AWS Introduces Highly Secure Cloud Enclaves for Your Most Sensitive Data

AWS is giving customers a more secure way to protect sensitive data in the cloud: an isolated compute environment, carved out of an EC2 instance, that has no external network connectivity, no persistent storage, and no interactive access for users or administrators. Customers in financial services, defense, media and entertainment, and life sciences routinely process extremely sensitive data in Amazon's cloud, and they must guard it against both internal and external threats while working with many partners, suppliers, customers, and employees. Customers already use Amazon VPC (Virtual Private Cloud) to build isolated environments with controlled, limited connectivity; with the launch of AWS Nitro Enclaves the company is adding another option, this time for processing (rather than storing) sensitive data in isolation.

AWS Nitro Enclaves

AWS Nitro Enclaves can be created on any EC2 instance built on the Nitro system. The Nitro system already isolates the EC2 instances that share a physical host; Nitro Enclaves add a further boundary by running a separate kernel on CPU cores and memory partitioned off from a single "parent" EC2 instance. The parent instance talks to the enclave only over a local virtual socket (vsock), and that socket is the only path by which data can enter or leave the enclave: there is no network interface, no persistent storage, and no interactive login.

AWS Chief Evangelist Jeff Barr explained how the enclaves build on the Nitro hypervisor, which AWS introduced in a 2017 blog post:

"The Nitro Hypervisor creates and then signs a certification document during the creation of every Nitro Enclave. The document contains (among other things) a set of Platform Configuration Records (PCRs) that provide a cryptographically strong measure of the boot process. These values, when associated with a KMS key policy, are used to verify that the expected image, operating system, application, IAM role, and instance ID were used to create the enclave. Once KMS has completed this verification step, it will perform the desired API action (decrypt, generate a data key, or generate a random value) requested by the code running on the enclave."

The practical consequence is that a KMS key policy can be pinned to the PCR values of one specific enclave build, so the key is usable only by code whose measurements match; an enclave built from a different image, kernel, application, IAM role, or parent instance presents different PCRs and is refused, even if the caller holds the same IAM credentials.

Enclaves are available today on any Nitro-based EC2 instance. Each instance can currently run a single enclave; AWS says support for multiple enclaves per instance is planned.

Via the registry
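To make the KMS binding and the vsock channel concrete, here is an added illustration (not code from AWS, from Jeff Barr's post, or from this article). It builds the key-policy statement using the real kms:RecipientAttestation:PCR<n> condition keys, simulates locally the comparison KMS performs against the PCRs in an attestation document, and sketches the parent-side vsock client with length-prefixed framing. The PCR values, the role ARN, the enclave port, and the policy_allows evaluator are constructed assumptions; only the condition-key names, the PCR meanings, and the parent CID of 3 are taken from AWS documentation.

```python
"""Added illustration (not AWS code): pinning a KMS key policy to Nitro
Enclave PCR measurements, and the parent-to-enclave vsock channel."""
import hashlib
import socket
import struct

# What the Nitro hypervisor measures into each PCR of the attestation
# document (per AWS documentation). PCR0 is also exposed to KMS as
# kms:RecipientAttestation:ImageSha384.
PCR_MEANING = {
    0: "enclave image file (EIF)",
    1: "Linux kernel and bootstrap ramdisk",
    2: "application (user ramdisk)",
    3: "IAM role attached to the parent instance",
    4: "parent instance ID",
    8: "certificate that signed the EIF",
}


# Constructed stand-ins for real measurements: SHA-384 hex (96 chars), the
# same shape as real PCRs, but hashes of labels rather than of an image.
def fake_pcr(label: str) -> str:
    return hashlib.sha384(label.encode()).hexdigest()


GOOD_PCRS = {i: fake_pcr(f"expected-{i}") for i in (0, 1, 2, 3, 4)}
ROLE_ARN = "arn:aws:iam::123456789012:role/EnclaveParentRole"  # assumption


def key_policy_statement(pcrs: dict, role_arn: str) -> dict:
    """KMS key-policy statement letting the parent's role decrypt only when
    the request carries an attestation document whose PCRs match `pcrs`.
    kms:RecipientAttestation:PCR<n> are the real condition keys; they exist
    on a request only if it includes an enclave attestation document."""
    conditions = {f"kms:RecipientAttestation:PCR{i}": v for i, v in pcrs.items()}
    return {
        "Sid": "AllowEnclaveDecrypt",
        "Effect": "Allow",
        "Principal": {"AWS": role_arn},
        "Action": ["kms:Decrypt", "kms:GenerateDataKey", "kms:GenerateRandom"],
        "Resource": "*",
        "Condition": {"StringEqualsIgnoreCase": conditions},
    }


POLICY_STATEMENT = key_policy_statement(GOOD_PCRS, ROLE_ARN)


def policy_allows(statement: dict, attestation_pcrs: dict) -> bool:
    """Local simulation of the KMS check (not KMS's real evaluator): every
    PCR named in the condition must equal the attestation document's value,
    case-insensitively. A PCR missing from the request (no attestation
    document at all) makes the condition false, so a plain API caller that
    merely holds the same IAM role is still denied."""
    for key, expected in statement["Condition"]["StringEqualsIgnoreCase"].items():
        index = int(key.rsplit("PCR", 1)[1])
        actual = attestation_pcrs.get(index)
        if actual is None or actual.lower() != expected.lower():
            return False
    return True


# --- The parent <-> enclave channel --------------------------------------
# vsock is a byte stream, so messages need framing: 4-byte big-endian length.
VMADDR_CID_PARENT = 3  # the parent instance is CID 3 as seen from the enclave
ENCLAVE_PORT = 5000    # assumption: the port the enclave application listens on


def frame(payload: bytes) -> bytes:
    return struct.pack(">I", len(payload)) + payload


def unframe(buf: bytes):
    """Return (first complete message, remaining bytes)."""
    (length,) = struct.unpack(">I", buf[:4])
    return buf[4:4 + length], buf[4 + length:]


def recv_exact(sock, n: int) -> bytes:
    buf = b""
    while len(buf) < n:
        chunk = sock.recv(n - len(buf))
        if not chunk:
            raise ConnectionError("vsock closed mid-message")
        buf += chunk
    return buf


def send_to_enclave(enclave_cid: int, payload: bytes, port: int = ENCLAVE_PORT) -> bytes:
    """Parent side: pass a KMS-encrypted blob to the enclave over vsock and
    read its reply. Needs a running enclave (its CID is printed by
    `nitro-cli run-enclave`), so this is not exercised offline. The enclave
    itself calls KMS (through a vsock proxy on the parent) with its
    attestation document; plaintext crosses this socket only if the
    enclave's own code chooses to send it."""
    with socket.socket(socket.AF_VSOCK, socket.SOCK_STREAM) as s:
        s.connect((enclave_cid, port))
        s.sendall(frame(payload))
        (length,) = struct.unpack(">I", recv_exact(s, 4))
        return recv_exact(s, length)
```

One caveat worth keeping in mind when writing the real policy: an enclave launched in debug mode reports all-zero PCRs, so a policy pinned to genuine measurements refuses a debug build, whereas a policy written against zeros would admit any debug enclave on the account.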