Require attestation to use an AWS KMS key
We would love to hear from you. Please provide
feedback on the AWS PRA by taking a short survey |
The following AWS Key Management Service (AWS KMS) key policy allows AWS Nitro Enclave instances to use a KMS key only if the enclave's attestation document in the request matches the measurements in the condition statement. This policy allows only trusted enclaves to decrypt the data. For more information about how this policy can help protect privacy and personal data in your organization, see AWS Nitro Enclaves in this guide. For a complete list of AWS KMS condition keys that can be used in key policies and in AWS Identity and Access Management (IAM) policies, see Condition keys for AWS KMS.
{ "Version": "2012-10-17", "Statement": [ { "Sid": "Enable enclave data processing", "Effect": "Allow", "Principal": { "AWS": "arn:aws:iam::123456789012:role/data-processing" }, "Action": [ "kms:Decrypt", "kms:GenerateDataKey", "kms:GenerateRandom" ], "Resource": "*", "Condition": { "StringEqualsIgnoreCase": { "kms:RecipientAttestation:ImageSha384": "EXAMPLE8abcdef7abcdef6abcdef5abcdef4abcdef3abcdef2abcdef1abcdef1abcdef0abcdef1abcdEXAMPLE", "kms:RecipientAttestation:PCR0": "EXAMPLEbc2ecbb68ed99a13d7122abfc0666b926a79d5379bc58b9445c84217f59cfdd36c08b2c79552928702EXAMPLE", "kms:RecipientAttestation:PCR1": "EXAMPLE050abf6b993c915505f3220e2d82b51aff830ad14cbecc2eec1bf0b4ae749d311c663f464cde9f718aEXAMPLE", "kms:RecipientAttestation:PCR2": "EXAMPLEc300289e872e6ac4d19b0b5ac4a9b020c98295643ff3978610750ce6a86f7edff24e3c0a4a445f2ff8EXAMPLE", "kms:RecipientAttestation:PCR3": "EXAMPLE11de9baee597508183477f097ae385d4a2c885aa655432365b53b812694e230bbe8e1bb1b8de748fe1EXAMPLE", "kms:RecipientAttestation:PCR4": "EXAMPLE6b9b3d89a53b13f5dfd14a1049ec0b80a9ae4b159adde479e9f7f512f33e835a0b9023ca51ada02160EXAMPLE", "kms:RecipientAttestation:PCR8": "EXAMPLE34a884328944cd806127c7784677ab60a154249fd21546a217299ccfa1ebfe4fa96a163bf41d3bcfaeEXAMPLE" } } } ] }
