AWS has just released a new service, CloudHSM, which stands for Cloud Hardware Security Module.
Until now, companies that needed to encrypt their data before storing it in Amazon S3, or any other AWS service, had to manage the encryption keys themselves. Mostly those keys were kept on-premises, which made it hard to coordinate the keys with the applications and data running in AWS. Performance suffered as well, since an application in AWS had to call back to the on-premises key store every time it needed to use a key.
Enter AWS CloudHSM, which makes some of these problems go away. An HSM is a dedicated, tamper-resistant hardware appliance that stores cryptographic keys and performs the encryption and decryption operations with them inside the device, so the key material itself never leaves the appliance. For an application that needs encryption, you first create a Virtual Private Cloud (VPC) subnet, then provision an HSM in that subnet; applications in that VPC can then reach the HSM over the IP address assigned to the device. There is no longer any need to keep cryptographic keys on-premises, so the application can run entirely in the cloud, and the latency of reaching the device from cloud applications drops accordingly.
The device is expensive: there is a one-time charge of USD 5,000 per device, plus an hourly rate of $1.88 for as long as it is provisioned, which makes it a costly affair. It is really an enterprise service, suited to medium and large corporations. We would have been thrilled if it were also offered on a pay-per-use basis, so that startups and smaller organisations could at least try it out.
More information on this service: https://aws.amazon.com/cloudhsm/