AWS發佈Nitro Enclave，可獨立於EC2環境處理保密數據

{"type":"doc","content":[{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null},"content":[{"type":"text","text":"AWS最近發佈可以獨立於EC2環境處理保密數據的Nitro Enclave。基於輕量級Linux操作系統的Nitro Enclave是一種經過強化和驗證的高度受限的虛擬機。"}]},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null}},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null},"content":[{"type":"text","text":"新的服務沒有使用持久存儲，沒有使用管理員訪問權限，並創建了一個額外的隔離，以進一步保護EC2實例中的高敏感數據，並減少敏感數據的受攻擊面積。AWS首席佈道官Jeff Barr描述了主要的用例："}]},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null}},{"type":"blockquote","content":[{"type":"text","text":"金融服務、國防、媒體和娛樂以及生命科學等各業的AWS客戶通常會在AWS上處理高敏感數據，他們需要保護它們免受來自內部和外部的威脅，需要處理複雜的情況，包括多個相互不信任的合作伙伴、供應商、客戶和員工。如今，他們使用VPC創建高度隔離的環境，這些環境具有受控的有限連接，只能由一組受限制的用戶訪問。"}]},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null}},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null},"content":[{"type":"text","text":"客戶可以使用這個新功能將數據從更大的通用操作系統環境中分離到獨立的執行環境中。AWS並不是唯一提供受保護虛擬機的雲供應商：Azure也提供了基於硬件的"},{"type":"link","attrs":{"href":"https:\/\/azure.microsoft.com\/en-us\/solutions\/confidential-compute\/","title":"","type":null},"content":[{"type":"text","text":"可信任執行環境"}]},{"type":"text","text":"(TEE)，而谷歌雲最近也宣佈了其"},{"type":"link","attrs":{"href":"https:\/\/cloud.google.com\/blog\/products\/identity-security\/introducing-google-cloud-confidential-computing-with-confidential-vms","title":"","type":null},"content":[{"type":"text","text":"保密虛擬機特性"}]},{"type":"text","text":"。"}]},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null}},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null},"content":[{"type":"text","text":"GrowthOps雲工程師及AWS社區開發者Richard Fan寫了一篇關於如何在AWS Nitro Enclaves上運行Python應用程序的文章，並總結了這個新特性是如何工作的："}]},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null}},{"type":"blockquote","content":[{"type":"text","text":"AWS Nitro Enclave是和EC2實例一起運行的獨立環境。它使用來自EC2實例的CPU和內存資源，但與Hypervisor級別的實例是隔離的，因此你的實例即使在操作系統級別也不能訪問Enclave。與Enclave通信的唯一方式是通過vsock通道。"}]},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null}},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null},"content":[{"type":"text","text":"他在"},{"type":"link","attrs":{"href":"https:\/\/github.com\/richardfan1126\/nitro-enclave-python-demo","title":"","type":null},"content":[{"type":"text","text":"GitHub"}]},{"type":"text","text":"上創建了一個項目，演示如何使用Python套接字包在EC2實例和Nitro Enclave之間建立通信，並使用代理從Enclave內部進行HTTPS調用。"}]},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null}},{"type":"image","attrs":{"src":"https:\/\/static001.infoq.cn\/resource\/image\/8c\/71\/8c85f1196e5a712ca3e5625a85022371.png","alt":null,"title":"","style":[{"key":"width","value":"75%"},{"key":"bordertype","value":"none"}],"href":"","fromPaste":false,"pastePass":false}},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null}},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null},"content":[{"type":"text","text":"圖片來源："},{"type":"link","attrs":{"href":"https:\/\/aws.amazon.com\/blogs\/aws\/aws-nitro-enclaves-isolated-ec2-environments-to-process-confidential-data\/","title":"","type":null},"content":[{"type":"text","text":"https:\/\/aws.amazon.com\/blogs\/aws\/aws-nitro-enclaves-isolated-ec2-environments-to-process-confidential-data\/"}]}]},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null}},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null},"content":[{"type":"text","text":"CoinText首席技術官Vin Armani認爲可能可以在數字貨幣採用這種新功能："}]},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null}},{"type":"blockquote","content":[{"type":"text","text":"這些新的AWS Nitro Enclave很有趣。我猜想它們在加密貨幣交易方面將變得非常流行。這似乎是服務器提供簡單分類帳郵資協議（Simple Ledger Postage Protocol）和SWaP協議服務的一個完美的工具。"}]},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null}},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null},"content":[{"type":"text","text":"另一份"},{"type":"link","attrs":{"href":"https:\/\/aws.amazon.com\/about-aws\/whats-new\/2020\/10\/announcing-aws-certificate-manager-for-nitro-enclaves\/","title":"","type":null},"content":[{"type":"text","text":"公告"}]},{"type":"text","text":"表示，AWS證書管理器可以通過Nitro Enclave支持EC2的TLS主機終止連接。這樣就可以對運行在EC2實例上的Web應用程序和Web服務器使用免費的公有和私有SSL\/TLS證書。"}]},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null}},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null},"content":[{"type":"text","text":"一些限制：用於Nitro Enclave的ACM目前只支持與NGINX集成的證書安裝和證書過期替換。"},{"type":"link","attrs":{"href":"https:\/\/aws.amazon.com\/ec2\/nitro\/nitro-enclaves\/","title":"","type":null},"content":[{"type":"text","text":"Nitro Enclave"}]},{"type":"text","text":"目前只支持英特爾和AMD的處理器，最小的可用實例是m5a.xlarge。每個EC2實例只支持單獨的加固環境。新服務不需要額外的費用，但父實例需要付費。"}]},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null}},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null},"content":[{"type":"text","marks":[{"type":"strong"}],"text":"原文鏈接"},{"type":"text","text":"："},{"type":"link","attrs":{"href":"https:\/\/www.infoq.com\/news\/2020\/11\/aws-nitro-enclaves\/","title":"","type":null},"content":[{"type":"text","text":"AWS Introduces Nitro Enclaves, Isolated EC2 Environments for Confidential Computing"}]}]},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null}}]}