In the simplest case, you get a USB device with your certificate purchase, and you plug it into the computer that needs to do signing and configure the vendor software that provides access to the certificates. If it's a cloud hosted machine you can setup a VPN connection to an network where the physical machine is located, and script your signing process to sign on the remote machine. There's a little more to it than that, but code signing is still pretty easy to do. You don't necessarily need your own HSM

@@DX7Dev Thanks David, But How we can actually store and retrieve the purchased code signing certificate in the AWS HSM and I'm only able to see an options of siging a file only by using key pair that we generated in the HSM itself.