How to call AWS KMS APIs for a Nitro enclave

To call AWS KMS APIs for a Nitro enclave, use the Recipient parameter in the request to provide the signed attestation document for the enclave and the encryption algorithm to use with the enclave's public key. When a request includes the Recipient parameter with a signed attestation document, the response includes a CiphertextForRecipient field with the ciphertext encrypted by the public key. The plaintext field is null or empty.

The Recipient parameter must specify a signed attestation document from an AWS Nitro enclave. AWS KMS relies on the digital signature for the enclave’s attestation document to prove that the public key in the request came from a valid enclave. You cannot supply your own certificate to digitally sign the attestation document.

To specify the Recipient parameter, use the AWS Nitro Enclaves SDK or any AWS SDK. The AWS Nitro Enclaves SDK, which is supported only within a Nitro enclave, automatically adds the Recipient parameter and its values to every AWS KMS request. To make requests for Nitro enclaves in the AWS SDKs, you have to specify the Recipient parameter and its values. Support for Nitro enclave cryptographic attestation in the AWS SDKs was introduced in March 2023.

AWS KMS supports policy condition keys that you can use to allow or deny enclave operations with an AWS KMS key based on the content of the attestation document. You can also monitor requests to AWS KMS for your Nitro enclave in your AWS CloudTrail logs.

For detailed information about the Recipient parameter and the AWS CiphertextForRecipient response field, see the Decrypt, DeriveSharedSecret, GenerateDataKey, GenerateDataKeyPair, and GenerateRandom topics in the AWS Key Management Service API Reference, the AWS Nitro Enclaves SDK, or any AWS SDK. For information about setting up your data and data keys for encryption, see Using cryptographic attestation with AWS KMS.