diff --git a/bootstrapper/cmd/bootstrapper/main.go b/bootstrapper/cmd/bootstrapper/main.go
index 974786a2a..6f49198ea 100644
--- a/bootstrapper/cmd/bootstrapper/main.go
+++ b/bootstrapper/cmd/bootstrapper/main.go
@@ -91,7 +91,7 @@ func main() {
 log.With(zap.Error(err)).Fatalf("Failed to marshal PCRs")
 }
- issuer = initserver.NewIssuerWrapper(&aws.Issuer{}, vmtype.Unknown, nil)
+ issuer = initserver.NewIssuerWrapper(aws.NewIssuer(), vmtype.Unknown, nil)
 metadata, err := awscloud.New(ctx)
 if err != nil {
diff --git a/cli/internal/cloudcmd/validators.go b/cli/internal/cloudcmd/validators.go
index 20c20acf0..86785393e 100644
--- a/cli/internal/cloudcmd/validators.go
+++ b/cli/internal/cloudcmd/validators.go
@@ -14,6 +14,7 @@ import (
 "fmt"
 "github.com/edgelesssys/constellation/v2/internal/atls"
+ "github.com/edgelesssys/constellation/v2/internal/attestation/aws"
 "github.com/edgelesssys/constellation/v2/internal/attestation/azure/snp"
 "github.com/edgelesssys/constellation/v2/internal/attestation/azure/trustedlaunch"
 "github.com/edgelesssys/constellation/v2/internal/attestation/gcp"
@@ -34,28 +35,24 @@ type Validator struct {
 validator atls.Validator
 }
-func NewValidator(provider cloudprovider.Provider, config *config.Config) (*Validator, error) {
+func NewValidator(provider cloudprovider.Provider, conf *config.Config) (*Validator, error) {
 v := Validator{}
- if provider == cloudprovider.AWS {
- // TODO: Implement AWS validator
- return nil, errors.New("no validator for AWS available yet")
- }
 if provider == cloudprovider.Unknown {
 return nil, errors.New("unknown cloud provider")
 }
 v.provider = provider
- if err := v.setPCRs(config); err != nil {
+ if err := v.setPCRs(conf); err != nil {
 return nil, err
 }
 if v.provider == cloudprovider.Azure {
- v.azureCVM = *config.Provider.Azure.ConfidentialVM
+ v.azureCVM = *conf.Provider.Azure.ConfidentialVM
 if v.azureCVM {
- idkeydigest, err := hex.DecodeString(config.Provider.Azure.IDKeyDigest)
+ idkeydigest, err := hex.DecodeString(conf.Provider.Azure.IDKeyDigest)
 if err != nil {
 return nil, fmt.Errorf("bad config: decoding idkeydigest from config: %w", err)
 }
- v.enforceIDKeyDigest = *config.Provider.Azure.EnforceIDKeyDigest
+ v.enforceIDKeyDigest = *conf.Provider.Azure.EnforceIDKeyDigest
 v.idkeydigest = idkeydigest
 }
 }
@@ -162,6 +159,8 @@ func (v *Validator) updateValidator(cmd *cobra.Command) {
 } else {
 v.validator = trustedlaunch.NewValidator(v.pcrs, v.enforcedPCRs, log)
 }
+ case cloudprovider.AWS:
+ v.validator = aws.NewValidator(v.pcrs, v.enforcedPCRs, log)
 case cloudprovider.QEMU:
 v.validator = qemu.NewValidator(v.pcrs, v.enforcedPCRs, log)
 }
diff --git a/cli/internal/cmd/init.go b/cli/internal/cmd/init.go
index c48311ff0..edecdacd0 100644
--- a/cli/internal/cmd/init.go
+++ b/cli/internal/cmd/init.go
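Review bot: Dropping the AWS early return in NewValidator makes the AWS path depend on `v.setPCRs(conf)` handling cloudprovider.AWS, and setPCRs is outside this hunk; if it has no AWS branch the constructor now either errors late or hands back a Validator whose PCR map is empty, which updateValidator would pass to aws.NewValidator unchanged. Worth confirming that setPCRs reads the AWS measurements from conf and adding a unit test for `NewValidator(cloudprovider.AWS, conf)` that asserts the PCR map is populated. The `config` → `conf` rename is a good change since the parameter shadowed the `config` package; the same shadowing remains in getEnforcedPCRs in cli/internal/cmd/init.go. NewValidator's body continues past the end of the hunk.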
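Review bot: The new AWS case in updateValidator passes `v.enforcedPCRs` straight to aws.NewValidator; if config.Provider.AWS.EnforcedMeasurements is empty (for example a config written before AWS attestation existed) the validator would presumably enforce no PCRs at all, so any measurement set would be accepted. Consider surfacing that condition — at minimum a warning on `log` when `len(v.enforcedPCRs) == 0`, or an error from NewValidator — so a non-enforcing AWS validator cannot be created silently. updateValidator starts before this hunk, so it is not visible whether such a check already exists for the other providers.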
@@ -231,6 +231,8 @@ func writeRow(wr io.Writer, col1 string, col2 string) {
 func getEnforcedPCRs(provider cloudprovider.Provider, config *config.Config) []uint32 {
 switch provider {
+ case cloudprovider.AWS:
+ return config.Provider.AWS.EnforcedMeasurements
 case cloudprovider.Azure:
 return config.Provider.Azure.EnforcedMeasurements
 case cloudprovider.GCP:
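Review bot: getEnforcedPCRs keeps the parameter name `config`, which shadows the imported `config` package inside the function; the validators.go hunk in this same commit renames the equivalent parameter to `conf`, so the two should agree, e.g. `func getEnforcedPCRs(provider cloudprovider.Provider, conf *config.Config) []uint32 {` with the body's `config.` references changed to `conf.`. The page does not show whether `Provider.AWS` is a pointer field; if it is, the new `config.Provider.AWS.EnforcedMeasurements` would panic on a config without an AWS section, so a nil check before the dereference is worth confirming. The rest of getEnforcedPCRs lies outside the hunk.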