Amazon Linux 2023 must ensure cryptographic verification of vendor software packages.

Severity	Group ID	Group Title	Version	Rule ID	Date	STIG Version
medium	V-273995	SRG-OS-000366-GPOS-00153	AZLX-23-000110	SV-273995r1119973_rule	2025-07-15	1

Description
Cryptographic verification of vendor software packages ensures that all software packages are obtained from a valid source and protects against spoofing that could lead to installation of malware on the system. Amazon Linux cryptographically signs all software packages, which includes updates, with a GPG key to Verify they are valid.

ℹ️ Check
Verify Amazon Linux 2023 package-signing keys are installed on the system and verify their fingerprints match vendor values. Note: For Amazon Linux 2023 software packages, AWS uses GPG keys defined in key file "/etc/pki/rpm-gpg/RPM-GPG-KEY-amazon-linux-2023" by default. List Amazon Linux GPG keys installed on the system: $ sudo rpm -q gpg-pubkey --qf "%{NAME}-%{VERSION}-%{RELEASE} %{SUMMARY}\n" gpg-pubkey-d832c631-6515c85e Amazon Linux <amazon-linux@amazon.com> public key If there is no Amazon Linux GPG key installed, this is a finding. Extract the fingerprint from the key with this command: $ sudo gpg -q --keyid-format short --with-fingerprint /etc/pki/rpm-gpg/RPM-GPG-KEY-amazon-linux-2023 pub rsa4096/D832C631 2022-12-08 [SC] Key fingerprint = B21C 50FA 44A9 9720 EAA7 2F7F E951 904A D832 C631 uid Amazon Linux <amazon-linux@amazon.com> Compare the Key fingerprint with the key fingerprint from Amazon Documentation and instructions at https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/verify-keys.html If key fingerprints do not match, or the key file is missing, this is a finding.

ℹ️ Check

Verify Amazon Linux 2023 package-signing keys are installed on the system and verify their fingerprints match vendor values. Note: For Amazon Linux 2023 software packages, AWS uses GPG keys defined in key file "/etc/pki/rpm-gpg/RPM-GPG-KEY-amazon-linux-2023" by default. List Amazon Linux GPG keys installed on the system: $ sudo rpm -q gpg-pubkey --qf "%{NAME}-%{VERSION}-%{RELEASE} %{SUMMARY}\n" gpg-pubkey-d832c631-6515c85e Amazon Linux <amazon-linux@amazon.com> public key If there is no Amazon Linux GPG key installed, this is a finding. Extract the fingerprint from the key with this command: $ sudo gpg -q --keyid-format short --with-fingerprint /etc/pki/rpm-gpg/RPM-GPG-KEY-amazon-linux-2023 pub rsa4096/D832C631 2022-12-08 [SC] Key fingerprint = B21C 50FA 44A9 9720 EAA7 2F7F E951 904A D832 C631 uid Amazon Linux <amazon-linux@amazon.com> Compare the Key fingerprint with the key fingerprint from Amazon Documentation and instructions at https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/verify-keys.html If key fingerprints do not match, or the key file is missing, this is a finding.

✔️ Fix
Configure Amazon Linux 2023 to have the public key for verifying RPM packages to be installed with the "system-release" package. Install the system-release installation with the following command: $ sudo dnf install -y system-release Ensure cryptographic verification of software packages is enabled by editing /etc/dnf/dnf.conf and under '[main]' in the configuration file add: gpgcheck=1