1
00:00:00,000 --> 00:00:02,460
So now let's talk about Nitro Enclaves.

2
00:00:02,460 --> 00:00:04,680
So the idea is that sometimes in the cloud

3
00:00:04,680 --> 00:00:07,230
you wanna process highly sensitive data,

4
00:00:07,230 --> 00:00:10,470
and you wanna process it in an isolated compute environment.

5
00:00:10,470 --> 00:00:13,410
So the sensitive data may be, for example, PII data,

6
00:00:13,410 --> 00:00:17,280
so personally identifiable information, or healthcare data,

7
00:00:17,280 --> 00:00:20,220
financial data, credit card data, whatever you want.

8
00:00:20,220 --> 00:00:22,860
And historically, if you wanted to create

9
00:00:22,860 --> 00:00:25,020
this very isolated compute environment,

10
00:00:25,020 --> 00:00:27,930
you would create a new VPC, you would restrict access to it,

11
00:00:27,930 --> 00:00:29,610
you would restrict the networking, and so on,

12
00:00:29,610 --> 00:00:30,960
and that would be cumbersome.

13
00:00:30,960 --> 00:00:34,020
So instead, what you can use is Nitro Enclaves.

14
00:00:34,020 --> 00:00:35,820
Nitro Enclaves are virtual machines

15
00:00:35,820 --> 00:00:37,560
that are super isolated.

16
00:00:37,560 --> 00:00:39,690
They're hardened and they're highly constrained.

17
00:00:39,690 --> 00:00:42,870
So it's not a container, it doesn't have persistent storage,

18
00:00:42,870 --> 00:00:46,020
it doesn't have interactive access, you cannot SSH into it.

19
00:00:46,020 --> 00:00:47,310
There's no external networking.

20
00:00:47,310 --> 00:00:49,560
So it's really, really contained.

21
00:00:49,560 --> 00:00:51,690
And the idea is that this is where you want

22
00:00:51,690 --> 00:00:53,850
to do your data processing.

23
00:00:53,850 --> 00:00:55,680
So by creating a Nitro Enclave

24
00:00:55,680 --> 00:00:57,930
you're going to reduce the attack surface

25
00:00:57,930 --> 00:01:00,510
for very sensitive data processing apps.

26
00:01:00,510 --> 00:01:02,670
On top of it, you can make sure that,

27
00:01:02,670 --> 00:01:05,010
thanks to Cryptographic Attestation,

28
00:01:05,010 --> 00:01:08,550
only authorized code can be running in your Enclave,

29
00:01:08,550 --> 00:01:09,930
and you would sign the code

30
00:01:09,930 --> 00:01:12,810
and then only the signed code can be running in your Enclave.

31
00:01:12,810 --> 00:01:14,550
And on top of it, you can guarantee,

32
00:01:14,550 --> 00:01:16,020
thanks to KMS encryption,

33
00:01:16,020 --> 00:01:19,860
that only the Enclaves can access your sensitive data.

34
00:01:19,860 --> 00:01:21,900
So the use cases for Nitro Enclaves are

35
00:01:21,900 --> 00:01:24,960
whenever you want to do private key processing,

36
00:01:24,960 --> 00:01:26,490
processing credit cards,

37
00:01:26,490 --> 00:01:29,400
or secure multi-party computation, and so on.

38
00:01:29,400 --> 00:01:33,120
So this gives you the highest level of security on EC2.

39
00:01:33,120 --> 00:01:34,170
So how does that work?

40
00:01:34,170 --> 00:01:35,280
Well, you're going to launch

41
00:01:35,280 --> 00:01:38,160
a compatible Nitro-based EC2 instance,

42
00:01:38,160 --> 00:01:41,700
and you're going to set the 'EnclaveOptions' to 'true'

43
00:01:41,700 --> 00:01:44,040
which will allow you to launch

44
00:01:44,040 --> 00:01:47,340
from within the EC2 instance, a Nitro Enclave.

45
00:01:47,340 --> 00:01:49,350
Then you use the Nitro CLI to convert your app

46
00:01:49,350 --> 00:01:52,050
into an Enclave image file, EIF.

47
00:01:52,050 --> 00:01:55,650
And then you use this as an input with the Nitro CLI

48
00:01:55,650 --> 00:01:58,500
to create an Enclave on your EC2 instance

49
00:01:58,500 --> 00:02:02,400
and it will share the VP, the memory, the CPU,

50
00:02:02,400 --> 00:02:03,600
and the kernel with the host

51
00:02:03,600 --> 00:02:06,840
but it will be very, very isolated within.

52
00:02:06,840 --> 00:02:09,210
So if you consider EC2 Hosts on AWS

53
00:02:09,210 --> 00:02:10,920
that are running on the Nitro Hypervisor.

54
00:02:10,920 --> 00:02:12,150
This is why it's called Nitro Enclave,

55
00:02:12,150 --> 00:02:15,000
because it leverages the Nitro Hypervisor.

56
00:02:15,000 --> 00:02:19,290
Then the EC2 instance has separation from your Enclave.

57
00:02:19,290 --> 00:02:22,590
They can just communicate over a secure local channel,

58
00:02:22,590 --> 00:02:23,610
but that's it.

59
00:02:23,610 --> 00:02:25,710
And then there will be of course separation

60
00:02:25,710 --> 00:02:28,590
from any other instance running on the same host,

61
00:02:28,590 --> 00:02:29,550
but you have the guarantee

62
00:02:29,550 --> 00:02:30,930
that the Enclave is going to be

63
00:02:30,930 --> 00:02:32,610
as secure as I told you before,

64
00:02:32,610 --> 00:02:34,830
with a lot of restrictions on it.

65
00:02:34,830 --> 00:02:35,663
That's it.

66
00:02:35,663 --> 00:02:36,930
You just need to know this concept at a high level.

67
00:02:36,930 --> 00:02:38,160
But I hope you liked it,

68
00:02:38,160 --> 00:02:40,113
and I will see you in the next lecture.
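The lecture's two guarantees (attestation proves which code is running; KMS lets only that code decrypt) meet in the KMS key policy. The fragment below is an added example, not part of the lecture or of any AWS sample: it allows kms:Decrypt only when the request carries an enclave attestation document whose PCR0 measurement matches the one printed by nitro-cli build-enclave for the EIF. The account id, role name and the PCR0 value are constructed placeholders; the condition key kms:RecipientAttestation:PCR0 and the StringEqualsIgnoreCase operator are the real ones KMS evaluates. A plain Decrypt call from the parent instance, with no attestation document, carries no such key, so the condition fails and the ciphertext stays unreadable outside the enclave.

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "AllowDecryptOnlyFromAttestedEnclave-EXAMPLE",
      "Effect": "Allow",
      "Principal": {
        "AWS": "arn:aws:iam::111122223333:role/ParentInstanceRole-PLACEHOLDER"
      },
      "Action": "kms:Decrypt",
      "Resource": "*",
      "Condition": {
        "StringEqualsIgnoreCase": {
          "kms:RecipientAttestation:PCR0": "PLACEHOLDER-PCR0-SHA384-HEX-FROM-nitro-cli-build-enclave"
        }
      }
    }
  ]
}
```

Rebuilding the EIF changes PCR0, so the policy must be updated on every release; that is the intended property, since it is what prevents unsigned or modified code from unlocking the data.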