support EC2 instance attestation #4680

@bcressey

What I'd like:
I'd like to have a way to configure AWS variants to support EC2 instance attestation, with the end goal of being able to configure EC2 instances via user-data and arriving at a reasonable remote attestation story.

The ideal end state is to be able to assert that a particular system can only run trusted container images using trusted OCI runtime specs, and furthermore that it's not possible to change that configuration afterwards without changing the reported PCR values, bricking the machine, or both.

Any alternatives you've considered:
The existing AMIs can be re-registered with a TPM2 device, and some of the PCR values are already populated in a useful way (7 and 14).

However, making this a first-class feature with documented behavior for PCR measurements and OS-level guarantees is required to reach the ideal end state.

Labels:

- area/core: Issues core to the OS (variant independent)
- status/in-progress: This issue is currently being worked on
- type/enhancement: New feature or request
