This Guidance demonstrates how you can use AWS Nitro Enclaves and AWS Secrets Manager for secure blockchain transaction signing. The flexibility of AWS Nitro Enclaves allows you to create enclaves for various types of blockchain operations. The additional isolation and security inherent in the enclaves help to reduce attack surface area for your applications. 

Architecture Diagram

Download the architecture diagram PDF 

Well-Architected Pillars

The AWS Well-Architected Framework helps you understand the pros and cons of the decisions you make when building systems in the cloud. The six pillars of the Framework allow you to learn architectural best practices for designing and operating reliable, secure, efficient, cost-effective, and sustainable systems. Using the AWS Well-Architected Tool, available at no charge in the AWS Management Console, you can review your workloads against these best practices by answering a set of questions for each pillar.

The architecture diagram above is an example of a Solution created with Well-Architected best practices in mind. To be fully Well-Architected, you should follow as many Well-Architected best practices as possible.

  • This Guidance provides a basic blueprint to help you implement AWS Nitro Enclave for blockchain key management. Design this into your workloads with AWS CDK, so you can customize and build the procedures needed to support your business objectives. 

    Read the Operational Excellence whitepaper 
  • For secure authentication and authorization, access is granted only to instances running in the same VPC as the AWS Nitro Enclaves. This is ensured by security groups that act as a virtual firewall for your Amazon EC2 instances to control incoming and outgoing traffic. 

    Separate VPCs are created within two private subnets. Amazon EC2 instances running inside the subnets can only access the internet through the Network Address Translation (NAT) gateways. No inbound access to Amazon EC2 instances is possible. Administrator access to the Amazon EC2 instances is established through Systems Manager. All traffic to AWS services, like AWS KMS, is routed through the interface VPC endpoints.

    Data, particularly sensitive private key material, is encrypted using AWS KMS. The ciphertext is stored in Secrets Manager. Cryptographic attestation is used to ensure that the ciphertext is decrypted from inside the AWS Nitro Enclave.

    Read the Security whitepaper 
  • By default, an auto scaling group deploys over two different subnets in different Availability Zones. One Amazon EC2 instance deploys in each subnet. A network load balancer (NLB) distributes the requests between both Amazon EC2 instances. The auto scaling group ensures that there are two active instances available at any time.

    The enclaves run stateless and all services are loosely coupled. Changes to the resources and configs can be applied and deployed through AWS CDK to minimize human error and help your environment adapt to changes. 

    Read the Reliability whitepaper 
  • The services in this Guidance provide a secure, flexible, and cost-effective alternative to the purpose-built blockchain key management solutions available on AWS right now. It is a blueprint of what an AWS Nitro Enclave blockchain key management solution could look like. You can adapt the critical parts (such as key management and signing) for your specific use.

    Read the Performance Efficiency whitepaper 
  • This Guidance avoids services and storage options with high monthly fix costs. For long-term operation, the Amazon EC2 instances can be part of an EC2 Instance Savings Plan. By default, the Guidance uses on-demand instances with the Amazon EC2 instance type as M5a.xlarge, the smallest instance currently supporting AWS Nitro Enclaves.

    By leveraging a Network Load Balancer that distributes the load between two different Amazon EC2 instances running in separate availability zones (AZs), this Guidance scales to continually meet demand. It ensures this scaling and high availability through the additional Amazon EC2 instances. Because the processes inside the AWS Nitro Enclaves are stateless, new Amazon EC2 instances can be added and removed according to the demand.

    Read the Cost Optimization whitepaper 
  • The auto scaling group in this Guidance ensures a minimum number of instances are running, and new instances are both launched and terminated based on changes to demand. 

    Read the Sustainability whitepaper 

Implementation Resources

A detailed guide is provided to experiment and use within your AWS account. Each stage of building the Guidance, including deployment, usage, and cleanup, is examined to prepare it for deployment.

The sample code is a starting point. It is industry validated, prescriptive but not definitive, and a peek under the hood to help you begin.

AWS Database

AWS Nitro Enclaves for secure blockchain key management: Part 1

This post demonstrates how AWS Nitro Enclaves offers flexible support for low-level blockchain operations such as scaling out key management in a secure fashion. 


The sample code; software libraries; command line tools; proofs of concept; templates; or other related technology (including any of the foregoing that are provided by our personnel) is provided to you as AWS Content under the AWS Customer Agreement, or the relevant written agreement between you and AWS (whichever applies). You should not use this AWS Content in your production accounts, or on production or other critical data. You are responsible for testing, securing, and optimizing the AWS Content, such as sample code, as appropriate for production grade use based on your specific quality control practices and standards. Deploying AWS Content may incur AWS charges for creating or using AWS chargeable resources, such as running Amazon EC2 instances or using Amazon S3 storage.

Was this page helpful?