Use the base64-encoded signature to verify the instance identity document

This topic explains how to verify the instance identity document using the base64-encoded signature and the AWS RSA public certificate.

To validate the instance identity document using the base64-encoded signature and the AWS RSA public certificate

Connect to the instance.

Retrieve the base64-encoded signature from the instance metadata, convert it to a byte array, and add it to variable named $Signature. Use one of the following commands depending on the IMDS version used by the instance.

Retrieve the plaintext instance identity document from the instance metadata, convert it to a byte array, and add it to a variable named $Document. Use one of the following commands depending on the IMDS version used by the instance.

Find the RSA public certificate for your Region in AWS public certificates and add the contents to a new file named certificate.pem.

Verify the instance identity document.


PS C:\> [Security.Cryptography.X509Certificates.X509Certificate2]::new((Resolve-Path certificate.pem)).PublicKey.Key.VerifyData($Document, 'SHA256', $Signature)

If the signature is valid, the command returns True. If the signature cannot be verified, contact AWS Support.

Warning Javascript is disabled or is unavailable in your browser.

To use the Amazon Web Services Documentation, Javascript must be enabled. Please refer to your browser's Help pages for instructions.

Document Conventions

Verify using the PKCS7 signature

Verify using the RSA-2048 signature