AWS Nitro Enclaves – Isolated EC2 Environments to Process Confidential Data

AWS Nitro Enclaves enables customers to create isolated compute environments to further protect and securely process highly sensitive data such as personally identifiable information (PII), healthcare, financial, and intellectual property data within their Amazon EC2 instances.

The Nitro system is a rich collection of building blocks that can be assembled in many different ways, giving us the flexibility to design and rapidly deliver EC2 instance types with an ever-broadening selection of compute, storage, memory, and networking options.

To date, we have used these building blocks to deliver on that promise, and have launched (to name a few) the M5, C5, R5, T3, I3, A1, P3dn, z1d, and High Memory instances. Our fast-growing collection of instances is designed to meet an equally fast-growing set of customer needs and requirements.

A New Isolation Challenge

AWS customers in industries as diverse as financial services, defense, media & entertainment, and life sciences routinely process highly sensitive data on the AWS Cloud. When they do this, they need to protect against internal and external threats, and they need to deal with complex situations that involve multiple, mutually untrusted partners, vendors, customers, and employees. Today, they use VPCs to create highly isolated environments with controlled, limited connectivity, accessible only to a restricted set of users.

Nitro Enclaves

Today we are addressing this important need with the launch of AWS Nitro Enclaves. You can use this to carve out an isolated environment on any EC2 instance that is powered by the Nitro System. The Nitro System already isolates multiple EC2 instances that are running on the same hardware. Nitro Enclaves provides additional isolation by partitioning the CPU and memory of a single “parent” EC2 instance, and protects highly sensitive data against other users or applications that are running on the same instance. The environment is provably secure, and is not accessible to other applications, users, or processes running on the parent EC2 instance. It is very flexible, is designed to meet the needs of your most demanding production workloads, and gives you full control over the amount of memory and processing power that is allocated to the isolated environment.

We are launching with support for the creation of a single enclave per EC2 instance, and will add support for multiple enclaves in the future. You have the ability to use all but one of the instance’s cores (2 vCPUs on instances that use hyperthreaded processors) and just about all of its memory for your enclave:
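As an added illustration of the allocation rule just described (example code written for this page, not AWS's own tooling or documentation): the helper below computes the largest vCPU allocation that leaves one full core with the parent instance, validates a request against that limit, and shows how the result would feed a launch. It assumes the Nitro CLI's `run-enclave` command with its `--cpu-count`, `--memory` and `--eif-path` flags, that enclave vCPUs are handed out as whole cores on hyperthreaded instances, and a placeholder path for the enclave image file.

```shell
#!/bin/sh
# Added example, not from the AWS post. Enclave CPU allocation per the rule above:
# every vCPU except one full core (2 vCPUs on hyperthreaded instances) may go to
# the enclave; the parent keeps the rest. threads_per_core is 1 or 2.

# Largest enclave vCPU count for a given instance size.
max_enclave_vcpus() {
  total_vcpus=$1
  threads_per_core=$2
  reserved=$threads_per_core            # one full core stays with the parent
  remaining=$((total_vcpus - reserved))
  # Assumption: enclave vCPUs are allocated as whole cores, so round down to a
  # multiple of threads_per_core.
  echo $((remaining - remaining % threads_per_core))
}

# Validate a requested allocation before launching; returns 0 if acceptable.
check_enclave_request() {
  total_vcpus=$1; threads_per_core=$2; requested=$3
  limit=$(max_enclave_vcpus "$total_vcpus" "$threads_per_core")
  if [ "$requested" -lt "$threads_per_core" ]; then
    echo "need at least one full core ($threads_per_core vCPUs)" >&2; return 1
  fi
  if [ $((requested % threads_per_core)) -ne 0 ]; then
    echo "vCPU count must be a multiple of $threads_per_core (whole cores)" >&2; return 1
  fi
  if [ "$requested" -gt "$limit" ]; then
    echo "requested $requested vCPUs but at most $limit may leave the parent" >&2; return 1
  fi
  return 0
}

# Launch on the live instance using the computed maximum. Assumes a Nitro-based
# EC2 instance with the Nitro Enclaves CLI installed; the EIF path is a placeholder.
launch_example() {
  vcpus=$(nproc)
  tpc=$(lscpu | awk -F: '/^Thread\(s\) per core/ {gsub(/ /,"",$2); print $2}')
  want=$(max_enclave_vcpus "$vcpus" "$tpc")
  check_enclave_request "$vcpus" "$tpc" "$want" || return 1
  nitro-cli run-enclave --cpu-count "$want" --memory 1024 --eif-path /path/to/app.eif
}
```

On an 8-vCPU hyperthreaded instance the helper yields 6 enclave vCPUs, matching the post's "all but one core" rule; `launch_example` is only a template and is not invoked by the script.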

