Developing a Secure Digital Asset Framework Using AWS Nitro Enclaves with Itaú
Learn how Itaú, a financial services company, supports cryptocurrency using AWS Nitro Enclaves and Amazon Managed Blockchain.
Benefits
4x increase in trading volume
Millions of customers supported during peak traffic
Overview
Cryptocurrency has quickly risen in popularity across Latin America because of favorable consumer trends, business demand, and supportive regulations. As a trusted financial institution, Itaú Unibanco (Itaú) recognized the growing need for digital asset services among its customers. However, the bank needed to verify that its cryptocurrency custody and trading system adhered to the same rigorous standards as its traditional banking services.
Since 2020, Itaú has migrated much of its digital infrastructure to Amazon Web Services (AWS). Building upon this foundation, the bank used AWS services to develop a robust, secure, and scalable digital asset framework. This solution not only met the growing demand for cryptocurrency services in Brazil but also positioned Itaú at the forefront of the digital asset space.
About Itaú Unibanco
Itaú Unibanco is a financial services company and one of the largest banking institutions in Brazil and Latin America overall. It provides a range of banking products and services to more than 70 million customers worldwide.
Opportunity | Using AWS Services to Address Requirements for a Digital Asset Solution
Itaú has more than 70 million customers worldwide and, according to S&P Global, it is one of the largest banking institutions in Brazil and Latin America overall. Itaú offers a range of banking services and products, including private banking, corporate accounts, and investments. To meet the demands of Brazilian customers, the bank formed Itaú Digital Assets in 2022. This new division is responsible for transforming financial assets into digital representations, known as tokens.
To support these new services, Itaú needed a digital asset framework. This comprehensive digital infrastructure provides the foundation for components such as security and governance policies, compliance protocols, and public services to facilitate cryptocurrency transactions. To verify that the framework met its internal security requirements, the bank needed to build the solution in-house.
This project would involve managing blockchain infrastructure, implementing robust data encryption, and protecting sensitive operations such as key generation, storage, and transaction signing—all while complying with traditional banking regulations. To streamline development, the bank turned to AWS.
“Working on AWS is like a plug-and-play experience,” says Fillipe Augusto Gomes Guerra, domain expert and technical lead of blockchain and innovation at Itaú. “It’s as simple as selecting the services you need, configuring them, and deploying your application. In contrast, with legacy systems, you need to plan the solution, request the necessary resources, wait for their delivery, and then implement the solution. On AWS, we can design and deploy solutions straightaway.”
Solution | Developing a Robust Framework to Facilitate 4x Growth in Trading Volume
In September 2022, Itaú began to work alongside the AWS team to develop the digital asset framework. The bank used AWS Nitro Enclaves, which lets organizations create isolated compute environments to protect and process highly sensitive data, and Amazon Managed Blockchain, a fully managed service that developers use to build resilient Web3 applications. The development process involved extensive consultation with AWS experts. This collaboration accelerated the development of the digital asset framework by months; the solution went live in October 2023.
“We worked closely and regularly alongside the AWS team to design this solution, discussing how to protect sensitive information and connect to public blockchains,” says Marcio Pinheiro Neris, IT manager at Itaú. “We also had weekly meetings to discuss how to benefit from AWS services and how the specialized teams of Amazon Managed Blockchain and AWS Nitro Enclaves could support us.”
The resulting framework consists of five layers: security, compliance, governance, audit, and services. Itaú’s customers prioritize strong security and set high expectations for the bank. Using AWS Nitro Enclaves, Itaú managed to address these concerns and protect customer assets from external access. The bank could handle sensitive operations, such as signing transactions securely and protecting customer keys, without exposing sensitive information.
Itaú used Amazon Managed Blockchain (AMB) Query—which provides serverless access to standardized, multiple blockchain datasets—to facilitate compliance with audit requirements and support robust governance practices. Thus, the bank can retrieve indexed blockchain data through simple API calls and access critical information, such as account balances and transaction history. As a result, Itaú can quickly retrieve records and still comply with Brazilian financial regulations.
To help simplify the operational aspects of blockchain management, the bank also used Amazon Managed Blockchain (AMB) Access, which provides public blockchain nodes for Ethereum, Polygon (Preview), and Bitcoin. Thus, Itaú no longer needs to manage blockchain infrastructure in-house, reducing costs, risks, and operational efforts.
Itaú’s digital asset framework is highly scalable and can support millions of customers, providing a reliable experience even during peak traffic. With the enhanced security and reliability provided by the in-house solution, Itaú’s Treasury Department uses the framework for cryptocurrency trading. The department felt so comfortable with the framework that it has increased its cryptocurrency trading volume by four times compared with third-party solutions.
Outcome | Expanding Digital Asset Offerings with New Capabilities
Using AWS, Itaú now provides access to cryptocurrency distribution for more than 70 million banking customers and has unlocked new capabilities to enhance its digital asset offerings. As an institutional bank, for example, Itaú faces cybersecurity challenges when running full nodes in its own infrastructure. Using Amazon Managed Blockchain and its features, the bank can now interconnect, sign transactions, and perform operations without running these full nodes. This has empowered Itaú to scale, deploy, and run its solutions while maintaining compliance with its governance and cybersecurity standards.
Itaú plans to use AWS as a springboard to expand its digital asset offerings in the future. “Modernizing our applications and migrating our infrastructure to AWS significantly changed our technology, processes, and overall perspective,” says Gustavo Abrell, crypto custody product lead at Itaú. “We no longer view ourselves as just a fintech or financial services provider, but rather as a big technology company. This shift in mindset has been a game changer for us.”