No, you should use a (poorly named) "password hashing algorithm" which has different security properties from normal cryptographic hash functions.
Later on they indicate that they're using PBKDF2-HMAC-SHA512, which is outdated and not as good as scrypt or bcrypt, both of which are offered in the pycryptodome library they're using. The only reason to use PBKDF2 is for backwards compatibility, or with systems that don't offer better (memory-hard or cache-hard) algorithms. The documentation even states "New applications and protocols should use scrypt or bcrypt instead."
Hardly ultra-secure. They didn't even bother reading the docs of the crypto library they used.
It seems like infra playboys trying to make crypto. Go ahead and make stuff like this, it's great, but don't call it "Ultra Secure". A more apt description would be "Completely unproven and experimental while built on crypto primitives approaching obsolescence".
1. DynamoDB IAM permissions are correct.
2. EC2 IAM is correct.
3. The nitroenclave attestation is securely written, so as to avoid proxy-attestations from the main VM (and other attacks)
4. KMS IAM permissions are correctly written, to avoid direct decryption.
The additional complexity of writing this beast, managing it, making sure that your setup remains maintainable and scalable might be worth it, but you need to compare it to the ROI:
>The salt for any hash cannot be accessed by the attacker to perform a brute-force attack.
Using bcrypt with a high cost factor pretty much guarantees the same.
I'd be more interested in seeing a SGX-like solution using NitroEnclaves. Perhaps something that solves the Signal Contact Discovery problem?
If you go beyond peppering and also use encryption to protect the whole password database you can get additional benefits like keeping the list of usernames secret.
It can be useful as a "defense in depth" thing, but it's not a particularly meaningful improvement to practical security.
I'm not a encryption expert, but reading the article got the impression that bcrypt is superior, at least is IMO is easier to use
EDIT: No, I'm not really right about this, as explained here: https://news.ycombinator.com/item?id=25011716
I'll give it some proprs over the current mainstream stuff, which you have no idea how it works, at least there's some spec here.