Leveraging Anjuna Confidential Computing Platform with AWS Nitro Enclaves on EKS

A green-toned graphic with the logos of AWS and anjuna® and the words "Confidential Computing" over a background suggesting digital security elements.
Published on
Dec 7, 2022
On November 28, 2022, AWS announces Nitro Enclaves support for AWS EKS. Anjuna is excited to help AWS customers easily deploy any container apps without change, in one command line
https://www.anjuna.io/blog/leveraging-anjuna-confidential-computing-platform-with-aws-nitro-enclaves-on-eks

On November 28, 2022, AWS announced its support for AWS Nitro Enclaves in AWS EKS for orchestrating Nitro Enclaves in Kubernetes.

This enhancement is great news for all AWS customers looking to leverage Kubernetes to orchestrate containers in a high-trust confidential compute cluster. In this blog, we’ll review the announcement and further explain how the Anjuna Confidential Computing Platform augments and streamlines the use of AWS Nitro Enclaves in EKS and EC2, making it a great fit for a wider range of workloads.

In short, Anjuna is the ideal complement to AWS Nitro Enclaves. It enables customers to use AWS Nitro Enclaves to protect their workloads with maximum security without friction, complexity, or code changes. Anjuna’s platform provides essential capabilities to take any container application or service without change and run it fully secured - with just one command line. This approach eliminates the development, complexity, and effort that would otherwise be needed to use AWS Nitro Enclaves.

What did AWS update for EKS?

AWS now provides a set of foundational components to launch an enclave inside an AWS EKS node:

  1. The ability to configure and start an EKS cluster with nodes that can launch an AWS Nitro enclave.
  2. The directions for running a Nitro Enclave from a Pod in the EKS cluster.
  3. Basic tools to manage the enclave lifecycle.

This is a great update from AWS EKS. AWS customers can now use Elastic Kubernetes Service (EKS) to orchestrate, scale, and deploy Nitro Enclaves from a Kubernetes Pod.

Even with these enhancements, customers who wish to launch and use existing applications and services in EKS need additional capabilities. This is where the AWS-Anjuna partnership comes into play.

Why Anjuna with AWS Nitro Enclaves in EKS?

Anjuna Confidential Computing Platform augments the architecture of AWS Nitro Enclaves in EKS and EC2, making it a great fit for a wider range of workloads.

Anjuna adds many important capabilities to the native AWS Nitro Enclave infrastructure for AWS EKS, including

  1. The ability to deploy and run any Kubernetes Pod inside an AWS Nitro Enclave without needing to change the application. AWS’s powerful Nitro Enclaves do not contain all the necessary subsystems to simply take any application or container and run it as-is. This includes essential networking and access to persistent storage, for example. These are not present in the native AWS Nitro Enclaves system and fundamental to any container app that needs them. In particular, any third-party, open-source, custom-built, or enterprise application using them would need to be re-architected. This is a substantial engineering effort that Anjuna completely solves out of the box. Customers can simply take containers and run them as-is - with one command line.

  2. Support for Kubernetes services for the Pod running in the enclave, such as kubectl, which every Kubernetes DevOps engineer needs. With the native AWS Nitro system, the code running in the enclave is not available to the Kubernetes services. As such, developers would need to design, test, review and deploy a solution for every Kubernetes service. kubectl get logs is just one common example, and there are many! Anjuna provides full support for the different Kubernetes services to the Pod running in the enclave transparently. This eliminates any changes or development efforts for developers and DevOps, saving time, headcount, and cost and boosting agility.

  3. Integration with AWS KMS to automatically and securely provide secrets based on the Pod measurements with attestation. A critical requirement to start an enclave is to securely distribute secrets to the applications or services in the container - for example, to decrypt data protected by a KMS key that only the AWS Nitro Enclave can process on a strict and exclusive basis. Without this, customers must build and manage this themselves to solve the “secret zero” problem. This is both a security risk given the complexity and extensive development effort. With Anjuna, the unique identity and measurements of the Pod and enclave are used to cryptographically prove its identity to AWS KMS and allow secrets to be provided to the application in the enclave on a transparent basis with no code change, avoiding significant effort, cost and speeding time to software launch.

  4. Optimized performance to ensure business workloads run at the maximum possible speed and with minimum latency. The AWS Nitro System provides a unique level of isolation and protection of workloads in it. To use AWS Nitro Enclaves, customers must commonly re-architect their applications, which can impact their application's performance. Anjuna takes care of this automatically, providing assurance that applications operate at the full processor and network bandwidth available, optimized so you don't have to. Once again, this lets your developer and DevOps teams focus on business value and getting secure bar-raising solutions to market without the heavy lifting of complex AWS Nitro Enclave network engineering.

  5. Support for EC2 out of the box. For non EKS workloads or for service or event driven applications that span infrastructure, Anjuna supports both traditional EC2 applications and EKS out of the box - one method for any service.

  6. Support for multiple clouds. Anjuna supports multi-cloud environments for customers who span them today or acquire and partner with businesses across different cloud platforms.

The Wrap

The AWS Nitro Enclave System provides customers with a compelling solution to isolate and protect workloads from advanced threats, insiders, and external attackers with new levels of security. Anjuna has partnered closely with AWS to make this powerful ecosystem easy to use - whether for classical EC2 applications and containers or scaled EKS service and event-based applications. Anjuna virtualizes and enhances underlying confidential computing cloud infrastructure, presenting standard interfaces and services for agile DevOps processes while dramatically increasing security for code and data - in use, at rest, and in motion.

Anjuna welcomes the recent AWS announcement, which aligns with our vision of making confidential computing ubiquitous on the journey to a more secure and trustworthy world.

Together, AWS and Anjuna ultimately enable customers to achieve speedy and secure transformation. By using Anjuna-enabled frictionless AWS Nitro Enclave workload deployments for bar-raising security and risk reduction, even the most sensitive and high-scale enterprise applications blocked on privacy, security, and sovereignty concerns can be safely transformed.

The solution is available in the AWS Marketplace today.

More like this
Get Started Free with Anjuna Seaglass

Try free for 30 days on AWS, Azure or Google Cloud, and experience the power of intrinsic cloud security.

Start Free