AWS Nitro Cryptographic Attestation
Applications running in AWS Nitro Enclaves can request a signed Attestation Document from the AWS Nitro Hypervisor (through the Nitro Security Module, NSM, device exposed inside the enclave). The document carries a set of measurements (PCR values) that uniquely describe the enclave image and the environment it is running in, and it is signed by a certificate chain that roots in the AWS Nitro Attestation PKI, so a relying party can check that the measurements really came from a Nitro Enclave and were not produced by arbitrary code on the parent instance.
A key administrator can attach a key policy to a specific AWS KMS key whose conditions restrict use of that key to approved AWS Nitro Enclaves. The conditions are expressed with the `kms:RecipientAttestation:ImageSha384` and `kms:RecipientAttestation:PCR<n>` condition keys, which KMS populates from the Attestation Document sent along with the request. This guarantees that Decrypt (or other key operations named in the policy) succeeds only when the caller is an enclave with the expected measurements, and makes the plaintext inaccessible to every other entity, including the parent EC2 instance and the IAM principal that owns it.
KMS first verifies the Attestation Document's signature chain against the AWS Nitro Attestation PKI root certificate, then evaluates the key policy using the measurements it contains. If the conditions in the policy do not match the measurements in the Attestation Document, or a referenced PCR is absent from the document, KMS rejects the operation. The response is encrypted to the public key the enclave included in the Attestation Document, so only that enclave can read the result.
The following table describes the measurements (PCR values) included in the Attestation Document:

| PCR | Hash of | Description |
|---|---|---|
| PCR0 | Enclave image file | A contiguous measurement of the contents of the image file, without the section data. |
| PCR1 | Linux kernel and bootstrap | A contiguous measurement of the kernel and boot ramfs data. |
| PCR2 | Application | A contiguous, in-order measurement of the user applications, without the boot ramfs. |
| PCR3 | IAM role assigned to the parent instance | A contiguous measurement of the IAM role assigned to the parent instance. Ensures that the attestation process succeeds only when the parent instance has the correct IAM role. |
| PCR4 | Instance ID of the parent instance | A contiguous measurement of the ID of the parent instance. Ensures that the process succeeds only when the parent instance has a specific instance ID. |
| PCR8 | Enclave image file signing certificate | A measurement of the signing certificate specified for the enclave image file. Ensures that the attestation process succeeds only when the enclave was booted from an enclave image file signed by a specific certificate. |
A policy using any combination of the PCR values above can be created to describe exactly the enclaves that are allowed to perform operations on a specific AWS KMS key. Each PCR is a SHA-384 digest, written in the policy as a 96-character hex string, and every condition in a statement must match for the statement to apply. Two practical points when choosing which PCRs to pin: PCR0, PCR1 and PCR2 change with every rebuild of the enclave image, so pinning them means updating the key policy on each release, whereas PCR8 pins the signing certificate and lets a signed image be updated without touching the policy; and an enclave started in debug mode reports all-zero PCRs, so a policy must never list the all-zero value or omit measurement conditions altogether, otherwise any debug enclave (whose console output is readable from the parent instance) would satisfy it.
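The matching rules described above, modelled as an added example (this is not AWS code and does not call KMS): a local evaluator that takes a KMS key policy with `kms:RecipientAttestation:*` conditions and the PCR set from an Attestation Document and returns the decision KMS would reach. The PCR hex values, the account ID and the role name are constructed placeholders, and the `ImageSha384` condition key is mapped to PCR0 because that is the enclave image measurement reported by `nitro-cli build-enclave`. The evaluator also rejects the all-zero measurements of a debug-mode enclave and denies when a PCR named in the policy is missing from the document.

```python
import json

CONDITION_PREFIX = "kms:RecipientAttestation:"
PCR_HEX_LEN = 96                      # SHA-384 digest as hex
DEBUG_MODE_PCR = "0" * PCR_HEX_LEN    # value of every PCR in a debug-mode enclave

# Constructed placeholder measurements, NOT real enclave PCRs.
PCR0_GOOD = "ab12" * 24   # enclave image file
PCR1_GOOD = "cd34" * 24   # kernel + boot ramfs
PCR2_GOOD = "ef56" * 24   # application
PCR8_GOOD = "9a7b" * 24   # image signing certificate

# Key policy of the kind described in the text: Decrypt is allowed for the
# parent instance's role (hypothetical account/role) only when the request
# carries an Attestation Document with the expected image and signer.
SAMPLE_KEY_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [{
        "Sid": "DecryptOnlyFromApprovedEnclave",
        "Effect": "Allow",
        "Principal": {"AWS": "arn:aws:iam::111122223333:role/ParentInstanceRole"},
        "Action": "kms:Decrypt",
        "Resource": "*",
        "Condition": {
            "StringEqualsIgnoreCase": {
                CONDITION_PREFIX + "ImageSha384": PCR0_GOOD,
                CONDITION_PREFIX + "PCR8": PCR8_GOOD,
            }
        },
    }],
})


def attestation_condition_values(pcrs):
    """Map the PCRs of an Attestation Document onto KMS condition keys.

    PCRn is exposed as kms:RecipientAttestation:PCRn; ImageSha384 is the
    enclave image measurement, i.e. PCR0 (assumption documented in the lead-in).
    """
    values = {CONDITION_PREFIX + name: digest for name, digest in pcrs.items()}
    if "PCR0" in pcrs:
        values[CONDITION_PREFIX + "ImageSha384"] = pcrs["PCR0"]
    return values


def sane_measurements(pcrs):
    """Reject PCR sets that cannot identify an enclave (malformed or debug mode)."""
    for name, digest in pcrs.items():
        if len(digest) != PCR_HEX_LEN or any(c not in "0123456789abcdefABCDEF" for c in digest):
            return False, f"{name} is not a SHA-384 hex digest"
        if digest == DEBUG_MODE_PCR:
            return False, f"{name} is all zeros: enclave is running in debug mode"
    return True, "ok"


def evaluate_key_policy(policy_json, pcrs, action):
    """Return (allowed, reason) for `action` given the enclave's PCRs.

    Only the attestation conditions are modelled; the caller is assumed to be
    an allowed principal. Every condition must match, and a condition key that
    is absent from the Attestation Document denies, as KMS does.
    """
    ok, reason = sane_measurements(pcrs)
    if not ok:
        return False, reason
    present = attestation_condition_values(pcrs)
    for stmt in json.loads(policy_json)["Statement"]:
        if stmt.get("Effect") != "Allow":
            continue
        actions = stmt["Action"] if isinstance(stmt["Action"], list) else [stmt["Action"]]
        if action not in actions:
            continue
        matched = True
        for operator, pairs in stmt.get("Condition", {}).items():
            fold = str.lower if operator == "StringEqualsIgnoreCase" else str
            for key, expected in pairs.items():
                if not key.startswith(CONDITION_PREFIX):
                    continue  # non-attestation conditions are out of scope here
                actual = present.get(key)
                if actual is None or fold(actual) != fold(expected):
                    matched = False
        if matched:
            return True, f"matched statement {stmt.get('Sid', '')!r}"
    return False, "no Allow statement's attestation conditions matched"


if __name__ == "__main__":
    good = {"PCR0": PCR0_GOOD, "PCR1": PCR1_GOOD, "PCR2": PCR2_GOOD, "PCR8": PCR8_GOOD}
    cases = {
        "approved image, signed": good,
        "uppercase hex in document": dict(good, PCR0=PCR0_GOOD.upper()),
        "image signed by another cert": dict(good, PCR8="1234" * 24),
        "unsigned image (no PCR8)": {k: v for k, v in good.items() if k != "PCR8"},
        "debug-mode enclave": {k: DEBUG_MODE_PCR for k in good},
    }
    for label, pcrs in cases.items():
        print(f"{label:32} -> {evaluate_key_policy(SAMPLE_KEY_POLICY, pcrs, 'kms:Decrypt')}")
```

Running the block prints one decision per case; only the first two are allowed. The "unsigned image" case is the one people most often get wrong: a policy that names PCR8 will deny an image built without `--signing-certificate`, which is the intended behaviour, not a misconfiguration.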