View a markdown version of this page

Security considerations - AWS Wickr

This guide documents the new AWS Wickr administration console, released on March 13, 2025. For documentation on the classic version of the AWS Wickr administration console, see Classic Administration Guide.

Security considerations

Data encryption

  • Messages remain encrypted from sender to Nitro Enclave

  • Only your Customer KMS keys can decrypt the data retention bot's private keys

  • Decrypted content is immediately re-encrypted with your KMS key before leaving the enclave

Nitro enclave attestation

AWS nitro enclaves provide cryptographic attestation:

  • Each enclave version has a unique attestation

  • Your KMS key policy logs the PCR0, PCR1, PCR2 to CloudTrail during decryption events.

  • Only approved enclave versions can decrypt your messages

  • Automatic updates to KMS policy when new enclave versions are released

Customer KMS key management

You maintain full control over your KMS keys:

  • Key rotation: Enable automatic key rotation in KMS settings

  • Access revocation: Disable the KMS key to immediately stop all decryption

  • Audit trail: CloudTrail logs all KMS key usage

  • Key policies: Customize key policies to restrict access

Data sovereignty

All decrypted data remains in your AWS account:

  • S3 bucket is in your account and region

  • You control bucket policies and access

  • Data never leaves your AWS account boundary

  • You can enable S3 versioning, lifecycle policies, and replication

IAM roles and permissions

The CloudFormation template creates minimal IAM permissions:

  • Wickr service role can only write to your specific S3 bucket

  • Decryption Lambda can only read from your S3 bucket and use your KMS key

  • All actions logged in CloudTrail