$1,168/month.

Share one cluster across applications

Per avoided cluster

A single CloudHSM cluster can serve multiple applications and key needs. Don't stand up separate clusters per app when one cluster's HSMs can handle the aggregate load.

FAQ

How much does AWS CloudHSM cost?

Per HSM-hour — ~$1.60/hour, about $1,168/month per HSM — billed continuously, with no per-key or per-operation charge. Production high availability needs at least two HSMs across AZs, so a realistic deployment is ~$2,336/month and up.

CloudHSM or KMS?

KMS for almost everything — it's a few dollars per key per month plus fractions of a cent per request. CloudHSM (~$1,168/month per HSM) is only worth it when compliance specifically requires single-tenant, customer-controlled FIPS 140-2 Level 3 hardware that KMS's multi-tenant model can't satisfy.

How does c3x estimate the cost?

It prices each aws_cloudhsm_v2_hsm at the per-hour rate. Given the scale and that production needs ≥2 HSMs, seeing the standing cost (and the HA multiplier) before deployment matters.

`aws_cloudhsm_v2_hsm` cost estimation

Terraform example

Pricing dimensions

Sample C3X output