AWS Nitro Enclaves are isolated compute environments that provide additional security for highly sensitive data processing workloads. Nitro Enclaves are built on the Nitro System, a combination of dedicated hardware and a lightweight hypervisor that isolates and protects resources such as CPU, memory, and storage from the underlying infrastructure and from other workloads.
Nitro Enclaves allow customers to securely process highly sensitive data without exposing the data to the underlying host, reducing the risk of data exfiltration and enabling compliance with strict security requirements.
Nitro Enclaves can run applications that require a secure and isolated environment, such as cryptographic key generation and storage, data processing in financial services, and code signing. Nitro Enclaves are integrated with AWS Key Management Service (KMS), AWS Secrets Manager, and other AWS services to help customers build secure and compliant applications.
Customers can use AWS Nitro Enclaves through the AWS Nitro Enclaves CLI, the Nitro Enclaves SDK, or with third-party software vendors who have integrated Nitro Enclaves into their products.
- Create a Nitro Enclave image: Before you can run an application in a Nitro Enclave, you first need to create a Nitro Enclave image. This involves building a custom Linux kernel with Nitro Enclave support, along with any drivers and software the application needs. Once you have built the kernel, you can use the Nitro CLI to create a Nitro Enclave image. You can either build the image from scratch, or start with an existing Linux distribution and customize it as needed.
- Launch a Nitro Enclave instance: Once you have a Nitro Enclave image, you can launch a Nitro Enclave instance using the AWS Management Console, AWS CLI, or AWS SDK. When launching the instance, you'll need to specify the Nitro Enclave image ID, as well as the size and networking configuration of the instance. You can also specify the IAM role that the instance should assume, which determines the permissions that the instance has to AWS resources.
- Configure the Nitro Enclave: Once the Nitro Enclave instance is running, you'll need to configure it to run your application. This may involve installing software dependencies, setting up network connections, and configuring security settings. You can do this by logging into the Nitro Enclave instance using SSH or the Nitro CLI, and then executing commands to configure the system.
- Build and deploy your application: With the Nitro Enclave configured, you can now build and deploy your application. This may involve compiling your application code into an executable, setting up environment variables and configuration files, and configuring any necessary security settings. Once you have prepared your application, you can deploy it to the Nitro Enclave by copying it to the instance using SSH or the Nitro CLI.
- Run your application: With your application deployed to the Nitro Enclave, you can now run it. This may involve executing the application from the command line, or configuring it to run as a service that starts automatically when the Nitro Enclave boots up. You can monitor the status of your application by viewing its logs or using system monitoring tools.
- Clean up: When you are finished running your application in the Nitro Enclave, you should clean up any resources that you created. This may involve terminating the Nitro Enclave instance, deleting any security groups or IAM roles that you created, and deleting any data that was stored on the instance.
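The steps above, from building the image through cleaning up, as one script. This is an added example, not code from the original page or from AWS; it is built around real Nitro CLI subcommands (`build-enclave`, `run-enclave`, `describe-enclaves`, `terminate-enclave`) and assumes `nitro-cli` is installed on a Nitro-enabled parent EC2 instance and that a Docker image for the application already exists locally. The image tag, EIF path, CID, and the sample `describe-enclaves` output used for the offline demo are all assumed or constructed.

```bash
#!/usr/bin/env bash
# Added example (not from the original page): the enclave lifecycle as a script.
# Assumes nitro-cli on a Nitro-enabled parent instance and a locally built Docker
# image for the application; the tag and paths below are assumed values.
set -eu

APP_IMAGE="${APP_IMAGE:-my-enclave-app:latest}"   # assumed local Docker image tag
EIF_PATH="${EIF_PATH:-./my-enclave-app.eif}"      # assumed output path for the enclave image file
ENCLAVE_CPUS="${ENCLAVE_CPUS:-2}"
ENCLAVE_MEM_MIB="${ENCLAVE_MEM_MIB:-512}"
ENCLAVE_CID="${ENCLAVE_CID:-16}"                  # vsock CID the parent uses to reach the enclave

# Pull one string-valued field out of nitro-cli's JSON output (read from stdin).
# Handles both compact and pretty-printed JSON; prints nothing if the field is absent.
json_field() {
    grep -o "\"$1\": *\"[^\"]*\"" | head -n 1 | sed 's/^"[^"]*": *"\(.*\)"$/\1/' || true
}

# Given `nitro-cli describe-enclaves` output on stdin, print the State of one enclave.
# Each enclave is one JSON object; prints nothing if that enclave ID is not listed.
state_of_enclave() {
    tr -d '\n' | grep -o '{[^{}]*}' | grep "\"EnclaveID\": *\"$1\"" | json_field State
}

# Step 1: build the enclave image file (EIF) from the application's Docker image.
# build-enclave also prints the image measurements (PCR0/PCR1/PCR2) for that EIF.
build_image() {
    nitro-cli build-enclave --docker-uri "$APP_IMAGE" --output-file "$EIF_PATH"
}

# Step 2: launch the enclave and print its enclave ID.
launch_enclave() {
    nitro-cli run-enclave --eif-path "$EIF_PATH" --cpu-count "$ENCLAVE_CPUS" \
        --memory "$ENCLAVE_MEM_MIB" --enclave-cid "$ENCLAVE_CID" | json_field EnclaveID
}

# Step 3: poll describe-enclaves until the enclave reports RUNNING, or give up after $2 seconds.
wait_until_running() {
    local id="$1" deadline
    deadline=$(( $(date +%s) + ${2:-60} ))
    while [ "$(date +%s)" -lt "$deadline" ]; do
        if [ "$(nitro-cli describe-enclaves | state_of_enclave "$id")" = "RUNNING" ]; then
            return 0
        fi
        sleep 2
    done
    echo "enclave $id did not reach RUNNING" >&2
    return 1
}

# Step 4: clean up. Terminating the enclave releases its isolated CPUs and memory;
# the EIF on disk is removed as well.
cleanup() {
    nitro-cli terminate-enclave --enclave-id "$1"
    rm -f "$EIF_PATH"
}

# Constructed sample of describe-enclaves output for the offline demo below.
# The enclave ID is made up; real IDs have the form <parent-instance-id>-enc<hex>.
SAMPLE_DESCRIBE='[{"EnclaveName":"my-enclave-app","EnclaveID":"i-0123456789abcdef0-enc0000000000000001","ProcessID":4242,"EnclaveCID":16,"NumberOfCPUs":2,"CPUIDs":[1,3],"MemoryMiB":512,"State":"RUNNING","Flags":"NONE"}]'

if [ "${RUN_ON_PARENT:-0}" = 1 ]; then
    # Real run: only on a parent instance with nitro-cli and the Docker image present.
    build_image
    ID=$(launch_enclave)
    trap 'cleanup "$ID"' EXIT
    wait_until_running "$ID" 60
    echo "enclave $ID is running"
else
    # Offline demo: parse the constructed sample instead of calling nitro-cli.
    printf '%s' "$SAMPLE_DESCRIBE" | state_of_enclave i-0123456789abcdef0-enc0000000000000001
fi
```

Run it with `RUN_ON_PARENT=1` on the parent instance; without that variable it only exercises the JSON parsing against the constructed sample. Note that there is no SSH into the enclave itself: the parent talks to it over vsock at the CID given to `run-enclave`.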
By using KMS within a Nitro Enclave, you can ensure that cryptographic keys remain protected from the underlying infrastructure, reducing the risk of exposure and enabling compliance with strict security requirements.
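What makes the KMS integration protect keys from the parent instance is the key policy: KMS will only release plaintext to a request that carries a signed attestation document whose measurements match the enclave image. The following is an added example, not from the original page or from AWS documentation, of the weak key-policy statement beside the attestation-gated one; it goes beyond the page's wording by naming the `kms:RecipientAttestation:PCR0` condition key, which KMS supports for this purpose. The role ARN and the PCR0 value are placeholders; the real PCR0 comes from the measurements printed by `nitro-cli build-enclave`.

```bash
#!/usr/bin/env bash
# Added example (not from the original page): KMS key-policy statements for an
# enclave. The role ARN and PCR0 below are placeholders, not real values.
set -eu

# A PCR0 is the SHA-384 measurement of the enclave image: 96 hex characters.
is_pcr0() {  # usage: is_pcr0 <value>
    printf '%s' "$1" | grep -Eq '^[0-9a-fA-F]{96}$'
}

# Weak form: the parent instance's role may call Decrypt from anywhere on the host,
# so anything running on a compromised parent can recover the plaintext.
weak_statement() {  # usage: weak_statement <role-arn>
    cat <<EOF
{
  "Sid": "AllowDecryptFromParentRole",
  "Effect": "Allow",
  "Principal": { "AWS": "$1" },
  "Action": "kms:Decrypt",
  "Resource": "*"
}
EOF
}

# Hardened form: the same role may decrypt only when the request includes an
# attestation document whose PCR0 equals the measurement of the approved image.
# KMS verifies the document's signature and, on match, encrypts the plaintext to
# the public key inside the document, so the parent instance never sees it.
attested_statement() {  # usage: attested_statement <role-arn> <pcr0-hex>
    is_pcr0 "$2" || { echo "refusing to emit policy: '$2' is not a PCR0 value" >&2; return 1; }
    cat <<EOF
{
  "Sid": "AllowDecryptOnlyFromAttestedEnclave",
  "Effect": "Allow",
  "Principal": { "AWS": "$1" },
  "Action": "kms:Decrypt",
  "Resource": "*",
  "Condition": {
    "StringEqualsIgnoreCase": {
      "kms:RecipientAttestation:PCR0": "$2"
    }
  }
}
EOF
}

ROLE_ARN="arn:aws:iam::123456789012:role/EnclaveParentRole"   # placeholder
PCR0_PLACEHOLDER="$(printf '%096d' 0)"                          # placeholder; use the value from build-enclave

echo "# weak:";    weak_statement "$ROLE_ARN"
echo "# hardened:"; attested_statement "$ROLE_ARN" "$PCR0_PLACEHOLDER"
```

Rebuilding the enclave image changes PCR0, so the key policy has to be updated alongside each new EIF; a stale PCR0 in the policy fails closed, which is the intended behaviour.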