I’d like to host an app that uses a database connection in an AWS Nitro enclave.
I understand that the Nitro enclave doesn’t have access to a network or persistent storage, and the only way that it can communicate with its parent instance is through the vsock.
There are some examples showing how to configure a connection from the enclave to an external url through a secure channel using the vsock and vsock proxy, but the examples focus on AWS KMS operations.
I’d like to know if it’s possible to configure the secure channel through the vsock and vsock proxy to connect to a database like postgres/mysql etc…
If this is indeed possible, are there perhaps some example configurations somewhere?
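The plumbing the question is asking about, as an added example (this is not code from the question, from either answer, from AWS or from Nitrogen): a small TCP-to-vsock relay that runs inside the enclave so that an unmodified database driver can talk to `127.0.0.1:5432`, with the relay carrying the bytes over AF_VSOCK to `vsock-proxy` on the parent, which in turn opens the TCP connection to the database. The port numbers (5432 locally, 8001 on the vsock side) and the database endpoint are assumptions; CID 3 is the parent instance as seen from inside an enclave. Because vsock is unavailable outside an enclave, the block includes a self-test that wires both legs over plain TCP against a constructed echo server; production wiring swaps in `connect_vsock`.

```python
"""Added example: TCP-to-vsock relay for a Nitro enclave (not AWS or Nitrogen code).

Data path, with assumed ports:
  app --TCP--> 127.0.0.1:5432 (this relay) --vsock--> parent CID 3, port 8001
      (vsock-proxy) --TCP--> the database endpoint listed in its allowlist.
vsock-proxy only forwards bytes, so the database TLS session must start and
end inside the enclave; the parent only ever sees ciphertext.
"""
import socket
import threading

PARENT_CID = 3                      # the parent instance is always CID 3 from inside an enclave
VSOCK_PORT = 8001                   # assumed: the port vsock-proxy listens on in the parent
LOCAL_LISTEN = ("127.0.0.1", 5432)  # assumed: where the in-enclave app points its driver


def pump(src, dst):
    """Copy bytes src -> dst until EOF, then half-close dst so the peer sees EOF too."""
    try:
        while True:
            data = src.recv(65536)
            if not data:
                break
            dst.sendall(data)
    except OSError:
        pass
    finally:
        try:
            dst.shutdown(socket.SHUT_WR)
        except OSError:
            pass


def bridge(client, upstream):
    """Run both directions for one connection and close both sockets when done."""
    pumps = [threading.Thread(target=pump, args=(client, upstream), daemon=True),
             threading.Thread(target=pump, args=(upstream, client), daemon=True)]
    for p in pumps:
        p.start()
    for p in pumps:
        p.join()
    client.close()
    upstream.close()


def connect_vsock(cid=PARENT_CID, port=VSOCK_PORT):
    """Enclave-side leg: an AF_VSOCK stream to vsock-proxy in the parent."""
    s = socket.socket(socket.AF_VSOCK, socket.SOCK_STREAM)
    s.connect((cid, port))
    return s


def serve(listener, connect_upstream, stop):
    """Accept loop: each TCP client gets its own upstream connection and bridge."""
    listener.settimeout(0.5)  # poll so the loop can notice the stop event
    while not stop.is_set():
        try:
            client, _ = listener.accept()
        except socket.timeout:
            continue
        client.settimeout(None)
        try:
            upstream = connect_upstream()
        except OSError:
            client.close()  # proxy not up or connection refused: drop this client
            continue
        threading.Thread(target=bridge, args=(client, upstream), daemon=True).start()
    listener.close()


def start_relay(connect_upstream, listen_addr=LOCAL_LISTEN):
    """Start the relay in a background thread; return (bound address, stop event)."""
    listener = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    listener.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
    listener.bind(listen_addr)
    listener.listen(16)
    stop = threading.Event()
    threading.Thread(target=serve, args=(listener, connect_upstream, stop), daemon=True).start()
    return listener.getsockname(), stop


def _echo_server():
    """Constructed stand-in for the database: echoes one connection, then exits."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))
    srv.listen(1)

    def run():
        conn, _ = srv.accept()
        with conn:
            while True:
                data = conn.recv(65536)
                if not data:
                    break
                conn.sendall(data)
        srv.close()

    threading.Thread(target=run, daemon=True).start()
    return srv.getsockname()


def relay_roundtrip_selftest(payload=b"SELECT 1;\n"):
    """Drive the relay with TCP on both legs (no vsock outside an enclave): bytes
    sent into the relay must come back unchanged through the echo server."""
    echo_addr = _echo_server()
    relay_addr, stop = start_relay(lambda: socket.create_connection(echo_addr),
                                   listen_addr=("127.0.0.1", 0))
    try:
        with socket.create_connection(relay_addr) as c:
            c.sendall(payload)
            c.shutdown(socket.SHUT_WR)  # signal end of request; reply still flows back
            chunks = []
            while True:
                data = c.recv(65536)
                if not data:
                    break
                chunks.append(data)
        return b"".join(chunks)
    finally:
        stop.set()


if __name__ == "__main__":
    addr, _ = start_relay(connect_vsock)  # production wiring: TCP in, vsock out
    print(f"relaying {addr[0]}:{addr[1]} -> vsock ({PARENT_CID}, {VSOCK_PORT})")
    threading.Event().wait()
```

On the parent, the database endpoint goes into the vsock-proxy allowlist (`/etc/nitro_enclaves/vsock-proxy.yaml`, one entry of the form `- {address: db.example.internal, port: 5432}`, endpoint being a placeholder) and the proxy is started with `vsock-proxy 8001 db.example.internal 5432` before the enclave is launched. Three things to check when wiring this up: the enclave image usually has to bring up its own loopback interface before the relay can bind 127.0.0.1; the driver should be configured to verify the server certificate against the real database host name rather than 127.0.0.1 (with libpq, `host=` for verification alongside `hostaddr=127.0.0.1`, and `sslmode=verify-full`), since the TLS endpoint is the database, not the proxy; and database credentials are better obtained inside the enclave through an attestation-gated KMS decrypt than baked into the image.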
2 Answers
I would recommend looking into Anjuna Security’s offering: https://www.anjuna.io/amazon-nitro-enclaves
Outside of using Anjuna, you could look into the AWS Nitro SDK and use that to build a networking stack to utilize the vsock or modify an existing sample.
Nitrogen is an easy solution for this, and it's completely open source (disclosure: I'm one of the contributors to Nitrogen).
You can see an example configuration for deploying Redis to a Nitro Enclave here.
And a more detailed blog post walkthrough of deploying any Docker container to a Nitro Enclave here.
Nitrogen is a command line tool with three main commands:
You can set up, build, and deploy any Dockerfile in a few minutes to your own AWS account.