Set up the Amazon EC2 AMI tools
You can use the AMI tools to create and manage Amazon S3-backed Linux AMIs. To use the tools, you must install them on your Linux instance. The AMI tools are available as both an RPM and as a .zip file for Linux distributions that don't support RPM.
To set up the AMI tools using the RPM
- Install Ruby using the package manager for your Linux distribution, such as yum. For example:

    [ec2-user ~]$ sudo yum install -y ruby
- Download the RPM file using a tool such as wget or curl. For example:

    [ec2-user ~]$ wget https://s3.amazonaws.com/ec2-downloads/ec2-ami-tools.noarch.rpm
- Verify the RPM file's signature using the following command:

    [ec2-user ~]$ rpm -K ec2-ami-tools.noarch.rpm

  The command above should indicate that the file's SHA1 and MD5 hashes are OK. If the command indicates that the hashes are NOT OK, use the following command to view the file's Header SHA1 and MD5 hashes:

    [ec2-user ~]$ rpm -Kv ec2-ami-tools.noarch.rpm

  Then, compare your file's Header SHA1 and MD5 hashes with the following verified AMI tools hashes to confirm the file's authenticity:

  - Header SHA1: a1f662d6f25f69871104e6a62187fa4df508f880
  - MD5: 9faff05258064e2f7909b66142de6782

  If your file's Header SHA1 and MD5 hashes match the verified AMI tools hashes, continue to the next step.
- Install the RPM using the following command:

    [ec2-user ~]$ sudo yum install ec2-ami-tools.noarch.rpm
- Verify your AMI tools installation using the ec2-ami-tools-version command.

    [ec2-user ~]$ ec2-ami-tools-version

  Note: If you receive a load error such as "cannot load such file -- ec2/amitools/version (LoadError)", complete the next step to add the location of your AMI tools installation to your RUBYLIB path.
- (Optional) If you received an error in the previous step, add the location of your AMI tools installation to your RUBYLIB path.

  - Run the following command to determine the paths to add.

      [ec2-user ~]$ rpm -qil ec2-ami-tools | grep ec2/amitools/version
      /usr/lib/ruby/site_ruby/ec2/amitools/version.rb
      /usr/lib64/ruby/site_ruby/ec2/amitools/version.rb

    In the above example, the missing file from the previous load error is located at /usr/lib/ruby/site_ruby and /usr/lib64/ruby/site_ruby.

  - Add the locations from the previous step to your RUBYLIB path.

      [ec2-user ~]$ export RUBYLIB=$RUBYLIB:/usr/lib/ruby/site_ruby:/usr/lib64/ruby/site_ruby

  - Verify your AMI tools installation using the ec2-ami-tools-version command.

      [ec2-user ~]$ ec2-ami-tools-version
 
To set up the AMI tools using the .zip file
- Install Ruby and unzip using the package manager for your Linux distribution, such as apt-get. For example:

    [ec2-user ~]$ sudo apt-get update -y && sudo apt-get install -y ruby unzip
- Download the .zip file using a tool such as wget or curl. For example:

    [ec2-user ~]$ wget https://s3.amazonaws.com/ec2-downloads/ec2-ami-tools.zip
- Unzip the files into a suitable installation directory, such as /usr/local/ec2.

    [ec2-user ~]$ sudo mkdir -p /usr/local/ec2
    [ec2-user ~]$ sudo unzip ec2-ami-tools.zip -d /usr/local/ec2

  Notice that the .zip file contains a folder ec2-ami-tools-x.x.x, where x.x.x is the version number of the tools (for example, ec2-ami-tools-1.5.7).
- Set the EC2_AMITOOL_HOME environment variable to the installation directory for the tools. For example:

    [ec2-user ~]$ export EC2_AMITOOL_HOME=/usr/local/ec2/ec2-ami-tools-x.x.x
- Add the tools to your PATH environment variable. For example:

    [ec2-user ~]$ export PATH=$EC2_AMITOOL_HOME/bin:$PATH
- You can verify your AMI tools installation using the ec2-ami-tools-version command.

    [ec2-user ~]$ ec2-ami-tools-version
Manage signing certificates
Certain commands in the AMI tools require a signing certificate (also known as X.509 certificate). You must create the certificate and then upload it to AWS. For example, you can use a third-party tool such as OpenSSL to create the certificate.
To create a signing certificate
- Install and configure OpenSSL.
- Create a private key using the openssl genrsa command and save the output to a .pem file. We recommend that you create a 2048- or 4096-bit RSA key.

    openssl genrsa 2048 > private-key.pem

- Generate a certificate using the openssl req command.

    openssl req -new -x509 -nodes -sha256 -days 365 -key private-key.pem -outform PEM -out certificate.pem
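
Before the certificate is uploaded, it is worth confirming that it actually carries the public key of the private key you intend to sign with, that it is SHA-256 signed, and that the unencrypted key file (-nodes) is readable only by its owner. The script below is an added example, not part of the original page or of the AMI tools; the -subj value, the umask and the --demo switch are assumptions introduced for the sketch.

```shell
#!/bin/sh
# Creates the key and certificate with the commands from the steps above.
# usage: make_signing_cert <dir> [bits]
make_signing_cert() {
    dir=$1; bits=${2:-2048}
    (
        umask 077   # both files are created mode 0600
        openssl genrsa "$bits" > "$dir/private-key.pem" 2>/dev/null &&
        openssl req -new -x509 -nodes -sha256 -days 365 \
            -subj "/CN=ami-tools-signing-example" \
            -key "$dir/private-key.pem" -outform PEM \
            -out "$dir/certificate.pem" 2>/dev/null
    )
}

# Returns 0 only if the certificate matches the private key, is signed with
# SHA-256, and the key file has no group or world permission bits.
# usage: check_signing_cert <private-key.pem> <certificate.pem>
check_signing_cert() {
    key=$1; cert=$2
    kmod=$(openssl rsa -noout -modulus -in "$key" 2>/dev/null) || return 2
    cmod=$(openssl x509 -noout -modulus -in "$cert" 2>/dev/null) || return 2
    [ -n "$kmod" ] && [ "$kmod" = "$cmod" ] ||
        { echo "certificate does not match private key" >&2; return 1; }
    openssl x509 -noout -text -in "$cert" |
        grep -q 'Signature Algorithm: sha256WithRSAEncryption' ||
        { echo "certificate is not SHA-256 signed" >&2; return 1; }
    case $(ls -l "$key") in
        -rw-------*|-r--------*) ;;
        *) echo "private key is readable by group or others" >&2; return 1 ;;
    esac
}

# Stand-alone run: sh this-script.sh --demo
if [ "${1:-}" = "--demo" ]; then
    d=$(mktemp -d) && make_signing_cert "$d" &&
        check_signing_cert "$d/private-key.pem" "$d/certificate.pem" &&
        echo "ok: $d"
fi
```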
To upload the certificate to AWS, use the upload-signing-certificate command.
    aws iam upload-signing-certificate --user-name user-name --certificate-body file://path/to/certificate.pem
To list the certificates for a user, use the list-signing-certificates command:
    aws iam list-signing-certificates --user-name user-name
To disable or re-enable a signing certificate for a user, use the update-signing-certificate command. The following command disables the certificate:
    aws iam update-signing-certificate --certificate-id OFHPLP4ZULTHYPMSYEX7O4BEXAMPLE --status Inactive --user-name user-name
To delete a certificate, use the delete-signing-certificate command:
    aws iam delete-signing-certificate --user-name user-name --certificate-id OFHPLP4ZULTHYPMSYEX7O4BEXAMPLE