Skip to main content

AWS unveils highly secure cloud 'enclaves' for your most confidential data

security
(Image credit: Shutterstock)

AWS is giving customers an even more secure way to protect sensitive data in the cloud with a new EC2 instance type that has no external network connectivity, no persistent storage and no user access.

Customers in industries such as financial services, defense, media and entertainment and life sciences often process highly sensitive data on Amazon's cloud. However, when they do this, they need to protect against internal and external threats while dealing with complex situations involving multiple partners, vendors, customers and employees.

While customers currently use AWS VPC (virtual private cloud) to create isolated environments with controlled and limited connectivity, the company is giving them another option to store their sensitive data with the launch of AWS Nitro Enclaves.

AWS Nitro Enclaves

AWS Nitro Enclaves can be used to carve out an isolated environment on any EC2 instance powered by the Nitro System. 

While the company's Nitro System already isolates multiple EC2 instances running on the same hardware, Nitro Enclaves provide additional isolation through an independent kernel and by partitioning the CPU and memory of a single “parent” EC2 instance. The parent EC2 instance connects to the enclave over a virtual socket and this socket is the only way data can get in or out of a Nitro Enclave.

Chief evangelist for AWS Jeff Barr explained how these new secure enclaves utilize the “Nitro" hypervisor AWS introduced back in 2017 in a blog post, saying:

“The Nitro Hypervisor creates and then signs an attestation document as it creates each Nitro Enclave. The document contains (among other things), a set of Platform Configuration Registers (PCRs) that provide a cryptographically sound measurement of the boot process. These values, when attached to a KMS key policy, are used to verify that the expected image, OS, application, IAM role, and instance ID were used to create the enclave. After KMS has performed this verification step, it will perform the desired API action (decrypt, generate data key, or generate random value) requested by the code running in the enclave.”

Enclaves are now available on any EC2 instance that runs Nitro and while users can create one enclave from an EC2 instance, AWS also plans to support multiple enclaves in the future.

Via The Register