Fireblocks Professional Services provides a CloudFormation template for deploying the API Co-signer on AWS Nitro Enclaves in a customer-owned AWS account. This article describes the template's purpose, prerequisites, and how to obtain it. It is intended for customers engaged with Fireblocks Professional Services on a CloudFormation-based deployment.
Not doing a CloudFormation deployment? If you are setting up the Co-signer on AWS Nitro manually, this article does not apply. See the standard AWS Nitro deployment guide instead.
When to use this template
Use this template when you are working with Fireblocks Professional Services on a CloudFormation-based Co-signer deployment. The template automates infrastructure provisioning that would otherwise require manual configuration, and it is delivered as part of a Professional Services engagement.
For all other AWS Nitro deployments, including standard manual setups, follow the regular AWS Nitro deployment guide. This CloudFormation template is not a drop-in replacement for the manual procedure, and the two paths are configured differently.
What the template provisions
The template provisions a complete Co-signer environment as a single CloudFormation stack. Unlike a manual Nitro deployment, where each AWS resource is created and configured individually, the template handles instance creation, key management setup, storage configuration, and logging in one operation.
Resources created by the stack include:
- An EC2 instance with AWS Nitro Enclaves enabled, sized per the parameters you provide
- A dedicated KMS key and alias for Co-signer encryption operations
- An S3 bucket for Co-signer artifacts, using the bucket name you specify
- IAM roles and policies scoped to the principle of least privilege
- CloudWatch logging for system health and observability
At launch, the instance runs a setup script that retrieves its metadata, generates the public key files required for Fireblocks pairing, and uploads them to the S3 bucket. The script also installs required packages, configures the Co-signer, and schedules periodic health checks.
Prerequisites
To deploy this template, you need:
- A Fireblocks account with access to API Co-signer pairing
- An AWS account with permissions to deploy CloudFormation stacks and create the resource types listed above
- An existing VPC and subnet where the EC2 instance will reside
- A unique S3 bucket name and KMS alias for the stack to use
- A PEM-formatted public key for Fireblocks pairing
- Outbound internet access from the instance for initial package downloads
How to get the template
The CloudFormation template and its deployment instructions are distributed directly by Fireblocks Professional Services. Contact your Customer Success Manager or Professional Services representative to request access.