Explanation: AWS CloudHSM provides secure cryptographic key storage to customers by making hardwaresecurity modules (HSMs) available in the AWS cloud. AWS CloudHSM requires the following environment before an HSM appliance can be provisioned. Avirtual private cloud (VPC) in the region where you want the AWS CloudHSM service. One privatesubnet (a subnet with no Internet gateway) in the VPC. The HSM appliance is provisioned into thissubnet. One public subnet (a subnet with an Internet gateway attached). The control instances are attachedto this subnet. An AWS Identity and Access Management (IAM) role that delegates access to your AWS resources toAWS CloudHSM. An EC2 instance, in the same VPC as the HSM appliance, that has the SafeNet client softwareinstalled. This instance is referred to as the control instance and is used to connect to and managethe HSM appliance. A security group that has port 22 (for SSH) or port 3389 (for RDP) open to your network. This securitygroup is attached to your control instances so you can access them remotely.