Overview
The AWS Nitro CloudFormation solution provides a secure and automated way to deploy the Fireblocks Co-Signer in a customer-owned AWS environment using a pre-built CloudFormation template. Designed by the Fireblocks Professional Services (PS) team, the deployment leverages AWS Nitro Enclaves to ensure a high level of security for cryptographic signing workflows, and it integrates seamlessly with Fireblocks’ MPC infrastructure.
Purpose and Scope
The CloudFormation template provisions all necessary infrastructure to run a Co-Signer instance securely. It handles compute, storage, key management, logging, and role permissions while allowing for customer-specific configuration such as VPC integration and instance sizing.
The deployment uses AWS services such as EC2 (with Nitro Enclave support), S3, KMS, IAM, and CloudWatch. It ensures that key material and sensitive data are processed within a trusted execution environment and that all interactions follow the principle of least privilege.
Prerequisites
To use this solution, you’ll need:
- A Fireblocks account with RAW Signing enabled and access to the Co-Signer pairing setup
- An AWS account with permissions to deploy CloudFormation stacks
- Existing VPC and subnet(s) where the instance will reside
- A unique S3 bucket name and KMS alias for storage and key management
- A PEM-formatted public key to enable Fireblocks pairing
- Internet access for initial script downloads and instance setup
Deployment
Once launched, the template creates an EC2 instance configured to run the Co-Signer setup script. It dynamically retrieves instance metadata to configure callback URLs, generates necessary public key files, and securely uploads them to a customer-defined S3 bucket. It also creates a dedicated KMS key and alias for encryption operations and configures logging to CloudWatch for visibility into system behavior and health checks.
The instance includes startup scripts to install required packages, configure the Co-Signer, and schedule periodic health checks to ensure continued uptime and observability.
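The resources described above, sketched as a CloudFormation fragment so the least-privilege shape is visible. This is an added illustration, not the Fireblocks PS template: every resource and parameter name (CosignerKey, CosignerRole, the alias default, the /cosigner/ log group, the m5.xlarge size) is an assumption, and the customer bucket is assumed to exist already.

```yaml
AWSTemplateFormatVersion: "2010-09-09"
Parameters:
  SubnetId: { Type: AWS::EC2::Subnet::Id }        # existing customer subnet
  ImageId: { Type: AWS::EC2::Image::Id }          # Nitro Enclave-capable AMI
  BucketName: { Type: String }                    # customer-owned, unique bucket
  KmsAliasName: { Type: String, Default: alias/cosigner-demo }  # assumed alias
Resources:
  CosignerKey:                       # dedicated key, rotated, admin-only key policy
    Type: AWS::KMS::Key
    Properties:
      EnableKeyRotation: true
      KeyPolicy:
        Version: "2012-10-17"
        Statement:
          - { Effect: Allow, Principal: { AWS: !Sub "arn:aws:iam::${AWS::AccountId}:root" }, Action: "kms:*", Resource: "*" }
  CosignerKeyAlias:
    Type: AWS::KMS::Alias
    Properties: { AliasName: !Ref KmsAliasName, TargetKeyId: !Ref CosignerKey }
  CosignerRole:                      # instance role scoped to this bucket, this key, one log group
    Type: AWS::IAM::Role
    Properties:
      AssumeRolePolicyDocument:
        Version: "2012-10-17"
        Statement:
          - { Effect: Allow, Principal: { Service: ec2.amazonaws.com }, Action: sts:AssumeRole }
      Policies:
        - PolicyName: cosigner-least-privilege
          PolicyDocument:
            Version: "2012-10-17"
            Statement:
              - Effect: Allow       # upload generated public-key files only, no read/list
                Action: s3:PutObject
                Resource: !Sub "arn:aws:s3:::${BucketName}/*"
              - Effect: Allow       # no kms:* and no Resource: "*"
                Action: [kms:Encrypt, kms:Decrypt, kms:GenerateDataKey]
                Resource: !GetAtt CosignerKey.Arn
              - Effect: Allow       # health-check logging to a single log group (assumed name)
                Action: [logs:CreateLogStream, logs:PutLogEvents]
                Resource: !Sub "arn:aws:logs:${AWS::Region}:${AWS::AccountId}:log-group:/cosigner/*"
  CosignerProfile: { Type: AWS::IAM::InstanceProfile, Properties: { Roles: [!Ref CosignerRole] } }
  CosignerInstance:
    Type: AWS::EC2::Instance
    Properties:
      ImageId: !Ref ImageId
      InstanceType: m5.xlarge          # enclave-capable size; check the AWS supported list
      SubnetId: !Ref SubnetId
      IamInstanceProfile: !Ref CosignerProfile
      EnclaveOptions: { Enabled: true } # turns on Nitro Enclave support on the parent instance
```

When reviewing a delivered template, the properties worth checking are the same ones shown here: `EnclaveOptions.Enabled`, a KMS policy that is not wildcard for the instance role, and S3 and CloudWatch statements scoped to named resources.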
How do I get the template?
This solution and its deployment instructions are provided directly by the Fireblocks Professional Services team. Contact your Customer Success Manager or Fireblocks PS representative for more information.