Amazon EC2 Now Supports NitroTPM and UEFI Secure Boot

Michael Otey

Security ranks pretty high on everyone’s lists nowadays and that’s definitely true for Amazon Web Services as well. Earlier this month, Amazon announced that Amazon Elastic Compute Cloud (EC2) instances now support both NitroTPM and UEFI Secure Boot.

The announcement was originally made back in December during Amazon’s re:Invent 2021 event, where the company detailed new innovations coming to the AWS Nitro platform. This is the underlying platform that will power the company’s next generation of EC2 instances, and the NitroTPM security and compatibility feature will be a big part of it.

What is Amazon’s NitroTPM technology?

Trusted Platform Module (TPM) technology is designed to provide hardware-based security for PCs and virtual machines. It does so with a dedicated, tamper-resistant crypto-processor, typically mounted on the motherboard, that performs cryptographic operations and holds keys and measurements separately from the main CPU and memory.

NitroTPM is a virtual, TPM 2.0-compliant module for your Amazon Elastic Compute Cloud (Amazon EC2) instances. “You can use NitroTPM to store secrets, such as disk encryption keys or SSH keys, outside of the EC2 instance memory, protecting them from applications running on the instance,” Amazon explained. For instance, you can use NitroTPM to store encryption keys for BitLocker on Microsoft Windows.

Windows recognizes Amazon’s NitroTPM module

NitroTPM is supported on all Nitro-based Intel and AMD EC2 instance types that support UEFI boot mode. Graviton1, Graviton2, Xen-based, Mac, and bare-metal instances are not supported.

How NitroTPM improves EC2 security with “Measured Boot”

The new UEFI Secure Boot support builds on EC2’s existing secure boot process by providing additional defense mechanisms to secure software from threats that persist across reboots. UEFI Secure Boot ensures that your EC2 instances run authentic software by verifying the digital signature of all boot components. The boot process is halted if the signature verification fails.

“Another key feature that NitroTPM provides is a ‘measured boot’ configuration that can help secure the boot process. This improves boot security in the event that, for example, a malicious program overwrites part of your kernel with malware,” Amazon explained. With measured boot, each boot component is hashed and the hash is extended into one of the TPM’s Platform Configuration Registers (PCRs) before the component runs. The system then obtains signed PCR values from the TPM and uses them to prove that the boot state of the system is valid: a modified kernel produces a different PCR value than the expected one, so the tampering is detectable.
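To make the PCR mechanism concrete, here is an added example (not code from Amazon or the article) that simulates the TPM 2.0 SHA-256 extend operation, replays a constructed boot event log to derive expected PCR values, and compares them against a known-good baseline. The PCR indices and component names are assumptions for illustration; the TPM’s signature over the PCR values is not simulated.

```python
import hashlib
from typing import Dict, Iterable, List, Tuple

# TPM 2.0 PCRs in the SHA-256 bank hold 32 zero bytes after a platform reset.
PCR_INIT = bytes(32)

def pcr_extend(pcr: bytes, digest: bytes) -> bytes:
    """TPM 2.0 extend: PCR_new = SHA-256(PCR_old || digest).
    A PCR can only be extended, never written, so no later step can erase an earlier measurement."""
    return hashlib.sha256(pcr + digest).digest()

def replay_event_log(events: Iterable[Tuple[int, bytes]]) -> Dict[int, bytes]:
    """Replay a (pcr_index, component_image) event log to compute the PCR values
    that a boot measuring exactly these components, in this order, would produce."""
    pcrs: Dict[int, bytes] = {}
    for index, image in events:
        pcrs[index] = pcr_extend(pcrs.get(index, PCR_INIT), hashlib.sha256(image).digest())
    return pcrs

def verify_boot_state(reported: Dict[int, bytes], golden: Dict[int, bytes]) -> List[int]:
    """Return the PCR indices whose reported value differs from the trusted baseline (empty = valid)."""
    return sorted(i for i in golden if reported.get(i) != golden[i])

# Constructed sample boot chain (assumption): PCR 4 receives the bootloader stages and PCR 9
# the kernel. These indices are illustrative, not the layout AWS or any bootloader actually uses.
GOOD_BOOT = [(4, b"shim-signed"), (4, b"grub-signed"), (9, b"vmlinuz-known-good")]
GOLDEN = replay_event_log(GOOD_BOOT)  # baseline recorded from a known-good boot

def check_good_boot() -> List[int]:
    """An unmodified boot reproduces the baseline exactly."""
    return verify_boot_state(replay_event_log(GOOD_BOOT), GOLDEN)

def check_overwritten_kernel() -> List[int]:
    """Part of the kernel image has been overwritten, so its digest and therefore PCR 9 change."""
    tampered = [(4, b"shim-signed"), (4, b"grub-signed"), (9, b"vmlinuz-known-goo" + b"X")]
    return verify_boot_state(replay_event_log(tampered), GOLDEN)

def check_reordered_bootloader() -> List[int]:
    """Same components loaded in a different order: extend is order-sensitive, so PCR 4 changes."""
    reordered = [(4, b"grub-signed"), (4, b"shim-signed"), (9, b"vmlinuz-known-good")]
    return verify_boot_state(replay_event_log(reordered), GOLDEN)
```

In practice the baseline is compared against a TPM-signed quote of the PCRs rather than raw values, so a compromised OS cannot simply report the expected numbers.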

There is no additional cost for using NitroTPM and UEFI Secure Boot with EC2 instances. NitroTPM and UEFI Secure Boot are available today in AWS GovCloud (US) and all public AWS Regions, with the exception of the AWS China (Beijing) region operated by Sinnet, as well as the AWS China (Ningxia) region operated by NWCD.
