AWS Nitro API Co-signer Architecture - Fireblocks Developer Docs

Learn how to install AWS Nitro Co-signer in the following guide

AWS resources used by the Co-signer

The Fireblocks AWS Nitro API Co-signer leverages AWS Nitro Hypervisor technology and attestation mechanisms. It utilizes the following AWS resources:

EC2 Instance: Nitro-capable VM, through which the enclave operates.
S3 Bucket: used as the Co-signer’s persistent storage and holds the encrypted database of the Co-signer.
KMS Customer Managed Key: used to securely protect the Co-signer’s MPC keyshares, which are stored in the Co-signer’s persistent storage within an S3 bucket.
IAM Role: used to tie everything together by granting only the necessary permissions to the specific resources.

Important: Allocate a separate set of resources for each Co-signer to prevent conflicts and ensure isolation, enhancing security.

This is illustrated in the block diagram below:

Google Cloud Confidential Space API Co-signer Architecture

⌘I

Learn how to install AWS Nitro Co-signer in the following guide
AWS resources used by the Co-signer
Important: Allocate a separate set of resources for each Co-signer to prevent conflicts and ensure isolation, enhancing security.