Can I use Amazon AWS Lambda as a secure enclave for trusted computing?

Question

I would like to use AWS Lambda to perform a computation on behalf of a 3rd party and then prove to them that I did so as intended. A proof would be a cryptographically signed digest of the function body, the request, and the response. Ideally, Amazon would sign the digest with its own private key and publish their public key to allow verification of the signature. The idea is similar to the "secure enclave" that new Intel chips provide through SGX (Software Guard Extensions).

The existing Lambda service has some of the ingredients needed. For example, the GetFunction response includes a CodeSha256 field that uniquely identifies the function implementation. And the Amazon API Gateway allows you to make HTTPS requests to the Lambda service, which might allow a TLSNotary-style proof of the request-response contents. But to do this right I think AWS Lambda needs to provide the signature directly.

Microsoft Azure is working on trusted software enclaves ("cryptlets") in their Project Bletchley: https://github.com/Azure/azure-blockchain-projects/blob/master/bletchley/bletchley-whitepaper.md https://github.com/Azure/azure-blockchain-projects/blob/master/bletchley/CryptletsDeepDive.md

Is something like this possible with the current AWS Lambda?

Answer 1

AWS has different approach according to security. You can set what can use particular resource, and which way.

For sure you can do what was described. You can identify request, response, and exact version of code that was used. Question is if you want to sign code, when processing request. Easier way is to have that calculated on deploy.

For first case - you need language with access to source. Like with Python, you can get it, sign and return that, or store somewhere.

Second case - I would use tagging.