implementing-aws-nitro-enclave-security

Featured

Implements AWS Nitro Enclave-based confidential computing environments with cryptographic attestation, KMS policy integration using PCR-based condition keys, and secure vsock communication channels. The practitioner builds enclave images, configures attestation-aware KMS policies, validates attestation documents against the AWS Nitro PKI root of trust, and establishes isolated computation pipelines for processing sensitive data such as PII, cryptographic keys, and healthcare records. Activates for requests involving Nitro Enclave setup, enclave attestation validation, confidential computing on AWS, or KMS enclave policy configuration.

AI & Automation 13,115 stars 1533 forks Updated today Apache-2.0

Install

View on GitHub

Quality Score: 99/100

Stars 20%
100
Recency 20%
100
Frontmatter 20%
70
Documentation 15%
100
Issue Health 10%
50
License 10%
100
Description 5%
100

Skill Content

# Implementing AWS Nitro Enclave Security ## When to Use - Processing sensitive data (PII, PHI, financial records, cryptographic secrets) that must be isolated from EC2 instance operators and administrators - Building confidential computing pipelines where even root-level access on the parent instance cannot read enclave memory or state - Implementing cryptographic attestation workflows that tie KMS decryption rights to a specific, verified enclave image hash - Deploying multi-party computation environments where two or more enclaves authenticate each other via attestation before exchanging data - Hardening existing workloads that currently decrypt secrets on the parent instance by migrating decryption into an enclave boundary **Do not use** when the workload does not handle sensitive data that requires hardware-level isolation, when the instance type does not support Nitro Enclaves (requires Nitro-based instances with at least 4 vCPUs), or when latency constraints make the vsock communication overhead unacceptable. ## Prerequisites - An AWS account with permissions to launch Nitro-capable EC2 instances (m5.xlarge or larger, C5, R5, M6i families) - AWS CLI v2 and the `nitro-cli` toolset installed on the parent EC2 instance (Amazon Linux 2 or AL2023) - Docker installed on the parent instance for building enclave image files (EIF) - An AWS KMS symmetric key with key policy permissions for the enclave's IAM role - The `aws-nitro-enclaves-sdk-c` or Python `aws-encryption-sdk...

Details

Author
mukul975
Repository
mukul975/Anthropic-Cybersecurity-Skills
Created
3 months ago
Last Updated
today
Language
Python
License
Apache-2.0

Similar Skills

Semantically similar based on skill content — not just same category

AI & Automation Featured

implementing-envelope-encryption-with-aws-kms

Envelope encryption is a strategy where data is encrypted with a data encryption key (DEK), and the DEK itself is encrypted with a master key (KEK) managed by AWS KMS. This approach allows encrypting

13,115 Updated today
mukul975
DevOps & Infrastructure Solid

aws-cloudformation-security

Provides AWS CloudFormation patterns for security infrastructure including KMS encryption, Secrets Manager, IAM security, VPC security, ACM certificates, parameter security, outputs, and secure cross-stack references. Use when implementing security best practices, encrypting data, managing secrets, applying least privilege IAM policies, securing VPC configurations, managing TLS/SSL certificates, and implementing defense in depth strategies.

263 Updated 1 weeks ago
giuseppe-trisciuoglio
AI & Automation Featured

implementing-privileged-access-management-with-cyberark

Deploy CyberArk Privileged Access Management to discover, vault, rotate, and monitor privileged credentials across enterprise infrastructure. This skill covers vault architecture, session isolation, c

13,115 Updated today
mukul975
AI & Automation Featured

implementing-hashicorp-vault-dynamic-secrets

Implements HashiCorp Vault dynamic secrets engines for database credentials, AWS IAM keys, and PKI certificates with automatic generation, lease management, and credential rotation to eliminate static secrets in application configurations. Activates for requests involving Vault secrets engine configuration, dynamic database credentials, ephemeral cloud credentials, or automated secret rotation.

13,115 Updated today
mukul975
AI & Automation Solid

embedded-crypto

Embedded cryptographic operations and secure element integration. Expert skill for hardware crypto accelerators, secure key storage, TrustZone configuration, and side-channel attack mitigation.

1,160 Updated today
a5c-ai