Title of invention: Authentication of virtual machine images using digital certificates
Abstract: A vendor of virtual machine images accesses a virtual computer system service to upload a digitally signed virtual machine image to a data store usable by customers of the virtual computer system service to select an image for creating a virtual machine instance. If a digital certificate is uploaded along with the virtual machine image, the virtual computer system service may determine whether the digital certificate has been trusted for use. If the digital certificate has been trusted for use, the virtual computer system service may use a public cryptographic key to decrypt a hash signature included with the image to obtain a first hash value. The service may additionally apply a hash function to the image itself to obtain a second hash value. If the two hash values match, then the virtual machine image may be deemed to be authentic.
Publication number: US9158909(B2)
Publication date: 2015.10.13
Application number: US201414196818
Filing date: 2014.03.04
Applicant: Amazon Technologies, Inc.
Inventors: Doane Andrew Jeffrey; Schoof Alexander Edward; Fitzgerald Robert Eric; Cignetti Todd Lawrence
Classification: G06F21/00; G06F21/44; H04L29/06
Main classification: G06F21/00
Agency: Davis Wright Tremaine LLP
Agent: Davis Wright Tremaine LLP
Independent claim: 1. A computer-implemented method for authenticating a virtual machine image, comprising: under the control of one or more computer systems configured with executable instructions, receiving, from a vendor, a virtual machine image, a digital signature of the virtual machine image, a digital certificate comprising a public cryptographic key usable to verify the digital signature, and one or more policies defining a level of access to the virtual machine image for one or more customers of a computing resource service provider; using the digital certificate and the public cryptographic key to verify the digital signature of the virtual machine image; and as a result of verifying the digital signature of the virtual machine image, making the virtual machine image available for selection in a computing resource service provider marketplace with an indication that the virtual machine image has been verified as authentic; as a result of the customer of the computing resource service provider having selected the virtual machine image, evaluating, by a processor, the one or more policies to determine if the customer is authorized to use the selected virtual machine image; and as a result of determining that the customer is authorized to use the selected virtual machine image, using the selected virtual machine image to instantiate a virtual machine.
Address: Seattle WA US
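The verification flow in the abstract (certificate trust check, hash recovered from the signature, hash computed over the image, comparison) as an added example that is not taken from the patent or from any service implementation. The key is a constructed textbook-RSA toy without padding, and the certificate layout, function names and sample data are assumptions made for illustration.

```python
import hashlib

# Constructed toy key: textbook RSA over two Mersenne primes, no padding.
# Illustration only; a real service would use a vetted library (RSA-PSS, ECDSA).
P, Q, E = 2**127 - 1, 2**89 - 1, 65537
N = P * Q
D = pow(E, -1, (P - 1) * (Q - 1))  # vendor's private exponent (Python 3.8+)

def image_hash(image: bytes) -> int:
    # SHA-256 truncated to 24 bytes so the value fits below the toy modulus.
    return int.from_bytes(hashlib.sha256(image).digest()[:24], "big")

def sign_image(image: bytes) -> int:
    # Vendor side: transform the image hash with the private key.
    return pow(image_hash(image), D, N)

def cert_fingerprint(cert: dict) -> str:
    # Hypothetical certificate encoding: subject plus public key fields.
    material = f"{cert['subject']}|{cert['n']}|{cert['e']}".encode()
    return hashlib.sha256(material).hexdigest()

def verify_image(image: bytes, signature: int, cert, trusted: set) -> str:
    if cert is None:
        return "no-certificate"            # nothing uploaded with the image
    if cert_fingerprint(cert) not in trusted:
        return "untrusted-certificate"     # never use a key that is not trusted
    if not 0 <= signature < cert["n"]:
        return "hash-mismatch"             # malformed signature value
    first = pow(signature, cert["e"], cert["n"])  # hash recovered from signature
    second = image_hash(image)                    # hash computed over the image
    return "authentic" if first == second else "hash-mismatch"

# Constructed sample data.
VENDOR_CERT = {"subject": "example-vendor", "n": N, "e": E}
ROGUE_CERT = {"subject": "example-vendor", "n": (2**107 - 1) * (2**61 - 1), "e": E}
TRUSTED = {cert_fingerprint(VENDOR_CERT)}
IMAGE = b"constructed virtual machine image bytes"
SIGNATURE = sign_image(IMAGE)

if __name__ == "__main__":
    print(verify_image(IMAGE, SIGNATURE, VENDOR_CERT, TRUSTED))
    print(verify_image(IMAGE + b"x", SIGNATURE, VENDOR_CERT, TRUSTED))
    print(verify_image(IMAGE, SIGNATURE, ROGUE_CERT, TRUSTED))
```

The trust check runs before any public-key operation, so a certificate that reuses a trusted subject name with a different key is rejected without its key ever being applied to the signature.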