The Security Design of the AWS Nitro System

The Nitro System journey

The Nitro System is the product of a multi-year journey of re-imagining virtualization technology for AWS Cloud infrastructure. Over the course of this journey, every component of virtualization technology was re-implemented and replaced. While customers saw improved cost, performance, and security from EC2 instances released earlier in this process, instances based on the resulting complete Nitro System, in which every component has been replaced, are meaningfully different from those prior instance types. The Nitro System provides enhanced security, confidentiality, and performance to customers of Amazon EC2, and provides a foundation that enables the delivery of new innovative technologies at a rapid pace.

The introduction of the Nitro System consisted of an incremental decomposition of the software components running in Dom0 on a general-purpose data center CPU into independent, purpose-built service processor units. What started as a tightly coupled, monolithic virtualization system was transformed, step by step, into a purpose-built microservices architecture. Starting with the C5 instance type introduced in 2017, the Nitro System has entirely eliminated the need for Dom0 on an EC2 instance. Instead, a custom-developed, minimized hypervisor based on KVM provides a lightweight VMM, while other functions, such as those previously performed by the device models in Dom0, are offloaded into a set of discrete Nitro Cards.

[Figure: Nitro System virtualization architecture]