Credential Guard - Amazon Elastic Compute Cloud

Credential Guard

The AWS Nitro System supports Credential Guard for Amazon Elastic Compute Cloud (Amazon EC2) Windows instances. Credential Guard is a Windows virtualization-based security (VBS) feature that enables the creation of isolated environments to protect security assets, such as Windows user credentials and code integrity enforcement, beyond Windows kernel protections. When you run EC2 Windows instances, Credential Guard uses the AWS Nitro System to protect Windows login credentials from being extracted from the OS memory.

Prerequisites

Your Windows instance must meet the following prerequisites to utilize Credential Guard:

Amazon Machine Images (AMIs)

The AMI must be preconfigured to enable NitroTPM and UEFI Secure Boot. For more information on supported AMIs, see Prerequisites for launching a Windows instance with NitroTPM enabled.

Memory integrity

Memory integrity, also known as hypervisor-protected code integrity (HVCI) or hypervisor enforced code integrity, isn't supported. Before you turn on Credential Guard, you must ensure this feature is disabled. For more information, see Disabling memory integrity.

Instance types

The following instance types support Credential Guard across all sizes: C5, C5d, C5n, C6i, C6id, C6in, M5, M5d, M5dn, M5n, M5zn, M6i, M6id, M6idn, M6in, R5, R5b, R5d, R5dn, R5n, R6i, R6id, R6idn, R6in.

Note

Though NitroTPM has some required instance types in common, the instance type must be one of the above to support Credential Guard.

Launching a supported instance

You can use the Amazon EC2 console or AWS Command Line Interface (AWS CLI) to launch an instance which can support Credential Guard. You will need a compatible AMI ID for launching your instance which is unique for each AWS Region.

Tip

You can use the following link to discover and launch instances with compatible Amazon provided AMIs in the Amazon EC2 console:

https://console.aws.amazon.com/ec2/v2/home?#Images:visibility=public-images;v=3;search=:TPM-Windows_Server;ownerAlias=amazon

Amazon EC2 console
To launch an instance using the Amazon EC2 console

Follow the steps to Launch an instance using the new launch instance wizard while specifying a supported instance type and preconfigured Windows AMI.

AWS CLI
To launch an instance using the AWS CLI

Use the run-instances command to launch an instance using a supported instance type and preconfigured Windows AMI.

aws ec2 run-instances \ --image-id resolve:ssm:/aws/service/ami-windows-latest/TPM-Windows_Server-2022-English-Full-Base \ --instance-type c6i.large \ --region us-east-1 \ --subnet-id subnet-id --key-name key-name
PowerShell
To launch an instance using the AWS Tools for PowerShell

Use the New-EC2Instance command to launch an instance using a supported instance type and preconfigured Windows AMI.

New-EC2Instance ` -ImageId resolve:ssm:/aws/service/ami-windows-latest/TPM-Windows_Server-2022-English-Full-Base ` -InstanceType c6i.large ` -Region us-east-1 ` -SubnetId subnet-id ` -KeyName key-name

Disabling memory integrity

You can use the Local Group Policy Editor to disable memory integrity in supported scenarios. The following guidance can be applied for each configuration setting under Virtualization Based Protection of Code Integrity:

  • Enabled without lock – Modify the setting to Disabled to disable memory integrity.

  • Enabled with UEFI lock – Memory integrity has been enabled with UEFI lock. Memory integrity can't be disabled once it has been enabled with UEFI lock. We recommend creating a new instance with memory integrity disabled and terminating the unsupported instance if it's not in use.

To disable memory integrity with the Local Group Policy Editor
  1. Connect to your instance as a user account with administrator privileges using the Remote Desktop Protocol (RDP). For more information, see Connect to your Windows instance using RDP.

  2. Open the Start menu and search for cmd to start a command prompt.

  3. Run the following command to open the Local Group Policy Editor: gpedit.msc

  4. In the Local Group Policy Editor, choose Computer Configuration, Administrative Templates, System, Device Guard.

  5. Select Turn On Virtualization Based Security, then select Edit policy setting.

  6. Open the settings drop-down for Virtualization Based Protection of Code Integrity, choose Disabled, then choose Apply.

  7. Reboot the instance to apply the changes.

Turning on Credential Guard

After you have launched a Windows instance with a supported instance type and compatible AMI, and confirmed that memory integrity is disabled, you can turn on Credential Guard.

Important

Administrator privileges are required to perform the following steps to turn on Credential Guard.

To turn on Credential Guard
  1. Connect to your instance as a user account with administrator privileges using the Remote Desktop Protocol (RDP). For more information, see Connect to your Windows instance using RDP.

  2. Open the Start menu and search for cmd to start a command prompt.

  3. Run the following command to open the Local Group Policy Editor: gpedit.msc

  4. In the Local Group Policy Editor, choose Computer Configuration, Administrative Templates, System, Device Guard.

  5. Select Turn On Virtualization Based Security, then select Edit policy setting.

  6. Choose Enabled within the Turn On Virtualization Based Security menu.

  7. For Select Platform Security Level, choose Secure Boot and DMA Protection.

  8. For Credential Guard Configuration, choose Enabled with UEFI lock.

    Note

    The remaining policy settings are not required to enable Credential Guard and can be left as Not Configured.

    The following image displays the VBS settings configured as described previously:

    
              Virtualization Based Security Group Policy Object settings with Turn On
                Virtualization Based Security enabled.
  9. Reboot the instance to apply the settings.

Verifying Credential Guard is running

You can use the Microsoft System Information (Msinfo32.exe) tool to confirm that Credential Guard is running.

Important

You must first reboot the instance to finish applying the policy settings required to enable Credential Guard.

To verify Credential Guard is running
  1. Connect to your instance using the Remote Desktop Protocol (RDP). For more information, see Connect to your Windows instance using RDP.

  2. Within the RDP session to your instance, open the Start menu and search for cmd to start a command prompt.

  3. Open System Information by running the following command: msinfo32.exe

  4. The Microsoft System Information tool lists the details for VBS configuration. Next to Virtualization-based security Services, confirm that Credential Guard appears as Running.

    The following image displays VBS is running as described previously:

    
              An image of the Microsoft System Information Tool with the Virtualization-based
                security line showing a status of Running, confirming Credential Guard is running.