{"id":103941,"date":"2020-11-03T16:00:18","date_gmt":"2020-11-03T13:00:18","guid":{"rendered":"https:\/\/en.buradabiliyorum.com\/aws-releases-nitro-enclaves-making-highly-secure-data-processing-easier-cloudsavvy-it\/"},"modified":"2020-11-03T16:00:18","modified_gmt":"2020-11-03T13:00:18","slug":"aws-releases-nitro-enclaves-making-highly-secure-data-processing-easier-cloudsavvy-it","status":"publish","type":"post","link":"https:\/\/buradabiliyorum.com\/en\/aws-releases-nitro-enclaves-making-highly-secure-data-processing-easier-cloudsavvy-it\/","title":{"rendered":"#AWS Releases \u201cNitro Enclaves,\u201d Making Highly Secure Data Processing Easier \u2013 CloudSavvy IT"},"content":{"rendered":"<p><strong>&#8220;#AWS Releases \u201cNitro Enclaves,\u201d Making Highly Secure Data Processing Easier \u2013 CloudSavvy IT&#8221;<\/strong><\/p>\n<div id=\"article-content-area\">\n<p><img loading=\"lazy\" decoding=\"async\" class=\"alignnone size-full wp-image-5269\" src=\"https:\/\/www.cloudsavvyit.com\/thumbcache\/0\/0\/0eb3564906a864c93706b30eaca199af\/p\/uploads\/2020\/06\/e601b806.png\" alt=\"AWS Logo\" width=\"700\" height=\"300\" onload=\"pagespeed.lazyLoadImages.loadIfVisibleAndMaybeBeacon(this);\" onerror=\"this.onerror=null;pagespeed.lazyLoadImages.loadIfVisibleAndMaybeBeacon(this);\"\/><\/p>\n<p>Nitro Enclaves are a new feature of AWS\u2019s Nitro Hypervisor, which manages EC2 instances. They let you provision a separate, isolated environment for processing highly sensitive, often encrypted data.<\/p>\n<h2><span class=\"ez-toc-section\" id=\"Data_Processing_in_an_Isolated_Environment\"><\/span>Data Processing in an Isolated Environment<span class=\"ez-toc-section-end\"><\/span><\/h2>\n<p>Nitro Enclaves is a new capability of EC2. Each enclave needs an EC2 instance as its parent; you can think of it as an attachment, like an EBS volume or an accelerator card.<\/p>\n<p>These Nitro Enclaves are actually\u00a0<em>incredibly<\/em> secure. 
They\u2019re entirely isolated\u2014nobody, not even you, the owner, or the administrator can access them or any processes running on them directly over SSH. They have no external networking; only the parent can talk to the enclave, and only over local network sockets. This means that the parent server can be configured to handle encrypted data without it ever entering the scope of that server.<\/p>\n<p>It works like this: a request comes in to the parent instance that needs to handle some sensitive data. Rather than processing it locally, it\u2019s sent to the Enclave. While technically separate, you can think of it like being a special protected part of the parent server. The enclave can fetch a decryption key from AWS\u2019s Key Management Service, decrypt the data, and send a response after processing.<\/p>\n<p><img loading=\"lazy\" decoding=\"async\" class=\"alignnone size-full wp-image-7753\" src=\"https:\/\/www.cloudsavvyit.com\/thumbcache\/0\/0\/32309da6ac700f4e66e92147e88ee9af\/p\/uploads\/2020\/11\/ddff3a17.png\" alt=\"\" width=\"700\" height=\"432\" onload=\"pagespeed.lazyLoadImages.loadIfVisibleAndMaybeBeacon(this);\" onerror=\"this.onerror=null;pagespeed.lazyLoadImages.loadIfVisibleAndMaybeBeacon(this);\"\/><\/p>\n<p>An enclave is created by \u201cpartitioning the CPU and memory of an EC2 instance.\u201d If you have a 16 core 64 GB machine, you can dedicate 4 cores and 32 GB to the enclave, for example.<\/p>\n<p>Despite this, the Nitro Hypervisor puts the same restrictions on CPU and memory access in place between a parent instance and an enclave as it does between your instance and someone else\u2019s on the same host. 
The only thing connecting the two is a local vsock connection.<\/p>\n<p><img loading=\"lazy\" decoding=\"async\" class=\"alignnone size-full wp-image-7755\" src=\"https:\/\/www.cloudsavvyit.com\/thumbcache\/0\/0\/174ee039ddf3f6b191e55f93c0325fbb\/p\/uploads\/2020\/11\/5ea6e8af.png\" alt=\"\" width=\"700\" height=\"371\" onload=\"pagespeed.lazyLoadImages.loadIfVisibleAndMaybeBeacon(this);\" onerror=\"this.onerror=null;pagespeed.lazyLoadImages.loadIfVisibleAndMaybeBeacon(this);\"\/><\/p>\n<p>The <a rel=\"nofollow noopener noreferrer\" target=\"_blank\" href=\"http:\/\/redirect.viglink.com?u=https%3A%2F%2Fdocs.aws.amazon.com%2Fenclaves%2Flatest%2Fuser%2Fset-up-attestation.html&amp;key=204a528a336ede4177fff0d84a044482\">integration with AWS\u2019s Key Management Service<\/a>\u00a0is very useful here. KMS can be used to track, rotate, and manage access to sensitive decryption keys. This integration uses \u201ccryptographic attestation,\u201d which means that the Nitro Hypervisor produces a signed attestation document for the enclave to prove its identity to KMS. This includes a hash of the image file, an image file signing certificate, a hash of the Linux kernel, IAM roles on the parent, and the ID of the parent. 
All must match the configuration, or the request to KMS will not go through.\u00a0 If you\u2019re interested, there\u2019s an <a rel=\"nofollow noopener noreferrer\" target=\"_blank\" href=\"http:\/\/redirect.viglink.com?u=https%3A%2F%2Fdocs.aws.amazon.com%2Fenclaves%2Flatest%2Fuser%2Fhello-kms.html&amp;key=204a528a336ede4177fff0d84a044482\">example tool that Nitro ships with<\/a>\u00a0that demonstrates the cryptographic attestation process.<\/p>\n<h2><span class=\"ez-toc-section\" id=\"How_To_Use_Nitro_Enclaves\"><\/span>How To Use Nitro Enclaves<span class=\"ez-toc-section-end\"><\/span><\/h2>\n<p>To use them, you\u2019ll need to launch an instance with the setting enabled:<\/p>\n<p><img loading=\"lazy\" decoding=\"async\" class=\"alignnone size-full wp-image-7754\" src=\"https:\/\/www.cloudsavvyit.com\/thumbcache\/0\/0\/cd05bc78ac5796756a5385f03eaa1e48\/p\/uploads\/2020\/11\/1bfe236d.png\" alt=\"\" width=\"700\" height=\"142\" onload=\"pagespeed.lazyLoadImages.loadIfVisibleAndMaybeBeacon(this);\" onerror=\"this.onerror=null;pagespeed.lazyLoadImages.loadIfVisibleAndMaybeBeacon(this);\"\/><\/p>\n<p>You\u2019ll then need to build the image from a Dockerfile, and use the CLI to create the enclave. 
You can read AWS\u2019s <a rel=\"nofollow noopener noreferrer\" target=\"_blank\" href=\"https:\/\/aws.amazon.com\/blogs\/aws\/aws-nitro-enclaves-isolated-ec2-environments-to-process-confidential-data\/?tag=reviewgeek-20\">getting started guide<\/a> on their blog or their <a rel=\"nofollow noopener noreferrer\" target=\"_blank\" href=\"https:\/\/www.youtube.com\/watch?v=t-XmYt2z5S8&amp;feature=youtu.be\">YouTube tutorial<\/a> to learn more.<\/p>\n<p>After that, you\u2019ll probably need to <a rel=\"nofollow noopener noreferrer\" target=\"_blank\" href=\"http:\/\/redirect.viglink.com?u=https%3A%2F%2Fdocs.aws.amazon.com%2Fenclaves%2Flatest%2Fuser%2Fhello-kms.html&amp;key=204a528a336ede4177fff0d84a044482\">set up the KMS attestation<\/a> to use the enclave with KMS securely.<\/p>\n<\/div>\n<p><span style=\"color: black;\"><a style=\"color: #ff9900;\" href=\"https:\/\/www.cloudsavvyit.com\/7686\/aws-releases-nitro-enclaves-making-highly-secure-data-processing-easier\/\" target=\"_blank\" rel=\"noopener noreferrer\">Source<\/a><\/span><\/p>\n","protected":false},"excerpt":{"rendered":"<p>&#8220;#AWS Releases \u201cNitro Enclaves,\u201d Making Highly Secure Data Processing Easier \u2013 CloudSavvy IT&#8221; Nitro Enclaves are a new feature of AWS\u2019s Nitro Hypervisor that manages EC2 instances. 
It allows you to provision a separate, isolated environment used for processing highly secure, often encrypted data. Data Processing in an Isolated Environment Nitro Enclaves is a new&#8230;<\/p>\n","protected":false},"author":1,"featured_media":103942,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"fifu_image_url":"https:\/\/www.cloudsavvyit.com\/p\/uploads\/2020\/06\/e601b806.png","fifu_image_alt":"","footnotes":""},"categories":[18],"tags":[],"class_list":["post-103941","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-technology"],"_links":{"self":[{"href":"https:\/\/buradabiliyorum.com\/en\/wp-json\/wp\/v2\/posts\/103941","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/buradabiliyorum.com\/en\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/buradabiliyorum.com\/en\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/buradabiliyorum.com\/en\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/buradabiliyorum.com\/en\/wp-json\/wp\/v2\/comments?post=103941"}],"version-history":[{"count":0,"href":"https:\/\/buradabiliyorum.com\/en\/wp-json\/wp\/v2\/posts\/103941\/revisions"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/buradabiliyorum.com\/en\/wp-json\/wp\/v2\/media\/103942"}],"wp:attachment":[{"href":"https:\/\/buradabiliyorum.com\/en\/wp-json\/wp\/v2\/media?parent=103941"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/buradabiliyorum.com\/en\/wp-json\/wp\/v2\/categories?post=103941"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/buradabiliyorum.com\/en\/wp-json\/wp\/v2\/tags?post=103941"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}