
Deploy in your own AWS account

Deploy Caution enclaves in your own AWS infrastructure while Caution handles the build and deployment orchestration.

What is bring your own cloud?

Bring your own cloud (BYOC) lets you run confidential enclaves in your own AWS account. A one-time setup script creates isolated AWS infrastructure and a role that can only interact with resources tagged for Caution, then Caution manages deployments within that environment. For full details, see the bring your own cloud reference.

AWS Nitro support today

Caution currently supports deployments on AWS Nitro Enclaves. We are actively working on support for Intel TDX, AMD SEV-SNP, and TPM 2.0 attestations.

What you need

Before you begin, ensure you have the following:

Access code: Request access at info@caution.co
Passkey: Browser or platform passkey, password manager passkey, or a security key or smart card (YubiKey, NitroKey, or LibremKey)
CLI: Supported today on Linux (x86_64) or macOS (arm64)
Git: For cloning and pushing repositories
Docker: With the containerd image store enabled
Containerized app: Your application must be containerized
AWS credentials: For the AWS account where Caution will provision tagged resources

AWS credentials should belong to a least-privilege IAM role where possible; admin credentials also work, but they grant the setup far more than it needs. See the bring-your-own-cloud-setup repository for guidance.

Install the CLI

Follow the installation instructions in the CLI README.

Create an account

To create an account, you'll need a valid access code and a passkey. You can register in the browser or with the CLI.

If you do not have an access code, request one at info@caution.co.

With the CLI:

caution register --alpha-code <your_code>

In the browser:

  1. Go to dashboard.caution.co
  2. Enter your access code
  3. Choose your passkey method
  4. Click Continue
  5. Approve the passkey interaction when prompted

Add an SSH key

Add an SSH key so you can push to Caution over SSH when deploying. With the CLI, using the key loaded in your SSH agent:

caution ssh-keys add --from-agent

Alternatively, add an SSH key from the browser dashboard.

Select an application

Deploy your own containerized application, or start with one of the Caution demo apps. For this guide, use hello-world-enclave:

git clone https://codeberg.org/caution/demo-hello-world-enclave.git
cd demo-hello-world-enclave

Set up your AWS environment

Choose how you want to provision the AWS environment for bring your own cloud deployments. Both paths continue through the Caution CLI for app registration, Git-based deployment, and verification.

Automatic provisioning

Use this path if you want Caution to provision AWS infrastructure and register deployment credentials automatically.

From your application directory, run:

caution init --byoc

This command detects your AWS credentials, provisions the required AWS infrastructure, creates your app on Caution, and registers the deployment credentials automatically.

Manual provisioning

Use this path if you want more control over the AWS infrastructure setup before registering the deployment configuration with Caution.

From a working directory, run:

git clone https://codeberg.org/caution/bring-your-own-cloud-setup.git
cd bring-your-own-cloud-setup

cp .env.example .env
# Edit .env with your AWS credentials

docker build -t caution-provisioner-setup .

docker run --rm \
  --env-file .env \
  -v "$(pwd)/out:/out" \
  caution-provisioner-setup

This provisions the required AWS infrastructure and writes credentials.json.gpg to the out/ directory.

Use an existing VPC (Optional)

If you want Caution to provision resources in an existing VPC (Virtual Private Cloud) instead of creating a new one, set VPC_ID=vpc-xxxxxxxx in your .env file before running the Docker command.

To use the generated encrypted credentials, return to your application directory and run:

caution init --byoc --config /path/to/credentials.json.gpg

What the setup creates

The setup flow creates an isolated environment for running enclaves in your AWS account:

VPC: Dedicated /16 VPC with public subnets across multiple availability zones, an internet gateway, and routing
S3 bucket: Stores enclave image files (EIFs). Named caution-<deployment-id>-images
EC2 instance role: Allows enclave instances to read EIFs from the S3 bucket
Launch template: Preconfigured template for enclave instances
Auto Scaling group: Manages enclave instances (starts at 0; Caution scales as needed)
Scoped IAM user: Credentials for Caution, scoped to only these resources
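The setup promises that the credentials handed to Caution can only touch the resources it created, and the "What you need" section asks you to use least-privilege credentials for the setup itself. Both claims are worth checking rather than trusting. The script below is an added example, not part of Caution's tooling: it audits an IAM policy document (for instance the inline policy of the scoped IAM user, fetched with the AWS CLI or console) and reports any Allow statement that grants access to `Resource: "*"` without a condition on the scoping tag. The tag key `caution`, the sample policy, and the treatment of `Describe*`/`List*` actions as exempt (those EC2 and Auto Scaling calls do not support resource-level permissions) are assumptions; substitute the tag key the setup script actually applied.

```python
"""Audit an IAM policy for tag scoping (added example, not Caution's code)."""
import json

# Assumed tag key; the real key is whatever bring-your-own-cloud-setup applied.
TAG_KEY = "caution"

# Constructed sample policy: statement 0 is scoped by ResourceTag, statement 1 is a
# read-only describe statement (cannot be resource-scoped in IAM), statement 2 is
# an over-broad grant that the audit should flag.
SAMPLE_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": ["ec2:TerminateInstances", "autoscaling:UpdateAutoScalingGroup"],
            "Resource": "*",
            "Condition": {"StringEquals": {"aws:ResourceTag/caution": "true"}},
        },
        {
            "Effect": "Allow",
            "Action": ["ec2:DescribeInstances", "autoscaling:DescribeAutoScalingGroups"],
            "Resource": "*",
        },
        {
            "Effect": "Allow",
            "Action": "s3:*",
            "Resource": "*",
        },
    ],
}


def _as_list(value):
    """IAM allows a string or a list in most positions; normalise to a list."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def _condition_keys(stmt):
    """Collect every condition key in a statement, lower-cased (IAM keys are case-insensitive)."""
    keys = set()
    for _operator, pairs in stmt.get("Condition", {}).items():
        keys.update(k.lower() for k in pairs)
    return keys


def _read_only(actions):
    """True if every action is a Describe*/List* call, which IAM cannot scope by resource."""
    return bool(actions) and all(
        a.split(":")[-1].startswith(("Describe", "List")) for a in actions
    )


def audit_policy(policy):
    """Return a list of findings (strings); an empty list means every Allow is scoped."""
    findings = []
    for i, stmt in enumerate(_as_list(policy.get("Statement"))):
        if stmt.get("Effect") != "Allow":
            continue
        # NotAction / NotResource grant by exclusion, which is never least privilege.
        if "NotAction" in stmt or "NotResource" in stmt:
            findings.append(f"statement {i}: uses NotAction/NotResource")
            continue
        actions = _as_list(stmt.get("Action"))
        resources = _as_list(stmt.get("Resource"))
        if _read_only(actions):
            continue
        if any(a == "*" or a.endswith(":*") for a in actions):
            findings.append(f"statement {i}: wildcard action {actions}")
        keys = _condition_keys(stmt)
        # ResourceTag scopes calls on existing resources; RequestTag scopes creation calls.
        tag_scoped = (
            f"aws:resourcetag/{TAG_KEY}".lower() in keys
            or f"aws:requesttag/{TAG_KEY}".lower() in keys
        )
        if any(r == "*" or r.endswith(":*") for r in resources) and not tag_scoped:
            findings.append(
                f"statement {i}: Resource {resources} without aws:ResourceTag/{TAG_KEY} condition"
            )
    return findings


def is_scoped(policy):
    """Convenience wrapper: True when the audit produces no findings."""
    return not audit_policy(policy)


if __name__ == "__main__":
    # Replace SAMPLE_POLICY with json.load(open("policy.json")) to audit a real document.
    for finding in audit_policy(SAMPLE_POLICY):
        print(finding)
    print("scoped" if is_scoped(SAMPLE_POLICY) else "NOT scoped")
```

Run it against the JSON returned by `aws iam get-user-policy` for the scoped user (and against the policy attached to whatever credentials you used for the setup). A clean result does not prove the credentials are harmless, since a resource ARN can itself be broad, but any finding is a concrete statement to tighten before handing the credentials to a third party.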

Deploy the application

From your application directory, push the code to Caution:

git push caution main

Caution builds a reproducible enclave image and deploys it into the AWS environment you provisioned.

Verify the deployment

From your application directory, run the following command to rebuild the image, compare hashes, and confirm exactly what the enclave is running:

caution verify

Cleanup

To tear down a BYOC deployment from the CLI, run:

caution teardown --byoc

Run this from your application directory (or ensure local BYOC state exists in ~/.caution/<app>/bring-your-own-cloud.json) and make sure your AWS credentials are available.

If you need manual cleanup details, see the cleanup instructions in the BYOC repo.

Next steps

Your application is now running in a verified enclave in your own AWS account. Here's what to explore next: