ajewellamz
commented
1 year ago Thank you for reaching out.
While supporting attestations in the AWS Encryption SDK is a good enhancement feature, it’s currently not on our roadmap.”
Open sudhirj opened 2 years ago
ajewellamz
commented
1 year ago Thank you for reaching out.
While supporting attestations in the AWS Encryption SDK is a good enhancement feature, it’s currently not on our roadmap.”
Problem:
We're running code inside Nitro Enclaves that needs to encrypt and decrypt very sensitive data, and would like to use the Encryption SDK. To make sure that KMS only services signed code running inside the Enclave, we use attestation rules as described in https://docs.aws.amazon.com/enclaves/latest/user/set-up-attestation.html
From what we can see the AWS Encryption SDK does not support attestation yet, so KMS requests will fail when running inside the Enclave, even if the vsock-proxy is configured to forward KMS requests.
Solution:
Implement support for calling KMS with attestation, as seen in https://github.com/aws/aws-nitro-enclaves-sdk-c/tree/main/source
Or if this is already supported a note stating that, along with vsock-proxy requirement notes would be very helpful.
Out of scope:
GenerateDataKeyandDecryptseem to be the biggest candidates to add this for, might not need to bother with any other operations.