Cryptographic attestation for AWS Nitro Enclaves (original) (raw)
AWS KMS supports cryptographic attestation for AWS Nitro Enclaves. Applications that support AWS Nitro Enclaves call the following AWS KMS cryptographic operations with a signed attestation document for the enclave. These AWS KMS APIs verify that the attestation document came from a Nitro enclave. Then, instead of returning plaintext data in the response, these APIs encrypt the plaintext with the public key from the attestation document and return ciphertext that can be decrypted only by the corresponding private key in the enclave.
The following table shows how the response to Nitro enclave requests differs from the standard response for each API operation.
| AWS KMS operation | Standard response | Response for AWS Nitro Enclaves |
|---|---|---|
| Decrypt | Returns plaintext data | Returns the plaintext data encrypted by the public key from the attestation document |
| DeriveSharedSecret | Returns raw shared secret | Returns the raw shared secret encrypted by the public key from the attestation document |
| GenerateDataKey | Returns a plaintext copy of the data key(Also returns a copy of the data key encrypted by a KMS key) | Returns a copy of the data key encrypted by the public key from the attestation document(Also returns a copy of the data key encrypted by a KMS key) |
| GenerateDataKeyPair | Returns a plaintext copy of the private key(Also returns the public key and a copy of the private key encrypted by a KMS key) | Returns a copy of the private key encrypted by the public key from the attestation document(Also returns the public key and a copy of the private key encrypted by a KMS key) |
| GenerateRandom | Returns a random byte string | Returns the random byte string encrypted by the public key from the attestation document |
AWS KMS supports policy condition keys that you can use to allow or deny enclave operations with an AWS KMS key based on the content of the attestation document. You can also monitor requests to AWS KMS for your Nitro enclave in your AWS CloudTrail logs.
Learn more
- Cryptographic attestation
- AWS KMS condition keys for AWS Nitro Enclaves
- How to call AWS KMS APIs for a Nitro enclave
- Monitoring requests for Nitro enclaves
Work with table encryption
How to call AWS KMS APIs for a Nitro enclave
Did this page help you? - Yes
Thanks for letting us know we're doing a good job!
If you've got a moment, please tell us what we did right so we can do more of it.
Did this page help you? - No
Thanks for letting us know this page needs work. We're sorry we let you down.
If you've got a moment, please tell us how we can make the documentation better.