Use the RSA-2048 signature to verify the instance identity document - Amazon Elastic Compute Cloud

Use the RSA-2048 signature to verify the instance identity document

This topic explains how to verify the instance identity document using the RSA-2048 signature and the AWS RSA-2048 public certificate.

To verify the instance identity document using the RSA-2048 signature and the AWS RSA-2048 public certificate
  1. Connect to the instance.

  2. Retrieve the RSA-2048 signature from the instance metadata and write it to a file named rsa2048, wrapped in the required PKCS7 header and footer. Use one of the following commands depending on the IMDS version used by the instance.

    IMDSv2
    $ echo "-----BEGIN PKCS7-----" > rsa2048 \
      && TOKEN=$(curl -s -X PUT "http://169.254.169.254/latest/api/token" \
           -H "X-aws-ec2-metadata-token-ttl-seconds: 21600") \
      && curl -s -H "X-aws-ec2-metadata-token: $TOKEN" \
           http://169.254.169.254/latest/dynamic/instance-identity/rsa2048 >> rsa2048 \
      && echo "" >> rsa2048 \
      && echo "-----END PKCS7-----" >> rsa2048

    IMDSv1
    $ echo "-----BEGIN PKCS7-----" > rsa2048 \
      && curl -s http://169.254.169.254/latest/dynamic/instance-identity/rsa2048 >> rsa2048 \
      && echo "" >> rsa2048 \
      && echo "-----END PKCS7-----" >> rsa2048

    The first echo uses > rather than >> so that rerunning the command replaces the file instead of appending a second copy of the signature to a stale one; the empty echo terminates the base64 body with a newline before the footer.
  3. Find the RSA-2048 public certificate for your Region in AWS public certificates and add the contents to a new file named certificate.

  4. Use the OpenSSL smime command to verify the signature. Include the -verify option to indicate that the signature needs to be verified, and the -noverify option to indicate that the signer's certificate does not need to be validated against a CA chain. Skipping chain validation is acceptable here only because the certificate you pass with -certfile is the one published by AWS for your Region; it is not taken from the signed message itself.

    $ openssl smime -verify -in rsa2048 -inform PEM -certfile certificate -noverify | tee document

    If the signature is valid, the Verification successful message appears and the signed instance identity document is written to the file named document. If the signature cannot be verified, contact AWS Support.
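The procedure above, as an added example that is not AWS's own code: a small POSIX shell script that fetches the signature over IMDSv2, wraps it in the PKCS7 header and footer, verifies it with openssl smime against the Region certificate, and then cross-checks the instanceId inside the signed document against the instance-id IMDS reports. The file names rsa2048, certificate and document follow the page; the instanceId cross-check and the `run` argument are assumptions added here.

```shell
#!/bin/sh
# Added example (not from the AWS page). Assumes the file "certificate" already
# holds the RSA-2048 public certificate for this Region, as in step 3.
set -eu

IMDS="http://169.254.169.254/latest"

# Fetch a metadata path over IMDSv2 (token first, then the request).
imds_get() {
  tok=$(curl -sS -X PUT "$IMDS/api/token" -H "X-aws-ec2-metadata-token-ttl-seconds: 21600")
  curl -sS -H "X-aws-ec2-metadata-token: $tok" "$IMDS/$1"
}

# Wrap the base64 signature on stdin in the PEM PKCS7 header/footer, writing $1.
# Command substitution drops trailing newlines, so the body is always one
# clean block followed by exactly one newline before the footer.
wrap_pkcs7() {
  sig=$(cat)
  printf '%s\n%s\n%s\n' "-----BEGIN PKCS7-----" "$sig" "-----END PKCS7-----" > "$1"
}

# Verify the PEM signature in $1 with the certificate in $2 and print the
# signed document. -noverify skips CA chain validation of the signer
# certificate; that is acceptable only because $2 is the certificate pinned
# from the AWS public certificates page, not one carried in the message.
verify_document() {
  openssl smime -verify -inform PEM -in "$1" -certfile "$2" -noverify
}

# Extract a top-level string field from the (one-field-per-line) JSON on stdin.
json_field() {
  sed -n "s/.*\"$1\"[[:space:]]*:[[:space:]]*\"\([^\"]*\)\".*/\1/p" | head -n 1
}

# Full flow on an instance: a valid signature proves the document came from
# AWS; a matching instanceId proves it describes this instance, not another.
check_instance() {
  imds_get dynamic/instance-identity/rsa2048 | wrap_pkcs7 rsa2048
  verify_document rsa2048 certificate > document
  signed=$(json_field instanceId < document)
  live=$(imds_get meta-data/instance-id)
  [ "$signed" = "$live" ] || { echo "instanceId mismatch: $signed != $live" >&2; return 1; }
  echo "verified identity document for $signed"
}

# Run the full flow only when asked, so the functions can be sourced or tested.
if [ "${1:-}" = "run" ]; then check_instance; fi
```

Run it on the instance as `sh verify-identity.sh run`; a non-zero exit means either the signature did not verify or the document does not describe the instance it was read from.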