Posted On: Oct 28, 2020

AWS Nitro Enclaves is a new EC2 capability that enables customers to create isolated compute environments (enclaves) to further protect and securely process highly sensitive data such as personally identifiable information (PII), healthcare, financial, and intellectual property data within their Amazon EC2 instances. Nitro Enclaves helps customers reduce the attack surface area for their most sensitive data processing applications.

Today, customers already use Amazon EC2 to process a wide range of highly sensitive data. They protect this data with access controls and with encryption, both at rest and in transit. However, during processing, the highly sensitive data is decrypted. To protect data during processing, customers often set up separate VPCs, remove unnecessary third-party software from their instances, limit connectivity, restrict user access, and more. Creating and managing these isolated fleets can be complex and may require significant operational resources. We wanted to make this easier for our customers.

Enclaves are separate virtual machines, hardened, and highly constrained. They have no persistent storage, no interactive access, and no external networking. So even if you are a root user or an admin user on the instance, you will not be able to access or SSH into the enclave. Nitro Enclaves uses the proven isolation of the Nitro Hypervisor to further isolate the CPU and memory of the enclave from users, applications, and libraries on the parent instance. The only way to communicate with the enclave is over a local virtual socket (vsock) channel between the parent instance and the enclave attached to it. With this, you are able to isolate the processing of highly sensitive data within your EC2 instances from your own internal administrators, developers, and other EC2 instances.
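The vsock channel described above is a plain stream socket, so the application has to supply its own message framing. The following is an added example, not code from the announcement or from the Nitro Enclaves SDK: a length-prefixed framing layer that works over any stream socket, with the parent-side connect and enclave-side listen helpers using Python's `AF_VSOCK` support. The enclave CID (16) and port (5000) are assumed values chosen for the example; the frame-size cap is there so a misbehaving peer cannot make the enclave allocate unbounded memory.

```python
import socket
import struct

# Assumed values for this example (not from the announcement): the enclave is
# launched with CID 16 and its application listens on vsock port 5000.
ENCLAVE_CID = 16
ENCLAVE_PORT = 5000
# Upper bound on a single frame, checked on both send and receive, so a peer
# cannot force an unbounded allocation by announcing a huge length.
MAX_FRAME = 1 << 20  # 1 MiB

_HDR = struct.Struct("!I")  # 4-byte big-endian length prefix


def send_frame(sock, payload: bytes) -> None:
    """Send one length-prefixed frame over any stream socket."""
    if len(payload) > MAX_FRAME:
        raise ValueError("frame too large")
    sock.sendall(_HDR.pack(len(payload)) + payload)


def _recv_exact(sock, n: int) -> bytes:
    """Read exactly n bytes, looping over short reads; raise on EOF."""
    buf = bytearray()
    while len(buf) < n:
        chunk = sock.recv(n - len(buf))
        if not chunk:
            raise ConnectionError("peer closed the connection mid-frame")
        buf.extend(chunk)
    return bytes(buf)


def recv_frame(sock) -> bytes:
    """Receive one frame; reject an oversize length before allocating for it."""
    (length,) = _HDR.unpack(_recv_exact(sock, _HDR.size))
    if length > MAX_FRAME:
        raise ValueError("peer announced an oversize frame")
    return _recv_exact(sock, length)


def connect_to_enclave(cid: int = ENCLAVE_CID, port: int = ENCLAVE_PORT):
    """Parent-instance side: open a vsock connection to the enclave."""
    if not hasattr(socket, "AF_VSOCK"):
        raise OSError("AF_VSOCK is not available on this platform")
    s = socket.socket(socket.AF_VSOCK, socket.SOCK_STREAM)
    s.connect((cid, port))
    return s


def serve_in_enclave(handler, port: int = ENCLAVE_PORT) -> None:
    """Enclave side: accept one vsock connection and answer each request frame
    with handler(request) until the parent closes the connection."""
    if not hasattr(socket, "AF_VSOCK"):
        raise OSError("AF_VSOCK is not available on this platform")
    srv = socket.socket(socket.AF_VSOCK, socket.SOCK_STREAM)
    srv.bind((socket.VMADDR_CID_ANY, port))
    srv.listen(1)
    conn, _ = srv.accept()
    with conn:
        while True:
            try:
                request = recv_frame(conn)
            except ConnectionError:
                return
            send_frame(conn, handler(request))


def local_demo() -> tuple:
    """Exercise the framing over a local socketpair (no vsock needed).
    Returns (echoed payload, whether an oversize header was rejected)."""
    a, b = socket.socketpair()
    with a, b:
        send_frame(a, b"sensitive-record-001")
        echoed = recv_frame(b)
        # Forge a header claiming 2 MiB; the receiver must refuse it.
        a.sendall(_HDR.pack(2 << 20))
        try:
            recv_frame(b)
            rejected = False
        except ValueError:
            rejected = True
    return echoed, rejected


if __name__ == "__main__":
    print(local_demo())
```

On a real deployment the parent calls `connect_to_enclave()` after `nitro-cli run-enclave` has started the enclave with the chosen CID, and the enclave image's entrypoint calls `serve_in_enclave(handler)`; `local_demo()` only shows that the framing itself survives short reads and refuses oversize frames.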

Nitro Enclaves attestation allows you to verify the enclave's identity and that only authorized code is running in your enclave: the Nitro Hypervisor produces a signed attestation document containing measurements (PCRs) of the enclave image, which a relying party checks before releasing secrets to the enclave. Nitro Enclaves is integrated with AWS Key Management Service (KMS) to prepare and protect your sensitive data for processing inside enclaves; a KMS key policy can require a valid attestation document with the expected measurements before the key decrypts data for the enclave. Enclaves can also be integrated with other key management services.
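To make the "only authorized code" check concrete, here is an added example (not code from the announcement or from AWS): it takes the PCR measurements that `nitro-cli build-enclave` prints for an enclave image, compares them against the PCRs carried in an attestation document, and emits the KMS key-policy statement that restricts `kms:Decrypt` to requests bearing an attestation document with those PCRs. The measurement values, the role ARN and the attestation sample are constructed placeholders; parsing the CBOR/COSE attestation document and verifying its signature are assumed to have happened already, so the function receives PCRs as hex strings.

```python
import json
import re

# A PCR is a SHA-384 digest: 48 bytes, 96 hex characters.
_HEX_SHA384 = re.compile(r"^[0-9a-f]{96}$")

# Constructed sample shaped like the "Measurements" block that
# `nitro-cli build-enclave` prints for an EIF. The hex values are placeholders.
SAMPLE_BUILD_OUTPUT = {
    "Measurements": {
        "HashAlgorithm": "Sha384 { ... }",
        "PCR0": "aa" * 48,  # whole enclave image
        "PCR1": "bb" * 48,  # kernel and boot ramfs
        "PCR2": "cc" * 48,  # application
    }
}

# Constructed PCR map as it would look after decoding an attestation document
# issued to the same image. PCR8 (signing certificate) is present but not checked.
SAMPLE_ATTESTED = {
    "PCR0": "AA" * 48,
    "PCR1": "bb" * 48,
    "PCR2": "cc" * 48,
    "PCR8": "00" * 48,
}


def is_valid_measurement(value: str) -> bool:
    """True if value looks like a SHA-384 hex digest (case-insensitive)."""
    return bool(_HEX_SHA384.match(value.lower()))


def expected_pcrs(build_output: dict) -> dict:
    """Pull PCR0..PCR2 out of the build output, normalised to lowercase hex."""
    meas = build_output["Measurements"]
    out = {}
    for name in ("PCR0", "PCR1", "PCR2"):
        value = meas[name].lower()
        if not is_valid_measurement(value):
            raise ValueError(f"{name} is not a SHA-384 hex digest")
        out[name] = value
    return out


def pcrs_match(attested: dict, expected: dict) -> bool:
    """Every expected PCR must be present in the attestation and equal to it.
    Extra PCRs in the attestation are ignored; a missing one is a failure."""
    for name, want in expected.items():
        got = attested.get(name)
        if got is None or got.lower() != want:
            return False
    return True


def enclave_decrypt_policy_statement(role_arn: str, expected: dict) -> dict:
    """Key-policy statement allowing the parent instance's role to call Decrypt
    only when the request carries an attestation document whose PCRs equal
    the expected ones (kms:RecipientAttestation:PCR<n> condition keys)."""
    conditions = {
        f"kms:RecipientAttestation:{name}": value for name, value in expected.items()
    }
    return {
        "Sid": "AllowDecryptOnlyFromAttestedEnclave",
        "Effect": "Allow",
        "Principal": {"AWS": role_arn},
        "Action": "kms:Decrypt",
        "Resource": "*",
        "Condition": {"StringEqualsIgnoreCase": conditions},
    }


if __name__ == "__main__":
    expected = expected_pcrs(SAMPLE_BUILD_OUTPUT)
    print("attestation matches build:", pcrs_match(SAMPLE_ATTESTED, expected))
    # Placeholder role ARN using the standard example account ID.
    stmt = enclave_decrypt_policy_statement(
        "arn:aws:iam::123456789012:role/EnclaveParentRole", expected
    )
    print(json.dumps(stmt, indent=2))
```

Two design points worth noting: the comparison is over all three of PCR0, PCR1 and PCR2 rather than PCR0 alone, because a policy keyed on a single register still works but gives a less readable audit trail of what was pinned; and the policy is tied to measurements, not to the instance or role, so a rebuilt image with a different PCR0 cannot decrypt until the policy is updated, which is exactly the property the attestation integration is meant to give.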

Nitro Enclaves is flexible: enclaves can be created with varying amounts of vCPUs and memory, and they are compatible with any programming language or framework. Nitro Enclaves is also processor agnostic and is available on the majority of Intel and AMD-based Amazon EC2 instance types built on the AWS Nitro System. AWS Graviton2-based instance support is coming soon. Finally, because many components of Nitro Enclaves are open sourced, customers can even inspect the code and validate it themselves.

ACM for Nitro Enclaves is a reference enclave application that allows you to use public and private SSL/TLS certificates from AWS Certificate Manager (ACM) with your web applications and servers such as NGINX running on Amazon EC2 instances with Nitro Enclaves.

There is no additional cost beyond the cost of the Amazon EC2 instances and any other AWS services used with Nitro Enclaves and with ACM for Nitro Enclaves. Nitro Enclaves is available today in the AWS US East (N. Virginia, Ohio), US West (Oregon), Europe (Frankfurt, Ireland, London, Paris, Stockholm), Asia Pacific (Hong Kong, Mumbai, Singapore, Sydney, Tokyo), and South America (Sao Paulo) regions, with more regions coming soon.

To learn more about AWS Nitro Enclaves and how to get started, visit the AWS Nitro Enclaves page.