This project represents an example implementation of an AWS Nitro Enclave based Consensys Web3Signer deployment which is commonly used as a remote signer instance for EIP-3030 compatible blockchain validator nodes. A single Web3Signer deployment can be used by several Ethereum validator nodes.
The project is implemented in AWS Cloud Development Kit (CDK) v2 and Python.
This repository contains all code artifacts for the following two blog posts. A walkthrough, explaining how to deploy
and configure the guidance is enclosed in the docs
folder of this repository.
- AWS Nitro Enclaves for running Ethereum validators – Part 1
- AWS Nitro Enclaves for running Ethereum validators – Part 2
- AWS Nitro Web3Signer guidance walkthrough
For an overview of how to design an AWS Nitro Enclave secured blockchain validation process, please have a look at Part 1.
For a deep dive into AWS Nitro Enclave based Web3Signer node setup and integration patterns, a deep dive of how to bootstrap https endpoints inside AWS Nitro Enclave environment or how to securely tunnel https traffic over a vsock socket, please refer to Part 2.
For a walkthrough on how to deploy, bootstrap, configure and start the AWS Nitro Enclave secured Web3Signer process, please refer to the walkthrough.
- The solution will be deployed in your configured AWS account.
- All required artifacts are being uploaded to Amazon Elastic Container Registry (ECR).
- Config artifacts are being secured by leveraging AWS Key Management Service (KMS) symmetric encryption.
- Amazon DynamoDB is used as the storage service for the encrypted config artifacts.
- AWS Systems Manager is being used for secure access to the Amazon Elastic Compute Cloud (EC2) instances and also for secure initialization of the Web3Signer enclave.
- Cryptographic attestation is being used to securely decrypt the config artifacts from within the AWS Nitro Enclave via AWS KMS.
- Incoming
https
requests to Web3Signer API are being proxied over thevsock
tunnel. - The provided AWS Lambda function can be used to control the status of the Web3Signer.
- All incoming Web3Signer API requests are being routed via a Network Load Balancer and forwarded to the EC2 instances running isolated in private subnets.
- Validator clients or consensus clients can directly interact with the Web3Signer API exposed via the Network Load Balancer.
- Systemd watchdog services reads encrypted validator BLS and TLS keys.
- Watchdog service sends
init
request to Enclave with key configuration enclosed. - Enclave leverages AWS Nitro SDK (
kmstool-enclave-cli
) to decrypt encrypted keys. - Cryptographic attestation is being used by the
kmstool-enclave-cli
. - After decryption, keys are being stored in ephemeral storage of AWS Nitro Enclave.
- Web3Signer process is started inside enclave using decrypted keys, listening on
https
endpoint. - Validator sends
https
signing request tohttps_proxy
. - Request gets forwarded via
vsock
to Web3Signer running inside the enclave and gets processed.
For a more detailed explanation of the bootstrapping process please refer to the bootstrapping section of the walkthrough.
You are responsible for the cost of the AWS services used while running this Guidance.
As of April 2024, the cost for running this Guidance with the default settings in us-east-1
is approximately $200 per month for processing ( 20000 requests ).
The following table provides a sample cost breakdown for deploying this Guidance with the default parameters in the US East (N. Virginia) Region for one month.
AWS service | Dimensions | Cost [USD] |
---|---|---|
Amazon Elastic Compute Cloud (EC2) | 2 c6a.xlarge instances | $ 107.85 month |
AWS Key Management Service (KMS) | 1 Customer Managed Master Key / 20000 symmetric requests | $ 1.06 month |
Network Load Balancer | 1 | $ 16.43 month |
Network Address Translation (NAT) Gateway | 2 | $ 65.78 month |
- An AWS account
- An AWS Identity and Access Management (IAM) user with administrator access
- Configured AWS credentials
- Docker, Node.js , >=Python 3.11, pip, and jq installed on the workstation that you plan to deploy the guidance from.
-
virtual environments (venv) are recommended working with Python
-
AWS CDK per default leverages virtual environments. See how to activate virtualenv
npm install -g aws-cdk && cdk –version
To deploy the development version (cryptographic attestation turned off) of the sample application please follow the steps below:
-
Install the AWS CDK and test the AWS CDK CLI:
npm install -g aws-cdk && cdk –version
-
Download the code from the GitHub repo and change to the new directory:
git clone https://github.com/aws-samples/aws-nitro-enclave-blockchain-validator.git
-
Change to the nitro_validator_cdk repository:
cd nitro_validator_cdk
-
Install the dependencies using the Python package manager:
pip install -r requirements.txt pip install -r requirements-dev.txt
-
Run linter and code scan on all files
pre-commit run --all-files
-
Build the required binaries for Nitro Enclaves. This step requires a valid local Docker environment.
./scripts/build_kmstool_enclave_cli.sh
After you run this step, a new folder (application/eth2/enclave/kms) is available that contains the required Nitro Enclaves artifacts.
If you encounter a problem with the
build_kmstool_enclave_cli.sh
step, such as a network connectivity issue, you can turn on the debug output of the script by changing set +x to set -x inside the script.For additional information, refer to the GitHub repo.
-
(Optional) If you have deployed the validator key table and KMS key using Generate validator keys for Ethereum with trusted code in AWS Lambda and AWS Signer, modify the code in app.py to specify the
kms_arn
andvalidator_key_table_arn
. Else, skip this step. -
Specify the AWS region and account for your deployment:
export CDK_DEPLOY_REGION=us-east-1 export CDK_DEPLOY_ACCOUNT=$(aws sts get-caller-identity | jq -r '.Account')
-
Deploy the sample code with the AWS CDK CLI:
cdk deploy devNitroValidator -O output.json
Production deployment enables cryptographic attestation feature. No console access possible to enclave.
The deployment process is the same as described in the development
section above besides the cdk deployment step
(
step 2 above):
cdk deploy prodNitroSigner -O output.json
Follow all subsequent steps from the dev deployment pointed out above.
Docker Image Push/Pull Error
- On
building
instance duringcdk deploy
step:
devNitroWalletEth: fail: docker push 012345678910.dkr.ecr.us-east-1.amazonaws.com/cdk-hnb659fds-container-assets-012345678910-us-east-1:ab3fe... exited with error code 1: failed commit on ref "manifest-sha256:7141...": unexpected status from PUT request to https://012345678910.dkr.ecr.us-east-1.amazonaws.com/v2/cdk-hnb659fds-container-assets-012345678910-us-east-1/manifests/ab3fe...: 400 Bad Request
Failed to publish asset ab3fe...:012345678910-us-east-1
- On EC2 instance pulling docker container
ab3fe...: Pulling from cdk-hnb659fds-container-assets-012345678910-us-east-1
unsupported media type application/vnd.in-toto+json
Solution
- Issue might be related building and publishing docker containers from an
arm
based instances such as Apple Silicon, requiring dockerbuildx
issue - Cleanup images from local docker repository (
docker rmi ...
) and from Amazon Elastic Container Registry (ECR) e.g. via AWS console - Set environment variable in terminal session (
export BUILDX_NO_DEFAULT_ATTESTATIONS=1
) or specify it during cdk deployment (BUILDX_NO_DEFAULT_ATTESTATIONS=1 cdk deploy
)
See CONTRIBUTING for more information.
This library is licensed under the MIT-0 License. See the LICENSE file.