Validating AMI using hash algorithm?
A customer would like to know if they can validate the consistency of an AMI using a hash algorithm (or any other way, really). Their question goes to both AWS-created AMIs and to their own. I believe we use MD5 to validate when copying AMIs across regions, but I've not yet found a method that the customer might use.
- Newest
- Most votes
- Most comments
As AMIs are stored in a special area of S3, AMIs are by their nature immutable; they are atomic objects which can't be edited bitwise (any editing requires the replacement of the whole object, at which point the AMI ID changes), and S3's own integrity-checking mechanisms continually validate AMI integrity across the multiple copies S3 actually stores.
So, provided the AMI ID hasn't changed, the AMI hasn't, either. This is another area where "we validate and maintain the integrity of customer data, so the customer doesn't have to" :-).
If the customer wants to do their own validation (let's say there's a particular compliance check they need to meet - and if this is the case, we should have a chat with them about their control requirements and the risks they mitigate, in this area) they could restore the AMI to an EC2 instance, and checksum the EBS volumes involved - though this seems like a lot of effort for little risk mitigation.
Relevant content
- Accepted Answer
- asked 9 months ago
- Accepted Answer
AWS OFFICIALUpdated 8 months ago- AWS OFFICIALUpdated 6 months ago
- AWS OFFICIALUpdated 10 months ago
- AWS OFFICIALUpdated 8 months ago
