Tags: amazon-web-services, encryption, amazon-ec2, trusted-computing, enclave

Can we prevent EC2 instance from accessing the plain text data when using the AWS Nitro Enclave for encryption?


I am working on a project where the data that comes from the customer through a REST API should be encrypted before it is sent to the database. To do that, we need to use AWS Nitro Enclaves for the encryption. So the Nitro Enclave will receive the data from the parent EC2 instance, talk to KMS to retrieve the encryption key, encrypt the data and send it back to EC2, and EC2 will then send it to the database.

The problem is that the data is now exposed in plain text to anyone who can access the EC2 instance, which defeats the whole purpose of securing the data. My question is: is there any way for the data to be intercepted by the Enclave itself? In other words, can the TLS terminate in the Enclave? I know that the Enclave does not have any networking capability, but I am not sure how this Enclave solves the issue of securing personally identifiable information.

Any clarification on this point is much appreciated.

Many thanks! Zak


Solution

  • TLS terminate in the Enclave?

    Sure, you could use vsock-proxy (part of the Nitro Enclaves CLI installation) to pass the traffic (not terminated) directly to the Nitro Enclave; see https://nitro-enclaves.workshop.aws/en/my-first-enclave/secure-local-channel.html
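The arrangement the answer describes, as an added example that is not part of the original question or answer and not AWS sample code: the parent instance is reduced to a byte pump between the customer's TCP socket and the enclave's socket, and the TLS session is terminated inside the enclave, so the record only ever exists in plaintext in enclave memory. The example runs entirely over loopback TCP so it can be executed anywhere; in a real deployment the enclave side listens on AF_VSOCK and the parent dials the enclave's vsock CID:port (or hands the bytes to vsock-proxy), which is the only thing that changes. The hostname `enclave.example`, the in-memory self-signed certificate, the `piiRecord` request and the "stored N bytes" reply are all constructed for the demo; the KMS call and attestation document that a real enclave would use to obtain its key are not shown.

```go
package main

import (
	"bufio"
	"bytes"
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"io"
	"math/big"
	"net"
	"time"
)

// piiRecord is a constructed sample request of the kind the REST API would receive.
const piiRecord = "customer=zak;ssn=123-45-6789;card=4111111111111111"

func must(err error) {
	if err != nil {
		panic(err)
	}
}

// selfSignedCert builds the enclave's TLS identity in memory. In a real enclave the key is
// generated inside it (or unwrapped from KMS after attestation) and never touches the parent.
func selfSignedCert() (tls.Certificate, *x509.CertPool) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	must(err)
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: "enclave.example"},
		NotBefore: time.Now().Add(-time.Minute), NotAfter: time.Now().Add(time.Hour),
		KeyUsage: x509.KeyUsageDigitalSignature | x509.KeyUsageCertSign,
		IsCA: true, BasicConstraintsValid: true, DNSNames: []string{"enclave.example"},
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	must(err)
	leaf, err := x509.ParseCertificate(der)
	must(err)
	pool := x509.NewCertPool()
	pool.AddCert(leaf)
	return tls.Certificate{Certificate: [][]byte{der}, PrivateKey: key}, pool
}

// enclaveServe is the enclave side: TLS terminates here, so plaintext exists only in enclave
// memory. Production code would now call KMS through the vsock proxy and encrypt the record.
func enclaveServe(ln net.Listener, cert tls.Certificate) {
	c, err := tls.NewListener(ln, &tls.Config{Certificates: []tls.Certificate{cert}, MinVersion: tls.VersionTLS12}).Accept()
	must(err)
	defer c.Close()
	if line, err := bufio.NewReader(c).ReadString('\n'); err == nil {
		fmt.Fprintf(c, "stored %d bytes\n", len(line))
	}
}

// parentRelay is the untrusted parent's whole job: copy bytes between the client socket and the
// enclave socket without terminating TLS (in production enclaveAddr is a vsock CID:port).
// It returns everything it relayed so the demo can show what the parent was able to see.
func parentRelay(ln net.Listener, enclaveAddr string) []byte {
	client, err := ln.Accept()
	must(err)
	defer client.Close()
	up, err := net.Dial("tcp", enclaveAddr)
	must(err)
	defer up.Close()
	var toEnclave, toClient bytes.Buffer
	done := make(chan struct{})
	go func() { io.Copy(io.MultiWriter(up, &toEnclave), client); close(done) }()
	io.Copy(io.MultiWriter(client, &toClient), up) // ends when the enclave closes after answering
	<-done                                          // ends when the client closes after reading
	return append(toEnclave.Bytes(), toClient.Bytes()...)
}

// runDemo wires client, parent and enclave together over loopback TCP (standing in for vsock)
// and returns the client's reply plus every byte the parent saw on the wire.
func runDemo() (string, []byte) {
	cert, pool := selfSignedCert()
	encLn, err := net.Listen("tcp", "127.0.0.1:0") // stands in for the enclave's vsock listener
	must(err)
	defer encLn.Close()
	proxyLn, err := net.Listen("tcp", "127.0.0.1:0") // the parent's public-facing port
	must(err)
	defer proxyLn.Close()
	go enclaveServe(encLn, cert)
	relayed := make(chan []byte, 1)
	go func() { relayed <- parentRelay(proxyLn, encLn.Addr().String()) }()
	cfg := &tls.Config{RootCAs: pool, ServerName: "enclave.example", MinVersion: tls.VersionTLS12}
	conn, err := tls.Dial("tcp", proxyLn.Addr().String(), cfg)
	must(err)
	fmt.Fprintln(conn, piiRecord)
	reply, err := bufio.NewReader(conn).ReadString('\n')
	conn.Close() // lets the parent's client-to-enclave copy finish
	must(err)
	return reply[:len(reply)-1], <-relayed
}
```

Running `runDemo` shows the enclave answering the request while the bytes the parent relayed contain no trace of the record. Two caveats a practitioner should keep in mind: the parent still sees the TLS handshake metadata, in particular the plaintext SNI (`enclave.example` is visible in the ClientHello), plus record lengths and timing; and the enclave's private key must be created or unwrapped inside the enclave, because a key that was ever on the parent gives a parent-level attacker the same plaintext access the question is trying to remove.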