Providing Secrets to the AWS Nitro Enclave

In the previous section, you saw how quickly an AWS Nitro Enclave can be started using the Anjuna Nitro Runtime.

In all but the simplest cases, applications running in AWS Nitro Enclaves require access to sensitive data. For example, a web server needs a TLS certificate and its private key, or the password that unlocks the certificate and key in a key store. Other applications need credentials to connect to external services, such as a database.

Embedding such sensitive information in the Docker container image is not recommended: anyone who can pull or inspect the image can read the secrets.

You can securely provide secrets to applications running in AWS Nitro Enclaves with a process called Attestation.

Attestation is a feature that enables an AWS Nitro Enclave to prove its identity to an external service, which can then determine whether this AWS Nitro Enclave is authorized to perform certain operations.

One of the services that support transparent integration with AWS Nitro Attestation is the AWS Key Management Service (https://aws.amazon.com/kms/).

In the next sections, you will learn about:

  • AWS Nitro Attestation and Enclave measurements

  • Setting up an AWS KMS key in AWS KMS

  • Attaching a default policy to the AWS KMS key

  • Encrypting a secret with the key and storing it in a public S3 bucket

  • Building a Docker container that will download and decrypt the secret

  • Measuring the AWS Nitro Enclave for the Docker container

  • Updating the policy associated with the AWS KMS key to allow the AWS Nitro Enclave to decrypt data using that key

  • Starting the AWS Nitro Enclave to verify that it can decrypt the secret
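To make concrete what the two policy steps above amount to, here is the shape of an AWS KMS key policy after it has been updated for an enclave. This is an added illustration, not a policy from the Anjuna documentation or from AWS. The account ID, the IAM role name and the PCR0 measurement are placeholders; the condition key `kms:RecipientAttestation:PCR0` is the real AWS KMS condition key that is matched against the attestation document sent with the enclave's Decrypt request.

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "DefaultKeyAdministration",
      "Effect": "Allow",
      "Principal": { "AWS": "arn:aws:iam::111122223333:root" },
      "Action": "kms:*",
      "Resource": "*"
    },
    {
      "Sid": "AllowDecryptOnlyFromMeasuredEnclave",
      "Effect": "Allow",
      "Principal": { "AWS": "arn:aws:iam::111122223333:role/PLACEHOLDER-parent-instance-role" },
      "Action": "kms:Decrypt",
      "Resource": "*",
      "Condition": {
        "StringEqualsIgnoreCase": {
          "kms:RecipientAttestation:PCR0": "<PCR0_MEASUREMENT_OF_THE_ENCLAVE_IMAGE>"
        }
      }
    }
  ]
}
```

The first statement is the default policy that grants the account full control of the key. The second statement is the update that admits the enclave: the principal is the IAM role of the parent EC2 instance, because the enclave has no identity of its own, so the `Condition` block is what does the real work. Without it, any process on the parent instance that holds that role could call `kms:Decrypt`; with it, KMS releases the plaintext only when the request carries an attestation document whose PCR0 equals the measurement you recorded for the enclave image, and it returns the plaintext encrypted to the enclave's ephemeral public key, so the parent instance never sees the secret. Rebuilding the enclave image changes PCR0, so the policy must be updated whenever the image is.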