Security¶

This application employs Hybrid Public Key Encryption (HPKE) [RFC-9180] to encrypt data using DHKEM(P-384, HKDF-SHA384), HKDF-SHA384, AES-256-GCM.

Encryption of data is handled by hpke-py in the API.
Decryption of data is handled by rustls that uses AWS-LC for cryptographic operations (through aws-lc-rs) in the enclave.

HPKE Encryption

Best Practices¶

Data Perimeters¶

This solution implements the recommended practices for resource based policies and VPC endpoint policies to ensure only trusted identities can access the trusted resources from expected networks.

Permissions Boundaries¶

This solution deploys an IAM permissions boundary policy on all provisioned IAM roles to prevent priviledge escalation if an attacker were able to escalate privileges on the role.

Code Signing¶

All deployed Lambda functions have their code signed with AWS Signer to prevent modifications to the Lambda code after deployment.

DNS Firewall¶

An optional Route 53 Resolver DNS Firewall is configured by default to only allow DNS queries to *.amazonaws.com and the domain for the internal Network Load Balancer.

Identity Canaries¶

Two additional Lambda functions are deployed, one attached to the same VPC as the API Lambda function, and one not attached to any VPCs, that execute every minute attempting to calling kms:Decrypt against the first encrypted secret key found in DynamoDB. If the KMS key policy is inadvertantly modified to where the KMS Decrypt call succeeds, then a CloudWatch Alarm will be triggered.

Threat Model¶

To view the threat model, you can use threat-composer to load NitroVault_ThreatComposer.json