How EC2 instance attestation replaces implied trust
Before we get into this week's deep dive, a quick spotlight: our Master AWS Certified Solutions Architect Associate SAA-C03 Exam course just got a major refresh — 273 lessons covering everything from IAM policies and access controls to EC2 compute architecture and security best practices. If you're building on AWS (or preparing to certify), it's one of the most comprehensive ways to level up your cloud security knowledge.
Now, onto the newsletter. This week, we're tackling a question most teams never think to ask: how do you actually know your EC2 instance hasn't been tampered with? For years, AWS relied on implied trust — if the instance identity document checked out, the machine was assumed safe. EC2 instance attestation changes that model entirely, using cryptographic verification to prove boot integrity before granting access to secrets. We break down how it works, why identity alone isn't enough, and what this means for your security posture.
Launching an EC2 instance in AWS appears simple. You run a command, the instance starts, and you assume it’s ready to serve traffic. For years, this has created a model of implied trust. If an instance looked healthy, it was assumed to be safe.
The instance identity document (IID) is the reason for that trust. Think of it as your server’s ID card. It tells you:
Who it belongs to: Account ID
Which instance is it: Instance ID
Where it lives: Availability Zone and Region
How it’s built: AMI ID and architecture
If the IID matched expectations, everything else was assumed to be fine. The limitation is that the IID proves identity, not integrity.
Consider a case where an attacker installs a boot-level rootkit on an EC2 instance. On the next boot:
It still has a valid instance ID.
It still belongs to your AWS account.
Your IAM roles still grant full access to sensitive S3 buckets.
From the IID’s perspective, nothing is wrong, but from the real world’s perspective, your instance is compromised. The IID can’t tell you what is running on the machine.
That’s where EC2 instance attestation comes in. It moves us from implied trust to cryptographic certainty, allowing the instance to prove, mathematically, that its operating system has not been tampered with, byte by byte, before accessing a single secret.
Understanding the core mechanism of EC2 Instance attestation#
To prevent tampering, we need a witness outside the instance itself. If the OS is compromised, it can’t be trusted to tell the truth about itself. AWS provides this via the Nitro System, specifically NitroTPM.
NitroTPM: The independent witness#
NitroTPM is a virtual Trusted Platform Module (TPM 2.0) running under the Nitro Hypervisor, isolated from the EC2 instance. It’s like having a security camera that watches your instance from the outside. Even if an attacker has root access inside the instance, they cannot tamper with what the TPM has recorded.
Attestation document#
The Attestation Document is a cryptographically signed report generated by the Nitro Hypervisor through the instance’s isolated Trusted Platform Module (TPM). It provides a verifiable proof of the instance’s integrity, showing that the boot process and critical software components (like the kernel and bootloader) match a trusted, expected state.
When the instance boots, NitroTPM calculates cryptographic hashes (
PCR Index | Component Measured | Details |
PCR0/ PCR1 | Core system firmware executable code/data | Generally contains a constant value set by AWS for the early boot code/data. |
PCR2/ PCR3 | Extended or pluggable executable code/data | Measures third-party or extended boot-time code/data configuration. |
PCR4 | Boot manager code | Critical for standard boot Attestable AMIs. Measures cryptographic hashes of all binaries executed by the UEFI environment. |
If someone modifies the kernel, the PCR4 hash changes. This provides a cryptographic fingerprint that proves the instance’s state is no longer trusted.
Use case: Securing secrets with AWS KMS attestation#
The Attestation Document allows external services, such as AWS KMS or monitoring tools, to mathematically verify that the instance has not been altered before granting access to secrets or performing sensitive operations.
Extending trust to external systems#
The integrity verified by the Attestation Document is not limited to AWS services. Enterprise secrets managers, such as HashiCorp Vault, can also be configured to accept the EC2 attestation proof as a condition for authentication. This allows organizations to establish a unified, cryptographic chain of trust across their multi-cloud or hybrid environments.
Continuous integrity monitoring#
Beyond initial secret access, this approach supports continuous security monitoring. Security and compliance pipelines can periodically challenge running instances and request a fresh Attestation Document. By comparing current PCR values against an established golden image baseline, security teams can detect instances where the kernel or boot files were compromised after launch and automatically quarantine them. This supports faster incident response.
Comparing the IID and the Attestation Document#
Feature | Instance Identity Document (IID) | Attestation Document |
Focus | Identity (Who am I?) | Integrity (What state am I in?) |
Source of Information | Metadata service, instance launch parameters | NitroTPM measurements of the boot process and configuration |
Data | Instance ID, Account ID, AMI, architecture, AZ, region | Cryptographic hashes of BIOS, Bootloader, Kernel (PCRs) |
Source | Instance Metadata Service (IMDS) | Nitro Hypervisor via TPM |
Main Use Case | Service-to-service authentication (e.g., a custom application validating that a request came from a specific EC2 instance). | Granting access to sensitive keys/secrets (e.g., AWS KMS or HashiCorp Vault) only if the integrity is verified. |
The IID proves ownership of the instance, while the Attestation Document proves the instance is trustworthy and safe to operate. Together, they form a complete picture of identity and integrity, enabling strong, verifiable trust in your cloud infrastructure.
How attestation works#
AWS describes the workflow in two main steps, which conceptually cover four phases: measurement, challenge, signing, and verification.
Create an attestable AMI (reference measurement)#
To verify integrity, you first establish a trusted baseline. Launch an instance in a secure, clean-room environment and record its PCR measurements. At boot, each PCR starts from a known value, typically all zeros. As each critical component loads, such as the bootloader, kernel, or application image, the Nitro Hypervisor computes a cryptographic hash of that component. This new measurement is used to update the PCR value using the formula:
Where hash is the cryptographic function, typically SHA-256 or SHA-384 in Nitro. The cryptographic hash of the kernel and bootloader. This hash is then locked into your KMS policy as the golden image. It serves as an immutable reference; only instances that match this exact fingerprint are cryptographically proven to be untampered.
Verify instance state (challenge and verification)#
Launch production instances from the Attestable AMI. Compare their PCR values with the baseline. Matching PCRs mean trust; mismatched PCRs indicate compromise.
To understand how these steps occur in real time, we must examine the interaction between the software (EC2) and the hardware (Nitro TPM).
How NitroTPM validates instance integrity before releasing secrets#
The process of cryptographic attestation involves four distinct phases, ensuring the instance’s state is verified before any sensitive operations are permitted:
Measurement (Boot): As the instance boots, the Nitro TPM silently records hashes of the kernel and bootloader in shielded memory slots (PCRs).
Challenge: When your application needs a secret, it requests proof of integrity.
Signing: The Nitro Hypervisor reads the PCR values and signs them with a secure AWS private key to prove authenticity.
Verification: The relying party (e.g., AWS KMS) validates the signature and compares the PCRs against your “Golden Image.” If they match, the secret is released.
Practical steps: Building trust from boot to secret access#
To demonstrate EC2 instance attestation, the focus is on creating and verifying an attestation-ready instance rather than a generic AMI. This allows the software state, reflected in its PCRs, to be measured and verified before the instance is trusted with secrets.
Prerequisites#
To follow along, ensure you have the following:
AWS account with CLI installed: You’ll need AWS CLI access to launch instances and configure options.
Nitro-based instance type: Use a Nitro-based instance (e.g.,
m5.largeor similar), which supports TPM (Trusted Platform Module) attestation.TPM utilities installed: Install
tpm2-toolsinside the instance to read PCR (Platform Configuration Register) values. PCRs store measurements of the booted software environment.Optional tools for attestation document extraction: Installing
nitro-cliornitro-tpm-attestallows you to retrieve the full attestation document from the instance, which contains cryptographic proof of the system’s state.
Why: These prerequisites ensure you have the tools and environment necessary to verify that your EC2 instance is trustworthy before accessing sensitive secrets.
Step 1: Launch a protected instance#
To establish a trusted environment, the TPM must be enabled at the time of launch. This ensures the system records cryptographic measurements during boot.
aws ec2 run-instances \--image-id ami-0c55b159cbfafe1f0 \--instance-type m5.large \--key-name MyKeyPair \--options TpmSupport=v2.0 \--boot-mode uefi
TpmSupport=v2.0enables the TPM for attestation.boot-mode uefiensures the system boots in a secure, modern mode compatible with TPM measurements.
This establishes the initial root of trust, where the hardware measures each stage of the boot process.
Step 2: Verify the “fingerprint” (PCR values)#
Next, we verify the instance’s digital fingerprint, also known as PCR values. This fingerprint represents the golden measurement of a known-good boot environment.
sudo dnf install tpm2-toolssudo tpm2_pcrread sha384:4
This command outputs a SHA-384 hash corresponding to PCR 4 (kernel measurement).
Why: Recording this value establishes a baseline, ensuring that future measurements can be compared against a known, trusted state. Any unexpected changes in the kernel or boot process will be detectable.
Optional: Extract the full Attestation Document:
Note: You can install this utility from the AWS NitroTPM samples.
sudo ./nitro-tpm-attest --output attestation_doc.bin
You can now decode this CBOR/COSE signed document using Python libraries like cbor2 and cose to inspect the PCR values and verify the Nitro Hypervisor’s signature.
Step 3: The “fail-safe mechanism” (Sealing secrets)#
The TPM can protect secrets so that they are only released if PCR 4 matches the golden measurement:
Encrypt API keys, disk encryption keys, or tokens.
If the kernel is modified, the TPM refuses to release the secret.
Optionally integrate with KMS using a policy like:
{"Condition": {"StringEquals": {"kms:RecipientAttestation:NitroTPMPCR4": "<expected-hash>"}}}
The KMS decryption is only allowed when the system is verified to be in a trusted state.
This “fail-safe mechanism” is the final link in your chain of trust, tying sensitive data access to a verified, unmodified system.
Conclusion#
EC2 instance attestation changes how trust is established in cloud environments. Rather than relying solely on identity, it verifies software integrity:
Identity confirms instance ownership.
Attestation verified the integrity of the software running on that instance.
In a Zero Trust security model, this distinction matters. By binding secrets to a verified system state, you reduce the risk of attacks such as rootkits and boot-level compromises. EC2 instance attestation protects workloads while supporting compliance requirements and stronger operational guarantees.
Ready to put your learning into practice? Explore the following Cloud Labs:
