Credential Guard - Amazon Elastic Compute Cloud
PrerequisitesLaunching a supported instanceTurning on Credential GuardVerifying Credential Guard is runningTurning off Credential Guard

Credential Guard

The AWS Nitro System supports Credential Guard for Amazon Elastic Compute Cloud (Amazon EC2) Windows instances. Credential Guard is a Windows virtualization-based security (VBS) feature that enables the creation of isolated environments to protect security assets, such as Windows user credentials and code integrity enforcement, beyond Windows kernel protections. When you run EC2 Windows instances, Credential Guard uses the AWS Nitro System to protect Windows login credentials from being extracted from the OS memory.

Prerequisites

Your Windows instance must meet the following prerequisites to utilize Credential Guard:

Amazon Machine Images (AMIs)

The AMI must be preconfigured to enable NitroTPM and UEFI Secure Boot. For more information on supported AMIs, see Prerequisites for launching a Windows instance with NitroTPM enabled.

Instance types

The following instance types and sizes support Credential Guard:

Type Sizes
C5 c5.large | c5.xlarge | c5.2xlarge | c5.4xlarge | c5.9xlarge | c5.12xlarge
C5d c5d.large | c5d.xlarge | c5d.2xlarge | c5d.4xlarge | c5d.9xlarge | c5d.12xlarge
C5n c5n.large | c5n.xlarge | c5n.2xlarge | c5n.4xlarge | c5n.9xlarge
C6i c6i.large | c6i.xlarge | c6i.2xlarge | c6i.4xlarge | c6i.8xlarge | c6i.12xlarge | c6i.16xlarge
C6id c6id.large | c6id.xlarge | c6id.2xlarge | c6id.4xlarge | c6id.8xlarge | c6id.12xlarge | c6id.16xlarge
M5 m5.large | m5.xlarge | m5.2xlarge | m5.4xlarge | m5.8xlarge
M5d m5d.large | m5d.xlarge | m5d.2xlarge | m5d.4xlarge | m5d.8xlarge
M5dn m5dn.large | m5dn.xlarge | m5dn.2xlarge | m5dn.4xlarge | m5dn.8xlarge
M5n m5n.large | m5n.xlarge | m5n.2xlarge | m5n.4xlarge | m5n.8xlarge
M5zn m5zn.large | m5zn.xlarge | m5zn.2xlarge | m5zn.3xlarge | m5zn.6xlarge
M6i m6i.large | m6i.xlarge | m6i.2xlarge | m6i.4xlarge | m6i.8xlarge
M6id m6id.large | m6id.xlarge | m6id.2xlarge | m6id.4xlarge | m6id.8xlarge
R5 r5.large | r5.xlarge | r5.2xlarge | r5.4xlarge
R5b r5b.large | r5b.xlarge | r5b.2xlarge | r5b.4xlarge
R5d r5d.large | r5d.xlarge | r5d.2xlarge | r5d.4xlarge
R5dn r5dn.large | r5dn.xlarge | r5dn.2xlarge | r5dn.4xlarge
R5n r5n.large | r5n.xlarge | r5n.2xlarge | r5n.4xlarge
R6i r6i.large | r6i.xlarge | r6i.2xlarge | r6i.4xlarge
R6id r6id.large | r6id.xlarge | r6id.2xlarge | r6id.4xlarge
Note

Though NitroTPM has some required instance types in common, the instance type must be one of the above to support Credential Guard.

Launching a supported instance

You can use the Amazon EC2 console or AWS Command Line Interface (AWS CLI) to launch an instance which can support Credential Guard. You will need a compatible AMI ID for launching your instance which is unique for each AWS Region.

Tip

You can use the following link to discover and launch instances with compatible Amazon provided AMIs in the Amazon EC2 console:

https://console.aws.amazon.com/ec2/v2/home?#Images:visibility=public-images;v=3;search=:TPM-Windows_Server;ownerAlias=amazon

Amazon EC2 console
To launch an instance using the Amazon EC2 console

Follow the steps to Launch an instance using the new launch instance wizard while specifying a supported instance type and preconfigured Windows AMI.

AWS CLI
To launch an instance using the AWS CLI

Use the run-instances command to launch an instance using a supported instance type and preconfigured Windows AMI.

aws ec2 run-instances \
--image-id ami-abcdef01234567890 \
--region us-east-1 \
--instance-type m5.2xlarge \
--subnet-id subnet-abcdef01234567890

Turning on Credential Guard

After you have launched a Windows instance with a supported instance type and compatible AMI, you can turn on Credential Guard.

Important

Administrator privileges are required to perform the following steps to turn on Credential Guard.

To turn on Credential Guard

  1. Connect to your instance as a user account with administrator privileges using the Remote Desktop Protocol (RDP). For more information, see Connect to your Windows instance using RDP.

  2. Open the Start menu and search for cmd to start a command prompt.

  3. Run the following command to open the Local Group Policy Editor: gpedit.msc

  4. In the Local Group Policy Editor, choose Computer Configuration, Administrative Templates, System, Device Guard.

  5. Select Turn On Virtualization Based Security, then select Edit policy setting.

  6. Choose Enabled within the Turn On Virtualization Based Security menu.

  7. For Select Platform Security Level, choose Secure Boot and DMA Protection.

  8. For Credential Guard Configuration, choose Enabled without lock.

    Note

    The remaining policy settings are not required to enable Credential Guard and can be left as Not Configured.

    The following image displays the VBS settings configured as described previously:

    Virtualization Based Security Group Policy Object settings with Turn On Virtualization Based Security enabled.

  9. Reboot the instance to apply the settings.

Verifying Credential Guard is running

You can use the Microsoft System Information (Msinfo32.exe) tool to confirm that Credential Guard is running.

Important

You must first reboot the instance to finish applying the policy settings required to enable Credential Guard.

To verify Credential Guard is running

  1. Connect to your instance using the Remote Desktop Protocol (RDP). For more information, see Connect to your Windows instance using RDP.

  2. Within the RDP session to your instance, open the Start menu and search for cmd to start a command prompt.

  3. Open System Information by running the following command: msinfo32.exe

  4. The Microsoft System Information tool lists the details for VBS configuration. Next to Virtualization-based security Services, confirm that Credential Guard appears as Running.

    The following image displays VBS is running as described previously:

    An image of the Microsoft System Information Tool with the Virtualization-based security line showing a status of Running, confirming Credential Guard is running.

Turning off Credential Guard

You can turn off Credential Guard if it has been enabled on your EC2 instance.

Important

Administrator privileges are required to perform the following steps to turn off Credential Guard.

To turn off Credential Guard

  1. Connect to your instance as a user account with administrator privileges using the Remote Desktop Protocol (RDP). For more information, see Connect to your Windows instance using RDP.

  2. Open the Start menu and search for cmd to start a command prompt.

  3. Run the following command to open the Local Group Policy Editor: gpedit.msc

  4. In the Local Group Policy Editor, choose Computer Configuration, Administrative Templates, System, Device Guard.

  5. Select Turn On Virtualization Based Security, then select Edit policy setting.

  6. Choose Disabled within the Turn On Virtualization Based Security menu.

  7. The following image displays the VBS settings configured as described previously:

    Virtualization Based Security Group Policy Object settings with Turn on Virtualization Based Security disabled.

  8. Reboot the instance to apply the settings.