AWS Nitro Enclaves

Create additional isolation to further protect highly sensitive data within EC2 instances

AWS Nitro Enclaves enables customers to create isolated compute environments to further protect and securely process highly sensitive data such as personally identifiable information (PII), healthcare, financial, and intellectual property data within their Amazon EC2 instances. Nitro Enclaves uses the same Nitro Hypervisor technology that provides CPU and memory isolation for EC2 instances.

Nitro Enclaves helps customers reduce the attack surface area for their most sensitive data processing applications. Enclaves offers an isolated, hardened, and highly constrained environment to host security-critical applications. Nitro Enclaves includes cryptographic attestation for your software, so that you can be sure that only authorized code is running, as well as integration with the AWS Key Management Service, so that only your enclaves can access sensitive material.

Enclaves are virtual machines attached to EC2 instances that come with no persistent storage, no administrator or operator access, and only secure local connectivity to your EC2 instance.

Nitro_Enclaves_Icon

Benefits

Additional isolation and security

Enclaves are fully isolated virtual machines that have no persistent storage, have no operator or administrator access, and have only secure local connectivity. Communication between your instance and your enclave is done using a secure local channel. These features help isolate the enclave and your software, and significantly reduce the attack surface area.

Cryptographic attestation

Attestation allows you to verify that only authorized code is running in your enclave, and to verify the enclave's identity. The attestation process is accomplished through the Nitro Hypervisor, which produces a signed attestation document for the enclave to prove its identity to another party or service. Attestation documents contain key details of the enclave such as the enclave's public key, hashes of the enclave image and applications, and more. Nitro Enclaves includes AWS KMS integration, where KMS is able to read and verify these attestation documents that is sent from the enclave.

Flexible resource allocation

You can create enclaves with varying combinations of CPU cores and memory. This ensures you have sufficient resources to run the same memory or compute intensive applications that you were already running on your existing EC2 instances.

How it works

Diagram_Nitro-Enclaves (1)

Figure 1: Nitro Enclaves uses the same Nitro Hypervisor technology that creates the CPU and memory isolation among EC2 instances, to create the isolation between an Enclave and an EC2 instance.