aws / aws-nitro-enclaves-sdk-c

This repo provides a C API for AWS Nitro Enclaves, including a KMS SDK that integrates it with attestation.
Apache License 2.0

Can I forbid the KMS "Decrypt" operation outside Nitro enclave? #100

Open raindust opened 1 year ago

raindust commented 1 year ago

I have followed the kms tool example doc and decrypted the ciphertext successfully, but I can also decrypt it outside the Nitro enclave if I add additional actions (including the Decrypt action) within the KMS policy when creating the KMS key.

Is there a way we can check that the "Decrypt" action only exists in the enclave role (and refuse to use the KMS key if not)? It's important for a Byzantine Fault Tolerance program.

The following is an example KMS policy file that worked for the kms tool example doc in debug mode but can Decrypt outside the enclave:

{
    "Version": "2012-10-17",
    "Id": "key-consolepolicy-3",
    "Statement": [
        {
            "Sid": "Enable IAM User Permissions",
            "Effect": "Allow",
            "Principal": {
                "AWS": "arn:aws:iam::000000000000:root"
            },
            "Action": "kms:*",
            "Resource": "*"
        },
        {
            "Sid": "Allow access for Key Administrators",
            "Effect": "Allow",
            "Principal": {
                "AWS": "arn:aws:iam::000000000000:role/KMS-admin"
            },
            "Action": [
                "kms:Create*",
                "kms:Describe*",
                "kms:Enable*",
                "kms:List*",
                "kms:Put*",
                "kms:Update*",
                "kms:Revoke*",
                "kms:Disable*",
                "kms:Get*",
                "kms:Delete*",
                "kms:TagResource",
                "kms:UntagResource",
                "kms:ScheduleKeyDeletion",
                "kms:CancelKeyDeletion"
            ],
            "Resource": "*"
        },
        {
            "Sid": "Enable decrypt from enclave",
            "Effect": "Allow",
            "Principal": {
                "AWS": "arn:aws:iam::000000000000:role/KMS-test"
            },
            "Action": "kms:Decrypt",
            "Resource": "*",
            "Condition": {
                "StringEqualsIgnoreCase": {
                    "kms:RecipientAttestation:ImageSha384": "000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000"
                }
            }
        },
        {
            "Sid": "Enable encrypt from instance",
            "Effect": "Allow",
            "Principal": {
                "AWS": "arn:aws:iam::580177110170:role/KMS-test"
            },
            "Action": "kms:Encrypt",
            "Resource": "*"
        }
    ]
}
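The check the question asks for can be done against the key policy itself before the key is used. The following is an added example, not code from this repository or from the issue author: a small linter that walks the Allow statements of a KMS key policy and reports every one through which `kms:Decrypt` is reachable (directly, via `kms:*`, or via a trailing wildcard such as `kms:De*`) without a `kms:RecipientAttestation:*` condition, and separately flags a condition that pins an all-zero measurement, which is what a debug-mode enclave reports. The embedded policy is a constructed, trimmed copy of the one posted above; the account id and measurement are placeholders. The root-principal statement is reported too, because it lets IAM policies in the account grant Decrypt to principals that never attest, which is the path the question describes.

```go
package main

import (
	"encoding/json"
	"fmt"
	"strings"
)

// SamplePolicy is a constructed, trimmed copy of the policy in the question.
var SamplePolicy = `{
  "Version": "2012-10-17",
  "Statement": [
    {"Sid": "Enable IAM User Permissions", "Effect": "Allow",
     "Principal": {"AWS": "arn:aws:iam::000000000000:root"},
     "Action": "kms:*", "Resource": "*"},
    {"Sid": "Allow access for Key Administrators", "Effect": "Allow",
     "Principal": {"AWS": "arn:aws:iam::000000000000:role/KMS-admin"},
     "Action": ["kms:Describe*", "kms:Delete*", "kms:Disable*"], "Resource": "*"},
    {"Sid": "Enable decrypt from enclave", "Effect": "Allow",
     "Principal": {"AWS": "arn:aws:iam::000000000000:role/KMS-test"},
     "Action": "kms:Decrypt", "Resource": "*",
     "Condition": {"StringEqualsIgnoreCase": {
       "kms:RecipientAttestation:ImageSha384": "` + strings.Repeat("0", 96) + `"}}},
    {"Sid": "Enable encrypt from instance", "Effect": "Allow",
     "Principal": {"AWS": "arn:aws:iam::000000000000:role/KMS-test"},
     "Action": "kms:Encrypt", "Resource": "*"}
  ]
}`

// statement keeps only the fields the check reads. Action and condition
// values may be a string or an array, so they are decoded loosely.
type statement struct {
	Sid       string                            `json:"Sid"`
	Effect    string                            `json:"Effect"`
	Action    interface{}                       `json:"Action"`
	Condition map[string]map[string]interface{} `json:"Condition"`
}

type policy struct {
	Statement []statement `json:"Statement"`
}

// asStrings normalises a JSON value that is a string or an array of strings.
func asStrings(v interface{}) []string {
	switch t := v.(type) {
	case string:
		return []string{t}
	case []interface{}:
		var out []string
		for _, e := range t {
			if s, ok := e.(string); ok {
				out = append(out, s)
			}
		}
		return out
	}
	return nil
}

// grantsDecrypt reports whether an action pattern covers kms:Decrypt; KMS
// action names allow a trailing wildcard ("kms:*", "kms:De*").
func grantsDecrypt(action string) bool {
	a := strings.ToLower(action)
	if a == "*" || a == "kms:decrypt" {
		return true
	}
	return strings.HasSuffix(a, "*") && strings.HasPrefix("kms:decrypt", strings.TrimSuffix(a, "*"))
}

// attestationCondition reports whether any kms:RecipientAttestation:* key is
// present, and whether one of its pinned values is all zeros (debug mode).
func attestationCondition(cond map[string]map[string]interface{}) (present, allZero bool) {
	for _, keys := range cond {
		for key, val := range keys {
			if !strings.HasPrefix(strings.ToLower(key), "kms:recipientattestation:") {
				continue
			}
			present = true
			for _, s := range asStrings(val) {
				if s != "" && strings.Trim(s, "0") == "" {
					allZero = true
				}
			}
		}
	}
	return present, allZero
}

// LintDecrypt returns one finding per Allow statement through which
// kms:Decrypt can be reached without a matching enclave attestation.
func LintDecrypt(policyJSON []byte) ([]string, error) {
	var doc policy
	if err := json.Unmarshal(policyJSON, &doc); err != nil {
		return nil, err
	}
	var findings []string
	for _, st := range doc.Statement {
		if !strings.EqualFold(st.Effect, "Allow") {
			continue
		}
		reachable := false
		for _, a := range asStrings(st.Action) {
			if grantsDecrypt(a) {
				reachable = true
			}
		}
		if !reachable {
			continue
		}
		present, allZero := attestationCondition(st.Condition)
		switch {
		case !present:
			findings = append(findings, st.Sid+": allows kms:Decrypt with no kms:RecipientAttestation condition (callable outside an enclave)")
		case allZero:
			findings = append(findings, st.Sid+": pins an all-zero measurement, which is what a debug-mode enclave reports")
		}
	}
	return findings, nil
}

func main() {
	findings, err := LintDecrypt([]byte(SamplePolicy))
	if err != nil {
		panic(err)
	}
	for _, f := range findings {
		fmt.Println(f)
	}
}
```

Run against the posted policy the linter reports two statements: the root-principal `kms:*` grant, and the enclave statement whose pinned measurement is the debug-mode zero value. A policy that passes this check still depends on the real image measurement being pinned and on no IAM policy granting Decrypt separately, so it is a pre-deployment gate rather than a substitute for the attestation itself.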
alcioa commented 1 year ago

In production mode, the enclave PCR values are in the attestation document. When using this SDK for decrypting inside the enclave, a keypair is also generated and the public part is sent to the attestation endpoint. There you have the validation based on the enclave measurements against your policy. After that, the response is encrypted and sent back and can only be decrypted by the enclave.

Even if the instance has access to the PCRs and the attestation document (which are no secret), it cannot decrypt the response that was meant for the enclave. See https://docs.aws.amazon.com/kms/latest/developerguide/services-nitro-enclaves.html
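The exchange described in this answer, as an added example that is not part of the SDK or of the original reply: an enclave generates a keypair and publishes the public half in its attestation document, a stand-in for KMS checks the measurement against the policy and returns the plaintext encrypted to that public key, and the parent instance, which sees both the document and the response, cannot recover anything. The model is simplified: the real attestation document is COSE-signed by the Nitro hypervisor and KMS verifies that chain, and the real response is a CMS EnvelopedData structure rather than a bare RSA-OAEP encryption. The PCR0 values, the secret and all type names are constructed for the example.

```go
package main

import (
	"bytes"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"errors"
	"fmt"
	"strings"
)

// AttestationDoc models the two fields of a Nitro attestation document that
// matter here. Signature verification by KMS is omitted in this model.
type AttestationDoc struct {
	PCR0      string         // hex image measurement; all zeros in debug mode
	PublicKey *rsa.PublicKey // generated inside the enclave; private half never leaves it
}

// Enclave owns the private key. Nothing outside the enclave ever sees it.
type Enclave struct {
	priv *rsa.PrivateKey
	pcr0 string
}

func NewEnclave(pcr0 string) (*Enclave, error) {
	priv, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		return nil, err
	}
	return &Enclave{priv: priv, pcr0: pcr0}, nil
}

// Attest returns the document sent to KMS as the Recipient parameter. Nothing
// in it is secret, so the parent instance may read and forward it freely.
func (e *Enclave) Attest() AttestationDoc {
	return AttestationDoc{PCR0: e.pcr0, PublicKey: &e.priv.PublicKey}
}

// Open unwraps CiphertextForRecipient with the enclave's private key.
func (e *Enclave) Open(ciphertextForRecipient []byte) ([]byte, error) {
	return rsa.DecryptOAEP(sha256.New(), rand.Reader, e.priv, ciphertextForRecipient, nil)
}

// KMS models the key-policy condition and the recipient-bound response.
type KMS struct {
	allowedPCR0 string // value pinned by the kms:RecipientAttestation:PCR0 condition
	secret      []byte // plaintext the key protects (a data key, for instance)
}

// Decrypt stands in for kms:Decrypt called with the Recipient parameter: the
// plaintext is returned only encrypted to the attested public key.
func (k *KMS) Decrypt(doc AttestationDoc) ([]byte, error) {
	if !strings.EqualFold(doc.PCR0, k.allowedPCR0) {
		return nil, errors.New("AccessDeniedException: attestation PCR0 does not satisfy the key policy")
	}
	return rsa.EncryptOAEP(sha256.New(), rand.Reader, doc.PublicKey, k.secret, nil)
}

// Demo runs the exchange for a production enclave, the parent instance that
// relays its traffic, and a debug-mode enclave, and reports the outcome of each.
func Demo() (enclavePlain []byte, instanceSeesPlain bool, debugDenied bool, err error) {
	prodPCR0 := strings.Repeat("ab", 48) // constructed 96-hex-char measurement
	kms := &KMS{allowedPCR0: prodPCR0, secret: []byte("data key bytes")}

	enclave, err := NewEnclave(prodPCR0)
	if err != nil {
		return nil, false, false, err
	}
	doc := enclave.Attest()          // passes through the parent instance in clear
	response, err := kms.Decrypt(doc) // CiphertextForRecipient
	if err != nil {
		return nil, false, false, err
	}
	// The parent instance holds doc and response but no private key; the most it
	// can do is look for the plaintext in the response, and it is not there.
	instanceSeesPlain = bytes.Contains(response, kms.secret)
	enclavePlain, err = enclave.Open(response)
	if err != nil {
		return nil, false, false, err
	}

	// Debug mode: PCR0 is all zeros, so the policy condition does not match.
	debug, err := NewEnclave(strings.Repeat("0", 96))
	if err != nil {
		return nil, false, false, err
	}
	_, denyErr := kms.Decrypt(debug.Attest())
	return enclavePlain, instanceSeesPlain, denyErr != nil, nil
}

func main() {
	plain, leaked, denied, err := Demo()
	if err != nil {
		panic(err)
	}
	fmt.Printf("enclave recovered %q; instance saw plaintext: %v; debug enclave denied: %v\n", plain, leaked, denied)
}
```

The point the model makes concrete is that the access decision and the confidentiality of the result are separate mechanisms: the policy condition decides whether KMS answers at all, and binding the answer to the attested public key decides who can read it, so a host that can observe every byte on the vsock still learns nothing.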