Reputation: 1375
Can I associate metadata with an AWS Marketplace AMI?
I have three questions regarding AWS Marketplace AMI's:
- Can I associate metadata with an AMI that I offer in the AWS Marketplace?
- Can I read this metadata from inside an instance created from that AMI?
- Can I ensure that this metadata can't be falsified? E.g. I could sign its contents with a private key.
Why? I want to ensure that people can't copy the software in my AMI and use it outside of my AMI. I figure that if my software could query metadata about the AMI of the current instance and that metadata contained unfalsifiable information tying the AMI to me then that wouldn't be possible.
Upvotes: 0
Views: 352
Answers (1)
Reputation: 179214
Every EC2 instance has an Instance Identity Document that provides information about the instance, including its instance ID, placement, etc. This document is signed by AWS so that you can validate it with a public key.
It includes the AMI ID and even appears to provide your product id, though it's not clear from the documentation whether "billingProducts" refers to this or something else.
This is not entirely fool-proof, for a variety of reasons, including the fact that you will necessarily need to embed the public key in your code in order to validate the signature, and if I have a copy of your code -- and am sufficiently determined -- then I could overwrite that part with my own key and then forge the identitity document... but then any time you allow me access to a copy of your code, you always take that same risk. It's not an inherent limitation in what AWS has provided but rather a problem that lies in the fact that nothing running on my server is perfectly immune to my tampering... but it seems sufficient to keep honest people honest and I would suggest that nothing beyond this is possible.
If you familiar with EC2 instance metadata in general, you no doubt recognize http://169.254.169.254/. If not: this is a special (link local) address that provides the endpoint to the EC2 metadata service. It's a strange looking address, but every EC2 instance sees its own view when accessing that endpoint. The IP address doesn't change across instances, availability zones, regions, accounts, etc., and the service is provided by the EC2 infrastructure, not by anything running on the instance itself.
The instance owner is not billed for http requests to this endpoint so your code can check it as often as seems reasonable.
Upvotes: 1
Related Questions
- Deploy a free product from AWS Marketplace via an API?
- Is it possible to get an EC2 instances tags using the metadata api?
- AWS Lambda Python for AMI Tagging after Creation
- How to make EC2 "inherit" tags from AMI
- Are there any way to get ecs instance metadata?
- Can I get AMI details with out creating the EC2 instance from AMI in AWS
- Is it possible to launch an AWS marketplace AMI to an existing instance?
- Can I get metadata from an EC2 that was not made in CloudFormation?
- Instance Store AMI from a customized EBS-backed instance
- Amazon EC2 instance metadata