AWS Nitro Enclaves のアイコン

AWS Nitro Enclaves Specialized2020年〜

A service that creates isolated execution environments within EC2 instances for securely processing sensitive data

About 2 min read

What It Does

AWS Nitro Enclaves is a service that creates fully isolated virtual machines (enclaves) within EC2 instances. Enclaves have no persistent storage, no network access, and no interactive access - communication with the parent instance is restricted to vsock (virtual socket) only. Integration with KMS enables encryption that can only be decrypted within the enclave.

Use Cases

Used for processing personally identifiable information (PII), secure management of encryption keys, processing financial transaction data, analyzing medical data, and multi-party computation.

Everyday Analogy

Think of it like a bank vault. The vault (enclave) is completely sealed off from external access, and the work inside (data processing) is invisible from outside. Entry and exit (vsock) is through a single strictly controlled passage only.

What Are Nitro Enclaves?

AWS Nitro Enclaves is a service that enables confidential computing. An enclave is created by isolating a portion of the parent EC2 instance's CPU and memory, and no one - including AWS administrators - can access the data inside the enclave. Cryptographic attestation verifies that the enclave has not been tampered with.

KMS Integration and Attestation

By specifying enclave PCR (Platform Configuration Register) values as conditions in KMS key policies, decryption is only permitted for specific enclave images. This ensures encrypted data is decrypted and processed only within the enclave, inaccessible to the parent instance or other processes. Attestation documents cryptographically verify the enclave's integrity. To broaden your knowledge of KMS integration and attestation, related books (Amazon) can also be useful.

Getting Started

Launch a Nitro Enclaves-enabled EC2 instance (enable enclaves at launch time) and build an enclave image (EIF) using the Nitro CLI. Start the EIF as an enclave and send/receive data from the parent instance via vsock.

Things to Watch Out For

  • No additional charges for Nitro Enclaves itself. CPU and memory allocated to the enclave are deducted from the parent instance
  • Enclaves have no network access, so external API calls must be made through the parent instance
共有するXB!

Related Services

Amazon EC2 iconAmazon EC2A compute service that provides virtual servers in the cloudAWS KMS iconAWS KMSA managed encryption key service for securely creating and managing keys used to encrypt dataAWS Certificate Manager iconAWS Certificate ManagerA service that automates provisioning, management, and deployment of SSL/TLS certificatesAWS Lambda iconAWS LambdaA serverless compute service that runs code without server management

Related Articles

AWS Encryption and Data Sovereignty - Hardware-Level Isolation from KMS to Nitro EnclavesWe explain hardware-level encryption and data sovereignty assurance through AWS KMS, CloudHSM, and Nitro Enclaves, and compare design differences with other cloud providers.AWS Nitro System Hardware Innovation - How Custom Chips Redefined Virtualization and SecurityThis article explains the design philosophy behind the AWS-developed Nitro System, analyzing how the elimination of virtualization overhead, hardware-level security isolation, and bare-metal performance create competitive advantages unavailable from other providers.Confidential Computing - Isolating and Protecting Data in Use with AWS Nitro EnclavesLearn about isolated processing of sensitive data using AWS Nitro Enclaves. Covers cryptographic attestation, KMS integration, and use cases for PII processing and encryption key management.Confidential Data Processing with AWS Nitro Enclaves - Encryption and Attestation in an Isolated EnvironmentLearn how to process sensitive data in the isolated environment of Nitro Enclaves, and control encryption key access through KMS integration and attestation.How the Nitro System Transformed EC2 - From Xen to KVM, Eliminating Virtualization OverheadLearn about the technical background behind EC2's migration from the Xen hypervisor to the Nitro System, the three-layer architecture of Nitro Cards, Nitro Hypervisor, and Nitro Enclaves, and the design philosophy that achieved bare-metal-level performance.

More in This Category

AWS Auto Scaling iconAWS Auto Scaling EssentialA service that automatically scales EC2, ECS, DynamoDB, and other resources based on demandAWS Batch iconAWS Batch SpecializedA managed service for efficiently scheduling and running batch computing jobsAmazon EC2 iconAmazon EC2 EssentialA compute service that provides virtual servers in the cloudAmazon EC2 Instance Connect iconAmazon EC2 Instance Connect SpecializedA service for securely connecting to EC2 instances without pre-distributing SSH keysAWS Elastic Beanstalk iconAWS Elastic Beanstalk PopularA service that automates application deployment and operations just by uploading your codeAmazon EVS iconAmazon EVS NewA fully managed service for running VMware vSphere environments on AWSEC2 Image Builder iconEC2 Image Builder SpecializedA service that automates the creation, testing, and distribution of custom AMIsAWS Lambda iconAWS Lambda EssentialA serverless compute service that runs code without server management

Similar Articles and Services

Confidential Computing - Isolating and Protecting Data in Use with AWS Nitro EnclavesLearn about isolated processing of sensitive data using AWS Nitro Enclaves. Covers cryptographic attestation, KMS integration, and use cases for PII processing and encryption key management.Confidential Data Processing with AWS Nitro Enclaves - Encryption and Attestation in an Isolated EnvironmentLearn how to process sensitive data in the isolated environment of Nitro Enclaves, and control encryption key access through KMS integration and attestation.AWS Encryption and Data Sovereignty - Hardware-Level Isolation from KMS to Nitro EnclavesWe explain hardware-level encryption and data sovereignty assurance through AWS KMS, CloudHSM, and Nitro Enclaves, and compare design differences with other cloud providers.How the Nitro System Transformed EC2 - From Xen to KVM, Eliminating Virtualization OverheadLearn about the technical background behind EC2's migration from the Xen hypervisor to the Nitro System, the three-layer architecture of Nitro Cards, Nitro Hypervisor, and Nitro Enclaves, and the design philosophy that achieved bare-metal-level performance.AWS Nitro System Hardware Innovation - How Custom Chips Redefined Virtualization and SecurityThis article explains the design philosophy behind the AWS-developed Nitro System, analyzing how the elimination of virtualization overhead, hardware-level security isolation, and bare-metal performance create competitive advantages unavailable from other providers.