Integrating with Amazon KMS - Amazon Elastic Compute Cloud
Services or capabilities described in Amazon Web Services documentation might vary by Region. To see the differences applicable to the China Regions, see Getting Started with Amazon Web Services in China (PDF).

Integrating with Amazon KMS

Your instance should have an application that can make Amazon KMS API requests with the Attestation Document retrieved from the NitroTPM. When you make a request with an Attestation Document, Amazon KMS validates the measurements in the provided Attestation Document against the reference measurements in the KMS key policy. Requests are allowed only if the measurements in the Attestation Document match the reference measurements in the KMS key policy.

When you call the Decrypt, DeriveSharedSecret, GenerateDataKey, GenerateDataKeyPair, or GenerateRandom API operations with an Attestation Document, these APIs encrypt the plaintext portion of the response under the public key carried in the Attestation Document and return that ciphertext in place of the plaintext. The ciphertext can be decrypted only with the matching private key, which was generated inside the instance and never leaves it.
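The two checks described above (measurements in the Attestation Document matched against reference measurements in the key policy, and the response bound to the public key from the document) can be illustrated with a small simulation. The following is an added example, not code from the Amazon documentation: the attestation document and key-policy statement are constructed sample data, the `kms:RecipientAttestation:PCR<n>` condition-key naming is assumed for illustration, and `build_recipient_param` assumes the Recipient parameter shape that the KMS API exposes for Nitro Enclaves (`RSAES_OAEP_SHA_256`) also applies to NitroTPM; check the Amazon Key Management Service Developer Guide for the authoritative key names.

```python
import hmac
import re

# Constructed sample: PCR measurements an application would extract from a
# NitroTPM Attestation Document after parsing and validating it. The values are
# illustrative hex digests, not real measurements.
SAMPLE_ATTESTATION = {
    "pcrs": {0: "a" * 96, 1: "b" * 96, 8: "c" * 96},
    "public_key_der": b"<recipient public key bytes would go here>",
}

# Constructed sample key-policy statement. The condition-key naming
# (kms:RecipientAttestation:PCR<n>) is assumed for this example.
SAMPLE_POLICY_STATEMENT = {
    "Sid": "AllowDecryptOnlyForAttestedInstance",
    "Effect": "Allow",
    "Action": ["kms:Decrypt", "kms:GenerateDataKey"],
    "Resource": "*",
    "Condition": {
        "StringEqualsIgnoreCase": {
            "kms:RecipientAttestation:PCR0": "A" * 96,
            "kms:RecipientAttestation:PCR8": "c" * 96,
        }
    },
}

_PCR_KEY = re.compile(r"^kms:RecipientAttestation:PCR(\d+)$")


def reference_measurements(statement):
    """Return {pcr_index: (reference_hex, ignore_case)} from the Condition block."""
    refs = {}
    for operator, keys in statement.get("Condition", {}).items():
        if operator not in ("StringEquals", "StringEqualsIgnoreCase"):
            continue
        ignore_case = operator == "StringEqualsIgnoreCase"
        for key, value in keys.items():
            match = _PCR_KEY.match(key)
            if match:
                refs[int(match.group(1))] = (value, ignore_case)
    return refs


def measurements_match(attestation, statement):
    """True only if every PCR the policy references equals the attested value.

    A statement with no attestation condition constrains nothing, which is why
    the reference measurements must actually be present in the policy.
    """
    pcrs = attestation.get("pcrs", {})
    all_match = True
    for idx, (ref, ignore_case) in reference_measurements(statement).items():
        actual = pcrs.get(idx)
        if actual is None:
            all_match = False
            continue
        left, right = (actual.lower(), ref.lower()) if ignore_case else (actual, ref)
        # Constant-time comparison of the two digests.
        if not hmac.compare_digest(left.encode(), right.encode()):
            all_match = False
    return all_match


def evaluate_request(attestation, statement, action):
    """Simulate the allow/deny decision for one key-policy statement."""
    if action not in statement.get("Action", []):
        return "deny"
    return "allow" if measurements_match(attestation, statement) else "deny"


def build_recipient_param(attestation_document):
    """Shape of the Recipient argument passed to kms.decrypt()/generate_data_key().

    Assumed to mirror the Nitro Enclaves Recipient parameter; when present, the
    response carries CiphertextForRecipient encrypted under the document's
    public key instead of Plaintext.
    """
    return {
        "KeyEncryptionAlgorithm": "RSAES_OAEP_SHA_256",
        "AttestationDocument": attestation_document,
    }


if __name__ == "__main__":
    print(evaluate_request(SAMPLE_ATTESTATION, SAMPLE_POLICY_STATEMENT, "kms:Decrypt"))
```

In the real flow the instance application hands `build_recipient_param(...)` to the KMS call, KMS performs the equivalent of `measurements_match` against the key policy, and the instance decrypts `CiphertextForRecipient` with the private key it generated locally; only the policy-side check is simulated here.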

For more information, see Cryptographic attestation for NitroTPM in the Amazon Key Management Service Developer Guide.

Note

If you are attesting to a third-party service, you must build your own custom mechanisms for receiving, parsing, and validating Attestation Documents. For more information, see Validate a NitroTPM Attestation Document.