Architecture
This solution has three components:
API Tier
- Amazon API Gateway is the initial entry point into the vault. API Gateway supports either a private configuration accessible only from within a VPC, or public access by integrating with an authentication solution such as Amazon Cognito (note: the public use case is not supported by this sample).
- An AWS Lambda function written in Python uses the Powertools for AWS Lambda library to serve the API endpoints. The function uses Amazon DynamoDB to persist metadata and an audit log of vault operations.
- An Amazon DynamoDB table persists the vault metadata (public key, encrypted secret key, encrypted attributes) and the audit log.
Decryption Tier
- Amazon EC2 instances are launched in an Amazon EC2 Auto Scaling group using launch templates.
- A Network Load Balancer (NLB) passes encrypted TLS traffic (port 443) through to the EC2 instances; the NLB does not terminate TLS.
- NGINX is the web server listening on port 443 and terminates TLS connections for the parent application.
- AWS Certificate Manager and the AWS Certificate Manager for Nitro Enclaves reference application automatically provision certificates for NGINX and keep the private key inside an enclave.
- The vsock proxy is a proxy server that runs on the parent instance and forwards vsock traffic from the enclave to the AWS Key Management Service (KMS).
- The parent application, written in Rust, retrieves IAM credentials from the EC2 instance metadata service (using IMDSv2), forwards the decryption request to the enclave over a vsock connection, and returns the enclave's response to the caller (the Lambda function).
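The credential retrieval the parent application performs is the two-step IMDSv2 exchange: a PUT that obtains a session token, then GETs that present that token. The following is an added example, not the sample's Rust parent application; it is written in Python (the language of the Lambda tier) so it runs stand-alone, and it talks to a constructed in-process mock of the metadata service on localhost rather than the real endpoint. The IMDS address, paths and header names are the real ones; the role name and credential values are placeholders.

```python
"""Added example: IMDSv2 credential retrieval against a constructed mock of the
EC2 instance metadata service. Not part of the vault sample's own code."""
import http.client
import json
import secrets
import threading
from http.server import BaseHTTPRequestHandler, HTTPServer

# Real IMDS endpoint and paths on EC2. The mock below listens on localhost
# instead, so IMDS_HOST is documentation only and is never contacted here.
IMDS_HOST = "169.254.169.254"
TOKEN_PATH = "/latest/api/token"
CREDS_PATH = "/latest/meta-data/iam/security-credentials/"
TOKEN_TTL_HEADER = "X-aws-ec2-metadata-token-ttl-seconds"
TOKEN_HEADER = "X-aws-ec2-metadata-token"

# Constructed sample data: the role name and credential values are placeholders.
MOCK_ROLE = "vault-parent-instance-role"
MOCK_CREDS = {
    "Code": "Success",
    "Type": "AWS-HMAC",
    "AccessKeyId": "ASIAEXAMPLEPLACEHOLDER",
    "SecretAccessKey": "placeholder-secret-access-key",
    "Token": "placeholder-session-token",
    "Expiration": "2030-01-01T00:00:00Z",
}


class MockImdsHandler(BaseHTTPRequestHandler):
    """Mimics IMDSv2: a session token is issued on PUT; every GET must present one."""

    issued_tokens = set()

    def log_message(self, *args):  # keep the example quiet
        pass

    def do_PUT(self):
        ttl = self.headers.get(TOKEN_TTL_HEADER, "")
        # IMDSv2 requires a TTL header of 1..21600 seconds on the token request.
        if self.path != TOKEN_PATH or not ttl.isdigit() or not 1 <= int(ttl) <= 21600:
            return self._reply(400, b"")
        token = secrets.token_urlsafe(32)
        self.issued_tokens.add(token)
        self._reply(200, token.encode())

    def do_GET(self):
        # A GET without a session token (the IMDSv1 pattern) is refused on an
        # IMDSv2-only instance; that is the property the parent app relies on.
        if self.headers.get(TOKEN_HEADER) not in self.issued_tokens:
            return self._reply(401, b"")
        if self.path == CREDS_PATH:
            self._reply(200, MOCK_ROLE.encode())
        elif self.path == CREDS_PATH + MOCK_ROLE:
            self._reply(200, json.dumps(MOCK_CREDS).encode())
        else:
            self._reply(404, b"")

    def _reply(self, status, body):
        self.send_response(status)
        self.send_header("Content-Length", str(len(body)))
        self.end_headers()
        self.wfile.write(body)


def _imds_request(host, port, method, path, headers=None):
    """One HTTP round trip; returns (status, body). A fresh connection per call."""
    conn = http.client.HTTPConnection(host, port, timeout=2)
    try:
        conn.request(method, path, headers=headers or {})
        resp = conn.getresponse()
        return resp.status, resp.read()
    finally:
        conn.close()


def fetch_instance_credentials(host, port, ttl_seconds=300):
    """IMDSv2 flow: PUT for a session token, then GET the role and its credentials."""
    status, token = _imds_request(host, port, "PUT", TOKEN_PATH,
                                  {TOKEN_TTL_HEADER: str(ttl_seconds)})
    if status != 200:
        raise RuntimeError(f"token request refused: {status}")
    auth = {TOKEN_HEADER: token.decode()}
    status, role = _imds_request(host, port, "GET", CREDS_PATH, auth)
    if status != 200:
        raise RuntimeError(f"role lookup refused: {status}")
    status, body = _imds_request(host, port, "GET", CREDS_PATH + role.decode(), auth)
    if status != 200:
        raise RuntimeError(f"credential fetch refused: {status}")
    return json.loads(body)


def tokenless_get_status(host, port):
    """Status an IMDSv1-style request (no token) receives; expected 401."""
    status, _ = _imds_request(host, port, "GET", CREDS_PATH)
    return status


def start_mock_imds():
    """Start the mock on an ephemeral localhost port; call .shutdown() when done."""
    server = HTTPServer(("127.0.0.1", 0), MockImdsHandler)
    threading.Thread(target=server.serve_forever, daemon=True).start()
    return server


if __name__ == "__main__":
    srv = start_mock_imds()
    host, port = srv.server_address
    print("tokenless GET ->", tokenless_get_status(host, port))
    creds = fetch_instance_credentials(host, port)
    print("credentials obtained for AccessKeyId", creds["AccessKeyId"])
    srv.shutdown()
```

The credentials returned this way are what the parent application places in the decryption request for the enclave, so that KMS authorizes the decrypt under the instance role's identity; requiring the session token (and enforcing IMDSv2-only on the instance) is what keeps a token-less request from the parent's network path from obtaining those credentials.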
Enclave Tier
This tier runs within a Nitro Enclave on an EC2 instance.
- kmstool-enclave-cli decrypts the secret key with AWS KMS, using the IAM credentials included in the request.
- The enclave application, written in Rust, decrypts the secret key in the request, then decrypts each encrypted attribute provided in the request. Attributes can be transformed using the Common Expression Language (CEL).