Requirements for using NitroTPM with Amazon EC2 instances - Amazon Elastic Compute Cloud

To launch an instance with NitroTPM enabled, you must meet the following requirements.

AMIs

The AMI must have NitroTPM enabled.

Linux AMIs

There are no preconfigured AMIs. You must configure your own AMI. For more information, see Enable a Linux AMI for NitroTPM.

Windows AMIs

The following Windows AMIs are preconfigured to enable NitroTPM and UEFI Secure Boot with Microsoft keys:

  • TPM-Windows_Server-2022-English-Core-Base

  • TPM-Windows_Server-2022-English-Full-Base

  • TPM-Windows_Server-2022-English-Full-SQL_2022_Enterprise

  • TPM-Windows_Server-2022-English-Full-SQL_2022_Standard

  • TPM-Windows_Server-2019-English-Core-Base

  • TPM-Windows_Server-2019-English-Full-Base

  • TPM-Windows_Server-2019-English-Full-SQL_2019_Enterprise

  • TPM-Windows_Server-2019-English-Full-SQL_2019_Standard

  • TPM-Windows_Server-2016-English-Core-Base

  • TPM-Windows_Server-2016-English-Full-Base

Note

Operating system — The AMI must include an operating system with a TPM 2.0 Command Response Buffer (CRB) driver. Most current operating systems include a TPM 2.0 CRB driver.

UEFI boot mode — The AMI must be configured for UEFI boot mode. For more information, see UEFI Secure Boot for Amazon EC2 instances.

Instance types

You must use one of the following virtualized instance types:

  • General purpose: M5, M5a, M5ad, M5d, M5dn, M5n, M5zn, M6a, M6i, M6id, M6idn, M6in, M7a, M7i, M7i-flex, T3, T3a

  • Compute optimized: C5, C5a, C5ad, C5d, C5n, C6a, C6i, C6id, C6in, C7a, C7i, C7i-flex

  • Memory optimized: R5, R5a, R5ad, R5b, R5d, R5dn, R5n, R6a, R6i, R6idn, R6in, R6id, R7a, R7i, R7iz, U7i-12tb, U7in-16tb, U7in-24tb, U7in-32tb, X2idn, X2iedn, X2iezn, z1d

  • Storage optimized: D3, D3en, I3en, I4i

  • Accelerated computing: G4dn, G5, G6, Gr6, Inf1, Inf2

  • High-performance computing: Hpc6a, Hpc6id

Considerations

The following considerations apply when using NitroTPM:

  • If you launch an instance from an AMI with NitroTPM enabled and later change the instance type, the new instance type must also support NitroTPM.

  • BitLocker volumes that are encrypted with NitroTPM-based keys can only be used on the original instance.

  • The NitroTPM state is not displayed in the Amazon EC2 console.

  • The NitroTPM state is not included in Amazon EBS snapshots.

  • The NitroTPM state is not included in VM Import/Export images.

  • NitroTPM is not supported on AWS Outposts, Local Zones, or Wavelength Zones.
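As an added pre-flight check (example code, not AWS's own), the following applies the AMI and instance type requirements above, and the instance-type-change consideration, to the fields that `aws ec2 describe-images` (`TpmSupport`, `BootMode`) and `aws ec2 describe-instance-types` (`NitroTpmSupport`, `NitroTpmInfo`, `BareMetal`) return. The sample responses and AMI IDs are constructed placeholders, so the check runs offline.

```python
from typing import Dict, List

# Constructed sample responses shaped like `aws ec2 describe-images` and
# `aws ec2 describe-instance-types` output; only the fields the check
# reads are included, and the AMI IDs are placeholders, not real resources.
IMAGES: Dict[str, Dict] = {
    "ami-0000000000example1": {"ImageId": "ami-0000000000example1",
                               "TpmSupport": "v2.0", "BootMode": "uefi"},
    "ami-0000000000example2": {"ImageId": "ami-0000000000example2",
                               "BootMode": "legacy-bios"},  # TpmSupport absent
}
INSTANCE_TYPES: Dict[str, Dict] = {
    "m6i.large": {"InstanceType": "m6i.large", "BareMetal": False,
                  "NitroTpmSupport": "supported",
                  "NitroTpmInfo": {"SupportedVersions": ["2.0"]}},
    "m4.large": {"InstanceType": "m4.large", "BareMetal": False,
                 "NitroTpmSupport": "unsupported"},
    "m6i.metal": {"InstanceType": "m6i.metal", "BareMetal": True,
                  "NitroTpmSupport": "unsupported"},
}


def nitrotpm_problems(image: Dict, itype: Dict) -> List[str]:
    """Return every reason the AMI / instance type pair fails the NitroTPM
    requirements; an empty list means a launch (or an instance type change
    to `itype`) keeps NitroTPM available."""
    problems: List[str] = []
    ami, it = image.get("ImageId", "?"), itype.get("InstanceType", "?")
    # AMI requirement 1: the AMI itself must be NitroTPM-enabled.
    if image.get("TpmSupport") != "v2.0":
        problems.append(f"{ami}: TpmSupport is {image.get('TpmSupport')!r}, "
                        "must be 'v2.0' (AMI is not NitroTPM-enabled)")
    # AMI requirement 2: UEFI boot mode (strict reading of the requirement).
    if image.get("BootMode") != "uefi":
        problems.append(f"{ami}: BootMode is {image.get('BootMode')!r}, "
                        "must be 'uefi'")
    # Instance type requirement: a virtualized type that supports NitroTPM 2.0.
    if itype.get("BareMetal"):
        problems.append(f"{it}: bare metal type; NitroTPM needs a virtualized type")
    versions = itype.get("NitroTpmInfo", {}).get("SupportedVersions", [])
    if itype.get("NitroTpmSupport") != "supported" or "2.0" not in versions:
        problems.append(f"{it}: instance type does not support NitroTPM 2.0")
    return problems


def check(image_id: str, instance_type: str) -> List[str]:
    """Look up the constructed responses and run the pre-flight check."""
    return nitrotpm_problems(IMAGES[image_id], INSTANCE_TYPES[instance_type])
```

Against a real account, replace the two dictionaries with the parsed output of the two CLI calls; run the same check before `modify-instance-attribute` changes the instance type, since the page notes the new type must also support NitroTPM.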