Use the base64-encoded signature to verify the instance identity document
This topic explains how to verify the instance identity document using the base64-encoded signature and the AWS RSA public certificate.
To validate the instance identity document using the base64-encoded signature and the AWS RSA public certificate
- Connect to the instance.
- Retrieve the base64-encoded signature from the instance metadata, convert it to a byte array, and add it to a variable named $Signature. Use the command that matches the IMDS version used by the instance (IMDSv2 requires a session token sent in the X-aws-ec2-metadata-token header; IMDSv1 does not).
- Retrieve the plaintext instance identity document from the instance metadata, convert it to a byte array, and add it to a variable named $Document. Use the command that matches the IMDS version used by the instance.
- Find the RSA public certificate for your Region in AWS public certificates and add the contents to a new file named certificate.pem.
- Verify the instance identity document.
PS C:\> [Security.Cryptography.X509Certificates.X509Certificate2]::new((Resolve-Path certificate.pem)).PublicKey.Key.VerifyData($Document, 'SHA256', $Signature)

If the signature is valid, the command returns True. If it returns False, first confirm that certificate.pem holds the certificate for the Region the instance runs in, since each Region has its own certificate. If the signature still cannot be verified, contact AWS Support.
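The following script is an added example, not code from the AWS page: it runs the whole procedure above end to end on the instance itself, on Windows PowerShell 5.1 or PowerShell 7. It assumes certificate.pem (the RSA public certificate for the instance's Region) is in the current directory; the function names Get-ImdsHeaders, Get-ImdsText and Test-InstanceIdentitySignature are this example's own.

```powershell
# Added example, not from the AWS page. Assumes it runs on the EC2 instance and
# that ./certificate.pem is the RSA public certificate for the instance's Region.
$ErrorActionPreference = 'Stop'
$Imds = 'http://169.254.169.254/latest'

function Get-ImdsHeaders {
    # Prefer IMDSv2: request a session token with a PUT. On an instance
    # configured as tokens-only, a GET without the header is rejected.
    try {
        $token = Invoke-RestMethod -Method PUT -Uri "$Imds/api/token" -Headers @{ 'X-aws-ec2-metadata-token-ttl-seconds' = '21600' } -TimeoutSec 2
        return @{ 'X-aws-ec2-metadata-token' = $token }
    } catch {
        Write-Warning 'IMDSv2 token request failed; falling back to IMDSv1'
        return @{}
    }
}

function Get-ImdsText([string]$Path, [hashtable]$Headers) {
    # .Content of Invoke-WebRequest is the raw response text, so the bytes we
    # verify are exactly the bytes AWS signed. Invoke-RestMethod may parse the
    # JSON document into an object, which would change its serialization.
    (Invoke-WebRequest -UseBasicParsing -Method GET -Headers $Headers -Uri "$Imds/$Path" -TimeoutSec 2).Content
}

function Test-InstanceIdentitySignature {
    param([byte[]]$Document, [byte[]]$Signature, [string]$CertificatePath)
    $cert = [Security.Cryptography.X509Certificates.X509Certificate2]::new((Resolve-Path $CertificatePath).Path)
    # GetRSAPublicKey returns the portable RSA type on both .NET Framework and
    # .NET (Core). The page's PublicKey.Key.VerifyData($d, 'SHA256', $s) overload
    # exists only on RSACryptoServiceProvider, i.e. Windows PowerShell 5.1.
    $rsa = [Security.Cryptography.X509Certificates.RSACertificateExtensions]::GetRSAPublicKey($cert)
    try {
        # The signature is RSA PKCS#1 v1.5 over SHA-256 of the document bytes.
        return $rsa.VerifyData($Document, $Signature, [Security.Cryptography.HashAlgorithmName]::SHA256, [Security.Cryptography.RSASignaturePadding]::Pkcs1)
    } finally {
        $rsa.Dispose()
        $cert.Dispose()
    }
}

$headers   = Get-ImdsHeaders
$Signature = [Convert]::FromBase64String((Get-ImdsText 'dynamic/instance-identity/signature' $headers))
$docText   = Get-ImdsText 'dynamic/instance-identity/document' $headers
$Document  = [Text.Encoding]::UTF8.GetBytes($docText)

$valid = Test-InstanceIdentitySignature -Document $Document -Signature $Signature -CertificatePath 'certificate.pem'
Write-Output "Signature valid: $valid"

# Negative check: flipping a single bit in the document must make verification
# return False. This is what protects a consumer of the document against a
# forged instanceId, accountId or region.
$tampered = [byte[]]$Document.Clone()
$tampered[$tampered.Length - 2] = $tampered[$tampered.Length - 2] -bxor 0x01
$stillValid = Test-InstanceIdentitySignature -Document $tampered -Signature $Signature -CertificatePath 'certificate.pem'
Write-Output "Tampered document verifies: $stillValid"

# A valid signature proves only that AWS produced this document. A consumer
# must still compare its fields with what it expects for this instance.
if ($valid) {
    $doc = $docText | ConvertFrom-Json
    Write-Output "instanceId=$($doc.instanceId) accountId=$($doc.accountId) region=$($doc.region)"
}
```

Run it from the directory containing certificate.pem. The first verification should print True and the tampered one False; if the first prints False, the most common cause is a certificate for a different Region, because each Region's certificate has its own key and a signature from one Region never verifies against another's certificate.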