This whitepaper is for historical reference only. Some content might be outdated and some links might not be available.
Host and Instance Features
AWS is constantly evolving its security capabilities at both the
host and instance level of operations. These features provide
isolation and separation of operations for host hardware and the
instances running on those hosts. With the introduction of the
AWS Nitro System, AWS provides industry-defining security mechanisms
for firmware and hypervisor operations. The AWS Nitro System is
composed of a family of Peripheral Component Interconnect Express
(PCIe) cards with custom application-specific integrated circuits
(ASICs) that control
distinct functions such as access to storage, virtual networking,
and a Nitro Security Chip that continuously monitors and protects
hardware resources and independently verifies firmware each time a
system boots. These, in conjunction with the Nitro hypervisor, a
lightweight kernel virtual machine (KVM)-based hypervisor, provide
the backbone for many AWS instance families. This allows AWS to
constrain operator-host interactions to a small set of functions
that can only be called through an API. There is no interactive
shell access. Virtual instances operating on these hosts also have
numerous additional security mechanisms enforced, such as memory
and CPU isolation.
In addition to providing highly secure, logically isolated,
multi-tenant compute services, AWS also provides means of
deploying compute to dedicated hardware using Dedicated Instances,
Dedicated Hosts, and Bare Metal. These deployment options can be used to launch
Amazon EC2 instances onto physical servers that are dedicated for
customer use. Dedicated Instances are hypervised Amazon EC2
instances that run in a VPC on hardware that’s dedicated to a
single customer. Dedicated Instances are physically isolated at
the host hardware level from instances that belong to other AWS
accounts. Dedicated Instances may share hardware with other
instances from the same AWS account that are not Dedicated
Instances. A Dedicated Host is also a physical server that’s
dedicated for customer use. With a Dedicated Host, customers have
visibility and control over how hypervised instances are placed on
the server. Bare Metal instances are non-hypervised host hardware
devices. Using the AWS Nitro technology for network and storage
offload, as well as the Nitro Security Chip to address the risks
associated with serial single-tenancy on Bare Metal, customers
have direct access to Amazon EC2 hardware. These Bare Metal
instances are full-fledged members of the Amazon EC2 service and
have access to services such as Amazon VPC and
Amazon Elastic Block Store (Amazon EBS).
There are few, if any, performance, security, or physical
differences between Dedicated Instances and instances deployed on
Dedicated Hosts. However, Dedicated Hosts give customers
additional control over how instances are placed on a physical
server and how that server is utilized. When customers use
Dedicated Hosts, they have control over instance placement on the
host using the Host Affinity and Instance Auto-placement settings.
If customers want to use AWS, and have an existing software
license that requires that the software be run on a particular
piece of hardware for some minimum amount of time, Dedicated Hosts
allow visibility into the host’s hardware, enabling customers to
meet licensing requirements.
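The tenancy and placement properties described in the two paragraphs above (default versus dedicated tenancy, and Host Affinity on a Dedicated Host) are visible per instance in the Placement block of the EC2 DescribeInstances response. The following is an added example, not code from the whitepaper or from AWS: it audits a constructed response of that shape so it runs offline. The field names (Placement.Tenancy, Placement.HostId, Placement.Affinity) follow the EC2 API; the instance and host ids, and the policy that every instance must be on dedicated hardware, are assumptions made for the example.

```python
"""Audit EC2 placement for tenancy and host-affinity expectations.

Added example, not part of the AWS whitepaper. Works on a constructed
DescribeInstances-style response; in practice the JSON would come from
`aws ec2 describe-instances`. Instance ids and host ids are made up.
"""
import json

# Constructed sample in the shape of a DescribeInstances response.
# i-0aaa: shared (default) tenancy        -> violates a dedicated-only policy
# i-0bbb: Dedicated Instance              -> dedicated tenancy, no host control
# i-0ccc: Dedicated Host with Affinity=host -> stays on h-0111 across stop/start
# i-0ddd: Dedicated Host, Affinity=default  -> may move to another host on restart
SAMPLE_RESPONSE = json.dumps({
    "Reservations": [{"Instances": [
        {"InstanceId": "i-0aaa",
         "Placement": {"AvailabilityZone": "us-east-1a", "Tenancy": "default"}},
        {"InstanceId": "i-0bbb",
         "Placement": {"AvailabilityZone": "us-east-1a", "Tenancy": "dedicated"}},
        {"InstanceId": "i-0ccc",
         "Placement": {"AvailabilityZone": "us-east-1a", "Tenancy": "host",
                       "HostId": "h-0111", "Affinity": "host"}},
        {"InstanceId": "i-0ddd",
         "Placement": {"AvailabilityZone": "us-east-1a", "Tenancy": "host",
                       "HostId": "h-0222", "Affinity": "default"}},
    ]}]
})


def instances(response_json):
    """Yield every instance record across all reservations."""
    data = json.loads(response_json)
    for reservation in data.get("Reservations", []):
        for inst in reservation.get("Instances", []):
            yield inst


def audit_tenancy(response_json, required=("dedicated", "host")):
    """Return ids of instances whose tenancy is not one of `required`.

    A missing Tenancy field is treated as 'default' (shared hardware),
    which is the conservative reading for an isolation audit.
    """
    return [inst["InstanceId"] for inst in instances(response_json)
            if inst.get("Placement", {}).get("Tenancy", "default") not in required]


def audit_host_affinity(response_json):
    """Return ids of Dedicated Host instances that lack host affinity.

    Tenancy 'host' with Affinity other than 'host' means a stop/start can
    place the instance on a different Dedicated Host, which matters when a
    licence is tied to a particular physical server.
    """
    flagged = []
    for inst in instances(response_json):
        placement = inst.get("Placement", {})
        if placement.get("Tenancy") == "host" and placement.get("Affinity", "default") != "host":
            flagged.append(inst["InstanceId"])
    return flagged


def hosts_in_use(response_json):
    """Map each Dedicated Host id to the instance ids placed on it."""
    by_host = {}
    for inst in instances(response_json):
        host_id = inst.get("Placement", {}).get("HostId")
        if host_id:
            by_host.setdefault(host_id, []).append(inst["InstanceId"])
    return by_host


if __name__ == "__main__":
    print("shared tenancy:", audit_tenancy(SAMPLE_RESPONSE))
    print("no host affinity:", audit_host_affinity(SAMPLE_RESPONSE))
    print("hosts in use:", hosts_in_use(SAMPLE_RESPONSE))
```

Run against real output by replacing SAMPLE_RESPONSE with the text of `aws ec2 describe-instances --output json`. The affinity check is the one most often missed: an instance launched on a Dedicated Host with the default affinity still has host tenancy, so a tenancy-only audit passes it even though the instance can migrate to another host on the next stop/start.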