Verify the instance identity document for an Amazon EC2 instance

Connect to the instance.

Retrieve the PKCS7 signature from the instance metadata and add it to a new file named pkcs7 along with the required header and footer. Use one of the following commands depending on the IMDS version used by the instance.

Find the DSA public certificate for your Region in AWS public certificates for instance identity document signatures and add the contents to a new file named certificate.

Use the OpenSSL smime command to verify the signature. Include the -verify option to indicate that the signature needs to be verified, and the -noverify option to indicate that the certificate does not need to be verified.

$ openssl smime -verify -in pkcs7 -inform PEM -certfile certificate -noverify | tee document

If the signature is valid, the Verification successful message appears.

The command also writes the contents of the instance identity document to a new file named document. You can compare the contents of the of the instance identity document from the instance metadata with the contents of this file using the following commands.

$ openssl dgst -sha256 < document

$ curl -s -H "X-aws-ec2-metadata-token: $TOKEN" http://169.254.169.254/latest/dynamic/instance-identity/document | openssl dgst -sha256

If the signature cannot be verified, contact Support.

Connect to the instance.

Retrieve the PKCS7 signature from the instance metadata, convert it to a byte array, and add it to a variable named $Signature. Use one of the following commands depending on the IMDS version used by the instance.

Retrieve the plaintext instance identity document from the instance metadata, convert it to a byte array, and add it to a variable named $Document. Use one of the following commands depending on the IMDS version used by the instance.

Find the DSA public certificate for your Region in AWS public certificates for instance identity document signatures and add the contents to a new file named certificate.pem.

Extract the certificate from the certificate file and store it in a variable named $Store.

PS C:\> $Store = [Security.Cryptography.X509Certificates.X509Certificate2Collection]::new([Security.Cryptography.X509Certificates.X509Certificate2]::new((Resolve-Path certificate.pem)))

Verify the signature.

PS C:\> $SignatureDocument = [Security.Cryptography.Pkcs.SignedCms]::new()

PS C:\> $SignatureDocument.Decode($Signature)

PS C:\> $SignatureDocument.CheckSignature($Store, $true)

If the signature is valid, the command returns no output. If the signature cannot be verified, the command returns Exception calling "CheckSignature" with "2" argument(s): "Cannot find the original signer. If your signature cannot be verified, contact AWS Support.

Validate the content of the instance identity document.

PS C:\> [Linq.Enumerable]::SequenceEqual($SignatureDocument.ContentInfo.Content, $Document)

If the content of the instance identity document is valid, the command returns True. If instance identity document can't be validated, contact AWS Support.

Connect to the instance.

Retrieve the base64-encoded signature from the instance metadata, convert it to binary, and add it to a file named signature. Use one of the following commands depending on the IMDS version used by the instance.

Retrieve the plaintext instance identity document from the instance metadata and add it to a file named document. Use one of the following commands depending on the IMDS version used by the instance.

Find the RSA public certificate for your Region in AWS public certificates for instance identity document signatures and add the contents to a new file named certificate.

Extract the public key from the AWS RSA public certificate and save it to a file named key.

$ openssl x509 -pubkey -noout -in certificate >> key

Use OpenSSL dgst command to verify the instance identity document.

$ openssl dgst -sha256 -verify key -signature signature document

If the signature is valid, the Verification successful message appears.

The command also writes the contents of the instance identity document to a new file named document. You can compare the contents of the of the instance identity document from the instance metadata with the contents of this file using the following commands.

$ openssl dgst -sha256 < document

$ curl -s -H "X-aws-ec2-metadata-token: $TOKEN" http://169.254.169.254/latest/dynamic/instance-identity/document | openssl dgst -sha256

If the signature cannot be verified, contact Support.

Connect to the instance.

Retrieve the base64-encoded signature from the instance metadata, convert it to a byte array, and add it to variable named $Signature. Use one of the following commands depending on the IMDS version used by the instance.

Retrieve the plaintext instance identity document from the instance metadata, convert it to a byte array, and add it to a variable named $Document. Use one of the following commands depending on the IMDS version used by the instance.

Find the RSA public certificate for your Region in AWS public certificates for instance identity document signatures and add the contents to a new file named certificate.pem.

Verify the instance identity document.

PS C:\> [Security.Cryptography.X509Certificates.X509Certificate2]::new((Resolve-Path certificate.pem)).PublicKey.Key.VerifyData($Document, 'SHA256', $Signature)

If the signature is valid, the command returns True. If the signature cannot be verified, contact Support.

Connect to the instance.

Retrieve the RSA-2048 signature from the instance metadata and add it to a file named rsa2048 along the required header and footer. Use one of the following commands depending on the IMDS version used by the instance.

Find the RSA-2048 public certificate for your Region in AWS public certificates for instance identity document signatures and add the contents to a new file named certificate.

Use the OpenSSL smime command to verify the signature. Include the -verify option to indicate that the signature needs to be verified, and the -noverify option to indicate that the certificate does not need to be verified.

$ openssl smime -verify -in rsa2048 -inform PEM -certfile certificate -noverify | tee document

If the signature is valid, the Verification successful message appears. If the signature cannot be verified, contact Support.

Connect to the instance.

Retrieve the RSA-2048 signature from the instance metadata, convert it to a byte array, and add it to a variable named $Signature. Use one of the following commands depending on the IMDS version used by the instance.

Retrieve the plaintext instance identity document from the instance metadata, convert it to a byte array, and add it to a variable named $Document. Use one of the following commands depending on the IMDS version used by the instance.

Find the RSA-2048 public certificate for your Region in AWS public certificates for instance identity document signatures and add the contents to a new file named certificate.pem.

Extract the certificate from the certificate file and store it in a variable named $Store.

PS C:\> $Store = [Security.Cryptography.X509Certificates.X509Certificate2Collection]::new([Security.Cryptography.X509Certificates.X509Certificate2]::new((Resolve-Path certificate.pem)))

Verify the signature.

PS C:\> $SignatureDocument = [Security.Cryptography.Pkcs.SignedCms]::new()

PS C:\> $SignatureDocument.Decode($Signature)

PS C:\> $SignatureDocument.CheckSignature($Store, $true)

If the signature is valid, the command returns no output. If the signature cannot be verified, the command returns Exception calling "CheckSignature" with "2" argument(s): "Cannot find the original signer. If your signature cannot be verified, contact AWS Support.

Validate the content of the instance identity document.

PS C:\> [Linq.Enumerable]::SequenceEqual($SignatureDocument.ContentInfo.Content, $Document)

If the content of the instance identity document is valid, the command returns True. If instance identity document can't be validated, contact AWS Support.