AWS enclaves medium security documentation change
Summary
Added explicit configuration steps for SSL crypto device and renumbered subsequent steps
Security assessment
Configuring pkcs11 SSL engine relates to cryptographic security implementation. While not fixing an active vulnerability, it documents secure TLS configuration practices.
Diff
diff --git a/enclaves/latest/user/install-acm.md b/enclaves/latest/user/install-acm.md index c6341f634..90804f4e7 100644 --- a//enclaves/latest/user/install-acm.md +++ b//enclaves/latest/user/install-acm.md @@ -314 +314,9 @@ NGINX - 4. Configure NGINX to use the pkcs11 SSL engine by setting the top-level `ssl_engine` directive. + 4. Open the `/etc/httpd/conf.d/ssl.conf` file and find this directive: + + SSLCryptoDevice builtin + +Change the directive as follows: + + SSLCryptoDevice pkcs11 + + 5. Configure NGINX to use the pkcs11 SSL engine by setting the top-level `ssl_engine` directive. @@ -332 +340 @@ Example - 5. Enable the TLS server and configure the server to use your certificate. + 6. Enable the TLS server and configure the server to use your certificate. @@ -398 +406 @@ The completed section should appear as follows. - 6. Start the ACM for Nitro Enclaves service and ensure that it starts automatically at instance boot. + 7. Start the ACM for Nitro Enclaves service and ensure that it starts automatically at instance boot. @@ -404 +412 @@ The completed section should appear as follows. - 7. Test that the ACM for Nitro Enclaves is working as expected. + 8. Test that the ACM for Nitro Enclaves is working as expected.