How to Use AWS Nitro Enclaves Attestation Document
In my last blog post Running Python App on AWS Nitro Enclaves, I briefly introduced what AWS Nitro Enclaves is and also demonstrate how network connection works on Nitro Enclaves.
This week, I am going to talk about how we can make use of attestation documents generated by Nitro Secure Module (NSM).
Common Scenario
AWS Nitro Enclaves are isolated compute environments that can securely process highly sensitive data. When communicating with other components outside the enclave (e.g. Central secret store), we also want this process as secure as possible. The 2 main concerns are:
- How does the outside component know if it is communicating with the correct enclave image but not an attacker impersonating the enclave?
- How can we secure the data transmitted between the enclave and the outside component?
To tackle the issue, AWS Nitro Enclaves provides an attestation mechanism, its detail is provided in AWS documentation. But to understand it more easily, I created a Python demo for you to have a hands-on experience.
The Components
- Client
This is to simulate generic components that rely on the output from the secure process. For example, a website, which supports SSO, needs to know if the user has been authenticated or not. - Server
This is to simulate the process that handles sensitive data. In the previous example, it would be the SSO authenticator, which has access to the OAuth App secret to do the authentication. - SecretStore
This is to simulate the central database storing the secrets. In the previous example, it would be the database that stores the App secret of different SSO providers.
However, for simplicity, the demo would not perform any process on the secret as it is not our focus. It would just pass the secret plaintext to the client.
The Process
