A cloud server with no network, no persistent storage, and no user access – what is AWS thinking?

AWS has introduced a new variant of its EC2 IaaS service that offers no external network connectivity, no persistent storage, and no user access – not even a root user or an admin user on the instance can access or SSH into the instance.

No, AWS hasn’t lost its marbles: the new offer is called “Nitro Enclaves” and is intended to offer a safe place in which to process confidential data.

As the cloud colossus’s Jeff Barr explained, enclaves are offered for users who want more than the security and isolation available in a virtual private cloud.

While enclaves can still run on hardware shared with other EC2 instances, they get an independent kernel and exclusive access to memory and CPU resources. They also connect to a “parent” EC2 instance that connects to the enclave over a virtual socket. That socket is the only way data gets in or out.

Enclaves are a new use of the “Nitro” hypervisor that AWS introduced in 2017. Barr explained its role as follows:

Barr also said: “All data flowing into and out of an enclave moves across a local virtual socket (vsock) connection that terminates on the EC2 instance.”

Enclaves are available on any instance that runs Nitro, which currently includes the M5, C5, R5, T3, I3, A1, P3dn, z1d, and High Memory instance type. You’ll also need an AMI that runs a new CLI dedicated to spawning enclaves, which you can find on GitHub.

And they don’t cost any more than any other EC2 instance.

For now, AWS will let you drive one enclave from an EC2 instance, but the company plans to support multiple enclaves “in the future”. ®

Leave a Reply

Your email address will not be published. Required fields are marked *