Providing secrets to the AWS Nitro Enclave
In the previous section, you saw how easy and quick it is to start an AWS Nitro Enclave using the Anjuna Nitro Runtime.
In all but the simplest cases, applications running in AWS Nitro Enclaves require access to sensitive data. For example, a web server needs a TLS certificate and its private key, or a password to extract them from a key store. Other applications need credentials to connect to other services, such as an external database.
Adding this type of sensitive information to the Docker container is not recommended, since the container can be inspected, which would expose the secrets.
You can securely provide secrets to applications running in AWS Nitro Enclaves with a process called Attestation.
Attestation is a feature that enables an AWS Nitro Enclave to prove its identity to an external service, which can then determine whether this AWS Nitro Enclave is authorized to perform certain operations.
One of the services that supports transparent integration with AWS Nitro Attestation is the AWS Key Management Service.
In the next sections, you will learn about:
- Attestation for AWS Nitro Enclaves and the Anjuna Nitro Runtime
- Creating a key in AWS KMS
- Attaching a default policy to the AWS KMS key
- Encrypting a secret with the key and storing it in a public S3 bucket or in a local file
- Building a Docker container that will download and decrypt the secret
- Measuring the AWS Nitro Enclave for the Docker container
- Updating the policy associated with the AWS KMS key to allow the AWS Nitro Enclave to decrypt data using that key
- Starting the AWS Nitro Enclave to verify that it can decrypt the secret
Estimated time: 20 minutes