Isolate and secure cloud data: AWS provides Nitro Enclaves

Source: Heise.de added 29th Oct 2020


AWS announced the availability of the new Nitro Enclaves. They can be used to create isolated environments on the EC2 instances running on the Nitro system platform. While the Nitro System already isolates multiple EC2 instances running on the same hardware, the Nitro Enclaves provide additional isolation by partitioning the CPU and memory of a single “parent” EC2 instance. This protects highly sensitive data from other users or applications running on the same instance.

AWS points to customers in industries such as financial services, life sciences, media, and defense that process highly sensitive data in the AWS cloud and need to protect it from internal as well as external threats. Previously, such customers used Amazon VPC to create isolated environments that only selected users can access.

Initially, AWS allows one enclave per EC2 instance, with support for more to follow. Under the hood, an enclave is attached to its parent EC2 instance. It has no external network connectivity; data is exchanged only over a local virtual socket (vsock) connection that terminates at the parent instance. Each enclave runs its own independent kernel and has exclusive access to the memory and CPU resources carved out for it.

For each enclave it launches, the Nitro Hypervisor produces a cryptographically signed attestation document containing Platform Configuration Registers (PCRs): hashes that record what was actually loaded, among them the enclave image, the operating system kernel, the application, the IAM role of the parent instance and the parent's instance ID. When these values are referenced in a KMS key policy, KMS verifies the document's signature and checks that the attested PCRs match the expected ones before it performs the API action (for example a Decrypt) that the code running inside the enclave requested; if they do not match, the request is denied.
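The following is an added example written for this page, not AWS code, that models the two mechanisms just described: the local socket channel between parent and enclave, and a KMS key policy whose Decrypt permission is conditioned on the enclave's attested PCRs. Everything in it is an assumption or a stand-in: socket.socketpair() replaces the vsock link (in a real enclave both ends are AF_VSOCK sockets and the parent is always CID 3), an HMAC with a known key replaces the hypervisor's signature, the PCR values, ARN and instance ID are constructed, and the policy evaluator is a simplified version of what KMS does (real KMS also validates the document's certificate chain and returns the plaintext encrypted to a key pair generated inside the enclave rather than in the clear).

```python
"""Added example (not AWS code): a simplified model of an attestation-gated
KMS Decrypt from inside a Nitro Enclave. socket.socketpair() stands in for
vsock, an HMAC stands in for the Nitro Hypervisor's signature, and every
PCR value, ARN and ID below is constructed."""
import hashlib
import hmac
import json
import socket
import struct

HYPERVISOR_KEY = b"constructed-nitro-signing-key"  # stand-in for AWS's signing key


def measure(component: bytes) -> str:
    """SHA-384 hex digest, the format Nitro PCR values take."""
    return hashlib.sha384(component).hexdigest()


# Constructed measurements following the documented PCR assignment:
# PCR0 enclave image, PCR1 kernel+bootstrap, PCR2 application,
# PCR3 parent's IAM role, PCR4 parent instance ID.
GOOD_PCRS = {
    "PCR0": measure(b"enclave-image.eif"),
    "PCR1": measure(b"linux-kernel+init"),
    "PCR2": measure(b"application-bundle"),
    "PCR3": measure(b"arn:aws:iam::111122223333:role/data-processing-enclave"),
    "PCR4": measure(b"i-0123456789abcdef0"),
}

# KMS key policy statement gating Decrypt on attested PCRs (constructed IDs).
KEY_POLICY = {"Statement": [{
    "Sid": "Enable enclave data processing",
    "Effect": "Allow",
    "Action": "kms:Decrypt",
    "Resource": "*",
    "Condition": {"StringEqualsIgnoreCase": {
        "kms:RecipientAttestation:PCR0": GOOD_PCRS["PCR0"],
        "kms:RecipientAttestation:PCR3": GOOD_PCRS["PCR3"],
    }},
}]}


def sign_attestation(pcrs):
    """Hypervisor side: sign the PCR set into an attestation document."""
    payload = json.dumps(pcrs, sort_keys=True).encode()
    return {"pcrs": pcrs, "sig": hmac.new(HYPERVISOR_KEY, payload, "sha256").hexdigest()}


def verify_attestation(doc):
    payload = json.dumps(doc.get("pcrs", {}), sort_keys=True).encode()
    expected = hmac.new(HYPERVISOR_KEY, payload, "sha256").hexdigest()
    return hmac.compare_digest(expected, doc.get("sig", ""))


def policy_allows(policy, action, doc=None):
    """KMS side: a statement with kms:RecipientAttestation:* conditions matches
    only if a validly signed document is present and every listed PCR equals
    the policy value (case-insensitive hex compare). Unlisted PCRs are ignored."""
    for stmt in policy["Statement"]:
        if stmt["Effect"] != "Allow" or stmt["Action"] != action:
            continue
        conds = stmt.get("Condition", {}).get("StringEqualsIgnoreCase", {})
        att = {k.rsplit(":", 1)[1]: v for k, v in conds.items()
               if k.startswith("kms:RecipientAttestation:")}
        if att and (doc is None or not verify_attestation(doc)):
            continue
        if any(doc["pcrs"].get(pcr, "").lower() != want.lower() for pcr, want in att.items()):
            continue
        return True
    return False


def send_msg(sock, obj):
    """Length-prefixed JSON: the framing a raw vsock byte stream needs."""
    data = json.dumps(obj).encode()
    sock.sendall(struct.pack("!I", len(data)) + data)


def recv_msg(sock):
    def recv_exact(n):
        buf = b""
        while len(buf) < n:
            chunk = sock.recv(n - len(buf))
            if not chunk:
                raise ConnectionError("peer closed")
            buf += chunk
        return buf
    (length,) = struct.unpack("!I", recv_exact(4))
    return json.loads(recv_exact(length))


def build_decrypt_request(pcrs, ciphertext):
    """Enclave side: attach the attestation document to the Decrypt call."""
    return {"Action": "kms:Decrypt", "CiphertextBlob": ciphertext,
            "Recipient": sign_attestation(pcrs)}


def parent_proxy_to_kms(sock, policy):
    """Parent side: relay the enclave's request to (simulated) KMS, return its answer."""
    req = recv_msg(sock)
    if policy_allows(policy, req["Action"], req.get("Recipient")):
        resp = {"Plaintext": req["CiphertextBlob"][::-1]}  # toy 'decryption'
    else:
        resp = {"Error": "AccessDeniedException"}
    send_msg(sock, resp)
    return resp


def run_exchange(pcrs, ciphertext="!dlrow olleh"):
    """One round trip over a socketpair standing in for the vsock link."""
    parent_end, enclave_end = socket.socketpair()
    try:
        send_msg(enclave_end, build_decrypt_request(pcrs, ciphertext))
        parent_proxy_to_kms(parent_end, KEY_POLICY)
        return recv_msg(enclave_end)
    finally:
        parent_end.close()
        enclave_end.close()


if __name__ == "__main__":
    print(run_exchange(GOOD_PCRS))
    print(run_exchange(dict(GOOD_PCRS, PCR0=measure(b"tampered-image.eif"))))
```

The point to take from the evaluator is that only the PCRs named in the key policy gate the call: a changed PCR1 (kernel) still passes the policy above, which is why a production policy should pin every register that matters for the workload, and why the check collapses to a plain deny when no attestation document accompanies the request at all.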

Nitro Enclaves are now available on instances with Intel and AMD processors in several regions in the USA, Asia, Europe, Australia and South America. Instructions for using Nitro Enclaves can be found on the AWS News Blog. AWS introduced the Nitro System in 2018.

(nb)

Read the full article at Heise.de

brands: Amazon  AMD  Intel  
media: Heise.de  
keywords: Cloud  Memory  Operating System  Software  
