Concepts

This section explains a few high-level concepts that are important to understand when working with AWS Nitro Enclaves.

Attestation and Key-Access Policies

Attestation enables AWS Nitro Enclaves to authenticate themselves to client applications connecting to them, or to other services, including other enclaves. When connecting to services that support AWS Nitro attestation, an enclave can present a signed attestation document that includes information about the software that is running inside the enclave. This information comes in the form of measurements, or hashes computed by the AWS Nitro root-of-trust. This is similar in essence to how Trusted Platform Modules (TPMs) provide a measured boot sequence.

A client or an external services communicating with the enclave can then:

  • Inspect the attestation document

  • Verify that it was signed by a genuine AWS Nitro Enclave

  • Compare the measurements in the attestation document against known hashes of the software stack that the client expects to run in the enclave

The AWS Key Management Service (KMS) is one of the services that is AWS Nitro-aware. It allows an administrator to generate AWS KMS key policies that grant permissions to specific enclaves to decrypt data encrypted with that AWS KMS key. Such policies authorize enclaves based on their attested measurements. The KMS automatically compares the measurements from an attestation document against the hashes specified in the policy, and fulfills the request to decrypt data if there is a valid match.

When set up correctly, using AWS Nitro Enclaves with KMS guarantees that encrypted data can only be decrypted by an approved enclave. Applications that are not running in an AWS Nitro Enclave would not be able to provide an attestation document that would be validated, and KMS would reject any requests to decrypt data using the AWS KMS key. AWS Nitro Enclaves that are different from those that are approved would present an attestation document with different measurements. As such, KMS will not allow them to decrypt data with that AWS KMS key.

Enclave Measurement

The enclave’s measurements are a set of hashes that uniquely identify the enclave’s content, the parent instance’s identifier, and optionally the certificate used to sign the enclave.

See this page for more information:

https://docs.aws.amazon.com/enclaves/latest/user/set-up-attestation.html#where

When building an AWS Nitro Enclave Image File (EIF), the building tool outputs the measurements PCR0, PCR1, PCR2, and optionally PCR8 (if a certificate is used to sign the enclave). You can print the measurements by running the anjuna-nitro-cli describe-eif command.

The PCR3 and PCR4 measurements are automatically retrieved from the parent instance when the AWS Nitro Enclave is created.