Verify whether an Amazon EC2 instance is enabled for UEFI Secure Boot

You can use the following procedures to determine whether an Amazon EC2 is enabled for UEFI Secure Boot.

You can use the mokutil utility to verify whether a Linux instance is enabled for UEFI Secure Boot. If mokutil is not installed on your instance, you must install it. For the installation instructions for Amazon Linux 2, see Find and install software packages on an Amazon Linux 2 instance. For other Linux distributions, see their specific documentation.

To verify whether a Linux instance is enabled for UEFI Secure Boot

Connect to your instance and run the following command as root in a terminal window.


mokutil --sb-state

The following is example output.

If UEFI Secure Boot is enabled, the output contains SecureBoot enabled.
If UEFI Secure Boot is not enabled, the output contains SecureBoot disabled or Failed to read SecureBoot.

To verify whether a Windows instance is enabled for UEFI Secure Boot

Connect to your instance.
Open the msinfo32 tool.
Check the Secure Boot State field. If UEFI Secure Boot is enabled, the value is Supported, as shown in the following image.

You can also use the Windows PowerShell Cmdlet Confirm-SecureBootUEFI to check the the Secure Boot status. For more information about the cmdlet, see Confirm-SecureBootUEFI in the Microsoft Documentation.

Warning Javascript is disabled or is unavailable in your browser.

To use the Amazon Web Services Documentation, Javascript must be enabled. Please refer to your browser's Help pages for instructions.

Document Conventions

Launch an instance with UEFI Secure Boot

Create a Linux AMI with custom keys