The Nix Attestable AMI Builder helps creating Attestable AMIs which are confidential, attestable, and reproducible EC2 AMI images. It’s designed for workloads that require enhanced security, where the initial state of the EC2 instance needs to be cryptographically measured and verified before any confidential data is bootstrapped on the system.
It provides the Nix framework to build read-only, bit-by-bit reproducible, and measurable EC2 AMIs. These AMIs contain all required attestation logic and helper tools for boilerplate actions, such as extracting TPM attestation reports or decrypting secrets from KMS using such attestation reports.
Note that this isn’t my project but I am extremely excited to see this drop.
Context. I am the maintainer of the official NixOS AMI and also the maintainer of systemd in NixOS.
The NixOS systemd team (with a special shout out to @nikstur for driving a lot of this work) has been working on creating an amazing story for building attestable appliance images using NixOS, and seeing this get adopted by AWS is a testament to the amazing set of tools we’ve built over the past years.
This has taken years of hard work and seeing it get adopted by the largest cloud provider is very humbling.
This means we can now create a custom nixISO image and push it to AWS to use?
Or we can just pass the config and AWS will manage creating the custom ISO and boot up the machine to our desired state?
Someone clarify please.
The first.
This is a recipe for building attestable appliance images. The resulting image is immutable and has no nix or nixos tooling.
If you want a traditional NixOS experience where you can pass a config to nixos-rebuild switch, you can use the AMI from our homepage instead: Download | Nix & NixOS
Oh ok. So this one is for the images created by nixos-generators, I guess. I also saw the AWS EC2 image already created in the NixOS homepage asciinema video, so what is this new news about?
Maybe I’m unaware of these. A wiki or a blog or something would also help.
I’m planning to write a blog post about this!
I’m still eagerly waiting for your blog.