What is AWS Nitro?

The AWS Nitro System is a new virtualization infrastructure that serves as the underlying platform for the next generation of EC2 instances. The goal of AWS Nitro is to accelerate AWS innovation, reduce customer cost, increase security, and deliver new instance types, including bare-metal instances where customers can bring their own hypervisor (or have no hypervisor).


How does AWS Nitro work?

Unlike traditional hypervisors that perform a wide range of functions (physical hardware and BIOS protection; CPU, storage, and networking virtualization; and other management capabilities), AWS Nitro breaks these functions apart and offloads them to dedicated hardware and software. The AWS Nitro System is composed of the following:

  • Nitro cards: Provide the controllers for the data plane, EBS, and instance storage, as well as overall host coordination, so the host processor does not need to implement these functions itself.
  • Nitro security chip: Provides hardware root of trust, secure boot, and other security features, enabling a more secure cloud platform with a minimized attack surface.
  • Nitro hypervisor: A lightweight hypervisor that manages memory and CPU allocation to deliver performance that is comparable to bare metal.

Customers who wish to create isolated compute environments to further protect and securely process highly sensitive data within their EC2 instances can create AWS Nitro Enclaves, which use the Nitro hypervisor technology.


The benefits of AWS Nitro

Security: Because only the hardened Nitro cards can access other resources, the host system no longer has direct access to AWS resources. Each Nitro card exposes software-defined hardware devices that serve as the only access points from the host. The Nitro security model is locked down to prevent both human error and tampering.

Performance: Because the Nitro cards handle the I/O access with high-speed networking, high-speed EBS, and I/O acceleration, the Nitro hypervisor can be lightweight, running only necessary functions, activating only when work is requested from an instance.