AWS Nitro Enclave Socket Connection to Database

Question

I'd like to host an app that uses a database connection in an AWS Nitro enclave.

I understand that the Nitro enclave doesn't have access to a network or persistent storage, and the only way that it can communicate with its parent instance is through the vsock.

There are some examples showing how to configure a connection from the enclave to an external url through a secure channel using the vsock and vsock proxy, but the examples focus on AWS KMS operations.

I'd like to know if it's possible to configure the secure channel through the vsock and vsock proxy to connect to a database like postgres/mysql etc...

If this is indeed possible, are there perhaps some example cofigurations somewhere?

Answer 1

Nitrogen is an easy solution for this, and it's completely open source (disclosure I'm one of the contributors to Nitrogen).

You can see an example configuration for deploying Redis to a Nitro Enclave here.

And a more detailed blog post walkthrough of deploying any Docker container to a Nitro Enclave here.

Nitrogen is a command line tool with three main commands:

1. Setup - Spawn an EC2 instance, configure SSH, and establish a VSOCK proxy for interacting with the Nitro Enclave.
2. Build - Create a Docker image from an arbitrary Dockerfile, and convert it to the Enclave Image File (EIF) format expected by Nitro.
3. Upload your EIF and launch it as a Nitro Enclave. You receive a hostname and port which is ready to proxy enclave requests to your service.

You can setup, build, and deploy any Dockerfile in a few minutes to your own AWS account.

Answer 2

I would recommend looking into Anjuna Security's offering: https://www.anjuna.io/amazon-nitro-enclaves

Outside of using Anjuna, you could look into the AWS Nitro SDK and use that to build a networking stack to utilize the vsock or modify an existing sample.