Cryptographic attestation for AWS Nitro Enclaves
AWS KMS supports cryptographic attestation for AWS Nitro Enclaves. Applications that support AWS Nitro Enclaves call the following AWS KMS cryptographic operations with a signed attestation document for the enclave. These AWS KMS APIs verify that the attestation document came from a Nitro enclave. Then, instead of returning plaintext data in the response, these APIs encrypt the plaintext with the public key from the attestation document and return ciphertext that can be decrypted only by the corresponding private key in the enclave.
The following table shows how the response to Nitro enclave requests differs from the standard response for each API operation.
| AWS KMS operation | Standard response | Response for AWS Nitro Enclaves |
|---|---|---|
Decrypt |
Returns plaintext data | Returns the plaintext data encrypted by the public key from the attestation document |
DeriveSharedSecret |
Returns raw shared secret | Returns the raw shared secret encrypted by the public key from the attestation document |
GenerateDataKey |
Returns a plaintext copy of the data key (Also returns a copy of the data key encrypted by a KMS key) |
Returns a copy of the data key encrypted by the public key from the
attestation document (Also returns a copy of the data key encrypted by a KMS key) |
GenerateDataKeyPair |
Returns a plaintext copy of the private key (Also returns the public key and a copy of the private key encrypted by a KMS key) |
Returns a copy of the private key encrypted by the public key from the
attestation document (Also returns the public key and a copy of the private key encrypted by a KMS key) |
GenerateRandom |
Returns a random byte string | Returns the random byte string encrypted by the public key from the attestation document |
AWS KMS supports policy condition keys that you can use to allow or deny enclave operations with an AWS KMS key based on the content of the attestation document. You can also monitor requests to AWS KMS for your Nitro enclave in your AWS CloudTrail logs.
Learn more
