I just listened to the CloudHSM intro lecture, and having looked into the encryption offerings quite a bit over the last few months, I was a bit puzzled.
I was under the impression that in CloudHSM v1, what you got was an actual dedicated Safenet hardware appliance sitting in an AWS datacenter, and the hardware nature of that is most of what led to the relatively prohibitive pricing (though not that bad compared to typical market pricing for an HSM…).
And now with CloudHSM v2 moving to Cavium, my understanding is that AWS is providing you with dedicated virtual HSM instances running on specialized Cavium hardware. And indeed the FAQ says this:
Q: Do I share my CloudHSM with other AWS customers?
No. As part of the service you receive single-tenant access to the HSM. Underlying hardware may be shared with other customers, but the HSM is accessible only to you.
I interpret that as saying: AWS manages the Cavium HW using admin roles and provides the customer with crypto role access to the virtual HSM instances it builds on top. So the effect is still that AWS does not have access to the keys or associated crypto operations, but there is still some mutualization involved on the HW level.
I would suggest this section of the course be amended to clarify this as it feels like an important distinction (I do not know whether or not said distinction is relevant from a compliance point of view though).
Did I get this wrong?
On an additional note, I think the difference between using KMS and using CloudHSM should be clarified in the course. When you first read the description they sound very similar, but they are really quite distinct.