
Nitro Enclave Attestation Shim

The Nitro Attestation Shim requests a TLS certificate from Let's Encrypt, terminates TLS inside an AWS Nitro Enclave, and serves the enclave's remote attestation document, which includes the fingerprint of that TLS certificate. A client can therefore verify the attestation and then check that the certificate presented on its TLS connection is the one bound to the attested enclave.


nitro-attestation-shim -u UPSTREAM_PORT -e EMAIL [OPTIONS] -- [COMMAND]

Required Flags

  • -u, --upstream-port: HTTP port to connect to upstream server
  • -e, --email: Email address for Let's Encrypt account registration

Optional Flags

  • -s, --staging-ca: Use Let's Encrypt staging environment instead of production
  • -p, --paths: Specific paths to proxy to the upstream server (if empty, all paths are proxied)


Ports

Port   Direction   Description
443    Listen      Service proxy and attestation server
8080   Listen      Control API (HTTP)
7443   Connect     Host TLS egress proxy

Network Configuration

On startup the shim configures a loopback address inside the enclave (an enclave starts with no configured network interfaces) using iproute2, so the runtime container must ship the iproute2 package (the ip command).


nitro-attestation-shim -u 8000 -e [email protected] -s -p /api/v1 -- python3 -m http.server


  • The shim waits one second on startup so that a console can be attached (nitro-cli console, which requires the enclave to run in debug mode) before early log output is emitted

Host preparation on Amazon Linux

sudo dnf install -y git socat docker aws-nitro-enclaves-cli aws-nitro-enclaves-cli-devel
sudo usermod -aG ne ec2-user
sudo usermod -aG docker ec2-user

# Optionally raise the memory reserved for enclaves (this sets 24 GiB; cpu_count in the same file controls the CPUs)
sudo sed -i 's/^memory.*/memory_mib: 24576/' /etc/nitro_enclaves/allocator.yaml

sudo systemctl enable --now docker
sudo systemctl enable --now nitro-enclaves-allocator


To build a new release, push a new tag using semver (vX.Y.Z). GitHub Actions will build and publish the image to

The shim container image doesn't run any code itself; it serves as a parent layer for the application-specific container image. The shim binary is located at /nitro-attestation-shim in that image so that you can copy it into your runtime layer. See the nginx Dockerfile for a simple example.