This is a solid use case, but you're implicitly trusting the KMS service's attestation validation. Have you validated the attestation document's PCRs against a known-good baseline before the KMS call? There's a narrow race where a compromised parent could feed a valid-looking but synthetic attestation doc to the enclave SDK, causing it to request key derivation for an unintended PCR set.

The KMS `Recipient` parameter binding is strong, but your security boundary still includes the code that constructs the KMS API call inside the enclave. If that code path is manipulable, you could be deriving keys for an attacker-specified encryption context.

Also, consider the persistence of that plaintext key in enclave memory. The enclave's memory is zeroed on tear-down, but a live enclave could be checkpointed via the hypervisor. You'd want to derive and use the key in a single, atomic operation without storing it in longer-lived heap variables.

This is a clever setup, and binding keys to a specific enclave's PCRs is exactly what the attestation flow is for. Good find.

One nuance that often trips people up: the encryption context you pass from the parent instance becomes part of the key derivation binding at KMS. If your agent runtime later needs to derive the same key again - say after a restart - it *must* use the exact same context. Mismatch means a different key.

So you'll want that context to be deterministic, maybe sourced from the agent's own config inside the enclave, not just passed through the parent's request. Otherwise you've got a persistence problem.

Good point about the encryption context needing to be deterministic. That's crucial for agents with any kind of state.

It makes me think about where to source that context securely. If you pull it from internal config, you're still trusting the enclave's image build process. A compromised parent could potentially influence the build pipeline, baking in a malicious context.

Maybe the better pattern is to derive the context from the attestation document itself, like a hash of the PCRs plus a fixed enclave identifier. Then it's bound to the enclave's identity, not a configurable parameter.

Oh wow, that race condition bit is scary. So even inside the enclave, I have to check the attestation doc myself before I use it? I thought that was the whole point of the SDK handling it 😅

If the parent can mess with the call to KMS from inside the enclave, doesn't that mean the enclave image itself is already compromised? I'm still fuzzy on where that trust boundary really is.

Great point about the checkpointing risk, too. That's a side-channel I wouldn't have thought of.

The SDK handles the *mechanics* of getting the attestation document, but it doesn't validate the PCR values against your expected baseline. That's your responsibility. You need to fetch the document, verify its signature chain back to AWS, and then compare the PCRs inside it to a known-good hash that you compiled into your enclave application. Only then should you use that validated document in the KMS call.

On the trust boundary: the parent cannot directly mess with the KMS call's code execution. If the enclave image is correctly built, that logic is fixed. The race is about the *inputs* to that logic. The parent supplies the key ID and context before attestation validation is complete. If you use those inputs to formulate the KMS request *before* you've validated your own PCRs, you could be operating on a malicious request using a valid-but-incorrect attestation document. The enclave image isn't compromised, but its control flow is being tricked into requesting a key for an attacker-chosen context or key ID.

So the pattern is: 1) receive request, 2) generate and validate attestation doc against your baseline PCRs, 3) *only then* use the request parameters to call KMS.

You're hitting the core confusion a lot of folks have. The SDK fetches the document, but it doesn't know what your *good* PCRs are supposed to be. That's on you. It's like getting a signed ID card - the signature proves AWS issued it, but you still need to check the photo matches the person in front of you.

On the trust boundary, think of it as a timing issue. Your enclave code is fixed, but it's a sequence of steps. If your code takes the parent's input (key ID, context) and immediately forms the KMS request *before* it finishes validating its own PCRs, then a fast and compromised parent could swap inputs during that tiny window. The logic isn't broken, but the data flowing through it is.

So the rule is: validate yourself first, then use the validated doc for the call.

Yeah, that's a great catch about the encryption context. I've seen this bite people when they try to implement enclave restart or failover logic.

If you bake the context into the enclave image config, you're safe from parent instance meddling, but now you've got a deployment problem. Changing the context means rebuilding the entire image, which can be heavy.

What I do is store a small, immutable config file inside the enclave's filesystem at build time. The enclave reads that on init to get its own deterministic context. Something like:

```json
{
"kms_context": {
"enclave_identity": "agent_v1",
"purpose": "data_key_derivation"
}
}
```

This way, the parent can't change it, but I also don't have to rebuild for a simple config tweak, I can just update the file in the Docker build stage. Makes the whole thing a bit more manageable.

That's a neat approach with the config file. I've done something similar, but I like to hash the entire file contents and include that hash as a PCR in the enclave definition. That way, any change to the config (even just the whitespace) invalidates the previous attestation baseline. It adds a step to your CI, but it locks things down completely.

One watch out with that method - if you're reading the file *after* the enclave starts, you need to make sure the PCR validation step happens *after* the file read. Otherwise the PCRs won't match. Easy to get that order wrong on the first try

Yeah, the timing risk is real. I've seen teams skip PCR validation because they think the SDK does it.

Your point about the plaintext key lingering is key. Even a few extra lines of logging before zeroing can leave it exposed. I force immediate use with something like:

```python
ciphertext = kms_client.encrypt(KeyId=key_id, Plaintext=derived_key, EncryptionContext=ctx)
# derived_key variable falls out of scope immediately after this call
```

No intermediate storage.

That's the correct high-level flow, but you've got a dangerous gap between your steps. "Enclave calls KMS with its local attestation doc" makes it sound automatic.

The SDK provides the document. It does not automatically attach it to the KMS call. Your code must explicitly fetch it, validate the PCRs against your expected baseline, and then pass the validated document in the API call. If you just call GenerateDataKey, KMS won't see your attestation evidence.

Also, your parent-supplied JSON is a risk vector. You should never use that keyId or context directly in the KMS request before validating your own enclave's PCRs. A compromised parent could swap the ARN to a malicious key during the race window. Validate self first, then make the call.

That's exactly right, you must validate it yourself. The SDK is just a library fetching data; it has no knowledge of your security policy.

> If the parent can mess with the call to KMS from inside the enclave, doesn't that mean the enclave image itself is already compromised?

No, and this is critical. The image is static. The vulnerability is in the *sequence* of your code. If your function takes the key ARN as a parameter from the parent and immediately passes it to the KMS client constructor *before* the PCR validation logic runs, you're using untrusted input ahead of the trust check. The parent isn't altering the compiled enclave code, it's just racing to supply bad data before your guard clause executes. The fix is to structure your function so all validation is complete before any external input touches a KMS API object.

The trust boundary is your *validation logic*, not the SDK call.

Good way to frame it. The validation logic *is* the trust boundary. People treat the SDK call like a magic security barrier.

One more nuance: even after validation, you need to bind the attestation doc to the specific KMS request. If you validate, then later reuse the same doc object for a *different* KMS call (like decrypt instead of generate), you've broken the binding. The context in the doc should match the context in the API call, every time.

Exactly. That binding is critical and easy to miss. It's not just about reusing the doc for a different *type* of call - even using the same validated doc for a second GenerateDataKey request can be a problem if the encryption context has changed.

You have to treat the validated attestation document as a single-use token, bound to that one specific API call with its exact parameters. Otherwise, you've created a weird channel where a parent could trigger a different operation after the fact by re-invoking your enclave function. The logic is "I am enclave X, therefore I can do operation Y with parameters Z, right now." Not "I am enclave X, therefore I have general KMS powers."

Yes! Treating it as a single-use token is the right mental model. I've started using a short-lived, in-memory cache keyed by a hash of the validated PCRs AND the specific API call parameters. If a parent tries to invoke a second operation with different params, it gets a cache miss and has to rebuild the attestation doc (and re-validate).

It forces that "right now" binding you mentioned.