Encryption-in-transit for public sector workloads with AWS Nitro Enclaves and AWS Certificate Manager
Government, education, nonprofit, healthcare, and other public sector organizations process and store sensitive data including health records, tax data, personally identifiable information (PII), student data, criminal justice information, and financial data. These workloads carry stringent security and compliance requirements to protect the confidentiality, integrity, and availability of this data both in transit and at rest. Best practices for protection of data in transit include enforcing appropriately defined encryption requirements, authenticating network communications, and implementing secure key and certificate management systems.
In this post, I demonstrate a solution for deploying a highly available and fault tolerant web service with managed certificates and TLS termination performed on customer-managed EC2 Nitro instances using ACM for Nitro Enclaves.
TLS Termination with Elastic Load Balancing
Amazon Web Services (AWS) provides services that help you simplify the process of building and operating secure workloads and applications in the cloud. With Elastic Load Balancing (ELB) you can terminate HTTPS and TLS traffic from clients at your load balancer while AWS Certificate Manager (ACM) manages the complexity of creating, storing, and renewing public and private SSL/TLS X.509 certificates and keys that protect your AWS websites and applications. In this architecture, the load balancer performs the work of encrypting and decrypting the traffic before forwarding it on to its destination. ELB can configure load balancers to forward traffic on to the target Amazon Elastic Compute Cloud (Amazon EC2) instances using HTTPS/TLS for encryption in transit.
Some workloads have specific security and compliance requirements that necessitate terminating directly on backend instances. ELB supports TLS termination at the application using Network Load Balancers and Classic Load Balancers with TCP passthrough. TCP passthrough relays requests to the target EC2 instances as-is. In the past, using TCP passthrough for HTTPS/TLS traffic meant that you needed to implement a system for managing the provisioning, storing, and renewing of SSL/TLS X.509 certificates. You cannot install your ACM-issued certificates directly on an arbitrary AWS-based website or application. ACM certificates can only be installed on an integrated service such as ELB, Amazon CloudFront, or Amazon API Gateway. With the release of AWS Nitro Enclaves and its ACM for Nitro Enclaves integration, you are able to install ACM certificates in your application instance’s enclave and use it to terminate HTTPS/TLS at your application.
AWS Nitro Enclaves is an Amazon EC2 capability that enables customers to create isolated compute environments (enclaves) to further protect and securely process highly sensitive data within their Amazon EC2 instances. Nitro Enclaves helps customers reduce the attack surface area for their most sensitive data processing applications.
Enclaves are separate virtual machines, hardened, and highly constrained. They have no persistent storage, no interactive access, and no external networking. So even if you are a root user or an admin user on the instance, you are not able to access or SSH into the enclave. Nitro Enclaves use the proven isolation of the Nitro Hypervisor to further isolate the CPU and memory of the enclave from users, applications, and libraries on the parent instance. The only way to communicate with the enclave is through the local vsock socket from the parent instance attached to the enclave. With this, you are able to isolate the processing of highly sensitive data within your Amazon EC2 instances from your own internal administrators, developers, and other Amazon EC2 instances.
Nitro Enclaves cryptographic attestation features allow you to verify the enclave’s identity and that only authorized code is running in your enclave. Nitro Enclaves is integrated with the AWS Key Management Service to prepare and protect your sensitive data for processing inside enclaves. Using AWS KMS condition keys for AWS Nitro Enclaves, you can limit the permissions for the kms:Decrypt, kms:GenerateDataKey, and kms:GenerateRandom operations based on the contents of a signed attestation document provided when calling these APIs with the AWS Nitro Enclaves SDK from an enclave.
AWS Certificate Manager for Nitro Enclaves
ACM for Nitro Enclaves allows you to use public and private SSL/TLS certificates with your web applications and web servers running on Amazon EC2 instances with AWS Nitro Enclaves.
Previously, when running a web server on an EC2 instance, you would have created SSL/TLS certificates and stored them as plaintext on your instance. With ACM for Nitro Enclaves, you can now associate AWS Certificate Manager certificates with an enclave and use those certificates directly with a web server. With ACM for Nitro Enclaves, your plaintext certificate private key remains isolated in the enclave, preventing the instance, and its users, from accessing it.
ACM for Nitro Enclaves uses the PKCS#11 cryptographic token interface standard over the Nitro Enclaves vsock socket to provide a mechanism for applications on a parent instance to perform cryptographic operations within a Nitro Enclave. Currently, ACM for Nitro Enclaves works with NGINX servers running on Amazon EC2 instances to install the certificate and seamlessly replace expiring certificates. Support for additional web servers are added over time.
NOTE: At this time, Apache HTTP server’s built-in support for PKCS#11 does not work with ACM for Nitro Enclaves.
You can get end-to-end encryption via ACM for Nitro Enclaves in your own AWS account using the automated ACM for Nitro Enclaves sample application. This sample automates the deployment of a web application hosted on an autoscaling group of EC2 instances behind a Network Load Balancer. Each EC2 instance is configured with a Nitro Enclave running the ACM for Nitro Enclaves application for TLS offload from a NGINX webserver via the vsock connection. The sample automatically provisions an ACM certificate for a specified hostname in a Route 53 Public Hosted Zone and configures that certificate with KMS permissions so it can be accessed in plaintext only from within the provisioned enclaves. Users send requests to the specified hostname and an NLB passes those requests through one of the EC2 instances. The EC2 hosts then decrypt those user requests via the webserver/enclave.
Deploying the solution
This solution deploys the following components:
- An Amazon VPC with two public subnets and two private subnets
- An Internet Gateway
- A NAT Gateway
- A Route53 A record
- A Network Access Control List
- A Security Group
- An ACM certificate for the provided domain
- A DNS validation record in Route53 for the certificate
- A sample EC2 Auto Scaling group with two instances using a Nitro Enclaves enabled sample Amazon Linux 2 AMI
- A Network Load Balancer that forwards TCP traffic to the Auto Scaling Group
- An IAM role for the EC2 instances to use to communicate S3, ACM, and KMS
- An AWS Lambda function that associates the EC2 instance profile role with the ACM certificate.
- An IAM role for Lambda function
Note: For simplest deployment, you can create an AWS Cloud9 environment; it already has the below requirements installed:
Note: You need a volume with additional free space to complete the sample deployment. I recommend 10-20GB of additional volume space.
Additionally, you require:
- Access to an AWS account with permissions to create the above resources
- An Amazon Route53 Public Hosted Zone ID
- The name of an available domain within that zone to use for deploying the solution and issuing a certificate with Amazon Certificate Manager
Note: Although the solution requires a Route 53 Public Hosted Zone ID, ACM for Nitro Enclaves supports ACM Certificates including validated public certificates as well as certificates signed by an ACM Private Certificate Authority.
To deploy the sample:
1. Clone the aws-nitro-enclaves-certificate-manager-sample repository to your local workstation or to your Cloud9 environment using the following command:
git clone https://github.com/aws-samples/aws-nitro-enclaves-certificate-manager-sample.git
2. Change directories to the root directory for this example solution using the following command:
3. Build the solution locally using the following command:
sam build --use-container
4. Deploy the sample using the SAM CLI guided deploy command. Replace each required user input placeholder with your own information.
Note: You can provide a custom value in place of a default. For example, the AWS Region argument can be set to an alternate region to change the region in which the sample resources are deployed. The SSMConfig argument can be set to true in order to enable configure your instance role for management through AWS Systems Manager Quick Setup.
Testing the solution
Once deployed the solution outputs a URL for the sample. After a few minutes, try visiting that URL. Once the solution has finished its initial configuration you are able to view the sample webpage over HTTPS secured by an ACM issued certificate stored in the enclave of each Amazon EC2 instance in the autoscaling group.
If you wish to manage the solution instances using AWS Systems Manager, pass the
SSMConfig=true argument override when deploying. You can use AWS Systems Manager Quick Setup to quickly configure commonly used Systems Manager capabilities on your Amazon EC2 instances including:
- A scheduled, bi-weekly update of SSM Agent.
- A scheduled collection of Inventory metadata every 30 minutes.
- A daily scan of your instances to identify missing patches.
- A one-time installation and configuration of the Amazon CloudWatch agent.
- A scheduled, monthly update of the CloudWatch agent.
Systems Manager can also be used to establish a console session on the EC2 instances in the solution’s private subnets. To use SSM Quick Setup, specify the EC2 instance role created by this solution as the SSM Quick Setup instance profile role. For your SSM Quick Setup target, specify instance tags and enter the
aws:autoscaling:groupName key/value pair in the solution stack output.
Once you’re done, you can delete the solution going to the AWS CloudFormation console and deleting the nitro-enclave-acm stack. Don’t forget to delete the following artifacts too:
- Delete the CloudWatch log group for the Lambda function.
- Consider deleting the Amazon S3 bucket used to store the packaged Lambda artifact if you created it on purpose to deploy this solution
In this blog post, I discussed Nitro Enclaves and a sample solution for public sector customers to automate the deployment of an architecture, which provides a highly available web site featuring TLS termination on EC2 with Nitro Enclaves and ACM. To learn more about the open source solution, visit the ACM for Nitro Enclaves Sample solution repository. To learn more Nitro Enclaves, please visit the Nitro Enclaves User Guide and to learn more about ACM, please visit the ACM User Guide.
Check out more resources, tips and tricks, tutorials, and news on the cloud for the public sector. If you have a question or comment, please post in the comments section below and let us know what you think or contact us.