AWS Nitro Enclaves

Create additional isolation to further protect highly sensitive data within EC2 instances

AWS Nitro Enclaves enables customers to create isolated compute environments to further protect and securely process highly sensitive data such as personally identifiable information (PII), healthcare, financial, and intellectual property data within their Amazon EC2 instances. Nitro Enclaves uses the same Nitro Hypervisor technology that provides CPU and memory isolation for EC2 instances.

Nitro Enclaves helps customers reduce the attack surface area for their most sensitive data processing applications. Enclaves offers an isolated, hardened, and highly constrained environment to host security-critical applications. Nitro Enclaves includes cryptographic attestation for your software, so that you can be sure that only authorized code is running, as well as integration with the AWS Key Management Service, so that only your enclaves can access sensitive material.

There are no additional charges for using AWS Nitro Enclaves other than the use of Amazon EC2 instances and any other AWS services that are used with Nitro Enclaves.

Introducing Nitro Enclaves
AWS Nitro Enclaves Overview
Protect sensitive data in use with AWS confidential computing


Additional isolation and security

Enclaves are fully isolated virtual machines, hardened, and highly constrained. They have no persistent storage, no interactive access, and no external networking. Communication between your instance and your enclave is done using a secure local channel. Even a root user or an admin user on the instance will not be able to access or SSH into the enclave.

Nitro Enclaves uses the proven isolation of the Nitro Hypervisor to further isolate the CPU and memory of the enclave from users, applications, and libraries on the parent instance. These features help isolate the enclave and your software, and significantly reduce the attack surface area.

Cryptographic attestation

Attestation allows you to verify the enclave’s identity and that only authorized code is running in your enclave. The attestation process is accomplished through the Nitro Hypervisor, which produces a signed attestation document for the enclave to prove its identity to another party or service. Attestation documents contain key details of the enclave such as the enclave's public key, hashes of the enclave image and applications, and more. Nitro Enclaves includes AWS KMS integration, where KMS is able to read and verify these attestation documents that is sent from the enclave.


Nitro Enclaves are flexible. You can create enclaves with varying combinations of CPU cores and memory. This ensures you have sufficient resources to run the same memory or compute intensive applications that you were already running on your existing EC2 instances. Nitro Enclaves are processor agnostic, and can be used across instances powered by different CPU vendors. They are also compatible with any programming language or framework. Furthermore, because many components of Nitro Enclaves are open sourced, customer can even inspect the code and validate it themselves.

How it works

Nitro Enclaves How it Works

Figure 1: Nitro Enclaves How It Works Process Flow

Figure 2: Nitro Enclaves uses the same Nitro Hypervisor technology that creates the CPU and memory isolation among EC2 instances, to create the isolation between an Enclave and an EC2 instance.

Figure 3: An enclave is created by partitioning the CPU and memory of an EC2 instance, called a parent instance. You can create enclaves with varying combinations of CPU cores and memory. Above is an example using m5.4xlarge split into a parent instance (14 vCPU, 32 GiB Memory) and Enclave (2 vCPU, 32 GiB Memory). Communication between the parent instance and the enclave is done via a secure local connection called vsock.

Use cases

Securing Private Keys

Customers can now isolate and use private keys (e.g. SSL/TLS) in an enclave, while preventing users, applications, and libraries on the parent instance from viewing those keys. Normally, these private keys are stored on the EC2 instance in plain text.

AWS Certificate Manager (ACM) for Nitro Enclaves is an enclave application that allows you to use public and private SSL/TLS certificates with your web applications and servers running on Amazon EC2 instances with AWS Nitro Enclaves.


Tokenization is a process that converts highly sensitive data such as credit card numbers or health care data into a token. With Nitro Enclaves, customers can run the application that does this conversion inside an enclave. Encrypted data can be sent to the enclave, where it is decrypted and then processed. The parent EC2 instance will not be able to view or access the sensitive data throughout this process.

Multi-party computation

Using the cryptographic attestation capability of Nitro Enclaves, customers can set up multi-party computation, where several parties can join and process highly sensitive data without having to disclose or share the actual data to each individual party. Multi-party computation can also be done within the same organization to establish separation of duties.

Customer stories