
Verifying the Instance Identity Document in an AMI for the Marketplace


We are preparing our product for a paid offering in the AWS marketplace. In order to automatically license our product, we wanted to have a check that it is running from our marketplace listing as described here: https://docs.aws.amazon.com/marketplace/latest/userguide/best-practices-for-building-your-amis.html#verifying-ami-runtime

We would also like to verify the instance identity document using the public certificates listed here: https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/regions-certs.html

This would mean we would need to ship these certificates on the AMI in order to verify. What are the best practices for using these certificates? Will they ever be rotated? We are worried that if that happens, users running our AMI would have the product stop working. Is there some way we can automate grabbing these on instance startup, or should we simply bake them in with the understanding that they won't expire or be rotated?

1 Answer

To verify your software is running from your AWS Marketplace AMI, you can implement a runtime check using the instance identity document. Here's how to approach this securely:

For basic verification, you can check the marketplaceProductCodes field in the instance identity document to confirm it matches your product code. This can be retrieved via the instance metadata service using either IMDSv2 (recommended) or IMDSv1.

Regarding the verification of the document's authenticity using AWS public certificates, you have several options:

  1. Certificate Handling: AWS public certificates used for instance identity verification are region-specific and vary based on the verification method (PKCS7, base64-encoded, or RSA-2048 signatures).

  2. Certificate Rotation: While the documentation doesn't explicitly state a rotation policy for these certificates, AWS designed this system for long-term stability. The certificates are fundamental to EC2 infrastructure and any changes would be managed carefully to avoid disrupting dependent services.

  3. Recommended Approach: Instead of baking certificates into your AMI, consider:

  • Retrieving the certificates dynamically at runtime from the official AWS documentation URL
  • Implementing a fallback mechanism that uses locally cached certificates only if the dynamic retrieval fails
  • Including a notification system that alerts you if certificate verification fails, allowing you to update your software if needed

  4. Alternative Approach: If you prefer a simpler implementation, you can focus on just verifying the presence of your marketplace product code in the instance identity document. While this doesn't provide cryptographic verification, it's a practical approach that many marketplace products use.

By implementing these practices, you can reliably verify your software is running from your marketplace AMI while maintaining flexibility for any potential future changes to AWS certificates.
Sources
Best practices for building AMIs for use with AWS Marketplace - AWS Marketplace
Verify the instance identity document for an Amazon EC2 instance - Amazon Elastic Compute Cloud
AWS public certificates for instance identity document signatures - Amazon Elastic Compute Cloud
Instance identity documents for Amazon EC2 instances - Amazon Elastic Compute Cloud
Know if the EC2 resources in my AWS account are for Marketplace products | AWS re:Post

answered 5 months ago
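The runtime check described in the answer (IMDSv2 token, identity document plus its PKCS7 signature, signature verification against a regional AWS certificate, then the product-code check on the signed payload), written out as an added example that is not part of the original post. It assumes the regional certificate from the AWS documentation page has already been saved locally as a PEM file (the path is passed on the command line), that the `openssl` binary is available, and the product code is a constructed sample; the IMDS paths and the `openssl smime` invocation follow the AWS verification guide.

```python
import json
import subprocess
import sys
import tempfile
import urllib.request

IMDS = "http://169.254.169.254"          # instance metadata service (link-local)
IDENTITY = "/latest/dynamic/instance-identity/"


def imds_token(timeout=2):
    # IMDSv2 session token: PUT with a TTL header, as the answer recommends over IMDSv1
    req = urllib.request.Request(IMDS + "/latest/api/token", method="PUT",
                                 headers={"X-aws-ec2-metadata-token-ttl-seconds": "60"})
    with urllib.request.urlopen(req, timeout=timeout) as resp:
        return resp.read().decode()


def imds_get(path, token, timeout=2):
    req = urllib.request.Request(IMDS + path, headers={"X-aws-ec2-metadata-token": token})
    with urllib.request.urlopen(req, timeout=timeout) as resp:
        return resp.read()


def verify_pkcs7(document, pkcs7_b64, cert_pem_path):
    """Return the signed payload if the PKCS7 signature verifies, else None.
    Mirrors the openssl smime command in the AWS guide; -noverify skips chain
    building because the regional AWS certificate itself is the trust anchor."""
    pem = b"-----BEGIN PKCS7-----\n" + pkcs7_b64.strip() + b"\n-----END PKCS7-----\n"
    with tempfile.NamedTemporaryFile() as doc, tempfile.NamedTemporaryFile() as sig:
        doc.write(document); doc.flush(); sig.write(pem); sig.flush()
        result = subprocess.run(
            ["openssl", "smime", "-verify", "-inform", "PEM", "-in", sig.name,
             "-content", doc.name, "-certfile", cert_pem_path, "-noverify"],
            capture_output=True)
    # Only the payload openssl emitted is trusted; the raw IMDS bytes are never parsed
    return result.stdout if result.returncode == 0 else None


def check_product_code(signed_document, expected_code):
    """True only when the (already verified) document lists our product code."""
    codes = json.loads(signed_document).get("marketplaceProductCodes") or []
    return expected_code in codes


if __name__ == "__main__":
    cert, code = sys.argv[1], sys.argv[2]   # regional cert PEM path, our product code
    token = imds_token()
    document = imds_get(IDENTITY + "document", token)
    payload = verify_pkcs7(document, imds_get(IDENTITY + "pkcs7", token), cert)
    if payload is None or not check_product_code(payload, code):
        sys.exit("identity document failed signature or product-code check")
    print("running from the expected Marketplace AMI")
```

Because the product code is read from the payload that `openssl` returned rather than from the unsigned document, a tampered document fails closed even if its JSON contains the right code.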
