How to make attested calls to Amazon KMS

To make an attested call to Amazon KMS, use the Recipient parameter in the request to provide the signed attestation document and the encryption algorithm to use with the public key in the attestation document. When a request includes the Recipient parameter with a signed attestation document, the response includes a CiphertextForRecipient field with the ciphertext encrypted by the public key. The plaintext field is null or empty.

The Recipient parameter must specify a signed attestation document from an Amazon Nitro Enclaves or Amazon NitroTPM. Amazon KMS relies on the digital signature for the attestation document to prove that the public key in the request came from a valid source. You cannot supply your own certificate to digitally sign the attestation document.

The Amazon Nitro Enclaves SDK, which is supported only within a Nitro enclave, automatically adds the Recipient parameter and its values to every Amazon KMS request.

To make attested requests in the Amazon SDKs, you have to specify the Recipient parameter and its values. The attestation document can be retrieved from the NitroTPM using the nitro-tpm-attest utility or from the Nitro Secure Module (NSM) using the NSM API.

Amazon KMS supports policy condition keys that you can use to allow or deny attested operations with an Amazon KMS key based on the content of the attestation document. You can also monitor attested requests to Amazon KMS in your Amazon CloudTrail logs.

For detailed information about the Recipient parameter and the AWS CiphertextForRecipient response field, see the Decrypt, DeriveSharedSecret, GenerateDataKey, GenerateDataKeyPair, and GenerateRandom topics in the Amazon Key Management Service API Reference, the Amazon Nitro Enclaves SDK, or any Amazon SDK. For information about setting up your data and data keys for encryption, see Using cryptographic attestation with Amazon KMS.