Amazon EC2 Now Supports NitroTPM and UEFI Secure Boot

Security ranks pretty high on everyone’s lists nowadays and that’s definitely true for Amazon Web Services as well. Earlier this month, Amazon announced that Amazon EC2 instances now support both NitroTPM and UEFI Secure Boot.

The announcement was originally made back in December during Amazon’s re:Invent 2021 event, where the company detailed new innovations coming to the AWS Nitro platform. This is the underlying platform that will power the next generation of AWS EC2 instances, and the NitroTPM security and compatibility feature will be a big part of it.

What is Amazon’s NitroTPM technology?

Trusted Platform Module (TPM) technology is designed to provide hardware-based security for PCs and virtual machines. It does so with a secure crypto-processor on the motherboard that performs various cryptographic operations.

NitroTPM is a virtual, TPM 2.0-compliant module for your Amazon Elastic Compute Cloud (Amazon EC2) instances. “You can use NitroTPM to store secrets, such as disk encryption keys or SSH keys, outside of the EC2 instance memory, protecting them from applications running on the instance,” Amazon explained. For instance, you can use NitroTPM to store encryption keys for BitLocker on Microsoft Windows.

Windows recognizes Amazon’s NitroTPM module

NitroTPM is supported on all Nitro-based Intel and AMD EC2 instance types that support UEFI boot mode. Graviton1, Graviton2, Xen-based, Mac, and bare-metal instances are not supported.

How NitroTPM improves EC2 security with “Measured Boot”

The new UEFI Secure Boot support builds on EC2’s existing secure boot process by providing additional defense mechanisms to secure software from threats that persist across reboots. UEFI Secure Boot ensures that your EC2 instances run authentic software by verifying the digital signature of all boot components. The boot process is halted if the signature verification fails.

“Another key feature that NitroTPM provides is a ‘measured boot’ configuration that can help secure the boot process. This improves boot security in the event that, for example, a malicious program overwrites part of your kernel with malware,” Amazon explained. With measured boot, the system obtains signed Platform Configuration Register (PCR) values from the TPM and uses them to prove that the boot state of the system is valid.
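The check behind measured boot can be sketched in a few lines of Python. This is an added example, not AWS code: the component names, the sample images and the use of PCR index 4 are constructed for illustration, and the signature on the TPM quote is assumed to have been verified already.

```python
import hashlib

ZERO = bytes(32)  # a SHA-256 PCR holds all zeros after reset

def measure(data: bytes) -> bytes:
    return hashlib.sha256(data).digest()

def extend(pcr: bytes, digest: bytes) -> bytes:
    # TPM 2.0 extend: a PCR cannot be written, only folded forward.
    return hashlib.sha256(pcr + digest).digest()

def replay(event_log):
    """Recompute PCR values from (pcr_index, name, digest) events."""
    pcrs = {}
    for index, _name, digest in event_log:
        pcrs[index] = extend(pcrs.get(index, ZERO), digest)
    return pcrs

def check_boot(event_log, quoted_pcrs, allowed):
    """Return findings; an empty list means the boot state is accepted."""
    # quoted_pcrs: {index: value} from a TPM quote (signature assumed verified)
    # allowed:     {component name: known-good digest}
    findings = []
    replayed = replay(event_log)
    # 1. The log must reproduce the PCR values the TPM vouched for.
    for index, value in sorted(quoted_pcrs.items()):
        if replayed.get(index, ZERO) != value:
            findings.append(f"PCR {index}: event log does not match quote")
    # 2. Every measured component must be on the known-good list.
    for _index, name, digest in event_log:
        if allowed.get(name) != digest:
            findings.append(f"{name}: unexpected measurement")
    return findings

# Constructed sample data: component names, images and PCR index 4.
GOOD = {"bootloader": measure(b"bootloader v1"), "kernel": measure(b"kernel v1")}

def boot(kernel_image: bytes):
    """Simulate a boot; return (event_log, PCR values the TPM would hold)."""
    log = [(4, "bootloader", GOOD["bootloader"]),
           (4, "kernel", measure(kernel_image))]
    return log, replay(log)

if __name__ == "__main__":
    clean_log, clean_pcrs = boot(b"kernel v1")
    bad_log, bad_pcrs = boot(b"kernel v1 + implant")
    print(check_boot(clean_log, clean_pcrs, GOOD))
    print(check_boot(bad_log, bad_pcrs, GOOD))
    print(check_boot(clean_log, bad_pcrs, GOOD))
```

The third call shows why both steps are needed: a log edited to list only known-good digests no longer replays to the PCR values the TPM signed.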

There is no additional cost for using NitroTPM and UEFI Secure Boot with EC2 instances. NitroTPM and UEFI Secure Boot are available today in AWS GovCloud (US) and all public AWS Regions, with the exception of the AWS China (Beijing) region operated by Sinnet, as well as the AWS China (Ningxia) region operated by NWCD.