Here are some AWS docs that may be helpful:
Nitro Enclaves documentation: https://docs.aws.amazon.com/enclaves/latest/user/nitro-enclave.html
S3 encryption documentation: https://docs.aws.amazon.com/AmazonS3/latest/dev/UsingEncryption.html
S3 server-side encryption with KMS documentation: https://docs.aws.amazon.com/AmazonS3/latest/dev/UsingKMSEncryption.html
Using AWS KMS with Nitro Enclaves: https://aws.amazon.com/blogs/security/how-to-use-aws-key-management-service-with-nitro-enclaves-for-secure-data-processing/
AWS SDKs for encryption: https://aws.amazon.com/encryption/sdk/
Example code for using Nitro Enclaves with S3: https://github.com/aws-samples/aws-nitro-enclaves-samples/tree/main/s3-end-to-end-encryption
Yes, this is possible. Every Nitro Enclave at build time generates measurements PCR0, PCR1, PCR2 and optionally PCR8 (but highly recommended). PCR0 is a cryptographic measure of the entire enclave image file. So, in your case you would do something like the following.
- Store AWS KMS key-encrypted data in an Amazon S3 bucket.
- Build an enclave with your application that processes this sensitive data, generating the PCRs and the enclave image file (EIF).
- Capture the build-time PCR0.
- Add a KMS key policy conditional to the key from step 1 that only allows decrypt from an enclave with the specific PCR0.
- In the example, where your current enclave terminates and a future enclave is spawned from the same EIF, it would still be able to decrypt the data previously written to S3. I highly encourage you to read through the PCRs and tighten down the conditional on the KMS key policy further to PCR3, so that you are not tied to a particular EC2 instance (if the use case permits).
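As an added illustration (not part of the answer above), this is the shape of the KMS key policy the fourth step describes: decrypt is allowed only when the request carries an enclave attestation document whose PCR0 matches the build-time value. The account ID, the parent instance role name and the PCR0 value are placeholders.

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "AllowKeyAdministration",
      "Effect": "Allow",
      "Principal": { "AWS": "arn:aws:iam::111122223333:root" },
      "Action": "kms:*",
      "Resource": "*"
    },
    {
      "Sid": "AllowDecryptOnlyFromAttestedEnclave",
      "Effect": "Allow",
      "Principal": { "AWS": "arn:aws:iam::111122223333:role/PLACEHOLDER-ENCLAVE-PARENT-INSTANCE-ROLE" },
      "Action": "kms:Decrypt",
      "Resource": "*",
      "Condition": {
        "StringEqualsIgnoreCase": {
          "kms:RecipientAttestation:PCR0": "PLACEHOLDER_PCR0_HEX_CAPTURED_AT_EIF_BUILD"
        }
      }
    }
  ]
}
```

The `kms:RecipientAttestation:*` condition keys are only present when the Decrypt request includes an attestation document (as the enclave-side KMS tooling does), so a plain Decrypt call from the parent instance with the same role does not satisfy the condition and is denied. Tightening to PCR3 as the answer suggests means adding a `kms:RecipientAttestation:PCR3` entry alongside the PCR0 one.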