New episode!
The Scoop on Loop: The Latest Innovations Directly From Microsoft!
Darrell Webster speaks to Rebecca Keys, a Program Manager from the Microsoft Loop team.
Turn Data Protection into an MRR Growth Engine
Security for your customers, revenue for your MSP practice. Access key insights on how to scale your practice with SkyKick’s new eGuide.
MSP eGuide to Package, Sell and Deliver M365 Security Services
Based on input from our top-performing MSPs, SkyKick prepared the MSP Guide to help you navigate the security landscape.

Amazon EC2 Now Supports NitroTPM and UEFI Secure Boot

Security ranks pretty high on everyone’s lists nowadays and that’s definitely true for Amazon Web Services as well. Earlier this month, Amazon announced that Amazon EC2 instances now support both NitroTPM and UEFI Secure Boot.

The announcement was originally made back in December during Amazon’s re:Invent 2021 event, where the company detailed new innovations coming to the AWS Nitro platform. This is the underlying platform that will power the next generation of AWS EC2 instances, and the NitroTPM security and compatibility feature will be a big part of it.

What is Amazon’s NitroTPM technology?

Trusted Platform Module (TPM) technology is designed to provide hardware-based security for PCs and virtual machines. It does so with a secure crypto-processor that performs various cryptographic operations on a motherboard.

NitroTPM is a virtual TPM 2.0-compliant TPM module for your Amazon Elastic Compute Cloud (Amazon EC2) instances. “You can use NitroTPM to store secrets, such as disk encryption keys or SSH keys, outside of the EC2 instance memory, protecting them from applications running on the instance,” Amazon explained. For instance, you can use NitroTPM to store encryption keys for BitLocker on Microsoft Windows.

Windows recognizes Amazon's NitroTPM module — Windows recognizes Amazon’s NitroTPM module

NitroTPM is supported on all Nitro-based Intel and AMD EC2 instance types that support UEFI boot mode. Graviton1, Graviton2, Xen-based, Mac, and bare-metal instances are not supported.

How NitroTPM improves EC2 security with “Measured Boot”

The new UEFI Secure Boot support builds on EC2’s existing secure boot process by providing additional defense mechanisms to secure software from threats that persist across reboots. UEFI Secure Boot ensures that your EC2 instances run authentic software by verifying the digital signature of all boot components. The boot process is halted if the signature verification fails.

“Another key feature that NitroTPM provides is a “measured boot” configuration that can help secure the boot process. This improves boot security in the event that, for example, a malicious program overwrites part of your kernel with malware,” Amazon explained. With measured boot, the system obtains signed Platform Configuration Registers (PCR) values from the TPM and uses them to prove that the boot state of the system is valid.

There is no additional cost for using NitroTPM and UEFI Secure Boot with EC2 instances. NitroTPM and UEFI Secure Boot are available today in AWS GovCloud (US) and all public AWS Regions, with the exception of the AWS China (Beijing) region operated by Sinnet, as wall as the AWS China (Ningxia) region operated by NWCD.

by Michael Otey
Last Update: Feb 03, 2023
May 24, 2022

Michael Otey is president of TECA, a technical content production, consulting and software development company in Portland, Ore. Michael is a former SQL Server MVP and was Senior Technical Director for Windows IT Pro and SQL Server Pro. He covers the...

What is Amazon Kinesis Data Firehose?

Jul 14, 2023
AWS Certifications: A Complete Guide

Jul 31, 2023
What is AWS Amplify?

Apr 21, 2023
Jun 23, 2023

Take our survey

PETRI NEWSLETTERS

Join Petri Insider

Create a free account today to participate in forum conversations, comment on posts and more.