AWS re:Invent 2025 - Demystify attestation: Cryptographically verify execution environment (CMP317)

Demystifying Attestation: Cryptographically Verifying Execution Environments

Overview

• Presentation on how to use cryptographic attestation to verify the execution environment and ensure only the intended code is running
• Covers techniques for confidential computing on AWS, including EC2 instances and Nitro Enclaves
• Demonstrates a sample application that leverages these capabilities to securely host and run a sensitive AI model

Confidential Computing on AWS

• Confidential computing means the AWS operators do not have access to the data or code running in the execution environment
• Achieved through a secure "box" or trusted execution environment (TEE) that isolates the workload
• Two key dimensions:
  1. AWS operators cannot access the instance data
  2. The application is isolated from the execution environment

EC2 Instance Attestation

• EC2 instances can be launched as "attestable AMIs" that generate cryptographic hashes of the boot contents
• These hashes are provided in an attestation document, which can be used to verify the instance is running the expected code
• The attestation document is integrated with AWS Key Management Service (KMS) to allow unlocking of secrets based on the verified execution environment
• Enables "lift and shift" of applications into a fully attested and validated EC2 environment

Nitro Enclaves

• Nitro Enclaves provide a separate, isolated virtual machine within an EC2 instance
• Designed for running sensitive, trusted code in isolation from the parent application
• Enclaves can only communicate with the parent via a restricted VSOCK channel
• Enclaves generate their own attestation document, proving the contents of the enclave

Sample Application

• Demonstrates a multi-party collaboration scenario where an AI model owner wants to allow customers to use the model without exposing the model weights
• The model owner encrypts and "seals" the model weights to the attestation measurements
• The customer launches an attested EC2 instance that can decrypt and use the model weights, without being able to extract them

Key Takeaways

• Cryptographic attestation allows verifying the execution environment to ensure only the expected code is running
• This enables confidential computing use cases where sensitive data or IP needs to be protected
• AWS provides integrated tools and services, like EC2 instance attestation and Nitro Enclaves, to make it easier to build these secure environments
• The sample application demonstrates how these capabilities can be used to securely host and consume a sensitive AI model

Technical Details

• Nitro stack provides the trusted execution environment, with hashes measured into TPM Platform Configuration Registers (PCRs)
• Attestation document includes AWS signature and PCR values to prove the execution environment
• KMS integration allows unlocking secrets based on the verified attestation
• Nitro Enclaves provide a separate, isolated VM with its own attestation process

Business Impact

• Confidential computing enables new use cases where sensitive data or IP needs to be protected
• Allows customers to leverage cloud services without exposing their sensitive information
• Enables AI model owners to monetize their models without risk of IP theft or data leakage
• Broader applicability beyond AI, such as any multi-party collaboration scenario involving sensitive data or code

Examples

• AI model owner wants to allow customers to use their model without exposing the model weights
• Enterprise wants to run a sensitive workload in the cloud without giving cloud provider access to the data
• Independent software vendor wants to offer a service based on their proprietary algorithms without risk of reverse engineering