AWS users can finally use Nitro Enclaves on Arm Graviton EC2 instances
Just don't forget Enclave data is held in memory and costs can ramp when processing digital reams
AWS has updated its Nitro Enclaves feature for confidential computing so users can now operate it on Arm-based Graviton EC2 instances.
The move means it is supported on the majority of Intel, AMD, and Arm-based EC2 instances that use the cloudy giant's Nitro technology.
Nitro Enclaves were first introduced a couple of years ago as a way for AWS users to create a secure space in which to process sensitive data such as financial details or intellectual property in the cloud. It is basically an implementation of a Trusted Execution Environment (TEE), like Intel's SGX technology, but overseen by the AWS Nitro System.
For isolation, each enclave runs with an independent kernel and exclusive memory and CPU resources. Enclaves have no external network connection and no persistent storage, and all communication between an enclave and the parent EC2 instance that created it is via a virtual socket (vsock) connection.
According to AWS, customers familiar with the price and performance of Arm-based Graviton instances (which run on AWS's in-house designed processor silicon) can now build and operate secure enclaves on Graviton-based instances.
- AWS buys 100+ diesel generators... and that's just for Irish datacenters
- AWS Snowball edge compute capacity snowballs beyond 100 vCPUs, 400GB of memory
- AWS targets desktop virtualization rigs with lift and shift to cloudy DaaS
- Amazon lets you rent Ubuntu Pro. Yes, it's Linux on the virtual desktop
There are no additional charges for using Nitro Enclaves other than the EC2 instances used, along with any other AWS services that are used with Nitro Enclaves. Each enclave is treated as a separate virtual machine, attached to a parent EC2 instance that runs the customer's application.
AWS made available EC2 instances based on its latest Graviton3 silicon earlier this year. As The Register reported at the time, these cost less for customers to operate than comparable x86 instances, and AWS claims they provide up to 25 percent better compute performance and faster cryptographic workload speeds compared to those based on the earlier Graviton2 chips.
There are downsides to Nitro Enclaves, of course – all the Enclave data is held in memory, which could potentially lead to high memory costs if you need to process large chunks of information in one go.
Nitro Enclaves is supported with the following Graviton-based instance types; C7g, C6g, C6gd, C6gn, M6g, M6gd, R6g, R6gd, and X2gd. AWS said thatmore supported instance types are coming soon. ®