For Agents
Provision and manage dedicated AWS CloudHSM clusters, individual HSMs, and encrypted backups for FIPS 140-2 Level 3 key custody. Backed by 15 cluster, HSM, and backup operations.
Get started with AWS CloudHSM V2 in minutes using your preferred integration method.
# Add to your MCP client config (Claude Desktop, Cursor, Windsurf)
{
  "jentic": {
    "url": "https://api.jentic.com/mcp",
    "auth": "oauth"
  }
}
# Then ask your agent:
"create a CloudHSM cluster"
# → Jentic returns the GET /events tool with parameter schema, agent executes.

What an agent can do with the AWS CloudHSM V2 API:
Create CloudHSM clusters in a target VPC and initialize them with a customer trust anchor
Add or delete individual HSM appliances within a cluster to scale cryptographic capacity
Take, describe, and restore CloudHSM backups, including modifying backup retention
Copy CloudHSM backups to a second AWS region for disaster recovery
Use for: I need to create a CloudHSM cluster in a specific VPC; provision an additional HSM in an existing CloudHSM cluster; list all CloudHSM backups for a cluster; copy a CloudHSM backup to another region for disaster recovery.
Not supported: Does not handle key generation or cryptographic operations on the wire, KMS multi-tenant keys, or TLS certificate issuance — use for CloudHSM cluster, HSM, and backup lifecycle management only.
Jentic publishes the only available OpenAPI specification for AWS CloudHSM V2, keeping it validated and agent-ready. AWS CloudHSM V2 provides single-tenant, FIPS 140-2 Level 3 hardware security modules in your VPC for generating and using cryptographic keys. Agents can create and manage HSM clusters, provision individual HSMs, take and restore backups, and copy backups across regions. The service is intended for workloads with strict key custody, compliance, or BYOK requirements where AWS KMS multi-tenant HSMs are not sufficient.
Tag CloudHSM clusters and backups for cost allocation and access policies
Modify cluster attributes such as backup retention policy after initial provisioning
Patterns agents use the AWS CloudHSM V2 API for, with concrete tasks.
★ FIPS 140-2 Level 3 Key Custody for Regulated Workloads
Financial services, healthcare, and government workloads that must hold cryptographic keys in FIPS 140-2 Level 3 hardware can use CloudHSM V2 to provision dedicated HSM clusters inside a VPC. The API creates the cluster, attaches HSMs, and manages the backup lifecycle, so an agent can stand up compliant key storage without console clicks. Typical clusters use 2-3 HSMs across availability zones for high availability.
Create a CloudHSM cluster in subnets subnet-aaa and subnet-bbb, then add two HSMs to the cluster
Cross-Region Disaster Recovery for Cryptographic Material
Use CopyBackupToRegion to replicate a CloudHSM backup from a primary region to a secondary region so that a new cluster can be restored from it if the primary region becomes unavailable. The API supports listing backups, modifying retention attributes, and restoring backups marked for deletion within their retention window. This pattern is required by many DR runbooks for HSM-protected workloads.
Copy backup backup-1234 from us-east-1 to us-west-2 and verify the destination backup reaches READY state
Programmatic HSM Fleet Tagging and Inventory
Operations teams managing many CloudHSM clusters across accounts can use ListTags, TagResource, and UntagResource to enforce a tagging standard for cost allocation, ownership, and compliance scope. DescribeClusters and DescribeBackups expose cluster state and backup metadata so an agent can produce an up-to-date inventory of HSM resources and their lifecycle status.
List all CloudHSM clusters in the current account and tag any without a CostCenter tag with CostCenter=unassigned
AI Agent Integration via Jentic
Through Jentic, an AI agent uses the CloudHSM V2 API by searching for an intent like 'create a CloudHSM cluster', loading the schema for CreateCluster, and executing the call with VPC subnet IDs and HSM type. The agent never sees raw AWS access keys — Jentic signs the SigV4 request server-side using credentials stored in the MAXsystem vault.
Search Jentic for 'create a CloudHSM cluster', load the CreateCluster schema, and execute it for HSM type hsm1.medium in the supplied subnet IDs
15 endpoints. Jentic publishes the only available OpenAPI specification for AWS CloudHSM V2, keeping it validated and agent-ready.

METHOD  PATH                                                DESCRIPTION
POST    /#X-Amz-Target=BaldrApiService.CreateCluster        Create a CloudHSM cluster in a VPC
POST    /#X-Amz-Target=BaldrApiService.CreateHsm            Provision an HSM inside an existing cluster
POST    /#X-Amz-Target=BaldrApiService.InitializeCluster    Initialize a cluster with a signed trust anchor
POST    /#X-Amz-Target=BaldrApiService.DescribeClusters     List and describe CloudHSM clusters
POST    /#X-Amz-Target=BaldrApiService.DescribeBackups      List backups for clusters in the account
POST    /#X-Amz-Target=BaldrApiService.CopyBackupToRegion   Copy a backup to a second region for DR
POST    /#X-Amz-Target=BaldrApiService.RestoreBackup        Restore a backup pending deletion
POST    /#X-Amz-Target=BaldrApiService.DeleteCluster        Delete an empty CloudHSM cluster
Three things that make agents converge on Jentic-routed access.
Credential isolation
AWS access key ID, secret key, and optional session token are stored encrypted in the Jentic MAXsystem vault. Agents call CloudHSM V2 via Jentic, which computes the SigV4 signature server-side — raw AWS credentials never enter the agent's context.
Intent-based discovery
Agents search by intent (e.g. 'create a CloudHSM cluster' or 'copy HSM backup to region') and Jentic returns the matching CloudHSM V2 operation with its input schema, so the agent can call CreateCluster or CopyBackupToRegion without browsing AWS docs.
Time to first call
Direct AWS SDK integration: 1-3 days to handle SigV4, IAM permissions, retries, and cluster state polling. Through Jentic: under 1 hour — search, load schema, execute.
Alternatives and complements available in the Jentic catalogue.
AWS Certificate Manager
ACM issues and manages public and private TLS certificates that often consume keys protected by CloudHSM
Choose ACM when the workload needs managed TLS certificates rather than direct HSM key custody.
AWS Security Hub
Security Hub aggregates compliance findings, including controls that verify HSM-backed key usage
Use Security Hub when the agent needs to evaluate whether CloudHSM is configured per CIS or PCI DSS controls.
Amazon GuardDuty
GuardDuty detects suspicious activity in the AWS account hosting the CloudHSM cluster
Use GuardDuty alongside CloudHSM to detect IAM or network anomalies that could indicate cluster tampering.
Specific to using the AWS CloudHSM V2 API through Jentic.
Why is there no official OpenAPI spec for AWS CloudHSM V2?
AWS does not publish an OpenAPI specification. Jentic generates and maintains this spec so that AI agents and developers can call AWS CloudHSM V2 via structured tooling. It is validated against the live API and kept up to date. Get started at https://app.jentic.com/sign-up.
What authentication does the AWS CloudHSM V2 API use?
CloudHSM V2 uses AWS Signature Version 4 (HMAC) signed requests with an IAM access key ID and secret key, plus a session token if using temporary credentials. Through Jentic, those credentials live in the MAXsystem vault and the SigV4 signature is computed server-side, so the agent context never contains the raw secret.
Can I create and initialize a CloudHSM cluster with this API?
Yes. Call CreateCluster with a list of VPC subnet IDs and an HSM type, then call CreateHsm to add HSM appliances, and finally InitializeCluster with a signed certificate from your customer CA to bring the cluster to ACTIVE state.
How do I take and copy a CloudHSM backup across regions?
Backups are taken automatically on cluster changes. Use DescribeBackups to find the backup ID, then call CopyBackupToRegion with the destination region to replicate it. The destination backup gets a new BackupId that you can later pass as SourceBackupId to CreateCluster in that region.
What are the rate limits for the AWS CloudHSM V2 API?
AWS CloudHSM V2 enforces standard AWS service throttling — most control-plane calls (CreateCluster, CreateHsm, DescribeBackups) are limited to a small number of TPS per account per region, and throttled responses return ThrottlingException. Use exponential backoff; the AWS SDKs that Jentic wraps already implement this.
How do I provision a CloudHSM cluster with an AI agent through Jentic?
Run pip install jentic, then have the agent search for 'create a CloudHSM cluster', load the CreateCluster schema, and execute it with the SubnetIds and HsmType parameters. Follow with CreateHsm for each HSM and DescribeClusters to poll for ACTIVE state.
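The provisioning sequence from the two answers above (CreateCluster, then CreateHsm, then polling DescribeClusters) combined with the exponential backoff the rate-limit answer recommends, as an added example that is not Jentic's or AWS's own code. It assumes a client object exposing boto3-style create_cluster, create_hsm and describe_clusters calls; FakeCloudHsmClient is a constructed stand-in so the block runs offline, and the cluster and HSM IDs it returns are made up.

```python
import time

def call_with_backoff(fn, attempts=6, **kwargs):
    """Call one control-plane operation, retrying only ThrottlingException with exponential backoff."""
    for attempt in range(attempts):
        try:
            return fn(**kwargs)
        except Exception as exc:  # boto3 ClientError exposes exc.response["Error"]["Code"]
            code = getattr(exc, "response", {}).get("Error", {}).get("Code")
            if code != "ThrottlingException" or attempt == attempts - 1:
                raise  # permission errors, bad subnet IDs etc. must surface, not be retried
            time.sleep(0.1 * 2 ** attempt)

def wait_for_state(client, cluster_id, target, poll=30.0, limit=40):
    """Poll DescribeClusters until the cluster reaches `target`; fail fast on terminal states."""
    for _ in range(limit):
        resp = call_with_backoff(client.describe_clusters, Filters={"clusterIds": [cluster_id]})
        state = resp["Clusters"][0]["State"]
        if state == target:
            return resp["Clusters"][0]
        if state in ("DEGRADED", "DELETED"):
            raise RuntimeError(f"{cluster_id} entered {state}")
        time.sleep(poll)
    raise TimeoutError(f"{cluster_id} did not reach {target}")

def provision_cluster(client, subnet_ids, hsm_type, azs, poll=30.0):
    """CreateCluster, wait for UNINITIALIZED (required before the first HSM), then CreateHsm per AZ."""
    cluster_id = call_with_backoff(client.create_cluster, SubnetIds=subnet_ids, HsmType=hsm_type)["Cluster"]["ClusterId"]
    wait_for_state(client, cluster_id, "UNINITIALIZED", poll=poll)
    hsms = [call_with_backoff(client.create_hsm, ClusterId=cluster_id, AvailabilityZone=az) for az in azs]
    return cluster_id, [h["Hsm"]["HsmId"] for h in hsms]  # next step: InitializeCluster with the signed cert

class _Throttled(Exception):
    response = {"Error": {"Code": "ThrottlingException"}}  # same shape as boto3's ClientError

class FakeCloudHsmClient:
    """Constructed stand-in for boto3.client("cloudhsmv2"): throttles once, UNINITIALIZED on the 3rd poll."""
    def __init__(self):
        self.polls, self.throttled, self.hsms = 0, False, []
    def create_cluster(self, SubnetIds, HsmType):
        if not self.throttled:
            self.throttled = True
            raise _Throttled()
        return {"Cluster": {"ClusterId": "cluster-example0000", "State": "CREATE_IN_PROGRESS"}}
    def describe_clusters(self, Filters):
        self.polls += 1
        state = "CREATE_IN_PROGRESS" if self.polls < 3 else "UNINITIALIZED"
        return {"Clusters": [{"ClusterId": Filters["clusterIds"][0], "State": state}]}
    def create_hsm(self, ClusterId, AvailabilityZone):
        self.hsms.append((ClusterId, AvailabilityZone))
        return {"Hsm": {"HsmId": f"hsm-{len(self.hsms)}", "State": "CREATE_IN_PROGRESS"}}
```

Against a real account, pass boto3.client("cloudhsmv2") instead of the fake and keep the 30-second poll interval; the retry loop deliberately leaves every non-throttling error to the caller.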