Closed frankwese closed 2 months ago
@frankwese A few things for you to check:
Example: aws ec2 describe-vpc-endpoints --query "VpcEndpoints[?ServiceName=='com.amazonaws.[region].kms']" --output table
Security Controls: Check the security groups associated with the VPC endpoint to ensure they permit traffic from the subnet where your application resides.
Policy Review: Review the endpoint policy to verify that it allows the necessary KMS actions and resources required by your application.
Example: aws ec2 describe-vpc-endpoints --vpc-endpoint-ids [endpoint-id]
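The three checks in the comment above, as an added offline example (not code from the thread or from the Nitro Enclaves SDK). It runs over a constructed, trimmed sample of the JSON that `aws ec2 describe-vpc-endpoints` and `aws ec2 describe-security-groups` return; the endpoint id, security-group id, subnet CIDR and endpoint policy are made-up values, and the policy evaluation is deliberately simplified (explicit Deny wins, otherwise an Allow must match every needed action; Condition blocks are ignored). It also checks PrivateDnsEnabled, because that is what makes the regional hostname kms.<region>.amazonaws.com resolve to the endpoint from inside the VPC.

```python
import fnmatch
import ipaddress
import json

REGION = "eu-central-1"
APP_SUBNET_CIDR = "10.0.1.0/24"    # assumed subnet of the parent instance
NEEDED_ACTIONS = ("kms:Decrypt",)  # what the enclave workload calls

# Constructed sample of `aws ec2 describe-vpc-endpoints` output (trimmed).
SAMPLE_ENDPOINTS = {
    "VpcEndpoints": [{
        "VpcEndpointId": "vpce-0123456789abcdef0",
        "VpcEndpointType": "Interface",
        "ServiceName": "com.amazonaws.eu-central-1.kms",
        "State": "available",
        "PrivateDnsEnabled": True,
        "Groups": [{"GroupId": "sg-0abc", "GroupName": "kms-endpoint-sg"}],
        # The API returns the endpoint policy as a JSON string.
        "PolicyDocument": json.dumps({
            "Version": "2012-10-17",
            "Statement": [{"Effect": "Allow", "Principal": "*",
                           "Action": ["kms:Decrypt", "kms:GenerateDataKey"],
                           "Resource": "*"}],
        }),
    }]
}

# Constructed sample of `aws ec2 describe-security-groups` output (trimmed).
SAMPLE_SECURITY_GROUPS = {
    "SecurityGroups": [{
        "GroupId": "sg-0abc",
        "IpPermissions": [{"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443,
                           "IpRanges": [{"CidrIp": "10.0.1.0/24"}]}],
    }]
}


def find_kms_endpoint(endpoints, region=REGION):
    """Return the interface endpoint for KMS in `region`, or None."""
    for ep in endpoints["VpcEndpoints"]:
        if (ep["ServiceName"] == f"com.amazonaws.{region}.kms"
                and ep["VpcEndpointType"] == "Interface"):
            return ep
    return None


def sg_allows_https_from(sgs, group_ids, cidr):
    """True if one of the endpoint's security groups lets TCP/443 in from `cidr`."""
    want = ipaddress.ip_network(cidr)
    for sg in sgs["SecurityGroups"]:
        if sg["GroupId"] not in group_ids:
            continue
        for perm in sg["IpPermissions"]:
            if perm["IpProtocol"] == "-1":          # all traffic
                port_ok = True
            elif perm["IpProtocol"] == "tcp":
                port_ok = perm["FromPort"] <= 443 <= perm["ToPort"]
            else:
                continue
            if port_ok and any(want.subnet_of(ipaddress.ip_network(r["CidrIp"]))
                               for r in perm.get("IpRanges", [])):
                return True
    return False


def policy_allows(policy_json, needed_actions):
    """Simplified IAM evaluation of the endpoint policy (no Condition handling)."""
    statements = json.loads(policy_json)["Statement"]
    if isinstance(statements, dict):
        statements = [statements]

    def matches(stmt, action):
        acts = stmt.get("Action", [])
        acts = [acts] if isinstance(acts, str) else acts
        return any(fnmatch.fnmatchcase(action.lower(), pat.lower()) for pat in acts)

    for action in needed_actions:
        if any(s["Effect"] == "Deny" and matches(s, action) for s in statements):
            return False
        if not any(s["Effect"] == "Allow" and matches(s, action) for s in statements):
            return False
    return True


def check_endpoint(endpoints=SAMPLE_ENDPOINTS, sgs=SAMPLE_SECURITY_GROUPS,
                   app_cidr=APP_SUBNET_CIDR, needed=NEEDED_ACTIONS):
    """Run the checklist; every value should be True for a working endpoint."""
    ep = find_kms_endpoint(endpoints)
    if ep is None:
        return {"endpoint_present": False}
    return {
        "endpoint_present": True,
        "available": ep["State"] == "available",
        "private_dns": bool(ep.get("PrivateDnsEnabled", False)),
        "sg_allows_app_subnet": sg_allows_https_from(
            sgs, {g["GroupId"] for g in ep["Groups"]}, app_cidr),
        "policy_allows_actions": policy_allows(ep["PolicyDocument"], needed),
    }


if __name__ == "__main__":
    for name, ok in check_endpoint().items():
        print(f"{name}: {'OK' if ok else 'FAIL'}")
```

To run it against a real account, replace the two SAMPLE_ dicts with `json.load` of the CLI output for your region; the security-group check needs the groups listed under the endpoint's `Groups`, so query those ids with `describe-security-groups`.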
Just to clarify:
The host instance currently runs in an isolated subnet.
After setting up a socat pipe on the host instance:
socat vsock-listen:8000,reuseaddr,fork tcp-connect:kms.eu-central-1.amazonaws.com:443 &
and in the enclave:
echo "127.0.0.1 local.kms.eu-central-1.vpce.amazonaws.com" >> /etc/hosts
socat tcp-listen:1443,reuseaddr,fork vsock-connect:2:8000 &
I am able to do:
aws kms decrypt --ciphertext-blob "${encrypted_pwd}" --endpoint-url "https://local.kms.eu-central-1.vpce.amazonaws.com:1443" --query Plaintext --output text | base64 -d
I want to use the kmstool_enclave_cli because it includes the attestation document into the request
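The two socat commands in the comment above are the same operation on both sides: accept on one socket, connect to another, then copy bytes in both directions. Below is an added example of that forwarder in Python (not code from the thread or from the Nitro Enclaves SDK). `enclave_side` mirrors the enclave socat line (127.0.0.1:1443 to the parent's vsock port 8000) and `host_side` mirrors the host line (vsock port 8000 to kms.eu-central-1.amazonaws.com:443); port numbers other than those two, and the loopback test at the bottom, which chains two TCP hops through an echo server in place of the vsock hop because vsock needs a real enclave, are assumptions for the example.

```python
import socket
import threading

VMADDR_CID_HOST = 2  # the parent instance as seen from inside an enclave


def tcp_listen(host, port):
    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    s.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)  # socat's reuseaddr
    s.bind((host, port))
    s.listen(16)
    return s


def vsock_listen(port):
    s = socket.socket(socket.AF_VSOCK, socket.SOCK_STREAM)  # Linux only
    s.bind((socket.VMADDR_CID_ANY, port))
    s.listen(16)
    return s


def tcp_connect(host, port):
    s = socket.create_connection((host, port), timeout=10)
    s.settimeout(None)  # timeout only for the connect, not for the stream
    return s


def vsock_connect(cid, port):
    s = socket.socket(socket.AF_VSOCK, socket.SOCK_STREAM)
    s.connect((cid, port))
    return s


def _pump(src, dst):
    """Copy src -> dst until EOF, then half-close dst so the peer sees EOF too."""
    try:
        while True:
            chunk = src.recv(65536)
            if not chunk:
                break
            dst.sendall(chunk)
    except OSError:
        pass
    finally:
        try:
            dst.shutdown(socket.SHUT_WR)
        except OSError:
            pass


class Forwarder:
    """Accept on `listener`, open an upstream via `connect()`, pump both ways (socat ...,fork)."""

    def __init__(self, listener, connect):
        self.listener, self.connect = listener, connect
        self.thread = threading.Thread(target=self._serve, daemon=True)

    def start(self):
        self.thread.start()
        return self

    def _serve(self):
        while True:
            try:
                client, _ = self.listener.accept()
            except OSError:
                return
            threading.Thread(target=self._handle, args=(client,), daemon=True).start()

    def _handle(self, client):
        try:
            upstream = self.connect()
        except OSError:
            client.close()
            return
        back = threading.Thread(target=_pump, args=(upstream, client), daemon=True)
        back.start()
        _pump(client, upstream)   # client -> upstream on this thread
        back.join()               # wait for upstream -> client to drain
        client.close()
        upstream.close()


def enclave_side(local_port=1443, proxy_port=8000):
    """Inside the enclave: 127.0.0.1:local_port -> parent vsock port proxy_port."""
    return Forwarder(tcp_listen("127.0.0.1", local_port),
                     lambda: vsock_connect(VMADDR_CID_HOST, proxy_port)).start()


def host_side(proxy_port=8000, target=("kms.eu-central-1.amazonaws.com", 443)):
    """On the parent instance: vsock port proxy_port -> the KMS endpoint."""
    return Forwarder(vsock_listen(proxy_port), lambda: tcp_connect(*target)).start()


def _echo_server(listener):
    """Constructed stand-in for KMS: echoes whatever it receives, then closes."""
    def serve():
        while True:
            try:
                c, _ = listener.accept()
            except OSError:
                return
            threading.Thread(target=lambda c=c: (_pump(c, c), c.close()), daemon=True).start()
    threading.Thread(target=serve, daemon=True).start()


def loopback_roundtrip(payload):
    """Two TCP hops on loopback (standing in for the vsock hop) through the echo server."""
    echo = tcp_listen("127.0.0.1", 0)
    _echo_server(echo)
    hop2 = tcp_listen("127.0.0.1", 0)  # plays the host-side socat
    Forwarder(hop2, lambda: tcp_connect(*echo.getsockname())).start()
    hop1 = tcp_listen("127.0.0.1", 0)  # plays the enclave-side socat
    Forwarder(hop1, lambda: tcp_connect(*hop2.getsockname())).start()
    with tcp_connect(*hop1.getsockname()) as c:
        c.sendall(payload)
        c.shutdown(socket.SHUT_WR)
        out = b""
        while True:
            chunk = c.recv(65536)
            if not chunk:
                break
            out += chunk
    return out
```

The forwarder is transport only: the enclave client still negotiates TLS end to end with the endpoint through the pipe, which is why the hostname it is given (here local.kms.eu-central-1.vpce.amazonaws.com, mapped to 127.0.0.1 in /etc/hosts) must be one the endpoint's certificate actually covers, and why the forwarder never needs the certificate itself.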
@frankwese we can actually do this natively with our SDK, so if you're interested in trying our platform with Nitro, it might be your easy button.
Thanks for the link @domeger. Actually it turned out that one has to provide the --region parameter with kmstool.
My parent host is in an isolated subnet, so I created a VPC endpoint. From the parent host it is working, but when the enclave tries to decrypt using kmstool_enclave_cli decrypt ... it fails with the error message "Certificate is untrusted (Error encountered in /tmp/crt-builder/s2n-tls/tls/s2n_x509_validator.c:228)" when using a VPC endpoint.