Amazon Web Services (AWS) today announced the general availability of AWS Nitro Enclaves, a specific subset of Elastic Compute Cloud (EC2) instances that focus on processing sensitive data. With this release, AWS is targeting customers in industries such as defense, entertainment, media, financial services, and the sciences that use the computing power of AWS Cloud instances to process sensitive data.
Unlike traditional EC2 instances, Nitro Enclaves have no persistent storage, no external networking, and no administrator or operator access. This lets Nitro Enclaves reduce the attack surface of applications by providing an isolated environment tailored to data-processing use cases.
This isolation means that applications running in an Enclave remain inaccessible to other users and systems, even to users within the customer's own organization. The owner of an AWS Nitro Enclave can start and stop it or assign resources to it, but even the owner cannot see what is being processed inside the Enclave.
In addition, Nitro Enclaves reuse the Nitro Hypervisor technology of traditional EC2 instances to provide CPU and memory isolation for the Enclaves. AWS also launched AWS Certificate Manager (ACM) for Nitro Enclaves, which protects and manages the SSL and TLS certificates of web servers hosted on EC2 instances.
Nitro Enclaves will support most Intel- and AMD-based EC2 instance types built on the AWS Nitro System. Support for AWS Graviton2-based instances is planned for the first half of next year. Nitro Enclaves will be available in most major AWS regions; specific details can be found here. If you are interested in getting started with them, see this web page.