AWS Nitro Enclaves Reduces Attack Surfaces for Data Processing

Mar 10, 2021

Here’s how you can use AWS Nitro Enclaves to protect highly sensitive data within EC2 instances

Key Takeaways:

  • AWS Nitro Enclaves is an Amazon EC2 feature designed to help organizations protect sensitive data in EC2 instances. 
  • Nitro Enclaves uses the Nitro Hypervisor’s proven CPU and memory isolation to create “enclaves” where critical data can be processed and managed. 
  • Organizations in government, healthcare, and other highly regulated industries can use Nitro Enclaves to create isolated compute environments and reduce their attack surfaces.
  • By partnering with CloudHesive, organizations can leverage Nitro Enclaves and other solutions to improve their cloud security posture. 

Amazon EC2 gives organizations fine-grained control over their cloud computing resources and a solid baseline of security controls. If you process personally identifiable information (PII) or other highly sensitive data on EC2 instances, however, that baseline may not meet the standard such data demands: anyone with root on the instance, or any compromised process running on it, can read the instance’s memory. That’s where AWS Nitro Enclaves comes in.

With AWS Nitro Enclaves, you can create isolated execution environments (“enclaves”) from EC2 instances. Enclaves enable you to reduce the attack surface area for sensitive data processing applications and further secure sensitive information. 

What is Nitro Enclaves? 

Nitro Enclaves is an EC2 feature that provides enclaves, which serve as isolated, hardened, and highly constrained environments where you can host security-critical applications. It is built on the same Nitro Hypervisor technology that delivers CPU and memory isolation for EC2 instances. 

The Nitro Hypervisor isolates the enclave’s vCPUs and memory from the users, applications, and libraries on the parent instance. The parent has no access to the vCPUs and memory assigned to the enclave, so an attacker who compromises the parent (even as root) gains no read or write access to what runs inside the enclave; the attack surface of the sensitive workload shrinks to the enclave’s single communication channel.

How do enclaves work? 

An enclave boots its own kernel, separate from the parent instance’s, and its only connection to the parent is a local vsock socket. Data and applications in an enclave cannot be accessed by processes, applications, or users (including root or an administrator) on the parent instance. Enclaves have no persistent storage, no interactive access, and no external networking; you cannot SSH into an enclave, and anything it needs from outside (an AWS KMS call, for example) has to be relayed by a proxy on the parent over that vsock connection. 

An enclave is created by carving vCPUs and memory out of the parent instance: the parent gives up those cores and that memory for as long as the enclave runs and gets them back when the enclave is terminated. The parent instance is the only instance that can allocate resources to its enclave or communicate with it. 
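The parent-to-enclave channel described above, as an added example that is not code from the original page or from AWS: the enclave listens on vsock (it has no TCP/IP to listen on), the parent connects to the CID it was given at launch, and every request is a length-prefixed JSON frame. The port number, the framing and the enclave’s secret are assumptions; AF_VSOCK is the real Linux socket family Nitro Enclaves expose. The framing and handler functions take any connected stream socket, so `local_demo()` exercises them over a socketpair on a machine without a vsock device.

```python
"""Parent <-> enclave request/response over vsock (illustrative, not AWS code)."""
import hashlib
import hmac
import json
import socket
import struct

ENCLAVE_PORT = 5000                                        # assumed application port inside the enclave
VMADDR_CID_ANY = getattr(socket, "VMADDR_CID_ANY", 0xFFFFFFFF)
MAX_FRAME = 64 * 1024                                      # refuse oversized frames from the parent

# Stands in for key material the enclave would fetch from KMS after attestation;
# in this protocol it never leaves the enclave.
ENCLAVE_SECRET = b"constructed-enclave-only-secret"


def send_msg(sock, obj):
    """Send one frame: 4-byte big-endian length followed by JSON."""
    data = json.dumps(obj).encode()
    sock.sendall(struct.pack("!I", len(data)) + data)


def _recv_exact(sock, n):
    buf = b""
    while len(buf) < n:
        chunk = sock.recv(n - len(buf))
        if not chunk:
            raise ConnectionError("peer closed the connection")
        buf += chunk
    return buf


def recv_msg(sock):
    """Receive one frame, enforcing the size limit before reading the body."""
    (length,) = struct.unpack("!I", _recv_exact(sock, 4))
    if length > MAX_FRAME:
        raise ValueError("frame too large")
    return json.loads(_recv_exact(sock, length))


def expected_mac(data):
    """What a correct enclave answer looks like for a given input."""
    return hmac.new(ENCLAVE_SECRET, data, hashlib.sha256).hexdigest()


def handle_request(req):
    """Enclave-side logic: operate on the secret, never hand it out."""
    if req.get("op") == "hmac" and isinstance(req.get("data"), str):
        return {"mac": expected_mac(bytes.fromhex(req["data"]))}
    # Anything else, including attempts to export the secret, is refused.
    return {"error": "unsupported operation"}


def serve_once(conn):
    """One request/response cycle, as the enclave would run in its accept loop."""
    send_msg(conn, handle_request(recv_msg(conn)))


def enclave_listen(port=ENCLAVE_PORT):
    """Inside the enclave: bind to any CID on the chosen vsock port."""
    srv = socket.socket(socket.AF_VSOCK, socket.SOCK_STREAM)
    srv.bind((VMADDR_CID_ANY, port))
    srv.listen(1)
    return srv


def parent_connect(enclave_cid, port=ENCLAVE_PORT):
    """On the parent: connect to the EnclaveCID printed by `nitro-cli run-enclave`."""
    conn = socket.socket(socket.AF_VSOCK, socket.SOCK_STREAM)
    conn.connect((enclave_cid, port))
    return conn


def local_demo():
    """Run the protocol over a socketpair so it works without a vsock device."""
    parent, enclave = socket.socketpair()
    try:
        send_msg(parent, {"op": "hmac", "data": b"payroll-2021".hex()})
        serve_once(enclave)
        ok = recv_msg(parent)
        send_msg(parent, {"op": "export_secret"})
        serve_once(enclave)
        refused = recv_msg(parent)
    finally:
        parent.close()
        enclave.close()
    return ok, refused


if __name__ == "__main__":
    print(local_demo())
```

The point of the handler is the boundary: the parent can ask the enclave to use the secret, but no message shape lets the secret cross the vsock back to the parent, which is what makes a compromised parent harmless to it.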

Why do organizations use Nitro Enclaves?

Organizations deploy Nitro Enclaves for a number of reasons, depending on the workload, but these are the three most common drivers:

1. Security

Nitro Enclaves uses cryptographic attestation: the Nitro Hypervisor produces a signed attestation document for a running enclave, and the enclave presents it to prove its identity to another party or service. An attestation document includes the enclave’s platform configuration register (PCR) measurements (PCR0, PCR1, and PCR2 are hashes of the enclave image, the kernel and boot ramdisk, and the application; PCR3 and PCR4 are derived from the parent instance’s IAM role and instance ID), an optional public key and nonce supplied by the enclave, and the certificate chain that signs the document. A relying party that checks the signature against the AWS Nitro Attestation PKI and compares the PCRs with the values recorded when the image was built can be sure that only the authorized code is running in the enclave. 

Nitro Enclaves also integrates with AWS Key Management Service (KMS) and AWS Certificate Manager (ACM). With the KMS integration, an enclave includes its attestation document in a Decrypt, GenerateDataKey, or GenerateRandom request; KMS verifies the document’s signature, evaluates key-policy conditions on the PCR values (the kms:RecipientAttestation:PCRn condition keys), and encrypts its response to the public key carried in the attestation document, so the plaintext key material is only ever visible inside the enclave, never on the parent instance. The ACM integration provisions a TLS certificate into an enclave so that a web server such as NGINX or Apache on the parent instance can use it, with the private key kept inside the enclave and never exposed in plaintext to the parent or its users.
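The attestation and KMS policy checks described in the two paragraphs above, as an added example that is not code from the original page or from AWS. It assumes the COSE_Sign1 signature on the attestation document has already been verified against the AWS Nitro Attestation PKI root and that the CBOR payload has been decoded into a dict with the documented fields (module_id, digest, timestamp, pcrs, certificate, cabundle, public_key, user_data, nonce). The role ARN, the PCR digests, and the sample documents are constructed; the kms:RecipientAttestation:PCRn condition keys are the real KMS ones. The check reproduces what KMS enforces (PCR conditions) and adds what a relying party must enforce itself (nonce, freshness, a key to encrypt the reply to).

```python
"""Check a Nitro Enclaves attestation document against a KMS-style PCR policy
(illustrative; signature verification and CBOR decoding are assumed done)."""
import hashlib
import time

PCR_SIZE = 48  # PCRs are SHA-384 digests

# Constructed stand-in for the measurements printed by `nitro-cli build-enclave`.
BUILD_PCRS = {
    0: hashlib.sha384(b"constructed enclave image").hexdigest(),
    1: hashlib.sha384(b"constructed kernel+ramdisk").hexdigest(),
    2: hashlib.sha384(b"constructed application").hexdigest(),
}
PARENT_ROLE = "arn:aws:iam::123456789012:role/enclave-parent"  # constructed
NONCE = bytes.fromhex("00112233445566778899aabbccddeeff")      # chosen by the relying party
NOW_MS = 1_615_334_400_000                                      # fixed clock for a reproducible check


def key_policy_statement(role_arn, pcrs):
    """Key-policy statement: the parent's role may use the key only from an enclave
    whose attestation document carries exactly these PCR values."""
    return {
        "Sid": "AllowPinnedEnclaveOnly",
        "Effect": "Allow",
        "Principal": {"AWS": role_arn},
        "Action": ["kms:Decrypt", "kms:GenerateDataKey", "kms:GenerateRandom"],
        "Resource": "*",
        "Condition": {
            "StringEqualsIgnoreCase": {
                f"kms:RecipientAttestation:PCR{i}": digest
                for i, digest in sorted(pcrs.items())
            }
        },
    }


def sample_document(pcrs_hex, nonce, timestamp_ms, debug=False):
    """Constructed attestation payload. In debug mode the hypervisor reports
    all-zero PCR0..PCR2, which is exactly what a pinned policy must reject."""
    pcrs = {i: bytes(PCR_SIZE) for i in range(16)}
    if not debug:
        for i, digest in pcrs_hex.items():
            pcrs[i] = bytes.fromhex(digest)
    pcrs[3] = hashlib.sha384(PARENT_ROLE.encode()).digest()  # derived from the parent's IAM role
    return {
        "module_id": "i-0123456789abcdef0-enc0123456789abcde",  # constructed
        "digest": "SHA384",
        "timestamp": timestamp_ms,
        "pcrs": pcrs,
        "certificate": b"<leaf certificate DER>",    # placeholder; signature assumed verified
        "cabundle": [b"<intermediate DER>"],
        "public_key": b"<enclave RSA public key DER>",
        "user_data": None,
        "nonce": nonce,
    }


def check_attestation(doc, statement, expected_nonce, now_ms=None, max_age_ms=5 * 60 * 1000):
    """Return the list of reasons to reject the document (empty means accepted)."""
    failures = []
    now_ms = int(time.time() * 1000) if now_ms is None else now_ms

    # What KMS enforces: every pinned PCR must match, case-insensitively.
    for key, expected in statement["Condition"]["StringEqualsIgnoreCase"].items():
        index = int(key.rsplit("PCR", 1)[1])
        if doc["pcrs"][index].hex().lower() != expected.lower():
            failures.append(f"PCR{index} mismatch")

    # Debug-mode enclaves measure as all zeros; never hand them secrets.
    if doc["pcrs"][0] == bytes(PCR_SIZE):
        failures.append("PCR0 is all zeros: enclave is running in debug mode")

    # What the relying party adds: replay protection and freshness.
    if doc.get("nonce") != expected_nonce:
        failures.append("nonce mismatch (replayed or foreign document)")
    age = now_ms - doc["timestamp"]
    if age < 0 or age > max_age_ms:
        failures.append("document timestamp outside the accepted window")

    # Secrets sent back must be encrypted to the key bound into the document.
    if not doc.get("public_key"):
        failures.append("no public key: cannot return ciphertext bound to this enclave")
    return failures


if __name__ == "__main__":
    stmt = key_policy_statement(PARENT_ROLE, BUILD_PCRS)
    good = sample_document(BUILD_PCRS, NONCE, NOW_MS - 1000)
    debug = sample_document(BUILD_PCRS, NONCE, NOW_MS - 1000, debug=True)
    print("production enclave:", check_attestation(good, stmt, NONCE, NOW_MS))
    print("debug enclave:", check_attestation(debug, stmt, NONCE, NOW_MS))
```

Pinning PCR0 alone identifies the image; adding PCR1 and PCR2 also locks the kernel and the application, and adding PCR3 or PCR4 to the policy would further restrict use to a particular parent role or instance.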

2. Flexibility

With Nitro Enclaves, you control how much memory and processing power the isolated environment gets: you can create an enclave with any supported combination of vCPUs and memory carved from the parent instance, so a memory- or compute-intensive application can be given the same resources inside an enclave that it would have on a regular EC2 instance.

In addition, Nitro Enclaves does not depend on a particular CPU vendor’s trusted-execution extensions; it relies on the Nitro Hypervisor, so it works across the supported Intel- and AMD-based instance types and with any programming language or framework that runs on Linux. Key components, such as the Nitro CLI and the enclave SDK, are open source.

3. Cost

Nitro Enclaves is available at no additional charge. If you use Nitro Enclaves, you are only billed the standard charges for your EC2 instance and any associated AWS services you use.  

How to create and use enclaves

To use Nitro Enclaves, the parent instance and the enclave must meet the following requirements:

  • Parent instance requirements:
    • Nitro-based, virtualized (not bare-metal) instance types with at least four vCPUs; at the time of writing t3, t3a, t4g, a1, c6g, c6gd, m6g, m6gd, r6g, and r6gd are not supported 
    • Linux operating system
  • Enclave requirements:
    • Linux operating system

To create an enclave, you need a parent instance with the Nitro CLI installed (on Amazon Linux 2, the aws-nitro-enclaves-cli and aws-nitro-enclaves-cli-devel packages) together with the nitro-enclaves-allocator service, which reserves the vCPUs and memory that enclaves on that instance may use. All of these tools run on the instance that hosts the enclave. 

The parent instance must be launched with the Nitro Enclaves option enabled (--enclave-options Enabled=true with the AWS CLI, or the Nitro Enclaves checkbox in the console). An enclave image file (.eif) is built from a Docker image with nitro-cli build-enclave. 

Building the EIF also produces its platform configuration register (PCR) values: PCR0 is the hash of the whole image, PCR1 the hash of the kernel and boot ramdisk, and PCR2 the hash of the application. The same values appear in the enclave’s attestation documents, so recording them at build time lets you verify later that the expected image, kernel, and application, and nothing else, are running in your enclave. 

In the final stage, you launch the enclave with nitro-cli run-enclave, list it with nitro-cli describe-enclaves, and, if you started it in debug mode, read its console output with nitro-cli console. Debug mode is for development only: an enclave started with --debug-mode reports all-zero PCRs in its attestation documents, so a KMS policy that pins the PCR values will not match it. When you are done, terminate the enclave with nitro-cli terminate-enclave. 
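The build, run, inspect, and terminate steps above as one added example, driven from the parent instance through the Nitro CLI; this is illustrative code, not from the original page or from AWS. The nitro-cli subcommands and flags are the real ones; the Docker image name, file paths, resource sizes, and the sample JSON outputs are constructed. The command-building and output-parsing helpers run anywhere, and `main()` only invokes nitro-cli when it is installed.

```python
"""Enclave lifecycle via nitro-cli from the parent instance (illustrative)."""
import json
import shutil
import subprocess

# Constructed stand-ins for what `nitro-cli build-enclave` and `run-enclave`
# print to stdout on a real parent instance.
SAMPLE_BUILD_OUTPUT = json.dumps({
    "Measurements": {
        "HashAlgorithm": "Sha384 { ... }",
        "PCR0": "a1" * 48,
        "PCR1": "b2" * 48,
        "PCR2": "c3" * 48,
    }
})
SAMPLE_RUN_OUTPUT = json.dumps({
    "EnclaveID": "i-0123456789abcdef0-enc18e4f2a3b5c6d7e",
    "ProcessID": 4242,
    "EnclaveCID": 16,
    "NumberOfCPUs": 2,
    "CPUIDs": [1, 3],
    "MemoryMiB": 512,
})


def build_enclave_cmd(docker_uri, eif_path):
    """The EIF is produced from a Docker image; measurements come back as JSON."""
    return ["nitro-cli", "build-enclave", "--docker-uri", docker_uri, "--output-file", eif_path]


def measurements_from_build(stdout):
    """PCR0/1/2 to record at build time and pin in a KMS key policy."""
    m = json.loads(stdout)["Measurements"]
    return {k: m[k].lower() for k in ("PCR0", "PCR1", "PCR2")}


def run_enclave_cmd(eif_path, cpu_count, memory_mib, enclave_cid=None, debug=False):
    """Launch with resources carved from the parent. vsock reserves CIDs 0-2 and
    the parent instance is CID 3, so a custom enclave CID must be 4 or higher."""
    if cpu_count < 1 or memory_mib < 1:
        raise ValueError("enclave needs at least one vCPU and some memory")
    if enclave_cid is not None and enclave_cid < 4:
        raise ValueError("enclave CID must be >= 4")
    cmd = ["nitro-cli", "run-enclave", "--eif-path", eif_path,
           "--cpu-count", str(cpu_count), "--memory", str(memory_mib)]
    if enclave_cid is not None:
        cmd += ["--enclave-cid", str(enclave_cid)]
    if debug:
        # Gives console access, but the enclave attests with all-zero PCRs,
        # so no pinned KMS policy will match it.
        cmd.append("--debug-mode")
    return cmd


def enclave_from_run(stdout):
    """EnclaveID for describe/console/terminate, CID for the vsock connection."""
    info = json.loads(stdout)
    return info["EnclaveID"], info["EnclaveCID"]


def describe_enclaves_cmd():
    return ["nitro-cli", "describe-enclaves"]


def console_cmd(enclave_id):
    """Only works for an enclave started with --debug-mode."""
    return ["nitro-cli", "console", "--enclave-id", enclave_id]


def terminate_enclave_cmd(enclave_id):
    return ["nitro-cli", "terminate-enclave", "--enclave-id", enclave_id]


def nitro_cli(cmd):
    """Run one nitro-cli command and return its stdout (JSON for most subcommands)."""
    return subprocess.run(cmd, check=True, capture_output=True, text=True).stdout


def main():
    if shutil.which("nitro-cli") is None:
        print("nitro-cli not installed; showing the command lines only")
        print(" ".join(build_enclave_cmd("hello-enclave:latest", "hello.eif")))
        print(" ".join(run_enclave_cmd("hello.eif", 2, 512, debug=True)))
        return
    pcrs = measurements_from_build(nitro_cli(build_enclave_cmd("hello-enclave:latest", "hello.eif")))
    print("pin these in the KMS key policy:", pcrs)
    enclave_id, cid = enclave_from_run(nitro_cli(run_enclave_cmd("hello.eif", 2, 512, debug=True)))
    print("running", enclave_id, "on CID", cid)
    print(nitro_cli(describe_enclaves_cmd()))
    nitro_cli(terminate_enclave_cmd(enclave_id))


if __name__ == "__main__":
    main()
```

Keep the measurements from the build step with the artifact you deploy: they are the values your KMS key policy and any other relying party should pin, and rebuilding the image changes them.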

Key considerations when using Nitro Enclaves

Keep the following factors in mind when you use Nitro Enclaves:

  • Only one enclave per parent instance: at the time of writing, Nitro Enclaves supports a single enclave per EC2 instance; AWS has said support for multiple enclaves is planned. 
  • An enclave stays up only while its parent instance is running: if the parent instance is stopped or terminated, the enclave associated with it is terminated with it. 
  • Hibernation cannot be enabled: you cannot use hibernation and an enclave on the same EC2 instance.   

Getting started with Nitro Enclaves can be challenging, but help is available. Working with an Amazon Managed Service Partner like CloudHesive takes the guesswork out of Nitro Enclaves and helps you maximize the security and performance of your EC2 instances. 

CloudHesive offers comprehensive cloud services and support to organizations in government, healthcare, and other highly regulated industries. We can help you use Nitro Enclaves to protect sensitive data across your organization’s EC2 instances, and we offer personalized cloud security tips and recommendations. 

We are happy to teach you about Nitro Enclaves and other solutions you can use to secure your EC2 instances. Contact us today to learn more about how we can help you optimize your cloud security posture.
