User's Guide: Provision Nitro Compute Node Using AWS Marketplace

1.0 Introduction

Fortanix Confidential Computing Nitro Compute Node Agent software is deployed on an Amazon Web Services (AWS) Nitro EC2 instance to manage the compute node and applications running in Nitro enclaves. The node agent ensures that a valid Nitro-enabled virtual machine is enrolled into a Fortanix Confidential Computing Manager (CCM) account for running containerized applications in the AWS Nitro secure enclaves, while also providing hardware pre-registration and application-node policy restrictions. 

The solution orchestrates critical security policies such as identity verification, data access control, and code attestation for enclaves that are required for confidential computing. Unlike other approaches, Fortanix provides the flexibility to run and manage the broadest set of applications, including existing applications, new enclave-native applications, and pre-packaged applications.

The Fortanix CCM enables applications to run in confidential computing environments, verifies the integrity of those environments, and manages the enclave application lifecycle.

This article describes how to provision an EC2 instance and enroll a Fortanix Nitro Node Agent using the Amazon Web Services (AWS) Marketplace.

2.0 Fortanix Offerings on AWS Marketplace

You can use either of the following two methods to explore Fortanix offerings on the AWS Marketplace:

  • Direct Search: Simply enter "Fortanix" into the Search bar.
    OR

  • Filtered Search: Refine your search by selecting specific categories.

2.1 Direct Search

Perform the following steps:

  1. Log in to the AWS Marketplace Console using your AWS account credentials.

  2. Type Fortanix in the Search bar to list Fortanix marketplace offerings.

  3. Select the Fortanix Confidential Computing Nitro Compute Node option from the Marketplace section. This action opens a new tab on the screen.

    Screenshot (74).png

    Figure 1: Search Results

2.2 Filtered Search

Perform the following steps:

  1. Access the AWS Marketplace login page at https://aws.amazon.com/marketplace and enter your credentials to log in.

  2. On the landing page, scroll to the "Find AWS Marketplace products that meet your needs" section.

    Screenshot (70).png

    Figure 2: Filters

    In this section, select the following criteria:

    • Categories: Select the Security option under infrastructure software, observe dynamic changes in the available options for vendors, pricing plans, and delivery methods.

    • Vendors: Select Fortanix from the drop down menu, dynamically refining your search.

    • Pricing Plans: Select the Bring Your Own License (BYOL) option from the drop down menu.

    • Delivery Methods: Select CloudFormation from the drop down menu.

Once you have selected the required specifications, out of the available marketplace offers from Fortanix, select the Fortanix Confidential Computing Nitro Compute Node option.

2.3 Navigating the Landing Screen

The following is the landing screen for Fortanix Confidential Computing Nitro Compute Node:

Screenshot (73).png

Figure 3: Landing Screen

The following are the components on the screen:

  • Continue to Subscribe: Progress through the subscription process for the Fortanix Confidential Computing Nitro Compute Node.

  • Overview: Fortanix Nitro Compute Node seamlessly integrates with AWS Nitro EC2 instances, managing compute nodes and applications securely. Start a free trial at https://ccm.fortanix.com/.

  • Pricing: Fortanix Nitro Compute Node offers a free tier .

    • Free Tier: No charges for the software.

    • Bring Your Own License (BYOL): Available for customers with existing licenses.

  • Usage: Deploy the Fortanix Nitro Compute Node Agent on AWS Nitro EC2 instances to manage the compute node and applications running in Nitro enclaves. Fortanix CCM enables applications to run in confidential environments. You can enroll a compute node agent at https://ccm.fortanix.com/.

  • Support: A 24/7 support using Slack and email at [email protected] is available. The refunds are not supported, but cancellations are accepted at any time.

  • Reviews: Share your thoughts by writing a customer review. Your feedback contributes to the community's understanding of this product.

2.4 Configuring the Software

Perform the following steps to configure the software on your system:

  1. On the Configure this software page, enter the following:

    • Fulfillment Option: Select the Deploy Confidential Computing Node Agent option.

    • Software Version: Select the required version from the drop down menu, ensuring compatibility with your preferences.

    • Region: Select the desired region for deployment, for example, "US East (N. Virginia)."

  2. Click the Continue to Launch button.

    Screenshot (80).png

    Figure 4: Configure the Software

  3. On the Launch this software page, enter the following:

    • Select the Launch CloudFormation option from the Choose Action drop down menu.

    • Click the Launch button. This will redirect you to the "Create Stack" page.

      Screenshot (85).png

      Figure 5: Launch the Software

  4. On the Create Stack page, enter the following:

    • Prerequisite: Select the default option, Template is Ready radio button.

    • Specify Template:

      • Template Source: Select the default option, Amazon S3 URL radio button.

      • Amazon S3 URL: Enter the default Amazon S3 URL in the field.

      • S3 URL: Enter the default S3 URL.

        Screenshot (87).png

        Figure 6: Create Stack

  5. Click the Next button.

  6. On the Specify Stack Details page, enter the following:

    Parameter Name

    Type

    Description

    CCMJoinToken

    String

    Refers to a security token used during the process of joining a node to the Fortanix Confidential Computing Manager (CCM). It ensures secure communication and authentication between the node and the manager within the Fortanix ecosystem.
    To know more about this token, refer to Section 3.0 - Provision the Compute Node Using AWS Marketplace.

    InstanceTenancy

    dedicated or host

    Refers to the tenancy model for an Amazon EC2 instance. It determines whether the instance runs on dedicated hardware ("dedicated") or shared hardware (default or "host"). The choice can impact performance isolation and compliance requirements.

    InstanceType

    String

    Specifies the C5a hardware series of Amazon EC2 instances that will be launched. It defines the computing capacity, memory, and networking capabilities of the instance.

    KeyPair

    KeyPair

    Refers to a set of cryptographic keys (public and private) used for secure SSH access to an EC2 instance. During launch, the instance is associated with the public key, while the client uses the private key to authenticate and establish a secure connection. For more information, refer to https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/create-key-pairs.html.

    NameTag

    String

    Refers to a user-defined tag assigned to AWS resources, providing a human-readable identifier. It helps in organizing and managing resources efficiently.

    NodeAgentAccessCIDR

    String

    Specifies the IP address range (CIDR block, such as 0.0.0.0/0) from which the Fortanix Confidential Computing Node Agent can be accessed. It acts as a security measure, restricting access to a defined set of IP addresses.

    SSHSourceCIDR

    String

    Defines the allowed IP address range (CIDR block, such as 0.0.0.0/0) from which SSH connections are permitted to access the EC2 instance. This setting enhances security by controlling who can connect to the instance via SSH.

    Storage

    Integer

    Refers to the type and size of storage associated with the EC2 instance. It includes specifications such as the volume type, size, and configuration. Storage options impact the performance and durability of data on the instance.

    VpcCIDR

    String

    Represents the CIDR block assigned to a Virtual Private Cloud (VPC). It defines the range of private IP addresses available within the VPC, facilitating network segmentation and resource isolation.

    Screenshot (88).png

    Screenshot (91).png

    Figure 7: Specify Stack Details

  7. On the Configure Stack Options page, enter the following:

    Parameter

    Description

    Tags

    Apply tags to categorize stacks based on attributes such as purpose, ownership, or environment.

    Permissions

    Assign appropriate permissions to individuals or services to govern stack management activities.

    Stack failure options

    Configure these options to manage failures in a controlled manner, maintaining the integrity of the stack.

    Rollback configuration

    Tailor rollback behavior to ensure a consistent state and mitigate potential issues resulting from unsuccessful updates.

    Notification options

    Utilize notification options to stay informed about the progress and status of stack operations, facilitating proactive management.

    Stack creation options

    Customize creation options to align with specific requirements, ensuring the creation of stacks with desired attributes and behaviors.

     

    Screenshot (92).png

    Screenshot (93).png

    Figure 8: Configure Stack Options

  8. Click the Submit button.

3.0 Provisioning the Compute Node Using AWS Marketplace

Perform the following steps:

  1. First, generate a Join Token using the CCM UI. To generate your Join Token, log in to https://ccm.fortanix.com.

  2. Navigate to Infrastructure → Compute Nodes → AWS NITRO ENCLAVES tab and click + ENROLL NODE.

    Screenshot 2023-07-31 130041.png

    Figure 9: Enroll Compute Node

  3. Click the COPY button to copy the Join Token. This Join Token is used by the compute node to authenticate itself.

    Screenshot 2023-07-31 130214.png

    Figure 10: Generate Token

  4. In the Create Fortanix Confidential Computing Node Agent form, fill all the necessary details.

  5. Click the Submit button.

The compute node is now successfully created.

4.0 Reviewing the Compute Node

After the node agent is created, the node will be enrolled in CCM, you will see it under the Compute Nodes overview table.

Screenshot 2023-08-03 165025.png

Figure 11: Enrolled Node

The following are the components on the screen:

  • Name: Represents the DNS name of the compute node.

  • Status: Indicates the current state of the compute node, such as active, inactive, online or offline.

  • Labels: Contains descriptive tags for each compute node. Labels are used to provide additional information or group similar items together for organizational purposes.

  • CPU: Displays information related to the Central Processing Unit (CPU) of the corresponding item. This information may include details such as the CPU type, usage, or other relevant metrics.

  • EPC Size: Specifies the size or capacity of the Enclave Page Cache (EPC) associated with the item. However, this is not applicable for AWS Nitro Enclaves instances.

  • Attestation: Provides information about the attestation status of the compute node. The validity of the compute node certificate is one year.

    • Click the  icon2.png icon to perform the following actions:

      • View Certificate: View the details of the certificate associated with the compute node. You can also click  icon.png icon to directly view the NITRO_ENCLAVE certificate.

      • Copy Compute Node ID: Copy the unique identifier (ID) of the compute node to the clipboard, facilitating easy reference in configurations or troubleshooting.

      • Delist Compute Node: Remove the compute node from an active or trusted nodes list. This action may revoke the node's access or privileges within the Fortanix environment.


5.0 References

Refer to the following documents for more details:

NOTE

Refer to users-guide-enroll-a-compute-node-using-aws-nitro-on-amazon-linux to know the manual steps for installing the Fortanix Nitro Node Agent on a pre-created EC2 instance.