- Keys or other secrets can only be decrypted (via KMS) by an EC2 instance if it is running an approved AMI.
- You could build a certificate authority (CA) which only issues a certificate to an instance running an approved AMI.
This is similar to the functionality that was available in Nitro Enclaves. However, enclaves came with restrictions (such as only being able to communicate through a vsock) that made them not a great fit for all use cases.
If there is more friction to communicate with me I expect to hear from people less often.
As an example, my friends that only use Discord and not SMS or Signal definitely hear from me less frequently. It doesn’t mean we’re not friends, but we do communicate less frequently.