
Can I use Amazon AWS Lambda as a secure enclave for trusted computing?

I would like to use AWS Lambda to perform a computation on behalf of a 3rd party and then prove to them that I did so as intended. A proof would be a cryptographically signed digest of the function body, the request, and the response. Ideally, Amazon would sign the digest with its own private key and publish their public key to allow verification of the signature. The idea is similar to the "secure enclave" that new Intel chips provide through SGX (Software Guard Extensions).

The existing Lambda service has some of the ingredients needed. For example, the GetFunction response includes a CodeSha256 field that uniquely identifies the function implementation. And the Amazon API Gateway allows you to make HTTPS requests to the Lambda service, which might allow a TLSNotary-style proof of the request-response contents. But to do this right I think AWS Lambda needs to provide the signature directly.

Microsoft Azure is working on trusted software enclaves ("cryptlets") in their Project Bletchley:

https://github.com/Azure/azure-blockchain-projects/blob/master/bletchley/bletchley-whitepaper.md
https://github.com/Azure/azure-blockchain-projects/blob/master/bletchley/CryptletsDeepDive.md

Is something like this possible with the current AWS Lambda?

asked Feb 01 '17 11:02

Michael Maurer



1 Answer

AWS has a different approach to security. You can set what can use a particular resource, and in which way.

For sure you can do what was described. You can identify the request, the response, and the exact version of the code that was used. The question is whether you want to sign the code when processing the request. An easier way is to have that calculated on deploy.

For the first case, you need a language with access to the source. With Python, for example, you can get it, sign it and return that, or store it somewhere.

For the second case, I would use tagging.

answered Oct 04 '22 06:10

Michał Zaborowski
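
An added example, not part of the question or the answer: the receipt the question describes (a digest over the function body, the request and the response), with the code hash computed once from the deployment package in the base64 SHA-256 encoding Lambda reports as CodeSha256. The key, the function names and the sample package are assumptions, and HMAC from the standard library stands in for the signature; because the function owner holds the key, this binds the three values together but is not an attestation by AWS.

```python
import base64, hashlib, hmac, io, json, zipfile

def code_sha256(package: bytes) -> str:
    # Base64-encoded SHA-256 of the deployment package (CodeSha256 encoding).
    return base64.b64encode(hashlib.sha256(package).digest()).decode()

def _canonical(code_hash, request, response) -> bytes:
    # Sorted keys and fixed separators so signer and verifier hash identical bytes.
    fields = {"code_sha256": code_hash, "request": request, "response": response}
    return json.dumps(fields, sort_keys=True, separators=(",", ":")).encode()

def make_receipt(key: bytes, code_hash: str, request, response) -> dict:
    # Runs on the function side: digest first, then a tag over the digest.
    digest = hashlib.sha256(_canonical(code_hash, request, response)).hexdigest()
    tag = hmac.new(key, digest.encode(), hashlib.sha256).hexdigest()
    return {"code_sha256": code_hash, "digest": digest, "signature": tag}

def verify_receipt(key: bytes, receipt: dict, package: bytes, request, response) -> bool:
    # 1. The package the verifier reviewed is the one named in the receipt.
    if not hmac.compare_digest(receipt["code_sha256"], code_sha256(package)):
        return False
    # 2. The digest covers exactly this request and this response.
    expected = hashlib.sha256(
        _canonical(receipt["code_sha256"], request, response)).hexdigest()
    if not hmac.compare_digest(receipt["digest"], expected):
        return False
    # 3. The tag over the digest was produced with the expected key.
    tag = hmac.new(key, expected.encode(), hashlib.sha256).hexdigest()
    return hmac.compare_digest(receipt["signature"], tag)

def build_sample_package() -> bytes:
    # Constructed one-file deployment zip, used only as sample input.
    source = "def handler(event, context):\n    return {'sum': event['a'] + event['b']}\n"
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr(zipfile.ZipInfo("handler.py", (2017, 2, 1, 0, 0, 0)), source)
    return buf.getvalue()

if __name__ == "__main__":
    pkg, key = build_sample_package(), b"constructed-demo-key"
    receipt = make_receipt(key, code_sha256(pkg), {"a": 2, "b": 3}, {"sum": 5})
    print(receipt)
    print(verify_receipt(key, receipt, pkg, {"a": 2, "b": 3}, {"sum": 5}))
```

For a third party to verify without sharing a secret, the HMAC tag would be replaced by an asymmetric signature whose public key is published.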