Launch an instance with UEFI Secure Boot support
When you launch an instance with the following prerequisites, the instance will automatically validate UEFI boot binaries against its UEFI Secure Boot database. You can also configure UEFI Secure Boot on an instance after launch.
Note
UEFI Secure Boot protects your instance and its operating system against boot flow
modifications. Typically, UEFI Secure Boot is configured as part of the AMI. If
you create a new AMI with different parameters from the base AMI, such as
changing the UefiData
within the AMI, you can disable UEFI Secure
Boot.
Prerequisites
- Linux AMIs
-
To launch a Linux instance, the Linux AMI must have UEFI Secure Boot enabled.
Amazon Linux supports UEFI Secure Boot starting with AL2023 release 2023.1. However, UEFI Secure Boot isn't enabled in the default AMIs. For more information, see UEFI Secure Boot in the AL2023 User Guide. Older versions of Amazon Linux AMIs aren't enabled for UEFI Secure Boot. To use a supported AMI, you must perform a number of configuration steps on your own Linux AMI. For more information, see Create a Linux AMI to support UEFI Secure Boot.
- Windows AMIs
-
To launch a Windows instance, the Windows AMI must have UEFI Secure Boot enabled.
Note
Amazon provides Windows AMIs that are preconfigured for UEFI Secure Boot. AMIs of this type are not available in the China (Beijing) and China (Ningxia) Regions.
Currently, we do not support importing Windows with UEFI Secure Boot by using the import-image command.
- Instance type
-
-
Supported: All virtualized instance types that support UEFI also support UEFI Secure Boot. For the instance types that support UEFI Secure Boot, see Considerations.
-
Not supported: Bare metal instance types do not support UEFI Secure Boot.
-