AWS KMS can sign with asymmetric keys, but it exposes only a REST API, not a PKCS#11 interface. For PKI workloads that need HSM-backed signing, exportable (wrappable) key material, and multi-tenant isolation, CloudHSM's Crypto User (CU) model gives you isolation comparable to an HSM partition without the constraints of legacy partition-based HSMs.
AWS KMS does not allow key material to be exported, by design. When an external PKI partner generates keys that end up only in KMS and keeps no copy, there is no way to get that key material back out. Here are the four AWS alternatives, CloudHSM, XKS (External Key Store), Private CA, and fixing the key-generation process itself, with a decision framework for picking the right one.
XKS keeps key material in an HSM you control and outside AWS, so it protects against extraction; but does it protect against legal compulsion to use those keys on someone else's behalf? Updated to cover the AWS European Sovereign Cloud (GA January 2026).