AWS CloudHSM provides hardware security modules (HSMs) that are hosted and maintained in the AWS Cloud. As with any HSM, you can use AWS CloudHSM to generate and store keys and to perform a range of operations on them, including importing/exporting keys, encryption/decryption, signing, and calculating message digests. The AWS CloudHSM Signer allows you to generate an Ethereum signing key inside the HSM and use it to sign and submit transactions.
To give an overview of the architecture, the Kaleido CloudHSM service communicates with AWS CloudHSM to get a transaction signed by a signing account whose key is managed by the AWS CloudHSM. Under no circumstances can Kaleido retrieve the private key from the AWS Cloud. Instead, Kaleido holds only the key handle: it sends the payload to be signed to the HSM, the HSM signs it with the key referenced by that handle, and only the signature is returned.
AWS offers clustered HSMs as a service, and the HSMs are FIPS 140-2 Level 3 certified. The cluster is provisioned under your AWS account and manages your signing keys inside the secure HSM devices.
Communication between the Kaleido CloudHSM service and the AWS CloudHSM cluster is established with the help of a component called the AWS CloudHSM Client, which runs locally inside the Kaleido CloudHSM service. It is responsible for maintaining a secure end-to-end connection with the AWS CloudHSM(s). More information on the client daemon can be found in AWS's documentation.
AWS provides a software library implementing the "Cryptoki" API compliant with the PKCS #11 specification. The library is supported on Linux-compatible operating systems. The Kaleido CloudHSM service uses this PKCS #11 interface to communicate with the CloudHSMs in the AWS Cloud.
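The handle-based signing flow described above, written out as an added example in Python (this is not Kaleido's or AWS's code): the caller opens a PKCS #11 session, checks that the key is non-extractable, hands the HSM a 32-byte transaction digest and receives a raw r||s ECDSA signature, which it then normalizes to the low-s form Ethereum requires. The python-pkcs11 package, the library path, the token label and the key label are assumptions and will differ per environment.

```python
# Added example, not Kaleido's or AWS's code. Assumes the python-pkcs11 package;
# the library path, token label and key label below are illustrative only.
SECP256K1_N = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEBAAEDCE6AF48A03BBFD25E8CD0364141


def normalize_low_s(raw_sig: bytes) -> tuple[int, int]:
    """PKCS #11 CKM_ECDSA returns r||s (32 bytes each for secp256k1), with no
    DER wrapping and no recovery id. Ethereum (EIP-2) rejects s > n/2, so a
    high s returned by the HSM is replaced by its canonical value n - s."""
    if len(raw_sig) != 64:
        raise ValueError(f"expected 64-byte r||s signature, got {len(raw_sig)}")
    r = int.from_bytes(raw_sig[:32], "big")
    s = int.from_bytes(raw_sig[32:], "big")
    if not (0 < r < SECP256K1_N and 0 < s < SECP256K1_N):
        raise ValueError("r or s out of range for secp256k1")
    if s > SECP256K1_N // 2:
        s = SECP256K1_N - s
    return r, s


def sign_with_cloudhsm(digest: bytes, *, key_label: str, user_pin: str,
                       lib_path: str = "/opt/cloudhsm/lib/libcloudhsm_pkcs11.so",
                       token_label: str = "cavium") -> tuple[int, int]:
    """Sign a 32-byte digest with the HSM-resident key named key_label.
    Only the key handle is used in-process; the private key never leaves the HSM."""
    import pkcs11  # python-pkcs11; imported lazily so normalize_low_s runs offline
    from pkcs11 import Attribute, Mechanism, ObjectClass

    if len(digest) != 32:
        raise ValueError("Ethereum transactions are signed over a 32-byte Keccak-256 digest")
    lib = pkcs11.lib(lib_path)
    token = lib.get_token(token_label=token_label)
    with token.open(user_pin=user_pin) as session:
        key = session.get_key(object_class=ObjectClass.PRIVATE_KEY, label=key_label)
        # Refuse to sign with a key the HSM would ever allow to be exported.
        if key[Attribute.EXTRACTABLE] or not key[Attribute.SENSITIVE]:
            raise RuntimeError("signing key must be CKA_SENSITIVE and not CKA_EXTRACTABLE")
        # The digest goes in, the raw r||s signature comes back.
        raw_sig = key.sign(digest, mechanism=Mechanism.ECDSA)
    return normalize_low_s(raw_sig)
```

The recovery id (v) that Ethereum also needs is not part of the PKCS #11 signature; the caller derives it separately by recovering the public key from (r, s) and matching it against the HSM key's public point.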