Skip to main content
CUI

STIG Rule - V-273995

Back to STIG Browser

V-273995

SV-273995r1119973_rule

CAT II

Amazon Linux 2023 must ensure cryptographic verification of vendor software packages.

From: Amazon Linux 2023 Security Technical Implementation Guide (V1R3)

Description

<VulnDiscussion>Cryptographic verification of vendor software packages ensures that all software packages are obtained from a valid source and protects against spoofing that could lead to installation of malware on the system. Amazon Linux cryptographically signs all software packages, which includes updates, with a GPG key to Verify they are valid.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>

Check Procedure

Verify Amazon Linux 2023 package-signing keys are installed on the system and verify their fingerprints match vendor values. Note: For Amazon Linux 2023 software packages, AWS uses GPG keys defined in key file "/etc/pki/rpm-gpg/RPM-GPG-KEY-amazon-linux-2023" by default. List Amazon Linux GPG keys installed on the system: $ sudo rpm -q gpg-pubkey --qf "%{NAME}-%{VERSION}-%{RELEASE} %{SUMMARY}\n" gpg-pubkey-d832c631-6515c85e Amazon Linux <amazon-linux@amazon.com> public key If there is no Amazon Linux GPG key installed, this is a finding. Extract the fingerprint from the key with this command: $ sudo gpg -q --keyid-format short --with-fingerprint /etc/pki/rpm-gpg/RPM-GPG-KEY-amazon-linux-2023 pub rsa4096/D832C631 2022-12-08 [SC] Key fingerprint = B21C 50FA 44A9 9720 EAA7 2F7F E951 904A D832 C631 uid Amazon Linux <amazon-linux@amazon.com> Compare the Key fingerprint with the key fingerprint from Amazon Documentation and instructions at https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/verify-keys.html If key fingerprints do not match, or the key file is missing, this is a finding.

Fix Text

Configure Amazon Linux 2023 to have the public key for verifying RPM packages to be installed with the "system-release" package. Install the system-release installation with the following command: $ sudo dnf install -y system-release Ensure cryptographic verification of software packages is enabled by editing /etc/dnf/dnf.conf and under '[main]' in the configuration file add: gpgcheck=1

CCI Reference

CCI-003992
Created
2026-04-07 20:08:10
Last Updated
2026-04-07 20:08:10
Back to Browse
CUI