Problem:
We're running code inside Nitro Enclaves that needs to encrypt and decrypt very sensitive data, and would like to use the Encryption SDK. To make sure that KMS only services signed code running inside the Enclave, we use attestation rules as described in https://docs.aws.amazon.com/enclaves/latest/user/set-up-attestation.html
From what we can see the AWS Encryption SDK does not support attestation yet, so KMS requests will fail when running inside the Enclave, even if the vsock-proxy is configured to forward KMS requests.
Solution:
Implement support for calling KMS with attestation, as seen in https://github.com/aws/aws-nitro-enclaves-sdk-c/tree/main/source
Or, if this is already supported, a note stating that, along with notes on the vsock-proxy requirements, would be very helpful.
Out of scope:
GenerateDataKey and Decrypt seem to be the biggest candidates to add this for; might not need to bother with any other operations.