Does AWS do internal logging for user access information for AWS services?

0

Does AWS do internal logging for user access information to AWS services if the customer explicitly disabled logging for the services used? Major services in question - Route53, WAF, CloudFront, S3

Thanks,

2 Answers
1

All of these services are integrated with AWS CloudTrail, a service that provides a record of actions taken by a user, role, or an AWS service. CloudTrail captures a subset of API calls for a particular service or actions as events, including calls from the console and code calls to the APIs. There is also a good blog which shows how to notify on changes to CloudTrail and re-enable logging whenever logging is disabled.

References:

  1. Logging Amazon S3 API calls using AWS CloudTrail - https://docs.aws.amazon.com/AmazonS3/latest/userguide/cloudtrail-logging.html
  2. Logging and monitoring in Amazon Route 53 - https://docs.aws.amazon.com/Route53/latest/DeveloperGuide/logging-monitoring.html
  3. Logging API calls with AWS CloudTrail - https://docs.aws.amazon.com/waf/latest/developerguide/logging-using-cloudtrail.html
  4. Using AWS CloudTrail to capture requests sent to the CloudFront API - https://docs.aws.amazon.com/AmazonCloudFront/latest/DeveloperGuide/logging_using_cloudtrail.html
  5. Monitor Changes and Auto-Enable Logging in AWS CloudTrail - https://aws.amazon.com/blogs/mt/monitor-changes-and-auto-enable-logging-in-aws-cloudtrail/
AWS
Expert
Answered 2 years ago
  • Thanks for your suggestion, but let me rephrase my intent - I want to run a website on AWS with the highest privacy. I configured the services not to do access logging. And I want to know if AWS logs the user access internally even if I disabled access logging in the AWS console.
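
The monitoring that the answer above points to (notify when CloudTrail logging is changed, then re-enable it) can be illustrated as follows. This is an added example, not code from the answer, the referenced blog, or AWS: the records, account ID, trail names and function names are constructed, and the `requestParameters` key names are an assumption about the record layout.

```python
CLOUDTRAIL = "cloudtrail.amazonaws.com"
# CloudTrail API calls that can stop or narrow what a trail records.
REDUCING = {"StopLogging", "DeleteTrail", "UpdateTrail", "PutEventSelectors"}

def make_record(time, source, name, trail=None, error=None):
    """Build a constructed CloudTrail-style record (placeholder names, not real data)."""
    rec = {"eventTime": time, "eventSource": source, "eventName": name,
           "userIdentity": {"arn": "arn:aws:iam::111122223333:user/example-admin"},
           "requestParameters": {"name": trail} if trail else None}
    if error:
        rec["errorCode"] = error
    return rec

SAMPLE = [
    make_record("2024-01-01T10:00:00Z", "s3.amazonaws.com", "PutBucketLogging"),
    make_record("2024-01-01T10:01:00Z", CLOUDTRAIL, "StopLogging", "example-trail-a"),
    make_record("2024-01-01T10:05:00Z", CLOUDTRAIL, "StopLogging", "example-trail-b", "AccessDenied"),
    make_record("2024-01-01T10:06:00Z", CLOUDTRAIL, "StopLogging", "example-trail-c"),
    make_record("2024-01-01T10:07:00Z", CLOUDTRAIL, "StartLogging", "example-trail-c"),
]

def trail_name(rec):
    # Assumption: most trail calls carry "name", PutEventSelectors carries "trailName".
    params = rec.get("requestParameters") or {}
    return params.get("name") or params.get("trailName") or "unknown"

def find_trail_changes(records):
    """One finding per CloudTrail API call that can reduce logging, denied calls included."""
    return [{"time": r["eventTime"], "action": r["eventName"], "trail": trail_name(r),
             "actor": (r.get("userIdentity") or {}).get("arn", "unknown"),
             "succeeded": "errorCode" not in r}
            for r in records
            if r.get("eventSource") == CLOUDTRAIL and r.get("eventName") in REDUCING]

def trails_to_restart(records):
    """Trails whose most recent successful Stop/StartLogging call left them stopped."""
    logging_on = {}
    for r in sorted(records, key=lambda r: r["eventTime"]):
        if r.get("eventSource") != CLOUDTRAIL or "errorCode" in r:
            continue  # ignore other services and calls that were denied
        if r.get("eventName") in ("StopLogging", "StartLogging"):
            logging_on[trail_name(r)] = r["eventName"] == "StartLogging"
    return sorted(t for t, on in logging_on.items() if not on)

if __name__ == "__main__":
    for finding in find_trail_changes(SAMPLE):
        print(finding)
    print("re-enable:", trails_to_restart(SAMPLE))
```

Denied attempts are reported as findings but do not mark a trail as stopped, so only trails that were actually switched off and not restarted are returned for re-enabling.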

0

You can use CloudHSM directly without KMS and a KMS custom key store. AWS CloudHSM provides two ways for clients to connect to it.

  1. Command line utilities: https://docs.aws.amazon.com/cloudhsm/latest/userguide/command-line-tools.html
  2. Programmatic access: https://docs.aws.amazon.com/cloudhsm/latest/userguide/use-hsm.html

With both of these ways, the user can directly integrate with CloudHSM without any interaction with any other AWS services. As far as IAM is concerned, AWS CloudHSM access does not fall under IAM.

kp
Answered 2 years ago
