Services or capabilities described in Amazon Web Services documentation might vary by Region. To see the differences applicable to the China Regions, see Getting Started with Amazon Web Services in China (PDF).

Cryptographic attestation support in Amazon KMS

Amazon KMS supports cryptographic attestation for Amazon Nitro Enclaves and Amazon NitroTPM. Applications that support these attestation methods call the following Amazon KMS cryptographic operations with a signed attestation document. Amazon KMS verifies that the attestation document came from a valid source (either a Nitro enclave or NitroTPM). Then, instead of returning plaintext data in the response, these APIs encrypt the plaintext with the public key from the attestation document and return ciphertext that can be decrypted only by the corresponding private key in the enclave or EC2 instance.

The following table shows how the response to attested requests differs from the standard response for each API operation.

| Amazon KMS operation | Standard response | Response for attested requests |
| --- | --- | --- |
| Decrypt | Returns plaintext data | Returns the plaintext data encrypted by the public key from the attestation document |
| DeriveSharedSecret | Returns raw shared secret | Returns the raw shared secret encrypted by the public key from the attestation document |
| GenerateDataKey | Returns a plaintext copy of the data key (also returns a copy of the data key encrypted by a KMS key) | Returns a copy of the data key encrypted by the public key from the attestation document (also returns a copy of the data key encrypted by a KMS key) |
| GenerateDataKeyPair | Returns a plaintext copy of the private key (also returns the public key and a copy of the private key encrypted by a KMS key) | Returns a copy of the private key encrypted by the public key from the attestation document (also returns the public key and a copy of the private key encrypted by a KMS key) |
| GenerateRandom | Returns a random byte string | Returns the random byte string encrypted by the public key from the attestation document |
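The attested Decrypt and GenerateDataKey calls described above, as an added example that is not AWS's own code. It assumes `kms` behaves like a boto3 KMS client; the request parameter `Recipient` (with `KeyEncryptionAlgorithm` and `AttestationDocument`) and the response field `CiphertextForRecipient` are the real KMS API names, while the stub client and attestation bytes are constructed so the block runs offline.

```python
"""Helpers for attested Amazon KMS requests (added example, not AWS code)."""
from typing import Any, Dict, Tuple

# The only key-encryption algorithm KMS accepts for the Recipient parameter.
RSAES_OAEP_SHA_256 = "RSAES_OAEP_SHA_256"


def recipient(attestation_doc: bytes) -> Dict[str, Any]:
    """Build the Recipient parameter carried by every attested request."""
    if not attestation_doc:
        raise ValueError("attestation document must not be empty")
    return {"KeyEncryptionAlgorithm": RSAES_OAEP_SHA_256,
            "AttestationDocument": attestation_doc}


def _check_attested(resp: Dict[str, Any], plaintext_field: str) -> bytes:
    """Return CiphertextForRecipient; refuse a response that exposes plaintext."""
    # KMS leaves the plaintext field null/empty for attested requests; anything
    # else means the caller is not actually in the attested code path.
    if resp.get(plaintext_field):
        raise RuntimeError(f"unexpected {plaintext_field!r} in attested response")
    wrapped = resp.get("CiphertextForRecipient")
    if not wrapped:
        raise RuntimeError("response lacks CiphertextForRecipient")
    return wrapped  # decryptable only with the private key inside the enclave


def attested_decrypt(kms, ciphertext_blob: bytes, attestation_doc: bytes) -> bytes:
    """Decrypt under attestation: plaintext comes back wrapped to the enclave key."""
    resp = kms.decrypt(CiphertextBlob=ciphertext_blob,
                       Recipient=recipient(attestation_doc))
    return _check_attested(resp, "Plaintext")


def attested_generate_data_key(kms, key_id: str,
                               attestation_doc: bytes) -> Tuple[bytes, bytes]:
    """GenerateDataKey under attestation: (enclave-wrapped key, KMS-encrypted copy)."""
    resp = kms.generate_data_key(KeyId=key_id, KeySpec="AES_256",
                                 Recipient=recipient(attestation_doc))
    return _check_attested(resp, "Plaintext"), resp["CiphertextBlob"]


class FakeAttestedKms:
    """Constructed stand-in mimicking the attested-response shape (no real crypto)."""
    def __init__(self) -> None:
        self.calls = []

    def decrypt(self, **kw):
        self.calls.append(("decrypt", kw))
        return {"CiphertextForRecipient": b"WRAPPED:" + kw["CiphertextBlob"],
                "Plaintext": b""}

    def generate_data_key(self, **kw):
        self.calls.append(("generate_data_key", kw))
        return {"KeyId": kw["KeyId"], "CiphertextBlob": b"kms-wrapped-key",
                "CiphertextForRecipient": b"WRAPPED:data-key"}
```

Decrypting `CiphertextForRecipient` is done inside the enclave or instance with the private key that matches the attestation document; it is never unwrapped by the code that talks to KMS.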

Amazon KMS supports policy condition keys that you can use to allow or deny attested operations with an Amazon KMS key based on the content of the attestation document. You can also monitor attested requests to Amazon KMS in your Amazon CloudTrail logs.

Learn more