Skip to content

Enhance Security: Add support for AMD SEV-SNP secure enclaves on AWS based Clusters #1470

New issue
New issue
Open
gardener/machine-controller-manager-provider-aws
#226
Open
Enhance Security: Add support for AMD SEV-SNP secure enclaves on AWS based Clusters#1470
gardener/machine-controller-manager-provider-aws
#226
Assignees
hebelsan
@philipphombergersap

Description

@philipphombergersap
philipphombergersap
opened on Sep 15, 2025

How to categorize this issue?

/area security
/area os
/kind enhancement
/platform aws

What would you like to be added:

The ability to configure additional CPU options for EC2 worker nodes beyond the currently supported coreCount and threadsPerCore. Specifically, we need to be able to set the AmdSevSnp option to enabled for supported instance types.

This would involve extending the cpuOptions field within the WorkerConfig of the AWS provider extension (providerConfig).

An ideal implementation in the shoot manifest might look like this:

...
provider:
  type: aws
  workers:
  - name: cpu-worker-sev
    machine:
      type: m6a.large
      # ...
    providerConfig:
      apiVersion: aws.provider.extensions.gardener.cloud/v1alpha1
      kind: WorkerConfig
      # ...
      cpuOptions:
        coreCount: 2
        threadsPerCore: 1
        amdSevSnp: "enabled" # <-- This is the proposed addition
...

This change would allow Gardener to provision worker nodes that are capable of running workloads inside AMD SEV-SNP secure enclaves.

Here some AWS Docs:
https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/sev-snp.html
https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/snp-attestation.html

Why is this needed:

We need to run workloads with highly sensitive data (e.g., in-memory crypto keys) securely within Gardener clusters on AWS. Standard VMs do not protect memory from potential access by the cloud provider or a compromised hypervisor.

Hardware-based Confidential Computing technologies like AMD SEV-SNP solve this by providing CPU-enforced memory encryption and isolation. A crucial feature is remote attestation, which allows us to cryptographically verify that a workload is running in a genuine secure enclave. This provides verifiable proof of security, rather than forcing us to simply trust the cloud provider.

To use this technology on AWS, a specific CPU option (AmdSevSnp=enable) must be set when launching an EC2 instance. The Gardener AWS provider currently does not allow setting this parameter, which completely blocks our ability to leverage these essential hardware security features.

Enabling this option is a necessary first step to support Confidential Computing in Gardener, allowing users to build and run truly secure and attestable applications.

Metadata

Metadata

Assignees

Labels

No labels
No labels

Type

No type

Projects

No projects

Milestone

No milestone

Relationships

None yet

Development

No branches or pull requests

Issue actions