In my last blog post, Running Python App on AWS Nitro Enclaves, I briefly introduced what AWS Nitro Enclaves is and demonstrated how network connections work on Nitro Enclaves.

This week, I am going to talk about how we can make use of the attestation documents generated by the Nitro Secure Module (NSM).

Common Scenario

AWS Nitro Enclaves are isolated compute environments that can securely process highly sensitive data. When the enclave communicates with components outside it (e.g. a central secret store), we want that exchange to be as secure as possible. The two main concerns are:

  1. How does the outside component know if it…

What is AWS Nitro Enclaves

AWS Nitro Enclaves is an isolated compute environment that runs alongside an EC2 instance. It takes its CPU cores and memory from the parent instance, but it is isolated at the hypervisor level, so not even the parent instance's root user or kernel can read the enclave's memory. The enclave has no persistent storage and no network interface of its own; the only channel to it is a local vsock connection from the parent instance.

A high-level overview of AWS Nitro Enclaves (From AWS documentation)

What does that mean?

To get an intuition for the concept, we can treat the enclave like a Docker container. We bake our application into an image (the enclave image file is itself built from a Docker image) and run it in the enclave, much as we run a Docker image in a container.


My initial goal was to try out Amazon SageMaker Debugger and see if I could get some useful information beyond what the DeepRacer stack provides.

However, after much trial and error, I found that it is not as easy as AWS's sample code suggests. Still, I think my journey is a good example of how to make SageMaker Debugger work in a customised environment.

What is Amazon SageMaker Debugger

Amazon SageMaker Debugger is a tool for debugging ML training. It does a lot of the heavy lifting for us: collecting data from the training job, monitoring the training process, detecting abnormal behaviour, and so on.

How does Amazon SageMaker Debugger work?

Amazon SageMaker Debugger consists of two parts: Collections/Hooks…

This post is not about setting up CloudWatch alarms; you can find that on Google easily. Instead, I am going to talk about how to set up alarms that let you sleep well at night.

It is the story of setting up alarms for my company's website. It may not be a brilliant solution, but I think it is simple enough to give you some insight without a complex architecture getting in the way.


My company had a web server that went down whenever there was a traffic spike. The website is not so important that it deserves a dedicated support team, nor…

API Gateway is Lambda's best companion, and many people try their first Lambda function with API Gateway. What many people don't know is that API Gateway is not just a trigger; it can do more than you may think.

This article will walk you through how to use API Gateway to:

  1. Validate user input
  2. Transform data format
  3. Integrate with other AWS services

1. Input validation

One of the most crucial security principles is to never trust user input, so you probably have some code validating the input at the beginning of your Lambda function.

Instead of invoking the Lambda function…
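The point of validating at the gateway is that a request which fails the model never invokes the Lambda at all. The block below is an added example, not code from the original post: it shows the shape of an API Gateway request model (API Gateway models are JSON Schema draft-04) and a small stand-in validator that applies the same checks locally, so you can see what the gateway would reject before the integration runs. The endpoint, field names and handler are hypothetical.

```python
"""Input validation at the edge: an API Gateway request model plus a small
stand-in validator.

Added example, not the original post's code. ORDER_MODEL is the shape
API Gateway accepts as a model (JSON Schema draft-04); validate() is a
minimal stand-in for the gateway's request validator so the behaviour can
be exercised offline. Endpoint and field names are hypothetical.
"""
import json
import re

# Model attached to POST /orders with a request validator set to check the
# body. Anything that fails it is answered with 400 by API Gateway and
# never reaches the Lambda integration.
ORDER_MODEL = {
    "$schema": "http://json-schema.org/draft-04/schema#",
    "title": "CreateOrder",
    "type": "object",
    "required": ["sku", "quantity", "email"],
    "additionalProperties": False,
    "properties": {
        "sku": {"type": "string", "pattern": "^[A-Z0-9-]{4,20}$"},
        "quantity": {"type": "integer", "minimum": 1, "maximum": 100},
        "email": {"type": "string", "maxLength": 254,
                  "pattern": "^[^@\\s]+@[^@\\s]+\\.[^@\\s]+$"},
        "note": {"type": "string", "maxLength": 500},
    },
}

_TYPES = {"string": str, "integer": int, "object": dict, "array": list}


def _errors(value, schema, path="$"):
    """Yield validation errors for the subset of draft-04 used above."""
    t = schema.get("type")
    # JSON booleans are ints in Python; a real validator rejects them too.
    if t == "integer" and (isinstance(value, bool) or not isinstance(value, int)):
        yield f"{path}: expected integer"
        return
    if t and t != "integer" and not isinstance(value, _TYPES[t]):
        yield f"{path}: expected {t}"
        return
    if t == "object":
        props = schema.get("properties", {})
        for key in schema.get("required", []):
            if key not in value:
                yield f"{path}.{key}: required"
        if schema.get("additionalProperties") is False:
            for key in value:
                if key not in props:
                    yield f"{path}.{key}: not allowed"
        for key, sub in props.items():
            if key in value:
                yield from _errors(value[key], sub, f"{path}.{key}")
    if t == "string":
        if "maxLength" in schema and len(value) > schema["maxLength"]:
            yield f"{path}: longer than {schema['maxLength']}"
        if "pattern" in schema and not re.search(schema["pattern"], value):
            yield f"{path}: does not match pattern"
    if t == "integer":
        if "minimum" in schema and value < schema["minimum"]:
            yield f"{path}: below minimum {schema['minimum']}"
        if "maximum" in schema and value > schema["maximum"]:
            yield f"{path}: above maximum {schema['maximum']}"


def validate(raw_body: str, schema=ORDER_MODEL):
    """Return (ok, errors). A body that is not JSON is rejected like any other."""
    try:
        body = json.loads(raw_body)
    except ValueError:
        return False, ["body is not valid JSON"]
    errs = list(_errors(body, schema))
    return (not errs), errs


def handler(event, context=None):
    """Lambda side: with the validator in front, the handler only ever sees
    bodies that already satisfy ORDER_MODEL, so no input parsing lives here."""
    order = json.loads(event["body"])
    return {"statusCode": 201, "body": json.dumps({"sku": order["sku"]})}


if __name__ == "__main__":
    good = '{"sku": "AB-1234", "quantity": 2, "email": "a@example.com"}'
    bad = '{"sku": "../etc", "quantity": 0, "email": "nope", "role": "admin"}'
    print(validate(good))
    print(validate(bad))
```

The `additionalProperties: false` line is the one people forget: without it a client can smuggle extra keys (such as the `role` field in the bad request above) through to the handler, and the validator's job is to reject exactly that kind of unexpected input.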


Working at a software vendor, I have had many clients come to me with their wild ideas. Thanks to the tech-startup boom of the past several years, many of my clients have ambitious goals inspired by those successful startups.

However, this is also a problem. Many of my clients' ideas are based on existing tech "startups". In the past few years I have worked on projects like a laundry version of Uber, a travel version of Instagram, a replica of Casetify, etc. The companies they reference are already big ones. They have…

AWS DeepRacer is a 1/18th-scale autonomous race car. It uses a camera (plus a LIDAR sensor on the newer version) as input to decide how fast the car should go and how sharply it should turn. We can use reinforcement learning to train a model in a simulated virtual world and then load the model into the real car to test it.

Reinforcement learning

The interaction in a reinforcement learning process

Reinforcement learning is one of the machine learning paradigms. The idea is that an agent observes the environment and takes an action. We, as the developer, can write a function that rewards the agent for that action. …

Cybersecurity is a hot topic now. If you search Google for how to protect your website, you will find many buzzwords: IDS, IPS, WAF, DDoS, proxy, you name it. You may conclude that protecting your website is difficult and expensive, and that it is not worth investing in security if your website is not critical.

Cyberattacks are more common than you think

A human attacker may not bother sneaking into your website to change the headline of your homepage. In most cases, your website will be hacked by a bot that constantly guesses your login password. Attackers can even inject code redirecting your customers to some malicious…
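The password-guessing bot described above leaves a very recognisable trace: many failed logins from one source in a short window, often across several usernames, sometimes followed by a success. The block below is an added example, not code from the original post, that runs that detection over a few constructed log lines. The log format (timestamp, ip, user, result) is an assumption; adapt the regex to whatever your login endpoint actually writes.

```python
"""Spotting a password-guessing bot in login logs.

Added example, not the original post's code. SAMPLE_LOG is constructed for
the demo and its line format is an assumption; the sliding-window logic is
the part worth keeping.
"""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

LINE = re.compile(
    r"^(?P<ts>\S+) ip=(?P<ip>\S+) user=(?P<user>\S+) result=(?P<result>ok|fail)$"
)

# Constructed sample: one source burning through admin-style usernames and
# then getting in, plus a legitimate user who mistyped twice.
SAMPLE_LOG = """\
2023-10-10T13:55:01Z ip=203.0.113.7 user=admin result=fail
2023-10-10T13:55:02Z ip=203.0.113.7 user=admin result=fail
2023-10-10T13:55:02Z ip=198.51.100.4 user=alice result=ok
2023-10-10T13:55:03Z ip=203.0.113.7 user=admin result=fail
2023-10-10T13:55:04Z ip=203.0.113.7 user=administrator result=fail
2023-10-10T13:55:05Z ip=203.0.113.7 user=root result=fail
2023-10-10T13:55:06Z ip=203.0.113.7 user=admin result=fail
2023-10-10T13:55:07Z ip=203.0.113.7 user=admin result=ok
2023-10-10T14:20:00Z ip=198.51.100.4 user=alice result=fail
2023-10-10T14:20:30Z ip=198.51.100.4 user=alice result=fail
"""


def parse(text):
    """Yield dicts for lines that match LINE; unknown shapes are skipped
    rather than allowed to crash the detector."""
    for line in text.splitlines():
        m = LINE.match(line)
        if not m:
            continue
        ev = m.groupdict()
        ev["ts"] = datetime.strptime(ev["ts"], "%Y-%m-%dT%H:%M:%SZ")
        yield ev


def detect(text, threshold=5, window=timedelta(seconds=60)):
    """Return findings keyed by source IP.

    An IP is flagged once it accumulates `threshold` failed logins inside a
    sliding `window`. A success arriving within the window after a flagged
    burst is marked separately: that is the event a human must look at.
    """
    failures = defaultdict(deque)   # ip -> (timestamp, username) of recent fails
    findings = {}
    for ev in parse(text):
        q = failures[ev["ip"]]
        if ev["result"] == "fail":
            q.append((ev["ts"], ev["user"]))
            while q and ev["ts"] - q[0][0] > window:   # drop fails outside the window
                q.popleft()
            if len(q) >= threshold:
                f = findings.setdefault(ev["ip"], {
                    "failures": 0, "users": set(),
                    "success_after_burst": False, "last_failure": None,
                })
                f["failures"] = max(f["failures"], len(q))
                f["users"].update(user for _, user in q)
                f["last_failure"] = ev["ts"]
        elif ev["ip"] in findings:
            f = findings[ev["ip"]]
            if ev["ts"] - f["last_failure"] <= window:
                f["success_after_burst"] = True
    return findings


if __name__ == "__main__":
    for ip, f in detect(SAMPLE_LOG).items():
        print(ip, f["failures"], "fails over", sorted(f["users"]),
              "then succeeded" if f["success_after_burst"] else "no success seen")
```

Two usernames from the same source within one burst is the signal that separates a bot working through a wordlist from a person who forgot their password; the legitimate user in the sample never crosses the threshold. In production, feed the flagged IPs to whatever blocks at the edge (a WAF rule or a fail2ban-style jail) rather than acting inside the application.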

What we have done so far

In part 1, we set up our repository to use Mozilla SOPS to encrypt secret files before committing. But the encryption/decryption process still relies on a human running it, which is not good DevOps practice. In part 2, we are going to automate the process with Git hooks.

What are Git hooks

Git hooks are scripts that Git runs at different stages of its actions, letting us customise our development workflow. In this post we will use three hooks: pre-commit, post-merge and post-rewrite. You can find my code in my GitHub repository.

Problems we have to solve

Problem 1: Cannot track if files changed

SOPS uses envelope encryption, our data is…
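To make the hooks concrete, here is an added example of the pre-commit side, not the hook from the author's repository. It refuses to let a plaintext secret file reach the index by encrypting it with `sops -e -i` and re-staging it. It assumes `sops` is on `PATH`, that the repository's `.sops.yaml` already selects the key (KMS, age or PGP) so no extra flags are needed, and that secret files live under a hypothetical `secrets/` directory. The detection of "already encrypted" relies on the `sops` metadata block (with its `mac` entry) that SOPS writes into every file it encrypts.

```python
#!/usr/bin/env python3
"""pre-commit hook: never commit a plaintext secret file; encrypt it with SOPS
and re-stage the ciphertext.

Added example, not the original post's hook. Assumptions: `sops` is on PATH,
.sops.yaml in the repo supplies the key so `sops -e -i FILE` needs no flags,
and secret files match SECRET_PATH (hypothetical location).
Install: cp pre-commit.py .git/hooks/pre-commit && chmod +x .git/hooks/pre-commit
"""
import json
import re
import subprocess
import sys

SECRET_PATH = re.compile(r"^secrets/.*\.(ya?ml|json)$")

# Constructed samples for the demo (the ENC[...] values are not real ciphertext).
PLAINTEXT_YAML = "db_password: hunter2\n"
ENCRYPTED_YAML = (
    "db_password: ENC[AES256_GCM,data:Q2hhbmdlTWU=,iv:AAA=,tag:BBB=,type:str]\n"
    "sops:\n"
    "    kms: []\n"
    "    lastmodified: '2023-10-10T13:55:00Z'\n"
    "    mac: ENC[AES256_GCM,data:Q0ND,iv:RERE,tag:RUVF,type:str]\n"
    "    version: 3.7.3\n"
)
ENCRYPTED_JSON = json.dumps({
    "db_password": "ENC[AES256_GCM,data:Q2hhbmdlTWU=,type:str]",
    "sops": {"kms": [], "mac": "ENC[AES256_GCM,data:Q0ND,type:str]", "version": "3.7.3"},
})


def is_sops_encrypted(text: str) -> bool:
    """True if the file already carries a SOPS metadata block with a MAC.

    SOPS adds a top-level `sops` mapping (mac, lastmodified, key groups, ...)
    to every file it encrypts; a plaintext file has no such block.
    """
    text = text.lstrip()
    if text.startswith("{"):
        try:
            doc = json.loads(text)
        except ValueError:
            return False
        return isinstance(doc.get("sops"), dict) and "mac" in doc["sops"]
    # YAML: an unindented `sops:` key followed by an indented block containing `mac:`.
    m = re.search(r"^sops:\s*$(?P<body>(?:\n[ \t]+.*)+)", text, re.M)
    return bool(m and re.search(r"^[ \t]+mac:", m.group("body"), re.M))


def files_needing_encryption(paths, read):
    """Staged secret files that are still plaintext.

    `read(path) -> str` is injected so the decision can be tested without git.
    """
    return [p for p in paths if SECRET_PATH.match(p) and not is_sops_encrypted(read(p))]


def staged_paths():
    out = subprocess.run(
        ["git", "diff", "--cached", "--name-only", "--diff-filter=ACM"],
        check=True, capture_output=True, text=True,
    ).stdout
    return out.split()


def _read(path):
    with open(path, encoding="utf-8") as fh:
        return fh.read()


def main():
    for path in files_needing_encryption(staged_paths(), _read):
        print(f"pre-commit: encrypting {path} with sops", file=sys.stderr)
        subprocess.run(["sops", "-e", "-i", path], check=True)   # encrypt in place
        subprocess.run(["git", "add", path], check=True)          # re-stage ciphertext
    return 0


if __name__ == "__main__":
    sys.exit(main())
```

The same `is_sops_encrypted` check drives the other direction: a post-merge or post-rewrite hook can walk the secret files and run `sops -d` on the ones that are still ciphertext so the working tree is usable immediately after a pull or rebase. Keeping the decision logic in a pure function with an injected reader is what makes the hook testable without a real repository.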

Serverless is an event-driven world

Unlike years ago, when we all hosted long-running daemons as servers, we are entering a serverless era in which everything is triggered by events.

It is obvious if you think about normal website traffic: a user hits the URL of your website or API endpoint, API Gateway triggers a Lambda function, and Lambda reads from or writes to DynamoDB. Everything starts from the user.

A common serverless architecture. Everything starts from user actions

However, once your system is big enough, you will face cases that require scheduled actions. How can we adopt a serverless architecture for those?

My past project: EV charger control system

One of my past projects was to build a cloud-based system to remotely control EV (Electronic…

Richard Fan

AWS DeepRacer League Finalist | AWS Community Builder | Cloud Engineer
