AWS KMS can technically sign with asymmetric keys, but it speaks REST — not PKCS#11. For PKI workloads that need HSM-backed signing, key export, and multi-tenant isolation, CloudHSM's Crypto User model gives you partition-equivalent isolation without legacy constraints.
Your board asks "is our data safe in the cloud?" The answer is not yes or no — it is a classification decision that maps each workload to the right control tier. Here is the framework, with the metadata exposure gap most teams miss.
AWS KMS doesn't allow key material export by design. When an external PKI partner generates keys but doesn't retain them, you're stuck. Here are the four AWS alternatives — CloudHSM, XKS, Private CA, and fixing the process — with a decision framework to pick the right one.
XKS protects key material from extraction, but does it protect against legal compulsion to use those keys? Updated with AWS European Sovereign Cloud (GA January 2026).