Inferensys

Glossary

AWS Nitro Enclaves

An isolated compute environment on Amazon EC2 instances that provides a hardened and highly constrained environment for processing sensitive data, with no persistent storage or external network access by default.
Developer building agentic RAG system, retrieval pipeline diagram on laptop, technical workspace with notes.
ISOLATED COMPUTE ENVIRONMENT

What is AWS Nitro Enclaves?

An isolated compute environment on Amazon EC2 instances that provides a hardened and highly constrained environment for processing sensitive data, with no persistent storage or external network access by default.

AWS Nitro Enclaves is a hardened, isolated compute environment carved out of an Amazon EC2 instance, designed to securely process highly sensitive data such as personally identifiable information (PII) or proprietary machine learning models. Built on the Nitro Hypervisor, an enclave provides a Trusted Execution Environment (TEE) with no persistent storage, no interactive access, and no external networking by default, dramatically reducing the attack surface.

The enclave's security posture is established through cryptographic attestation, generating a signed document that proves its identity and the exact code running inside it to a relying party. Communication with the parent instance occurs exclusively over a local virtual socket (vsock), enabling a split architecture where the untrusted application handles network I/O while the enclave performs computation on plaintext data in a protected memory region isolated from the host OS.

CONFIDENTIAL COMPUTING PRIMITIVES

Key Features of AWS Nitro Enclaves

AWS Nitro Enclaves provide a hardened, isolated compute environment for processing highly sensitive data, with no persistent storage, no interactive access, and no external network access by default.

01

Hardware-Backed Isolation

An enclave is a separate virtual machine with its own kernel, memory, and CPU cores, carved out of a parent EC2 instance. The Nitro Hypervisor enforces strict isolation, ensuring no process on the parent instance—not even an administrator with root access—can read the enclave's memory or code. This creates a hardware-rooted trust boundary that is significantly smaller and more auditable than the full instance.

Dedicated vCPUs
Resource Isolation
No Persistent Storage
Ephemeral by Design
02

Cryptographic Attestation

Before an external service sends sensitive data to an enclave, it must verify the enclave's identity. The Nitro Secure Module (NSM) generates a cryptographically signed attestation document containing:

  • A hash of the enclave image (proof of code identity)
  • The enclave's public key
  • Platform configuration registers (PCRs) This allows a relying party to establish a hardware-rooted chain of trust and ensure only authorized code processes their data.
03

VSOCK Communication Channel

Enclaves have no external network interfaces. The only communication channel is a local VSOCK socket to the parent instance. This forces a secure proxy architecture:

  • The parent instance acts as a network proxy, filtering and forwarding traffic
  • The enclave never sees a raw network packet
  • All ingress/egress is explicitly controlled by the parent's application logic This design eliminates entire classes of remote network attacks against the enclave itself.
04

Cryptographic Sealing

Since enclaves have no persistent storage, any state that must survive a restart must be encrypted and stored externally. Sealing binds encrypted data to the specific enclave identity and platform:

  • Data encrypted by an enclave can only be decrypted by the exact same enclave on the same hardware
  • Prevents replay attacks and cross-platform data theft
  • Enables secure state persistence without trusting the parent instance's filesystem
05

Minimal Trusted Computing Base (TCB)

The TCB of a Nitro Enclave is dramatically smaller than a full Linux instance. It includes only:

  • The Nitro Hypervisor (a lightweight, formally verified component)
  • The enclave's minimal kernel and application
  • The NSM for attestation Excluded from the TCB: the parent OS, AWS operators, the host hypervisor, and all management software. This radical reduction in attack surface is the core value proposition for regulated workloads.
AWS NITRO ENCLAVES

Frequently Asked Questions

Clear, technically precise answers to the most common questions about AWS Nitro Enclaves, their architecture, and their role in confidential computing.

An AWS Nitro Enclave is an isolated, hardened, and highly constrained virtual machine with no persistent storage, no interactive access, and no external networking. It is logically and cryptographically separated from its parent EC2 instance. The enclave runs on the same Nitro System hardware but in a separate, dedicated slice of CPU and memory. The only communication channel between the parent instance and the enclave is a local virtual socket (vsock), which provides a simple, authenticated, and high-throughput interface. This architecture ensures that even a root-level compromise of the parent instance or the hypervisor cannot access the sensitive data or code processing inside the enclave, providing strong data-in-use protection.

Prasad Kumkar

About the author

Prasad Kumkar

CEO & MD, Inference Systems

Prasad Kumkar is the CEO & MD of Inference Systems and writes about AI systems architecture, LLM infrastructure, model serving, evaluation, and production deployment. Over 5+ years, he has worked across computer vision models, L5 autonomous vehicle systems, and LLM research, with a focus on taking complex AI ideas into real-world engineering systems.

His work and writing cover AI systems, large language models, AI agents, multimodal systems, autonomous systems, inference optimization, RAG, evaluation, and production AI engineering.