Abstract: Secure operations can be performed using security module instances offered as a web service through a resource provider environment. State data and cryptographic material can be loaded and unloaded from the instance as needed, such that the instance can be reused for operations of different customers. The material and data can be stored as a bundle encrypted using a key specific to the hardware security module and a key specific to the resource provider, such that the bundle can only be decrypted in an instance of that type of security module from the associated manufacturer and operated by that particular resource provider. The customer is then only responsible for the allocation of that instance during the respective cryptographic operation(s).

Abstract: A virtual cryptographic module is used to perform cryptographic operations. The virtual cryptographic module may include a fleet of cryptographic modules and a load balancer that determines when a cryptographic module should be added to or removed from the fleet. The fleet size may be adjusted based on detecting a set of conditions that includes the utilization level of the fleet. One or more cryptographic modules of the fleet may be used to fulfill requests to perform cryptographic operations. A cryptographic module may be a hardware security module (“HSM”).

Abstract: A virtual hardware security module (“HSM”) is used to perform cryptographic operations. The virtual HSM may provision and coordinate requests between one or more HSMs within a fleet of HSMs. A set of cryptographic keys and/or digital certificates may be exchanged between a client and the virtual HSM such that the client and the virtual HSM may communicate with each other via a cryptographically protected communication session. The fleet of HSMs of a virtual HSM may be scaled up or scaled down according to various criteria. Cryptographic key material may be propagated between HSMs of the fleet using a fleet transfer key. Digital certificates may be used to demonstrate that one or more cryptographic keys were generated by a service provider and/or manufacturer.

Abstract: Secure operations can be performed using security module instances offered as a web service through a resource provider environment. State data and cryptographic material can be loaded and unloaded from the instance as needed, such that the instance can be reused for operations of different customers. The material and data can be stored as a bundle encrypted using a key specific to the hardware security module and a key specific to the resource provider, such that the bundle can only be decrypted in an instance of that type of security module from the associated manufacturer and operated by that particular resource provider. The customer is then only responsible for the allocation of that instance during the respective cryptographic operation(s).

Abstract: A virtual cryptographic module is used to perform cryptographic operations. The virtual cryptographic module may include a fleet of cryptographic modules and a load balancer that determines when a cryptographic module should be added to or removed from the fleet. The fleet size may be adjusted based on detecting a set of conditions that includes the utilization level of the fleet. One or more cryptographic modules of the fleet may be used to fulfill requests to perform cryptographic operations. A cryptographic module may be a hardware security module (“HSM”).

Abstract: Secure operations can be performed using security module instances offered as a web service through a resource provider environment. State data and cryptographic material can be loaded and unloaded from the instance as needed, such that the instance can be reused for operations of different customers. The material and data can be stored as a bundle encrypted using a key specific to the hardware security module and a key specific to the resource provider, such that the bundle can only be decrypted in an instance of that type of security module from the associated manufacturer and operated by that particular resource provider. The customer is then only responsible for the allocation of that instance during the respective cryptographic operation(s).

Abstract: A virtual hardware security module (“HSM”) is used to perform cryptographic operations. The virtual HSM may provision and coordinate requests between one or more HSMs within a fleet of HSMs. A set of cryptographic keys and/or digital certificates may be exchanged between a client and the virtual HSM such that the client and the virtual HSM may communicate with each other via a cryptographically protected communication session. The fleet of HSMs of a virtual HSM may be scaled up or scaled down according to various criteria. Cryptographic key material may be propagated between HSMs of the fleet using a fleet transfer key. Digital certificates may be used to demonstrate that one or more cryptographic keys were generated by a service provider and/or manufacturer.

Abstract: A virtual cryptographic module is used to perform cryptographic operations. The virtual cryptographic module may include a fleet of cryptographic modules and a load balancer that determines when a cryptographic module should be added to or removed from the fleet. The fleet size may be adjusted based on detecting a set of conditions that includes the utilization level of the fleet. One or more cryptographic modules of the fleet may be used to fulfill requests to perform cryptographic operations. A cryptographic module may be a hardware security module (“HSM”).

Abstract: A virtual hardware security module (“HSM”) is used to perform cryptographic operations. The virtual HSM may provision and coordinate requests between one or more HSMs within a fleet of HSMs. A set of cryptographic keys and/or digital certificates may be exchanged between a client and the virtual HSM such that the client and the virtual HSM may communicate with each other via a cryptographically protected communication session. The fleet of HSMs of a virtual HSM may be scaled up or scaled down according to various criteria. Cryptographic key material may be propagated between HSMs of the fleet using a fleet transfer key. Digital certificates may be used to demonstrate that one or more cryptographic keys were generated by a service provider and/or manufacturer.

Abstract: A virtual cryptographic module is used to perform cryptographic operations. The virtual cryptographic module may include a fleet of cryptographic modules and a load balancer that determines when a cryptographic module should be added to or removed from the fleet. The fleet size may be adjusted based on detecting a set of conditions that includes the utilization level of the fleet. One or more cryptographic modules of the fleet may be used to fulfill requests to perform cryptographic operations. A cryptographic module may be a hardware security module (“HSM”).

Abstract: Secure operations can be performed using security module instances offered as a web service through a resource provider environment. State data and cryptographic material can be loaded and unloaded from the instance as needed, such that the instance can be reused for operations of different customers. The material and data can be stored as a bundle encrypted using a key specific to the hardware security module and a key specific to the resource provider, such that the bundle can only be decrypted in an instance of that type of security module from the associated manufacturer and operated by that particular resource provider. The customer is then only responsible for the allocation of that instance during the respective cryptographic operation(s).

Abstract: Systems, devices and processes are described for implementing an access heartbeat role on a hardware security module (HSM) that stores secure data on behalf of a secure data owner. Heartbeat and access credentials are established and distributed by the HSM. Access to the secure data is prevented unless the HSM receives valid heartbeats prior to a time expiration along with a valid access request. Generally, heartbeats are signed messages and include heartbeat credentials. Access requests may also be signed messages and include access credentials. The access credentials may be suspended, revoked or the entire HSM may be zeroized (e.g., plaintext keys erased), dependent upon a failure to receive valid heartbeats in a timely fashion. Heartbeats may be required from multiple entities, in some embodiments. Some example configurable features include heartbeat expiration time, the source of the credentials, the access denial options, and how many sources of distinct heartbeats are required.

Abstract: Secure operations can be performed using security module instances offered as a web service through a resource provider environment. State data and cryptographic material can be loaded and unloaded from the instance as needed, such that the instance can be reused for operations of different customers. The material and data can be stored as a bundle encrypted using a key specific to the hardware security module and a key specific to the resource provider, such that the bundle can only be decrypted in an instance of that type of security module from the associated manufacturer and operated by that particular resource provider. The customer is then only responsible for the allocation of that instance during the respective cryptographic operation(s).

Abstract: Techniques for determining age-content type appropriate ratings for a media on behalf of a user may be provided. For example, information about age-content type appropriate ratings for a plurality of media works may be maintained where the information is associated with a particular user. A determination of whether the particular user has consumed a media work in response to receiving an indication that a user is browsing to the media work in a user interface may be provided. A group that the user belongs to may be identified based on other users that have specified age-content type appropriate ratings for the plurality of media works that are within a range of ratings provided by the user for the plurality of media works. Age-content appropriate ratings for the media work may be determined for the particular user based on an algorithm using the information and the ratings specified by the group.