ACM for Nitro Enclaves Streamline

A CDK app that automates the installation and configuration of ACM for Nitro Enclaves on Amazon EC2 instances. This project simplifies the complex manual installation process by providing both a simple CLI tool (setup-tool) and three modular CDK stacks.

Architecture Overview

The app consists of three main CDK stacks, which correspond to the steps outlined in the AWS documentation for manually installing ACM for Nitro Enclaves.

1. Certificate Stack (Step 1)

Can be bypassed by providing an existingCertificateArn

Purpose:

• Provisions an ACM certificate (public/private) for a specified domain.
• Handles domain validation requirements (automatic if Route53 is the DNS provider, otherwise needs to be done manually)

Outputs:

• Domain Name
• Certificate ARN

2. Role Stack (Steps 3, 4, 5)

Purpose:

• Creates and configures the ACM role.
• Associates the role with the certificate.
• Manages permissions for certificate and KMS key access.
• Creates instance profile from the ACM role.

Outputs:

• ACM Role Name and ARN
• Certificate S3 Bucket Name
• Certificate S3 Object Key
• Encryption KMS Key ID

3. Instance Stack (Steps 2, 6)

Purpose:

• Creates an enclave-enabled EC2 instance with:
  • Default VPC, public subnet and security group configuration.
  • Support for NGINX and Apache server types.
  • Support for Amazon Linux 2 (AL2) and Amazon Linux 2023 (AL2023) AMI types,
  • Nitro Enclave compatible instance types.
• Attaches instance profile to the instance.
• Configures the web server to use ACM for Nitro Enclaves.

Outputs:

• Synthesized AWS SSM Connection String (or SSH Connection String)
• Instance ID
• Instance Public IP
• Instance Public DNS Name
• Key Pair Name
• Server Type
• AMI Type

Prerequisites

• NPM
• AWS CDK CLI installed & AWS credentials configured.
• EC2 Keypair
• Domain name, if creating a new certificate. Otherwise, the existingCertificateArn to bypass certificate creation.
• For private certificates: An AWS Private Certificate Authority (PCA)

Quick Start

Installation

git clone <repository-url>
cd aws-nitro-enclaves-acm/cdk
npm install
cdk bootstrap aws://<AWS_ACCOUNT_ID>/<AWS_REGION>

Usage

CLI Tool setup-tool

The setup-tool provides a simple one-line command to deploy or destroy the complete ACM for Nitro Enclaves setup.

Available Commands:

• deploy: Deploy a new ACM setup
• destroy: Destroy one or all existing stacks attached to a setup name
• help: Show command options

CDK CLI

For advanced deployment scenarios using CDK CLI directly, or for detailed configuration options, please refer to our CDK Usage Guide.

CLI Tool Examples (setup-tool)

Deploy Command Examples:

Deployment with the creation of a Private Certificate

path/to/setup-tool deploy \
  --setup-name my-setup \
  --aws-region <region> \  #(e.g. us-east-1)
  --aws-account-id <account-id> \
  --is-private \
  --pca-arn <pca-arn> \
  --domain-name <your-domain> \
  --key-pair-name <key-pair-name> \
  --instance-type <instance-type> \  #(e.g. c5.2xlarge)
  --ami-type <AL2|AL2023> \
  --web-server-type <NGINX|APACHE> \
  --encrypt-volume # (Optional - encrypts root EBS storage volume)

Deployment with an existing ACM Certificate (public certificate in this example)

path/to/setup-tool deploy \
  --setup-name my-setup \
  --aws-region <region> \  #(e.g. us-east-1)
  --aws-account-id <account-id> \
  --domain-name <your-domain> \
  --certificate-arn arn:aws:acm:<region>:<account-id>:certificate/xxxx-yyy-zz \
  --key-pair-name <key-pair-name> \
  --instance-type <instance-type> \  #(e.g. c5.2xlarge)
  --ami-type  <AL2|AL2023> \
  --web-server-type <NGINX|APACHE> \
  --encrypt-volume # (Optional - encrypts root EBS storage volume)

Notes:

• The (optional) --require-approval flag can be added to the deploy command arguments to control approval requirements, as specified in the AWS CDK Documentation by appending:

--require-approval LEVEL (never|any-change|broadening)

• While SSH access can be enabled using the (optional) --allow-ssh-port flag, it is not recommended. Instead, it is recommended to use AWS Systems Manager (SSM) Session Manager for secure instance access.

Destroy Command Examples:

Destroy all stacks for a setup

path/to/setup-tool destroy \
  --setup-name my-setup \
  --aws-account-id <account-id> \
  --aws-region <region> \
  --all

Destroy specific stack(s)

path/to/setup-tool destroy \
  --setup-name my-setup \
  --aws-account-id <account-id> \
  --aws-region <region> \
  --instance-stack
# --role-stack
# --certificate-stack

Note: All deployed stacks can be found in the AWS CloudFormation console, where you can:

• View detailed stack outputs
• Monitor stack events in real-time
• Manage stack lifecycle (update/delete)
• Track resource creation and deletion