
How to Use AWS Nitro Enclaves Attestation Document

Richard Fan
Published in Level Up Coding
Nov 22, 2020

In my last blog post, Running Python App on AWS Nitro Enclaves, I briefly introduced what AWS Nitro Enclaves is and demonstrated how network connections work on Nitro Enclaves.

This week, I am going to talk about how we can make use of the attestation documents generated by the Nitro Secure Module (NSM).

Common Scenario

AWS Nitro Enclaves are isolated compute environments that can securely process highly sensitive data. When an enclave communicates with components outside it (e.g. a central secret store), we want that exchange to be as secure as possible. The two main concerns are:

  1. How does the outside component know that it is communicating with the correct enclave image, and not with an attacker impersonating the enclave?
  2. How can we secure the data transmitted between the enclave and the outside component?

To address these concerns, AWS Nitro Enclaves provides an attestation mechanism, described in detail in the AWS documentation. To make it easier to understand, I created a Python demo so you can get hands-on experience.
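To make the two concerns concrete, here is a verifier for a Nitro-style attestation document. This is an added example, not the author's demo code and not AWS's own library: it assumes the document layout AWS publishes (a COSE_Sign1 structure whose CBOR payload carries module_id, digest, timestamp, pcrs, certificate, cabundle, public_key, user_data and nonce) and applies the checks the outside component should make before trusting anything from the enclave: signature, freshness, expected PCR values, and the nonce it sent. A real verifier must check the ECDSA P-384 signature and the certificate chain up to the AWS Nitro root CA; that step is passed in as a callable, and the sample document, PCR values, placeholder public key and HMAC-SHA384 "signature" below are all constructed for the example so it runs offline with only the standard library.

```python
# Added example, not the post's demo code. The COSE_Sign1/CBOR layout follows
# the AWS attestation document format; the sample document, PCRs, public key
# and HMAC stand-in signature are constructed here and are NOT NSM output.
import hashlib, hmac, struct

# --- minimal CBOR codec (enough for COSE_Sign1 and the attestation payload) --
def cbor_encode(v):
    def head(major, n):
        if n < 24:
            return bytes([major << 5 | n])
        for ai, fmt in ((24, ">B"), (25, ">H"), (26, ">I"), (27, ">Q")):
            if n < 1 << (8 * struct.calcsize(fmt)):
                return bytes([major << 5 | ai]) + struct.pack(fmt, n)
        raise ValueError("integer too large")
    if v is None: return b"\xf6"
    if isinstance(v, bool): return b"\xf5" if v else b"\xf4"
    if isinstance(v, int): return head(0, v) if v >= 0 else head(1, -1 - v)
    if isinstance(v, bytes): return head(2, len(v)) + v
    if isinstance(v, str):
        u = v.encode(); return head(3, len(u)) + u
    if isinstance(v, list): return head(4, len(v)) + b"".join(map(cbor_encode, v))
    if isinstance(v, dict):
        return head(5, len(v)) + b"".join(cbor_encode(k) + cbor_encode(x) for k, x in v.items())
    raise TypeError(type(v))

def cbor_decode(data, pos=0):
    ib = data[pos]; major, ai = ib >> 5, ib & 0x1F; pos += 1
    if ai < 24: n = ai
    elif ai <= 27:
        size = 1 << (ai - 24); n = int.from_bytes(data[pos:pos + size], "big"); pos += size
    else: raise ValueError("indefinite-length items not supported")
    if major == 0: return n, pos
    if major == 1: return -1 - n, pos
    if major in (2, 3):
        s = data[pos:pos + n]; pos += n
        return (s if major == 2 else s.decode()), pos
    if major in (4, 5):
        items = []
        for _ in range(n * (2 if major == 5 else 1)):
            x, pos = cbor_decode(data, pos); items.append(x)
        return (dict(zip(items[::2], items[1::2])) if major == 5 else items), pos
    if major == 6: return cbor_decode(data, pos)   # drop the tag (18 = COSE_Sign1)
    return {20: False, 21: True, 22: None}[n], pos  # CBOR simple values

ES384 = -35  # COSE algorithm id for ECDSA with SHA-384, used by the NSM

def sig_structure(protected, payload):
    # COSE "Signature1" Sig_structure: the bytes the signer actually signs.
    return cbor_encode(["Signature1", protected, b"", payload])

def verify_attestation(doc, expected_pcrs, expected_nonce, now_ms,
                       verify_signature, max_age_ms=5 * 60 * 1000):
    """Return the trusted payload fields, or raise ValueError."""
    cose, end = cbor_decode(doc)
    if end != len(doc) or not (isinstance(cose, list) and len(cose) == 4):
        raise ValueError("not a COSE_Sign1 structure")
    protected, _unprotected, payload, signature = cose
    if cbor_decode(protected)[0].get(1) != ES384:
        raise ValueError("unexpected COSE algorithm")
    att = cbor_decode(payload)[0]
    # 1. Signature + certificate chain to the Nitro root CA (caller-supplied).
    if not verify_signature(sig_structure(protected, payload), signature, att["certificate"]):
        raise ValueError("bad signature")
    # 2. Freshness: timestamp is milliseconds since the epoch; reject old/future docs.
    if att["digest"] != "SHA384":
        raise ValueError("unexpected digest")
    if not (now_ms - max_age_ms <= att["timestamp"] <= now_ms):
        raise ValueError("attestation document is stale or from the future")
    # 3. Identity: every PCR the policy pins must match the expected measurement.
    for idx, want in expected_pcrs.items():
        got = att["pcrs"].get(idx)
        if got is None or not hmac.compare_digest(got, want):
            raise ValueError(f"PCR{idx} mismatch")
    # 4. Replay protection: the nonce we sent must come back inside the signed doc.
    if att.get("nonce") is None or not hmac.compare_digest(att["nonce"], expected_nonce):
        raise ValueError("nonce mismatch")
    return {"module_id": att["module_id"], "public_key": att.get("public_key"),
            "user_data": att.get("user_data"), "pcrs": att["pcrs"]}

# --- constructed sample enclave (NOT a real NSM, key or measurement) ---------
SHARED_KEY = b"demo-key-standing-in-for-the-NSM-signing-key"
ENCLAVE_PCRS = {0: hashlib.sha384(b"enclave image").digest(),
                1: hashlib.sha384(b"kernel+bootstrap").digest(),
                2: hashlib.sha384(b"application").digest()}
ENCLAVE_PUBKEY = b"\x04" + bytes(64)  # placeholder for the enclave's public key

def make_attestation(nonce, timestamp_ms, pcrs=ENCLAVE_PCRS, public_key=ENCLAVE_PUBKEY):
    payload = cbor_encode({"module_id": "i-example-encdemo", "digest": "SHA384",
                           "timestamp": timestamp_ms, "pcrs": pcrs,
                           "certificate": b"<DER leaf cert>",
                           "cabundle": [b"<DER root>", b"<DER intermediate>"],
                           "public_key": public_key, "user_data": None, "nonce": nonce})
    protected = cbor_encode({1: ES384})
    # HMAC-SHA384 stands in for the NSM's ECDSA P-384 signature in this example.
    signature = hmac.new(SHARED_KEY, sig_structure(protected, payload), "sha384").digest()
    return cbor_encode([protected, {}, payload, signature])

def hmac_stand_in(to_be_signed, signature, _certificate):
    return hmac.compare_digest(hmac.new(SHARED_KEY, to_be_signed, "sha384").digest(), signature)

if __name__ == "__main__":
    nonce, now = b"\x11" * 32, 1_606_000_000_000
    doc = make_attestation(nonce, now - 1000)
    out = verify_attestation(doc, ENCLAVE_PCRS, nonce, now, hmac_stand_in)
    print("attested", out["module_id"], "public key", out["public_key"][:4].hex())
```

The order of the checks matters: nothing in the payload is trusted until the signature over the Sig_structure has been verified, and the nonce check is what prevents an attacker from replaying an old but genuine document. Once the document passes, the `public_key` field is the key the outside component encrypts secrets to, which is how the second concern (protecting data in transit to the enclave) is addressed: only the enclave that generated that key pair can decrypt what is sent back.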

The Components

  1. Client
    This is to simulate generic components…
