Nitro Enclaves is a new feature of AWS's Nitro Hypervisor, the hypervisor that manages EC2 instances. It lets you provision a separate, isolated environment for processing highly sensitive, often encrypted, data.
Data Processing in an Isolated Environment
Nitro Enclaves is a new capability of EC2. Each enclave needs an EC2 instance as its parent; you can think of it as an attachment to that instance, much like an EBS volume or an accelerator card.
These enclaves are very strongly isolated. Nobody, not even you as the owner or administrator, can access them or the processes running inside them directly, for example over SSH. They have no external networking; only the parent instance can talk to the enclave, and only over a local socket. This means the parent server can hand off encrypted data without the plaintext ever being exposed on the parent itself.
It works like this: a request that involves sensitive data arrives at the parent instance. Rather than processing it locally, the parent forwards it to the enclave. Although the enclave is technically a separate machine, you can think of it as a specially protected part of the parent server. The enclave fetches a decryption key from AWS's Key Management Service (KMS), decrypts the data, processes it, and sends back a response.
An enclave is created by "partitioning the CPU and memory of an EC2 instance." If you have a 16-core, 64 GB machine, you can dedicate 4 cores and 32 GB to the enclave, for example.
Even though the enclave is carved out of the parent's resources, the Nitro Hypervisor enforces the same CPU and memory isolation between a parent instance and its enclave as it does between your instance and another customer's instance on the same host. The only link between the two is a local vsock connection.
The integration with KMS is very useful here. KMS can be used to track, rotate, and manage access to sensitive decryption keys. The integration relies on "cryptographic attestation": the Nitro Hypervisor produces a signed attestation document that the enclave presents to KMS to prove its identity. The document includes a hash of the enclave image file, the certificate used to sign that image, a hash of the Linux kernel, the IAM role of the parent, and the parent's instance ID. All of these must match what the key's policy expects, or KMS will reject the request. If you're interested, Nitro ships with an example tool that demonstrates the cryptographic attestation process.
How To Use Nitro Enclaves
To use them, you’ll need to launch an instance with the setting enabled:
After that, you'll most likely need to configure KMS to check the enclave's attestation before the enclave can use it securely.
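As an added illustration (not code from this article or from AWS), here is how the attestation check described above is typically expressed on the KMS side: a key policy that allows Decrypt only when the attestation document's PCR0 (image hash) and PCR8 (signing certificate) match expected values, plus a small local evaluator that mimics that condition check. The `kms:RecipientAttestation:PCR<n>` condition keys are the real KMS keys; the ARNs and PCR values are constructed placeholders.

```python
# Constructed placeholders: real ARNs and PCR values come from your account and
# from the measurements `nitro-cli build-enclave` prints for the image.
ADMIN_ARN = "arn:aws:iam::111122223333:role/EnclaveKeyAdmin"
PARENT_ROLE_ARN = "arn:aws:iam::111122223333:role/EnclaveParent"
EXPECTED_PCR0 = "ab" * 48  # constructed SHA-384 (96 hex chars) of the enclave image file
EXPECTED_PCR8 = "cd" * 48  # constructed measurement of the image signing certificate


def build_enclave_key_policy(admin_arn, parent_role_arn, pcrs):
    """KMS key policy (as a dict) that lets the parent instance's role call Decrypt
    only when the request carries an attestation document whose PCRs match
    `pcrs`, a mapping like {0: "<hex>", 8: "<hex>"}."""
    conditions = {f"kms:RecipientAttestation:PCR{i}": v for i, v in pcrs.items()}
    return {
        "Version": "2012-10-17",
        "Statement": [
            {  # key administration stays with a separate admin role
                "Sid": "AllowKeyAdministration",
                "Effect": "Allow",
                "Principal": {"AWS": admin_arn},
                "Action": "kms:*",
                "Resource": "*",
            },
            {  # decrypt is allowed only from an enclave with these measurements
                "Sid": "AllowDecryptFromAttestedEnclave",
                "Effect": "Allow",
                "Principal": {"AWS": parent_role_arn},
                "Action": "kms:Decrypt",
                "Resource": "*",
                "Condition": {"StringEqualsIgnoreCase": conditions},
            },
        ],
    }


def attestation_satisfies(policy, measured_pcrs):
    """Local simulation of the condition check: True only if every PCR the policy
    pins matches the measured value (case-insensitively). A request with no
    attestation document has no PCRs, so it can never satisfy a pinned PCR."""
    for stmt in policy["Statement"]:
        pinned = stmt.get("Condition", {}).get("StringEqualsIgnoreCase", {})
        if stmt["Action"] != "kms:Decrypt" or not pinned:
            continue
        for key, expected in pinned.items():
            actual = measured_pcrs.get(int(key.rsplit("PCR", 1)[1]))
            if actual is None or actual.lower() != expected.lower():
                return False
        return True
    return False
```

Pinning PCR8 as well as PCR0 means a rebuilt image only unlocks the key if it was signed with the same certificate, which is the property the signing-certificate measurement exists to provide.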