Host and Instance Features - Logical Separation on AWS

Host and Instance Features

AWS is constantly evolving its security capabilities at both the host and instance level of operations. These features provide isolation and separation of operations for host hardware and the instances running on those hosts. With the introduction of the AWS Nitro System, AWS provides industry-defining security mechanisms for firmware and hypervisor operations. The AWS Nitro System consists of a family of Peripheral Component Interconnect Express (PCIe) cards with custom application-specific integrated circuits (ASICs) that control distinct functions such as access to storage and virtual networking, and a Nitro Security Chip that continuously monitors and protects hardware resources and independently verifies firmware each time a system boots. These, in conjunction with the Nitro hypervisor, a lightweight hypervisor based on the Linux Kernel-based Virtual Machine (KVM), provide the backbone for many AWS instance families. This design allows AWS to constrain operator-host interactions to a small set of functions that can only be called through an API; there is no interactive shell access to the host. Virtual instances running on these hosts also have numerous additional security mechanisms enforced, such as memory and CPU isolation.

In addition to providing highly secure, logically isolated, multi-tenant compute services, AWS also provides means of deploying compute onto dedicated hardware using Dedicated Instances, Dedicated Hosts, and Bare Metal instances. These deployment options launch Amazon EC2 instances onto physical servers that are dedicated to a single customer's use. Dedicated Instances are hypervisor-based Amazon EC2 instances that run in a VPC on hardware dedicated to a single customer. They are physically isolated at the host hardware level from instances that belong to other AWS accounts, but they may share hardware with other instances from the same AWS account that are not Dedicated Instances. A Dedicated Host is also a physical server dedicated to a single customer's use; with a Dedicated Host, customers additionally have visibility into and control over how hypervisor-based instances are placed on that server. Bare Metal instances run directly on the host hardware with no hypervisor. AWS Nitro technology offloads networking and storage, and the Nitro Security Chip addresses the risks of serial single-tenancy on Bare Metal (a server passing from one tenant to the next) by verifying the firmware at every boot, so customers can be given direct access to Amazon EC2 hardware. Bare Metal instances are full-fledged members of the Amazon EC2 service and have access to services such as Amazon VPC and Amazon Elastic Block Store (Amazon EBS).

There is little to no difference in performance, security, or physical hardware between Dedicated Instances and instances deployed on Dedicated Hosts. However, Dedicated Hosts give customers additional control over how instances are placed on a physical server and how that server is utilized: with Dedicated Hosts, customers control instance placement using the Host Affinity and Instance Auto-placement settings. Customers who want to use AWS but hold an existing software license that requires the software to run on a particular piece of hardware for some minimum amount of time can use Dedicated Hosts, which provide visibility into the host's hardware and so enable those licensing requirements to be met.
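As an added example (not part of the original whitepaper and not AWS's own code), the following Python shows how the three tenancy models described above map to the `Placement` parameter of the EC2 RunInstances API, and how to audit DescribeInstances output for instances that fall short of a required tenancy. The parameter and field names (`Tenancy`, `HostId`, `Affinity`, the `.metal` suffix on bare metal instance types) are real EC2 API conventions; the function names, the sample reservation data and the instance and host IDs are constructed for illustration and are assumptions of this example.

```python
"""Build and audit EC2 placement settings for shared, Dedicated Instance,
Dedicated Host and Bare Metal deployments (added example, not AWS code)."""
from typing import Dict, List, Optional

# EC2 Placement.Tenancy values. Higher rank = stronger hardware separation.
TENANCY_RANK = {"default": 0, "dedicated": 1, "host": 2}


def placement_for(tenancy: str,
                  host_id: Optional[str] = None,
                  affinity: Optional[str] = None) -> Dict[str, str]:
    """Return the `Placement` argument for ec2:RunInstances.

    tenancy:   'default'   -> shared hardware
               'dedicated' -> Dedicated Instance (AWS picks a single-tenant host)
               'host'      -> Dedicated Host (customer controls placement)
    host_id:   pin the launch to a specific Dedicated Host (Tenancy 'host' only)
    affinity:  'host' keeps the instance on that host across stop/start,
               'default' lets it move to any of the account's Dedicated Hosts
    The dict is what you would pass as Placement=... to
    boto3.client('ec2').run_instances(...); no call is made here.
    """
    if tenancy not in TENANCY_RANK:
        raise ValueError(f"unknown tenancy {tenancy!r}")
    if (host_id is not None or affinity is not None) and tenancy != "host":
        # HostId/Affinity only make sense on Dedicated Hosts; EC2 rejects them otherwise.
        raise ValueError("HostId and Affinity require Tenancy='host'")
    placement = {"Tenancy": tenancy}
    if host_id is not None:
        placement["HostId"] = host_id
    if affinity is not None:
        if affinity not in ("default", "host"):
            raise ValueError("Affinity must be 'default' or 'host'")
        placement["Affinity"] = affinity
    return placement


def is_bare_metal(instance_type: str) -> bool:
    """Bare Metal instance types carry a '.metal' size suffix (e.g. m5.metal)."""
    return instance_type.split(".")[-1] == "metal"


def audit_tenancy(reservations: List[dict], required: str) -> List[Dict[str, str]]:
    """Walk ec2:DescribeInstances 'Reservations' and report every instance whose
    Placement.Tenancy is weaker than `required` (ordering default < dedicated < host).
    Useful as a control check for workloads that must not share hardware with
    other accounts: anything weaker than 'dedicated' is a finding."""
    need = TENANCY_RANK[required]
    findings = []
    for reservation in reservations:
        for inst in reservation.get("Instances", []):
            tenancy = inst.get("Placement", {}).get("Tenancy", "default")
            if TENANCY_RANK.get(tenancy, 0) < need:
                findings.append({"InstanceId": inst["InstanceId"],
                                 "InstanceType": inst.get("InstanceType", ""),
                                 "Tenancy": tenancy,
                                 "Required": required})
    return findings


# Constructed sample in the shape of DescribeInstances output; IDs are made up.
SAMPLE_RESERVATIONS = [
    {"Instances": [
        {"InstanceId": "i-0aaa", "InstanceType": "m5.large",
         "Placement": {"AvailabilityZone": "us-east-1a", "Tenancy": "default"}},
        {"InstanceId": "i-0bbb", "InstanceType": "m5.large",
         "Placement": {"AvailabilityZone": "us-east-1a", "Tenancy": "dedicated"}},
    ]},
    {"Instances": [
        {"InstanceId": "i-0ccc", "InstanceType": "m5.metal",
         "Placement": {"AvailabilityZone": "us-east-1b", "Tenancy": "host",
                       "HostId": "h-0123", "Affinity": "host"}},
    ]},
]

if __name__ == "__main__":
    print(placement_for("dedicated"))
    print(placement_for("host", host_id="h-0123", affinity="host"))
    for finding in audit_tenancy(SAMPLE_RESERVATIONS, "dedicated"):
        print("shares hardware with other accounts:", finding)
```

The audit treats a missing `Tenancy` as shared, which is the safe direction for a control check; the pinned-host case (`HostId` plus `Affinity='host'`) is the configuration that satisfies a license bound to a particular physical server, because a stop/start cycle returns the instance to the same host rather than to any Dedicated Host in the account.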