Description
Problem:
We're running code inside Nitro Enclaves that needs to encrypt and decrypt very sensitive data, and would like to use the Encryption SDK. To make sure that KMS only services signed code running inside the Enclave, we use attestation rules as described in https://docs.aws.amazon.com/enclaves/latest/user/set-up-attestation.html
From what we can see the AWS Encryption SDK does not support attestation yet, so KMS requests will fail when running inside the Enclave, even if the vsock-proxy is configured to forward KMS requests.
Solution:
Implement support for calling KMS with attestation, as seen in https://github.com/aws/aws-nitro-enclaves-sdk-c/tree/main/source
Or if this is already supported a note stating that, along with vsock-proxy requirement notes would be very helpful.
Out of scope:
GenerateDataKey and Decrypt seem to be the biggest candidates to add this for, might not need to bother with any other operations.