The AWS Metadata Service Trust Provider supports attestation of Client Workloads and Agent Controller identities in AWS environments (running either directly on EC2 instances or on managed AWS EKS).
The AWS Metadata Service Trust Provider relies on the AWS Metadata Service for the instance identity document.
Match rules
The following match rules are available for this Trust Provider type:
- accountId
- architecture
- availabilityZone
- billingProducts
- imageId
- instanceId
- instanceType
- kernelId
- marketplaceProductCodes
- pendingTime
- privateIP
- region
- version
Please refer to the AWS documentation for a detailed description of the match rule fields available in the identity document.
Additional configurations
Aembit requires one of AWS’s public certificates to verify the identity document signature. Please download the certificate from the AWS public certificate page for the region where your Client Workloads are located. Please use the certificates under the RSA tabs on the AWS documentation page and paste the appropriate certificate into the Certificate field on the Trust Provider page.