
Bring your own cloud

Learn how bring your own cloud works, what stays in your AWS account, and what Caution manages within that boundary.

Overview

Bring your own cloud (BYOC) lets you run confidential enclaves in your own AWS account. A one-time setup script creates isolated AWS infrastructure and a role scoped to resources tagged for Caution, then Caution manages deployments within that environment.

It is best for teams that:

  • Need workloads and data to stay in their own AWS account
  • Need control over AWS billing and account boundaries
  • Want Caution to manage enclave operations within their environment

For a side-by-side comparison with other deployment options, see deployment models.

Responsibility split

In bring your own cloud, Caution manages builds and the enclave lifecycle in your AWS account, while you retain control over the account, network boundaries, and where data resides.

You control:

  • Your AWS account and billing
  • Network configuration and VPC
  • Where your data resides

Caution handles:

  • Application builds
  • Enclave lifecycle management
  • Deployment orchestration in your AWS account, including uploading EIFs to your S3 bucket, launch templates, and Elastic IP assignment

How it works

To deploy with bring your own cloud, you'll need a containerized application, Docker, and AWS credentials for the target account.

Once you have everything in place, the setup flow looks like this:

  1. Provide AWS credentials and run the setup flow from your application directory.
  2. Caution provisions an isolated environment in your AWS account and registers scoped credentials for the deployment.
  3. Deploy your application and let Caution manage the enclave lifecycle within that environment.

Setup guide

For the full step-by-step setup and deployment flow, see the bring your own cloud guide.

Security model

Tag-based resource scoping

All resources are tagged with:

caution:deployment-id = <deployment-id>

The IAM policy uses AWS condition keys to enforce scope:

  • aws:ResourceTag/caution:deployment-id - For existing resources
  • aws:RequestTag/caution:deployment-id - For new resources

What the scoped credentials CAN do

  • Read/write EIF images to the deployment's S3 bucket
  • Start/stop/terminate EC2 instances with the deployment tag
  • Create new instances via the ASG (automatically tagged)
  • Manage volumes, security groups, and EIPs with the deployment tag
  • Scale the specific Auto Scaling Group
  • Create and manage launch template versions

What the scoped credentials CANNOT do

  • Access any resources without the deployment tag
  • Access other S3 buckets
  • Modify other Auto Scaling Groups or launch templates
  • Access resources in other deployments
  • Escalate privileges or modify IAM policies
  • Access network resources outside the deployment VPC
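One way to check that a policy document is scoped the way this section describes, as an added example (not Caution's own policy or tooling). The sample policy, the bucket name, and the `dep-EXAMPLE` deployment ID are constructed for illustration, and the check only covers statements whose resource is `*`:

```python
import json

TAG = "caution:deployment-id"
TAG_KEYS = {f"aws:resourcetag/{TAG}", f"aws:requesttag/{TAG}"}  # key names are case-insensitive

def as_list(value):
    # IAM accepts a single string where a list is also valid.
    return value if isinstance(value, list) else [value]

def tag_scope(stmt, deployment_id):
    """Return 'ok', or the reason the statement's tag condition does not pin this deployment."""
    for operator, keys in stmt.get("Condition", {}).items():
        for key, value in keys.items():
            if key.lower() not in TAG_KEYS:
                continue
            # ...IfExists operators also pass when the tag is absent, so untagged resources match.
            if operator != "StringEquals":
                return f"tag condition uses {operator}, not StringEquals"
            if as_list(value) != [deployment_id]:
                return "tag condition allows a different deployment-id"
            return "ok"
    return "no deployment-tag condition"

def audit(policy, deployment_id):
    """List (sid, reason) for Allow statements on '*' that are not pinned to the deployment tag."""
    findings = []
    for i, stmt in enumerate(as_list(policy["Statement"])):
        if stmt.get("Effect") != "Allow":
            continue
        broad = "NotResource" in stmt or "*" in as_list(stmt.get("Resource", []))
        reason = tag_scope(stmt, deployment_id)
        if broad and reason != "ok":
            findings.append((stmt.get("Sid", f"statement[{i}]"), reason))
    return findings

# Constructed sample policy, not the policy the setup script creates.
SAMPLE = json.loads("""
{"Version": "2012-10-17", "Statement": [
 {"Sid": "EifBucket", "Effect": "Allow", "Action": ["s3:GetObject", "s3:PutObject"],
  "Resource": "arn:aws:s3:::example-eif-bucket/*"},
 {"Sid": "TaggedInstances", "Effect": "Allow", "Action": ["ec2:StartInstances", "ec2:StopInstances"],
  "Resource": "*",
  "Condition": {"StringEquals": {"aws:ResourceTag/caution:deployment-id": "dep-EXAMPLE"}}},
 {"Sid": "LooseOperator", "Effect": "Allow", "Action": "ec2:TerminateInstances", "Resource": "*",
  "Condition": {"StringEqualsIfExists": {"aws:ResourceTag/caution:deployment-id": "dep-EXAMPLE"}}},
 {"Sid": "Untagged", "Effect": "Allow", "Action": "ec2:DeleteVolume", "Resource": "*"}
]}
""")

if __name__ == "__main__":
    for sid, reason in audit(SAMPLE, "dep-EXAMPLE"):
        print(f"{sid}: {reason}")
```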

Instance types

Caution automatically selects an appropriate Nitro Enclave-compatible instance based on your CPU and memory requirements:

| Instance | vCPUs | Memory | Enclave capacity |
|---|---|---|---|
| m5.xlarge | 4 | 16 GB | Up to 2 CPUs, 14 GB |
| m5.2xlarge | 8 | 32 GB | Up to 6 CPUs, 30 GB |
| m5.4xlarge | 16 | 64 GB | Up to 14 CPUs, 62 GB |
| m5.8xlarge | 32 | 128 GB | Up to 30 CPUs, 126 GB |

On each host, ~2 vCPUs and ~2 GB of memory are reserved for the parent instance and are not available to the enclave.

Maintenance

These tasks apply to existing bring your own cloud deployments after provisioning, for example when you need to refresh IAM permissions or remove the AWS resources created during setup.

Updating IAM policy

To update the IAM policy for an existing deployment (for example, after script improvements), set DEPLOYMENT_ID and VPC_ID in your .env file, then run:

docker run --rm \
  --env-file .env \
  caution-provisioner-setup python setup.py --update-policy

Cleanup

To remove all resources created by the setup, see the cleanup instructions in the BYOC repo.
