Use the base64-encoded signature to verify the instance identity document - Amazon Elastic Compute Cloud

Use the base64-encoded signature to verify the instance identity document

This topic explains how to verify the instance identity document using the base64-encoded signature and the AWS RSA public certificate.

To validate the instance identity document using the base64-encoded signature and the AWS RSA public certificate

  1. Connect to the instance.

  2. Retrieve the base64-encoded signature from the instance metadata, convert it to binary, and add it to a file named signature. Use one of the following commands depending on the IMDS version used by the instance.

    IMDSv2
    $ TOKEN=`curl -X PUT "http://169.254.169.254/latest/api/token" -H "X-aws-ec2-metadata-token-ttl-seconds: 21600"` \
&& curl -H "X-aws-ec2-metadata-token: $TOKEN" http://169.254.169.254/latest/dynamic/instance-identity/signature | base64 -d >> signature
    IMDSv1
    $ curl -s http://169.254.169.254/latest/dynamic/instance-identity/signature | base64 -d >> signature

  3. Retrieve the plaintext instance identity document from the instance metadata and add it to a file named document. Use one of the following commands depending on the IMDS version used by the instance.

    IMDSv2
    $ TOKEN=`curl -X PUT "http://169.254.169.254/latest/api/token" -H "X-aws-ec2-metadata-token-ttl-seconds: 21600"` \
&& curl -H "X-aws-ec2-metadata-token: $TOKEN" http://169.254.169.254/latest/dynamic/instance-identity/document >> document
    IMDSv1
    $ curl -s http://169.254.169.254/latest/dynamic/instance-identity/document >> document

  4. Find the RSA public certificate for your Region in AWS public certificates and add the contents to a new file named certificate.

  5. Extract the public key from the AWS RSA public certificate and save it to a file named key.

    $ openssl x509 -pubkey -noout -in certificate >> key

  6. Use OpenSSL dgst command to verify the instance identity document.

    $ openssl dgst -sha256 -verify key -signature signature document

    If the signature is valid, the Verification successful message appears.

    The command also writes the contents of the instance identity document to a new file named document. You can compare the contents of the of the instance identity document from the instance metadata with the contents of this file using the following commands.

    $ openssl dgst -sha256 < document
    $ curl -s -H "X-aws-ec2-metadata-token: $TOKEN" http://169.254.169.254/latest/dynamic/instance-identity/document | openssl dgst -sha256

    If the signature cannot be verified, contact AWS Support.