Security

Confidential Data Processing with AWS Nitro Enclaves - Encryption and Attestation in an Isolated Environment

Learn how to process sensitive data in the isolated environment of Nitro Enclaves, and control encryption key access through KMS integration and attestation.

約 3 分で読めます

Overview of Nitro Enclaves

Nitro Enclaves is a service that creates an isolated processing environment (enclave) within an EC2 instance. The enclave has dedicated CPU cores and memory, completely isolated from the host OS, other processes, and even administrators. It has no persistent storage or network interfaces, communicating with the host only through vsock.

KMS Integration and Attestation

At startup, the enclave generates a cryptographic attestation document (PCR values). The KMS condition key kms:RecipientAttestation:PCR0 verifies the enclave's image hash, providing decryption keys only to legitimate enclaves. For PII processing, encrypted personal information is sent to the enclave, where it retrieves the key from KMS, decrypts and processes the data, and returns only the results to the host. Plaintext PII is never exposed to the host OS.

Use Cases and Development

The primary use cases for Nitro Enclaves include PII processing (tokenization, encryption), secure use of encryption keys, multi-party computation, and DRM license verification. By decrypting and processing PII within the enclave and returning only results to the parent instance, no plaintext PII remains in the parent instance's memory or disk. Development uses the Nitro CLI to build enclave image files (EIF), following a workflow similar to Docker containers. Communication between the parent instance and enclave uses vsock (virtual socket), with the application defining the communication protocol. For those who want to systematically learn about confidential computing, related books (Amazon) can also be helpful.

Nitro Enclaves Pricing

Nitro Enclaves itself incurs no additional charges. The cost comes from splitting vCPU and memory from the parent instance to allocate to the enclave, so you need to appropriately size the parent instance. If you allocate 2 vCPUs and 4 GB of memory to the enclave, the parent instance's available resources are reduced accordingly. KMS requests with attestation are charged at the standard KMS rate (approximately $0.03 per 10,000 requests). Nitro Enclaves is available on Nitro-based instances (C5, M5, R5 and later).

Summary

Nitro Enclaves is a service for securely processing sensitive data in a completely isolated environment. KMS attestation ensures that only legitimate enclaves can access encryption keys, enabling PII tokenization and secure use of cryptographic keys. The enclave has dedicated CPU and memory, providing complete isolation that is inaccessible even from the parent instance.

Related Services

AWS Nitro EnclavesA service that creates isolated execution environments within EC2 instances for securely processing sensitive dataAWS KMSA managed encryption key service for securely creating and managing keys used to encrypt dataAmazon EC2A compute service that provides virtual servers in the cloud

Related Articles

Dedicated Key Management with AWS CloudHSM - FIPS 140-2 Level 3 Compliant EncryptionAchieve FIPS 140-2 Level 3 compliant key management with dedicated HSM instances. Learn when to choose CloudHSM over KMS and how to integrate both through KMS custom key stores.Confidential Computing - Isolating and Protecting Data in Use with AWS Nitro EnclavesLearn about isolated processing of sensitive data using AWS Nitro Enclaves. Covers cryptographic attestation, KMS integration, and use cases for PII processing and encryption key management.Amazon EBS Encryption and Snapshot Sharing - Cross-Account and Cross-Region DesignA comprehensive guide covering default encryption setup, cross-account snapshot sharing, and cross-region copy for DR design.

More on This Topic

Detecting Excessive Permissions with IAM Access Analyzer - External Access and Unused Permission AnalysisDetect unused permissions on IAM roles using CloudTrail-based analysis and auto-generate least-privilege policies. This guide covers external access detection and integrating custom policy checks into your CI/CD pipeline.Automating SSL/TLS Certificate Management with AWS Certificate Manager - From Issuance to RotationLearn how ACM handles free public certificate issuance, DNS validation, automatic renewal, and deployment to ALB and CloudFront.Retrieving Compliance Reports with AWS Artifact - Audit Response and Agreement ManagementLearn how to retrieve SOC, PCI DSS, and ISO audit reports on demand and apply BAA and GDPR DPA agreements across your entire AWS Organizations structure.Automating Audits - Continuously Collecting Compliance Evidence with AWS Audit ManagerLearn how to automate audit evidence collection with AWS Audit Manager. This guide covers automated assessments based on frameworks such as SOC 2, PCI DSS, and GDPR, centralized evidence management, and audit report generation.The Hidden Structure of AWS Account IDs' 12 Digits - Why 12 Digits, and What Can You Infer?A trivia-style exploration of why AWS account IDs are 12-digit numbers, the design intent embedded in the ARN structure, and the security considerations around what can be inferred from an account ID.Why the AWS Account Root User Is Dangerous - The Design Philosophy of Privilege Separation and Practical LockdownWe explain why the AWS root user holds privileges that cannot be restricted by IAM, list the operations only the root user can perform, cover MFA setup methods, and describe the lockdown strategy using Organizations' centralized root access management.Certificate Management and HTTPS - Automated TLS Certificate Operations with AWS Certificate ManagerLearn about TLS/SSL certificate issuance, automatic renewal, and deployment using AWS Certificate Manager (ACM). Covers integration with CloudFront, ALB, and API Gateway, DNS validation, and Private CA usage.Dedicated Key Management with AWS CloudHSM - FIPS 140-2 Level 3 Compliant EncryptionAchieve FIPS 140-2 Level 3 compliant key management with dedicated HSM instances. Learn when to choose CloudHSM over KMS and how to integrate both through KMS custom key stores.

Similar Articles and Services

Confidential Computing - Isolating and Protecting Data in Use with AWS Nitro EnclavesLearn about isolated processing of sensitive data using AWS Nitro Enclaves. Covers cryptographic attestation, KMS integration, and use cases for PII processing and encryption key management.AWS Encryption and Data Sovereignty - Hardware-Level Isolation from KMS to Nitro EnclavesWe explain hardware-level encryption and data sovereignty assurance through AWS KMS, CloudHSM, and Nitro Enclaves, and compare design differences with other cloud providers.How the Nitro System Transformed EC2 - From Xen to KVM, Eliminating Virtualization OverheadLearn about the technical background behind EC2's migration from the Xen hypervisor to the Nitro System, the three-layer architecture of Nitro Cards, Nitro Hypervisor, and Nitro Enclaves, and the design philosophy that achieved bare-metal-level performance.AWS Nitro System Hardware Innovation - How Custom Chips Redefined Virtualization and SecurityThis article explains the design philosophy behind the AWS-developed Nitro System, analyzing how the elimination of virtualization overhead, hardware-level security isolation, and bare-metal performance create competitive advantages unavailable from other providers.