Anjuna Adds Support for Multi-Enclave Instances with AWS Nitro Enclaves for Greater Scalability and Efficiency

Ofir Azoulay-Rozanes
Director of Product Management
Published on Jun 13, 2023
We are excited to announce that Anjuna Confidential Computing Platform now supports multi-enclave instances on AWS Nitro Enclaves.
https://www.anjuna.io/blog/aws-nitro-enclaves-multi-enclave-instances-support

We are thrilled to announce support for multi-enclave instances with AWS Nitro Enclaves. This is good news for every Anjuna customer who wants to use AWS Nitro Enclaves efficiently, at scale, in their confidential computing environments.

Before delving into the details of this new capability, let's begin by explaining how Anjuna enhances and simplifies the use of AWS Nitro Enclaves.

Anjuna Simplifies and Strengthens AWS Nitro Enclaves

AWS Nitro Enclaves is a feature of Amazon EC2 that carves a hardware-assisted, fully isolated execution environment out of an EC2 instance for processing highly sensitive data. Nobody on the parent instance, not even root or an administrator, can read the code and data running in the enclave, dump its memory, or open an interactive session into it (there is no SSH). A Nitro Enclave is a separate, hardened virtual machine whose only channel to its parent instance is a local socket (vsock); out of the box it has no persistent storage and no external network access. Nitro Enclaves therefore provide the building blocks for a highly secure environment, but operationalizing them at enterprise scale requires significant engineering effort to supply the storage, networking, and secret-delivery plumbing that every application expects.

Anjuna Confidential Computing Platform serves as an "easy button" that removes the complexity of building, deploying, and running workloads on AWS Nitro Enclaves, while delivering the enclave's full security capabilities to enterprise applications.

“If you don’t want to use a building block and build everything by yourself, Anjuna can speed this up for you, reducing your time to market. They have a solution that can help move it faster than yourself building it.” – Arvind Raghu, AWS Principal Specialist, EC2 Confidential Computing

By using Anjuna with AWS Nitro Enclaves, you can experience the following benefits:

  • Secure any application: Protect applications running on EC2, or managed by Kubernetes on Amazon EKS, using Anjuna Confidential Containers, and complete cloud transformation projects with confidence in data privacy.
  • Deploy in minutes: The Anjuna Confidential Runtime abstracts the operational requirements of the enclave and presents the application with a lightweight Linux environment, so existing applications run unmodified, with no refactoring or re-engineering. This significantly accelerates time to market.
  • Protect data in all states: AWS Nitro Enclaves protect data in use, but on their own they offer no persistent storage and no network connectivity. The Anjuna Confidential Runtime adds secure, enclave-controlled access to both, with at-rest and in-transit encryption handled from inside the enclave, so data is protected end to end.
  • Provide a higher level of trust: Anjuna integrates with AWS KMS and has built-in support for cryptographic attestation, so you can verify an enclave's identity and ensure that only authorized code is running inside it: a KMS key policy can be conditioned on the enclave's attested measurements (PCR values), so the key releases secrets only to an enclave running the expected image. This lets you deliver secrets and sensitive configuration to applications as they boot inside the enclave, instead of hardcoding or persisting a first secret on disk, where it becomes a target of attack in traditional computing.
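To make the attestation-bound key policy concrete, here is an added example written for this page; it is not Anjuna's code and not AWS's policy engine. The condition keys (kms:RecipientAttestation:ImageSha384 and kms:RecipientAttestation:PCR<n>) and the StringEqualsIgnoreCase operator are the ones KMS actually exposes for requests that carry an enclave attestation document in the Decrypt call's Recipient parameter; the evaluator function is a deliberately simplified local model of how KMS applies such conditions, so the effect of the policy can be exercised offline. The role ARN and the PCR values are constructed stand-ins.

```python
"""Attestation-bound KMS key policy for a Nitro Enclave, with a local model of
how the policy's conditions decide a Decrypt request.

Added illustration, not Anjuna's or AWS's code. Condition key names and the
StringEqualsIgnoreCase operator are the real KMS ones; decrypt_allowed() is a
simplified stand-in for KMS policy evaluation. ARN and PCR values are constructed.
"""
import hashlib
import json
from typing import Optional

IMAGE_SHA_KEY = "kms:RecipientAttestation:ImageSha384"   # equals PCR0 of the image
PCR_KEY = "kms:RecipientAttestation:PCR{}"                # PCR0, PCR1, PCR2, ...


def _fake_measurement(label: str) -> str:
    """Constructed stand-in for a PCR value: a SHA-384 digest rendered as 96 hex
    characters, the same shape `nitro-cli build-enclave` prints for a real image."""
    return hashlib.sha384(label.encode()).hexdigest()


TRUSTED_PCR0 = _fake_measurement("enclave-image-v1")    # enclave image contents
TRUSTED_PCR1 = _fake_measurement("bootstrap-kernel")    # kernel and bootstrap
TRUSTED_PCR2 = _fake_measurement("application-tree")    # application files
ENCLAVE_ROLE = "arn:aws:iam::123456789012:role/enclave-parent-role"  # constructed


def enclave_key_policy(role_arn: str, pcr0: str, pcr1: str, pcr2: str) -> dict:
    """Key policy that lets the parent instance's role decrypt only when the
    request carries an attestation document whose PCRs match the trusted image."""
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Sid": "DecryptOnlyFromAttestedEnclave",
            "Effect": "Allow",
            "Principal": {"AWS": role_arn},
            "Action": ["kms:Decrypt"],
            "Resource": "*",
            "Condition": {
                "StringEqualsIgnoreCase": {
                    IMAGE_SHA_KEY: pcr0,
                    PCR_KEY.format(1): pcr1,
                    PCR_KEY.format(2): pcr2,
                }
            },
        }],
    }


def weak_key_policy(role_arn: str) -> dict:
    """The same grant with no attestation condition: anything holding the role's
    credentials, including ordinary code on the parent instance, can decrypt."""
    policy = enclave_key_policy(role_arn, "", "", "")
    del policy["Statement"][0]["Condition"]
    return policy


def decrypt_allowed(policy: dict, principal_arn: str,
                    attestation: Optional[dict]) -> bool:
    """Simplified model of KMS evaluating an Allow for kms:Decrypt.

    `attestation` is the PCR map ({0: hex, 1: hex, ...}) KMS would extract from a
    verified attestation document. None means the call carried no Recipient
    attestation document, so the kms:RecipientAttestation:* keys are absent from
    the request context and every StringEqualsIgnoreCase test on them fails."""
    context = {}
    if attestation is not None:
        for idx, value in attestation.items():
            context[PCR_KEY.format(idx)] = value
        if 0 in attestation:
            context[IMAGE_SHA_KEY] = attestation[0]

    for stmt in policy["Statement"]:
        if stmt["Effect"] != "Allow" or stmt["Principal"].get("AWS") != principal_arn:
            continue
        if "kms:Decrypt" not in stmt["Action"]:
            continue
        conds = stmt.get("Condition", {}).get("StringEqualsIgnoreCase", {})
        # A missing context key compares as "" and never matches a pinned value.
        if all(context.get(key, "").lower() == want.lower() for key, want in conds.items()):
            return True
    return False


if __name__ == "__main__":
    policy = enclave_key_policy(ENCLAVE_ROLE, TRUSTED_PCR0, TRUSTED_PCR1, TRUSTED_PCR2)
    print(json.dumps(policy, indent=2))
    good = {0: TRUSTED_PCR0, 1: TRUSTED_PCR1, 2: TRUSTED_PCR2}
    tampered = {**good, 0: _fake_measurement("enclave-image-v1-with-extra-code")}
    print("attested, trusted image :", decrypt_allowed(policy, ENCLAVE_ROLE, good))
    print("attested, modified image:", decrypt_allowed(policy, ENCLAVE_ROLE, tampered))
    print("parent instance, no doc :", decrypt_allowed(policy, ENCLAVE_ROLE, None))
    print("weak policy, no doc     :", decrypt_allowed(weak_key_policy(ENCLAVE_ROLE), ENCLAVE_ROLE, None))
```

Two outcomes are the point. The same role credentials used from the parent instance without an attestation document are denied, because the kms:RecipientAttestation:* keys exist in the request context only when KMS has verified an attestation document; and an enclave built from a modified image is denied because its PCR0 no longer matches the pinned value. In a real deployment the PCR values come from the measurements printed by `nitro-cli build-enclave`, the enclave passes its attestation document in the Decrypt call's Recipient parameter, and KMS returns the plaintext encrypted to the enclave's ephemeral public key (CiphertextForRecipient) so it is readable only inside the enclave.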

Multi-Enclave Instances Improve Scalability of Confidential Computing  

Now, let's look at the latest addition to the AWS confidential computing offering. Until recently, AWS supported only a single Nitro Enclave per EC2 parent instance. That architecture is a powerful way to protect sensitive workloads, but it made it hard to scale the number of protected applications while keeping infrastructure costs in check: every application you moved into an enclave added a new EC2 VM to serve as its parent instance.

This also hurt the density of application clusters managed by Kubernetes on Amazon EKS. Such clusters normally consist of EC2 instances that each host many containers and scale dynamically for cloud elasticity. A one-to-one ratio of confidential EKS node (the parent instance) to confidential EKS Pod (the enclave-protected Pod) meant paying for a dedicated node per Pod, which was expensive for applications that did not justify a whole VM per enclave.

To address this limitation, AWS released an enhancement that allows you to run up to four Nitro Enclaves on a single EC2 instance. As the complementary solution for streamlining Nitro Enclaves deployments, the Anjuna Confidential Computing Platform now supports this configuration, which can reduce the total number of EC2 instances in the architecture by up to ~40%.

With this feature and our integration with Amazon EKS, confidential Kubernetes clusters gain both enclave-backed isolation and significantly better cloud elasticity. The key advantages of running confidential K8s Pods with Anjuna are:

  • Seamless deployment orchestration: You can orchestrate the deployment of any EKS Pod into an AWS Nitro Enclave without modifying the application itself, so no complex reconfiguration is needed.
  • Out-of-the-box support for core K8s services: Anjuna supports the core Kubernetes services and tooling, such as kubectl, for confidential Pods, which a bare enclave does not support on its own. With Anjuna you can use them without additional setup.

Anjuna has forged a strong partnership with AWS to make Nitro Enclaves easy to use and accessible. Together, we aim to remove barriers for security- and privacy-conscious enterprises so they can move to the cloud with confidence. This feature brings us another step closer to making confidential computing ubiquitous across the enterprise cloud.

The Anjuna Platform is available in the AWS Marketplace today. To dive deeper into its capabilities and see Anjuna in action, watch our live demo.
