# AWS

### Pricing

Launching an Amazon EC2 instance with AMD SEV-SNP enabled incurs an additional hourly usage fee of 10 percent of the [On-Demand hourly rate](https://aws.amazon.com/ec2/pricing/on-demand/) for the chosen instance type.

This AMD SEV-SNP usage fee is billed separately from the instance usage itself. It is not reduced by Reserved Instances or Savings Plans, and it does not vary with the operating system you run.

### Requirements

To use AMD SEV-SNP, all of the following must hold:

1. Choose one of the supported instance types:
   * M6a: `m6a.large` | `m6a.xlarge` | `m6a.2xlarge` | `m6a.4xlarge` | `m6a.8xlarge`
   * C6a: `c6a.large` | `c6a.xlarge` | `c6a.2xlarge` | `c6a.4xlarge` | `c6a.8xlarge` | `c6a.12xlarge` | `c6a.16xlarge`
   * R6a: `r6a.large` | `r6a.xlarge` | `r6a.2xlarge` | `r6a.4xlarge`
2. Launch the instance in a supported AWS Region. Only `US East (Ohio)` and `Europe (Ireland)` support this feature.
3. Use an Amazon Machine Image (AMI) whose boot mode is `uefi` or `uefi-preferred`, and an operating system with AMD SEV-SNP guest support; consult your operating system's documentation for details. Among the AWS-supported operating systems, Amazon Linux 2023 and Ubuntu 23.04 provide AMD SEV-SNP support.

### Considerations <a href="#snp-considerations" id="snp-considerations"></a>

<details>

<summary>Activation Scope</summary>

AMD SEV-SNP can only be enabled at instance launch. Once enabled, it stays enabled for the lifetime of the instance; it cannot be turned on or off afterwards.

</details>

<details>

<summary>Instance Type Adjustment</summary>

You can change the instance type of an existing AMD SEV-SNP instance only to another instance type that also supports AMD SEV-SNP.

</details>

<details>

<summary>Limitations on Features</summary>

Hibernation and Nitro Enclaves cannot be used on an instance that has AMD SEV-SNP enabled.

</details>

<details>

<summary>Exclusion of Dedicated Hosts</summary>

AMD SEV-SNP is not supported on Dedicated Hosts.

</details>

<details>

<summary>Host Maintenance</summary>

If the underlying host of your instance is scheduled for maintenance, you receive a scheduled event notification 14 days in advance. The instance is not migrated automatically: you must stop and start it, or reboot it, yourself to move it to a new host.

</details>

### EC2

#### Launch the Instance

1. Go to [EC2 Management Console](https://eu-west-1.console.aws.amazon.com/ec2/home?region=eu-west-1#LaunchInstances:) to launch an instance.
2. Fill in the necessary information.
3. Select the `Ubuntu 23.04 - Lunar` Amazon Machine Image.

<figure><img src="https://files.gitbook.com/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FetGMTZNbCMxe3nxgUCdF%2Fuploads%2FJfRUPmfz27N5IprMu3Hn%2FWX20230808-130101%402x.png?alt=media&#x26;token=7ef7343c-3b4d-443d-ae6e-4589e2b32232" alt=""><figcaption><p>Select the image</p></figcaption></figure>

4. Choose `c6a.large` instance type.
5. Click on `Advanced details` and set `AMD SEV-SNP` as `Enabled`.

<figure><img src="https://files.gitbook.com/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FetGMTZNbCMxe3nxgUCdF%2Fuploads%2FMzyKTX8ir875CYRED2eA%2FWX20230808-133511%402x.png?alt=media&#x26;token=8710728a-e993-4cf4-b466-9e2353a0c095" alt=""><figcaption><p>Configuration of instance</p></figcaption></figure>
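The console steps above have an API equivalent. The following is an added example, not code from the original page or from AWS: it pre-checks the launch parameters against the instance types and Regions this page lists, enables AMD SEV-SNP through the `CpuOptions` parameter of `run_instances`, and then confirms from the instance description that the flag actually took effect (remember that it can only be set at launch). The AMI, key pair and subnet identifiers are placeholders you must supply; the `boto3` import is deferred so the pre-flight helpers can be exercised without AWS credentials.

```python
"""Launch an EC2 instance with AMD SEV-SNP enabled and confirm the setting took effect."""

# Supported instance types and Regions as listed on this page (assumption: still current).
SNP_INSTANCE_TYPES = {
    "m6a.large", "m6a.xlarge", "m6a.2xlarge", "m6a.4xlarge", "m6a.8xlarge",
    "c6a.large", "c6a.xlarge", "c6a.2xlarge", "c6a.4xlarge", "c6a.8xlarge",
    "c6a.12xlarge", "c6a.16xlarge",
    "r6a.large", "r6a.xlarge", "r6a.2xlarge", "r6a.4xlarge",
}
SNP_REGIONS = {"us-east-2", "eu-west-1"}   # US East (Ohio), Europe (Ireland)


def plan_launch(region: str, instance_type: str, ami_id: str, key_name: str, subnet_id: str) -> dict:
    """Build the run_instances() arguments, refusing combinations that cannot enable SEV-SNP."""
    if region not in SNP_REGIONS:
        raise ValueError(f"AMD SEV-SNP is not available in Region {region}")
    if instance_type not in SNP_INSTANCE_TYPES:
        raise ValueError(f"{instance_type} does not support AMD SEV-SNP")
    return {
        "ImageId": ami_id,
        "InstanceType": instance_type,
        "MinCount": 1,
        "MaxCount": 1,
        "KeyName": key_name,
        "SubnetId": subnet_id,
        "CpuOptions": {"AmdSevSnp": "enabled"},   # the console's "AMD SEV-SNP: Enabled" switch
    }


def ami_boot_mode_ok(image: dict) -> bool:
    """image is one element of describe_images()['Images']; SEV-SNP needs a UEFI boot mode."""
    return image.get("BootMode") in ("uefi", "uefi-preferred")


def snp_enabled(instance: dict) -> bool:
    """instance is one element of describe_instances()['Reservations'][i]['Instances']."""
    return instance.get("CpuOptions", {}).get("AmdSevSnp") == "enabled"


def launch(region: str, instance_type: str, ami_id: str, key_name: str, subnet_id: str) -> str:
    """Launch the instance, then fail loudly if SEV-SNP did not end up enabled."""
    import boto3   # deferred so the helpers above stay usable offline

    ec2 = boto3.client("ec2", region_name=region)
    image = ec2.describe_images(ImageIds=[ami_id])["Images"][0]
    if not ami_boot_mode_ok(image):
        raise RuntimeError(f"AMI {ami_id} boot mode {image.get('BootMode')!r} is not UEFI")
    instance_id = ec2.run_instances(**plan_launch(region, instance_type, ami_id, key_name, subnet_id))["Instances"][0]["InstanceId"]
    ec2.get_waiter("instance_running").wait(InstanceIds=[instance_id])
    described = ec2.describe_instances(InstanceIds=[instance_id])["Reservations"][0]["Instances"][0]
    if not snp_enabled(described):
        raise RuntimeError(f"{instance_id} is running without AMD SEV-SNP; terminate and relaunch")
    return instance_id


if __name__ == "__main__":
    # Placeholder identifiers: replace with your own AMI, key pair and subnet.
    print(launch("eu-west-1", "c6a.large", "ami-xxxxxxxxxxxxxxxxx", "my-key", "subnet-xxxxxxxxxxxxxxxxx"))
```

Inside the guest, `dmesg | grep -i sev` should list SEV-SNP among the active memory encryption features; if it does not, the instance was launched without the flag and must be relaunched, since the setting cannot be changed in place.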

#### Attestation

Attestation lets the instance prove its state and identity to a remote party. With AMD SEV-SNP enabled, the guest can request an attestation report directly from the processor. The report contains a cryptographic hash called the launch measurement, a SHA-384 digest over the initial contents of guest memory and the initial vCPU state, together with 64 bytes of caller-supplied report data that a verifier should use as a freshness nonce. The report is signed with a Versioned Loaded Endorsement Key (VLEK) whose certificate chains back to an AMD root of trust. Checking that signature confirms the report was produced by genuine AMD hardware running in SEV-SNP mode; comparing the launch measurement against a known-good value confirms which initial boot code the instance was started from.

<figure><img src="https://3478727215-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FetGMTZNbCMxe3nxgUCdF%2Fuploads%2F1GFIrzPeNDpchFSh5oUE%2FScreenshot%20from%202023-09-09%2020-16-52.png?alt=media&#x26;token=59a6badb-9db7-4266-97a1-8db72296e80e" alt=""><figcaption><p>Attestation Result</p></figcaption></figure>

To undertake attestation using AMD SEV-SNP, adhere to the subsequent steps:

**Pre Step: Install Dependencies**

```shell
$ sudo apt update
$ sudo apt install -y build-essential git libssl-dev uuid-dev autoconf
```

**Step 1: Obtain the Attestation Report**

In this step you install the tooling and request both the attestation report and the VLEK certificate that signs it.

The report is requested through the `sev-guest` utility from the AMDESE "sev-guest" repository. Clone and build the two programs you need:

```shell
$ git clone https://github.com/AMDESE/sev-guest.git
$ cd sev-guest
$ make sev-guest-get-report
$ make sev-guest-parse-report
```

Request the attestation report; the `-x` option additionally writes out the VLEK certificate that signs it. Note the all-zero hash in the output: no caller-supplied report data was passed in, so this report carries no freshness nonce.

```shell
$ sudo ./sev-guest-get-report guest_report.bin -x
Generating report using the following hash: 
    0000000000000000000000000000000000000000000000000000000000000000
    0000000000000000000000000000000000000000000000000000000000000000

wrote a8074bc2-a25a-483e-aae6-39c045a0b8a1
wrote guest_report.bin
```

The command writes two files:

* `guest_report.bin` – the raw attestation report, including its signature.
* `a8074bc2-a25a-483e-aae6-39c045a0b8a1` – the VLEK certificate, DER-encoded, that signed the report.

**Step 2: Verify the Attestation Report's Signature**

The report is signed by the Versioned Loaded Endorsement Key (VLEK), a certificate AMD issues for AWS. This step confirms that the VLEK certificate chains to the AMD root of trust and that this VLEK really signed the report.

To check the report against the VLEK certificate you will use the `sev-tool` utility, which expects both the report and the certificate in a directory named `certs`. Create it inside the `sev-guest` checkout:

```shell
$ sudo mkdir certs
```

Convert the DER-encoded VLEK certificate to PEM, the format `sev-tool` requires. The output is named `vcek.pem` because that is the file name `sev-tool` looks for, even though the certificate here is a VLEK:

```shell
$ sudo openssl x509 -inform der -in a8074bc2-a25a-483e-aae6-39c045a0b8a1 -out certs/vcek.pem
```

The VLEK certificate is now stored as `certs/vcek.pem`.

Download the AMD root of trust certificate chain for VLEK from AMD's key distribution service into the `certs` directory:

```shell
$ sudo curl --proto '=https' --tlsv1.2 -sSf https://kdsintf.amd.com/vlek/v1/Milan/cert_chain -o certs/cert_chain.pem
```

Use `openssl` to check that the VLEK certificate chains to the AMD root of trust certificates:

```shell
$ sudo openssl verify -CAfile certs/cert_chain.pem certs/vcek.pem
```

Expected output:

```bash
certs/vcek.pem: OK
```

Copy the attestation report into the `certs` directory:

```shell
$ sudo cp guest_report.bin certs/
```

Now validate the report's signature with `sev-tool`. Clone and build it next to the `sev-guest` checkout:

```shell
$ cd ..
$ git clone https://github.com/AMDESE/sev-tool.git
$ cd sev-tool
$ autoreconf -vif && ./configure && make
```

Run `sev-tool` against the `certs` directory to confirm that the VLEK certificate signed the attestation report:

```shell
$ sudo ./src/sevtool --ofolder ../sev-guest/certs --validate_guest_report
```

Expected output:

```
Guest report validated successfully!

Command Successful
```
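A successful `sev-tool` run only proves that genuine AMD hardware signed the report; what the report says still has to be checked, and the page's run above passed all-zero report data, so it carries no freshness nonce. The following is an added example, not code from the page, AMD, or AWS: it decodes the fixed-offset fields of `guest_report.bin` according to the SEV-SNP ABI report layout (version, policy, VMPL, REPORT_DATA, launch measurement, reported TCB, chip ID and the raw ECDSA signature), applies the checks a verifier should make (DEBUG policy bit clear, nonce echoed back, measurement matches a known-good value), and re-encodes the signature as DER so the same verification `sev-tool` performs can be reproduced with `openssl`. The `constructed_report` helper fabricates an unsigned report purely so the code can be exercised offline; it is not hardware output, and its TCB values are made up.

```python
"""Parse and sanity-check a raw AMD SEV-SNP attestation report (guest_report.bin)."""
import struct
import sys
from dataclasses import dataclass

REPORT_LEN = 0x4A0   # size of the ATTESTATION_REPORT structure
SIGNED_LEN = 0x2A0   # bytes 0x000..0x29F are what the VLEK signature covers (SHA-384 digest)

# GUEST_POLICY bits (SEV-SNP ABI specification)
POLICY_SMT = 1 << 16
POLICY_RESERVED_ONE = 1 << 17   # must always be set
POLICY_MIGRATE_MA = 1 << 18
POLICY_DEBUG = 1 << 19          # if set, the hypervisor may decrypt guest memory
POLICY_SINGLE_SOCKET = 1 << 20
SIG_ALGO_ECDSA_P384_SHA384 = 1


@dataclass(frozen=True)
class SnpReport:
    version: int
    policy: int
    vmpl: int
    signature_algo: int
    report_data: bytes   # 64 bytes: echoes the nonce the requester passed in
    measurement: bytes   # 48 bytes: SHA-384 launch measurement
    reported_tcb: int
    chip_id: bytes       # 64 bytes
    sig_r: int
    sig_s: int


def parse_report(buf: bytes) -> SnpReport:
    """Decode the fixed-offset fields; raises on a truncated or oversized file."""
    if len(buf) != REPORT_LEN:
        raise ValueError(f"expected a {REPORT_LEN}-byte report, got {len(buf)}")
    version, _guest_svn, policy = struct.unpack_from("<IIQ", buf, 0x00)
    vmpl, sig_algo = struct.unpack_from("<II", buf, 0x30)
    (reported_tcb,) = struct.unpack_from("<Q", buf, 0x180)
    sig = buf[0x2A0:0x2A0 + 144]   # R then S, each a 72-byte little-endian zero-padded integer
    return SnpReport(version=version, policy=policy, vmpl=vmpl, signature_algo=sig_algo,
                     report_data=buf[0x50:0x90], measurement=buf[0x90:0xC0],
                     reported_tcb=reported_tcb, chip_id=buf[0x1A0:0x1E0],
                     sig_r=int.from_bytes(sig[:72], "little"),
                     sig_s=int.from_bytes(sig[72:], "little"))


def tcb_parts(tcb: int) -> dict:
    """Split a TCB_VERSION into its component security version numbers."""
    return {"boot_loader": tcb & 0xFF, "tee": (tcb >> 8) & 0xFF,
            "snp": (tcb >> 48) & 0xFF, "microcode": (tcb >> 56) & 0xFF}


def check_report(rep: SnpReport, expected_nonce: bytes, expected_measurement: bytes) -> list:
    """Reasons to reject the report; an empty list means the contents are acceptable.
    Signature validity is NOT checked here: do that against the VLEK certificate."""
    problems = []
    if rep.signature_algo != SIG_ALGO_ECDSA_P384_SHA384:
        problems.append(f"unexpected signature algorithm {rep.signature_algo}")
    if not rep.policy & POLICY_RESERVED_ONE:
        problems.append("policy bit 17 is clear: malformed policy")
    if rep.policy & POLICY_DEBUG:
        problems.append("DEBUG policy bit set: guest memory is readable by the hypervisor")
    if rep.report_data != expected_nonce:
        problems.append("REPORT_DATA does not echo our nonce: stale or replayed report")
    if rep.measurement != expected_measurement:
        problems.append("launch measurement differs from the expected boot image")
    return problems


def _der_len(n: int) -> bytes:
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def _der_uint(n: int) -> bytes:
    body = n.to_bytes(max(1, (n.bit_length() + 7) // 8), "big")
    if body[0] & 0x80:          # leading zero keeps the INTEGER positive
        body = b"\x00" + body
    return b"\x02" + _der_len(len(body)) + body


def der_signature(rep: SnpReport) -> bytes:
    """Re-encode R,S as the DER ECDSA-Sig-Value that `openssl dgst -verify` expects."""
    inner = _der_uint(rep.sig_r) + _der_uint(rep.sig_s)
    return b"\x30" + _der_len(len(inner)) + inner


def constructed_report(nonce: bytes, measurement: bytes, policy: int, r: int, s: int) -> bytes:
    """Synthetic, unsigned report for offline tests; NOT the output of real hardware."""
    buf = bytearray(REPORT_LEN)
    struct.pack_into("<IIQ", buf, 0x00, 2, 0, policy)            # version 2, guest_svn 0
    struct.pack_into("<II", buf, 0x30, 0, SIG_ALGO_ECDSA_P384_SHA384)
    buf[0x50:0x90] = nonce
    buf[0x90:0xC0] = measurement
    struct.pack_into("<Q", buf, 0x180, (0xD1 << 56) | (0x16 << 48) | 0x03)  # made-up TCB
    buf[0x2A0:0x2A0 + 72] = r.to_bytes(72, "little")
    buf[0x2A0 + 72:0x2A0 + 144] = s.to_bytes(72, "little")
    return bytes(buf)


if __name__ == "__main__":
    raw = open(sys.argv[1] if len(sys.argv) > 1 else "guest_report.bin", "rb").read()
    rep = parse_report(raw)
    print("version", rep.version, "policy", hex(rep.policy), "tcb", tcb_parts(rep.reported_tcb))
    print("measurement", rep.measurement.hex())
    open("signed.bin", "wb").write(raw[:SIGNED_LEN])   # what the VLEK signed
    open("sig.der", "wb").write(der_signature(rep))
```

With `signed.bin` and `sig.der` written, the signature can be checked independently of `sev-tool`: `openssl x509 -in certs/vcek.pem -pubkey -noout > vlek_pub.pem` followed by `openssl dgst -sha384 -verify vlek_pub.pem -signature sig.der signed.bin` must print `Verified OK`. The nonce check in `check_report` is only meaningful when the requester puts a fresh random value into REPORT_DATA; with the zero report data used above, anyone holding an old report could replay it.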

### EKS

EKS managed node groups do not expose the AMD SEV-SNP launch option. Instead, create EC2 instances as described above, install Kubernetes on them yourself, and [register the resulting cluster with EKS](https://docs.aws.amazon.com/eks/latest/userguide/connecting-cluster.html) to manage an AMD SEV-SNP-backed Kubernetes cluster from the EKS console.

### Lambda

Currently, AWS Lambda doesn't support AMD SEV-SNP.

