Attestable AMIs
An Attestable AMI is an Amazon Machine Image with a corresponding cryptographic hash that represents all of its contents. The hash is generated during the AMI creation process, and it is calculated based on the entire contents of that AMI, including the applications, code, and boot process.
Maintaining an Attestable State
An instance's measurements are based on its initial boot state. Any software or code change made to the instance after launch that persists across a restart changes the instance's measurements on the next boot. Measurements that deviate from the reference measurements of the Attestable AMI mean that the instance can no longer attest successfully to AWS KMS after it restarts. For Attestable AMIs to be useful, therefore, instances must return to their original boot state whenever they restart.
Always returning to the original boot state ensures that an instance can attest successfully after it restarts. The following components can be used to keep your instances attestable across restarts:
- erofs — Enhanced Read-Only File System. Used as the root filesystem, it makes the root filesystem read-only. Directories that must be writable, including /etc, /run, and /var, are backed by memory, so anything written to them is lost when the instance restarts, leaving the root filesystem in its original launch state. For more information, see the erofs documentation.
- dm-verity — Provides integrity protection for the read-only root filesystem. A hash tree is computed over the filesystem blocks, and its root hash is passed on the kernel command line. This allows the kernel to verify each block of the root filesystem against the root hash as it is read, both during boot and afterwards, so that a modified block is rejected rather than silently used. For more information, see the dm-verity documentation.
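The block-level check that dm-verity performs is worth seeing concretely. The following is an added example in Python, not AWS or dm-verity code: it builds the same kind of hash tree that veritysetup writes to a hash device (SHA-256 over a salt-prefixed block, 128 digests per 4096-byte hash block, as in dm-verity format version 1), keeps it in memory instead of on disk, and verifies individual blocks against the root hash exactly the way the kernel does on each read. The salt and the 300-block image are constructed for the demo; `build_tree`, `verify_block` and `demo` are hypothetical names.

```python
"""Simplified in-memory model of a dm-verity hash tree (added example, not
AWS or dm-verity code). Real dm-verity stores the tree on a separate hash
device with a superblock; only the hashing scheme is reproduced here."""
import hashlib

BLOCK_SIZE = 4096                               # dm-verity default data/hash block size
DIGEST_SIZE = 32                                # SHA-256
HASHES_PER_BLOCK = BLOCK_SIZE // DIGEST_SIZE    # 128 child digests per hash block

# Constructed inputs: a fixed salt (veritysetup generates a random one at format
# time) and a 300-block image whose blocks have distinct, deterministic contents.
SALT = bytes(range(32))
IMAGE = b"".join(bytes([i % 251]) * BLOCK_SIZE for i in range(300))


def _h(data, salt):
    return hashlib.sha256(salt + data).digest()


def split_blocks(image):
    """Cut an image into data blocks, zero-padding the tail like a block device."""
    image += b"\0" * ((-len(image)) % BLOCK_SIZE)
    return [image[i:i + BLOCK_SIZE] for i in range(0, len(image), BLOCK_SIZE)]


def _hash_block(digests, salt):
    """Hash one hash block: up to 128 child digests, zero-padded to a full block."""
    chunk = b"".join(digests)
    return _h(chunk + b"\0" * (BLOCK_SIZE - len(chunk)), salt)


def build_tree(image, salt):
    """Return (root_hash, levels): levels[0] holds the data-block digests and
    levels[-1] is [root_hash]. The root hash is the value that goes on the
    kernel command line; everything else lives on the untrusted hash device."""
    level = [_h(block, salt) for block in split_blocks(image)]
    levels = [level]
    while len(level) > 1:
        level = [_hash_block(level[i:i + HASHES_PER_BLOCK], salt)
                 for i in range(0, len(level), HASHES_PER_BLOCK)]
        levels.append(level)
    return level[0], levels


def verify_block(index, block, levels, root_hash, salt):
    """Verify one data block the way the kernel does on each read: rehash the
    block, recompute the path to the root using the stored sibling digests, and
    compare with the trusted root hash. A modified block and a modified hash
    tree both fail, because only the root hash is trusted."""
    digest = _h(block, salt)
    for level in levels[:-1]:
        start = index - index % HASHES_PER_BLOCK
        siblings = list(level[start:start + HASHES_PER_BLOCK])
        siblings[index - start] = digest        # use the freshly computed digest
        digest = _hash_block(siblings, salt)
        index //= HASHES_PER_BLOCK
    return digest == root_hash


def demo():
    root_hash, levels = build_tree(IMAGE, SALT)
    blocks = split_blocks(IMAGE)
    ok = all(verify_block(i, b, levels, root_hash, SALT) for i, b in enumerate(blocks))

    # A persistent one-byte change to the root filesystem (block 200) is rejected.
    tampered = bytearray(blocks[200])
    tampered[10] ^= 0x01
    rejected = not verify_block(200, bytes(tampered), levels, root_hash, SALT)

    # Patching the stored hash tree to match the tampered block does not help:
    # the root hash on the kernel command line is not on the hash device.
    patched = [list(level) for level in levels]
    patched[0][200] = _h(bytes(tampered), SALT)
    still_rejected = not verify_block(200, bytes(tampered), patched, root_hash, SALT)
    return ok, rejected, still_rejected, root_hash.hex()


if __name__ == "__main__":
    ok, rejected, still_rejected, root = demo()
    print(f"roothash={root}")
    print(f"all blocks verify: {ok}; tampered block rejected: {rejected}; "
          f"tampered block with patched tree rejected: {still_rejected}")
```

The third scenario is the one that matters for attestation: an attacker with write access to the disk can rewrite both data and hash blocks, but cannot change the root hash without changing the kernel command line, which is part of the measured boot state.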
Requirements for creating Attestable AMIs
Attestable AMIs have the following requirements:
- Base operating system – Amazon Linux 2023 and NixOS
- Architecture – x86_64 or arm64
- TPM support – NitroTPM must be enabled. For more information, see Requirements for using NitroTPM with Amazon EC2 instances.
- Boot mode – UEFI boot mode must be enabled.
Creating Attestable AMIs
To create an Attestable AMI, you must use Amazon Linux 2023 with KIWI Next Generation (KIWI NG).
KIWI NG is an open-source tool for building pre-configured Linux-based images. KIWI NG uses XML image descriptions that define the contents of an image. The image description specifies the base operating system, software, kernel configuration, and scripts to run in order to build a ready-to-use AMI for a specific use case.
During the AMI build, use the nitro-tpm-pcr-compute utility to generate the reference measurements from the Unified Kernel Image (UKI) that KIWI NG produces. For more information about the nitro-tpm-pcr-compute utility, see Compute PCR measurements for a custom AMI.
AWS provides a sample Amazon Linux 2023 image description that contains everything needed to configure an EC2 instance in an isolated compute environment. For more information, see Build the sample Amazon Linux 2023 image description.
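The reference measurements computed at build time and the measurements an instance presents after a restart are both the result of TPM PCR extension over the boot components, which is why any persistent change to the measured image breaks attestation. The following added example (Python; not nitro-tpm-pcr-compute, NitroTPM or AWS KMS code) models the extend operation and the verifier's comparison. The UKI section contents, the `measure`, `attest` and `scenarios` names, and the single-PCR simplification are assumptions for the demo; the real PCR indexes and event formats are determined by the UEFI firmware and NitroTPM, and the real reference values come from nitro-tpm-pcr-compute.

```python
"""Model of TPM PCR extension and reference-measurement checking (added
example, not AWS tooling). A PCR cannot be written, only extended:
PCR' = SHA-256(PCR || SHA-256(event)), so the final value commits to every
measured component and to the order in which they were measured."""
import hashlib
import hmac

PCR_INIT = b"\0" * 32   # a SHA-256 bank PCR is all zeros at platform reset


def pcr_extend(pcr, event_data):
    """TPM2_PCR_Extend semantics for a SHA-256 bank."""
    return hashlib.sha256(pcr + hashlib.sha256(event_data).digest()).digest()


def measure(events):
    """Replay an ordered list of (name, bytes) components into one PCR value.
    Over the UKI at build time this yields the reference measurement; over an
    instance's boot event log it yields the value the instance will quote."""
    pcr = PCR_INIT
    for _name, data in events:
        pcr = pcr_extend(pcr, data)
    return pcr


def attest(reference_pcr, quoted_pcr):
    """Verifier side: compare the quoted PCR with the reference. Constant-time
    comparison, as for any check that gates access to key material."""
    return hmac.compare_digest(reference_pcr, quoted_pcr)


# Constructed stand-ins for the sections of a Unified Kernel Image. The dm-verity
# root hash on the command line ties the root filesystem into the measurement.
UKI = [
    ("kernel", b"vmlinuz (constructed bytes)"),
    ("initrd", b"initramfs with erofs and dm-verity setup (constructed bytes)"),
    ("cmdline", b"root=/dev/mapper/root roothash=" + b"11" * 32 + b" ro"),
]


def scenarios():
    reference = measure(UKI)          # what nitro-tpm-pcr-compute would provide

    # 1. Unmodified image: the instance restarts into the same state and attests.
    #    Runtime writes to the memory-backed /etc, /run and /var never reach the
    #    UKI, so they do not appear here.
    same_boot = attest(reference, measure(UKI))

    # 2. A persistent root-filesystem change means a new dm-verity root hash on
    #    the command line; the measured UKI differs and attestation fails.
    modified = [(n, d.replace(b"11" * 32, b"22" * 32) if n == "cmdline" else d)
                for n, d in UKI]
    modified_boot = attest(reference, measure(modified))

    # 3. The same components measured in a different order also fail: the
    #    extend chain commits to the sequence, not just to the set.
    reordered = [UKI[1], UKI[0], UKI[2]]
    reordered_boot = attest(reference, measure(reordered))

    return same_boot, modified_boot, reordered_boot, reference.hex()


if __name__ == "__main__":
    same, modified, reordered, ref = scenarios()
    print(f"reference PCR: {ref}")
    print(f"unmodified restart attests: {same}; modified image attests: {modified}; "
          f"reordered measurement attests: {reordered}")
```

In practice the verifier never recomputes the reference on the instance itself; it compares values signed by the TPM against reference values produced offline from the AMI, which is why the build step that runs nitro-tpm-pcr-compute has to operate on exactly the UKI that ships in the image.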