diff --git a/bootstrapper/cmd/bootstrapper/main.go b/bootstrapper/cmd/bootstrapper/main.go
index 8d89ae561..7518e9c36 100644
--- a/bootstrapper/cmd/bootstrapper/main.go
+++ b/bootstrapper/cmd/bootstrapper/main.go
@@ -109,6 +109,7 @@ func main() {
 		)
 		openTPM = vtpm.OpenVTPM
 		fs = afero.NewOsFs()
+
 	case cloudprovider.GCP:
 		pcrs, err := vtpm.GetSelectedPCRs(vtpm.OpenVTPM, vtpm.GCPPCRSelection)
 		if err != nil {
@@ -146,6 +147,7 @@ func main() {
 		openTPM = vtpm.OpenVTPM
 		fs = afero.NewOsFs()
 		log.Infof("Added load balancer IP to routing table")
+
 	case cloudprovider.Azure:
 		pcrs, err := vtpm.GetSelectedPCRs(vtpm.OpenVTPM, vtpm.AzurePCRSelection)
 		if err != nil {
@@ -179,6 +181,7 @@ func main() {
 
 		openTPM = vtpm.OpenVTPM
 		fs = afero.NewOsFs()
+
 	case cloudprovider.QEMU:
 		pcrs, err := vtpm.GetSelectedPCRs(vtpm.OpenVTPM, vtpm.QEMUPCRSelection)
 		if err != nil {
diff --git a/go.mod b/go.mod
index af344112b..88903d388 100644
--- a/go.mod
+++ b/go.mod
@@ -47,13 +47,14 @@ require (
 	github.com/Azure/azure-sdk-for-go/sdk/resourcemanager/resources/armresources v1.0.0
 	github.com/Azure/azure-sdk-for-go/sdk/storage/azblob v0.5.1
 	github.com/Azure/go-autorest/autorest/to v0.4.0
-	github.com/aws/aws-sdk-go-v2 v1.16.16
+	github.com/aws/aws-sdk-go-v2 v1.17.1
 	github.com/aws/aws-sdk-go-v2/config v1.17.8
 	github.com/aws/aws-sdk-go-v2/feature/ec2/imds v1.12.17
 	github.com/aws/aws-sdk-go-v2/service/cloudwatchlogs v1.15.20
-	github.com/aws/aws-sdk-go-v2/service/ec2 v1.32.0
+	github.com/aws/aws-sdk-go-v2/service/ec2 v1.63.3
 	github.com/aws/aws-sdk-go-v2/service/kms v1.18.13
 	github.com/aws/aws-sdk-go-v2/service/s3 v1.27.11
+	github.com/aws/smithy-go v1.13.4
 	github.com/coreos/go-systemd/v22 v22.4.0
 	github.com/docker/docker v20.10.19+incompatible
 	github.com/fsnotify/fsnotify v1.6.0
@@ -132,18 +133,17 @@ require (
 	github.com/asaskevich/govalidator v0.0.0-20210307081110-f21760c49a8d // indirect
 	github.com/aws/aws-sdk-go-v2/aws/protocol/eventstream v1.4.8 // indirect
 	github.com/aws/aws-sdk-go-v2/credentials v1.12.21 // indirect
-	github.com/aws/aws-sdk-go-v2/internal/configsources v1.1.23 // indirect
-	github.com/aws/aws-sdk-go-v2/internal/endpoints/v2 v2.4.17 // indirect
+	github.com/aws/aws-sdk-go-v2/internal/configsources v1.1.25 // indirect
+	github.com/aws/aws-sdk-go-v2/internal/endpoints/v2 v2.4.19 // indirect
 	github.com/aws/aws-sdk-go-v2/internal/ini v1.3.24 // indirect
 	github.com/aws/aws-sdk-go-v2/internal/v4a v1.0.14 // indirect
 	github.com/aws/aws-sdk-go-v2/service/internal/accept-encoding v1.9.9 // indirect
 	github.com/aws/aws-sdk-go-v2/service/internal/checksum v1.1.18 // indirect
-	github.com/aws/aws-sdk-go-v2/service/internal/presigned-url v1.9.17 // indirect
+	github.com/aws/aws-sdk-go-v2/service/internal/presigned-url v1.9.19 // indirect
 	github.com/aws/aws-sdk-go-v2/service/internal/s3shared v1.13.17 // indirect
 	github.com/aws/aws-sdk-go-v2/service/sso v1.11.23 // indirect
 	github.com/aws/aws-sdk-go-v2/service/ssooidc v1.13.6 // indirect
 	github.com/aws/aws-sdk-go-v2/service/sts v1.16.19 // indirect
-	github.com/aws/smithy-go v1.13.3 // indirect
 	github.com/benbjohnson/clock v1.3.0 // indirect
 	github.com/beorn7/perks v1.0.1 // indirect
 	github.com/blang/semver v3.5.1+incompatible // indirect
diff --git a/go.sum b/go.sum
index 18e5d28e9..b2f1645d6 100644
--- a/go.sum
+++ b/go.sum
@@ -233,9 +233,9 @@ github.com/aws/aws-sdk-go v1.27.0/go.mod h1:KmX6BPdI08NWTb3/sm4ZGu5ShLoqVDhKgpiN
 github.com/aws/aws-sdk-go v1.36.30/go.mod h1:hcU610XS61/+aQV88ixoOzUoG7v3b31pl2zKMmprdro=
 github.com/aws/aws-sdk-go v1.37.0/go.mod h1:hcU610XS61/+aQV88ixoOzUoG7v3b31pl2zKMmprdro=
 github.com/aws/aws-sdk-go-v2 v0.18.0/go.mod h1:JWVYvqSMppoMJC0x5wdwiImzgXTI9FuZwxzkQq9wy+g=
-github.com/aws/aws-sdk-go-v2 v1.15.0/go.mod h1:lJYcuZZEHWNIb6ugJjbQY1fykdoobWbOS7kJYb4APoI=
-github.com/aws/aws-sdk-go-v2 v1.16.16 h1:M1fj4FE2lB4NzRb9Y0xdWsn2P0+2UHVxwKyOa4YJNjk=
 github.com/aws/aws-sdk-go-v2 v1.16.16/go.mod h1:SwiyXi/1zTUZ6KIAmLK5V5ll8SiURNUYOqTerZPaF9k=
+github.com/aws/aws-sdk-go-v2 v1.17.1 h1:02c72fDJr87N8RAC2s3Qu0YuvMRZKNZJ9F+lAehCazk=
+github.com/aws/aws-sdk-go-v2 v1.17.1/go.mod h1:JLnGeGONAyi2lWXI1p0PCIOIy333JMVK1U7Hf0aRFLw=
 github.com/aws/aws-sdk-go-v2/aws/protocol/eventstream v1.4.8 h1:tcFliCWne+zOuUfKNRn8JdFBuWPDuISDH08wD2ULkhk=
 github.com/aws/aws-sdk-go-v2/aws/protocol/eventstream v1.4.8/go.mod h1:JTnlBSot91steJeti4ryyu/tLd4Sk84O5W22L7O2EQU=
 github.com/aws/aws-sdk-go-v2/config v1.17.8 h1:b9LGqNnOdg9vR4Q43tBTVWk4J6F+W774MSchvKJsqnE=
@@ -244,27 +244,27 @@ github.com/aws/aws-sdk-go-v2/credentials v1.12.21 h1:4tjlyCD0hRGNQivh5dN8hbP30qQ
 github.com/aws/aws-sdk-go-v2/credentials v1.12.21/go.mod h1:O+4XyAt4e+oBAoIwNUYkRg3CVMscaIJdmZBOcPgJ8D8=
 github.com/aws/aws-sdk-go-v2/feature/ec2/imds v1.12.17 h1:r08j4sbZu/RVi+BNxkBJwPMUYY3P8mgSDuKkZ/ZN1lE=
 github.com/aws/aws-sdk-go-v2/feature/ec2/imds v1.12.17/go.mod h1:yIkQcCDYNsZfXpd5UX2Cy+sWA1jPgIhGTw9cOBzfVnQ=
-github.com/aws/aws-sdk-go-v2/internal/configsources v1.1.6/go.mod h1:SSPEdf9spsFgJyhjrXvawfpyzrXHBCUe+2eQ1CjC1Ak=
-github.com/aws/aws-sdk-go-v2/internal/configsources v1.1.23 h1:s4g/wnzMf+qepSNgTvaQQHNxyMLKSawNhKCPNy++2xY=
 github.com/aws/aws-sdk-go-v2/internal/configsources v1.1.23/go.mod h1:2DFxAQ9pfIRy0imBCJv+vZ2X6RKxves6fbnEuSry6b4=
-github.com/aws/aws-sdk-go-v2/internal/endpoints/v2 v2.4.0/go.mod h1:viTrxhAuejD+LszDahzAE2x40YjYWhMqzHxv2ZiWaME=
-github.com/aws/aws-sdk-go-v2/internal/endpoints/v2 v2.4.17 h1:/K482T5A3623WJgWT8w1yRAFK4RzGzEl7y39yhtn9eA=
+github.com/aws/aws-sdk-go-v2/internal/configsources v1.1.25 h1:nBO/RFxeq/IS5G9Of+ZrgucRciie2qpLy++3UGZ+q2E=
+github.com/aws/aws-sdk-go-v2/internal/configsources v1.1.25/go.mod h1:Zb29PYkf42vVYQY6pvSyJCJcFHlPIiY+YKdPtwnvMkY=
 github.com/aws/aws-sdk-go-v2/internal/endpoints/v2 v2.4.17/go.mod h1:pRwaTYCJemADaqCbUAxltMoHKata7hmB5PjEXeu0kfg=
+github.com/aws/aws-sdk-go-v2/internal/endpoints/v2 v2.4.19 h1:oRHDrwCTVT8ZXi4sr9Ld+EXk7N/KGssOr2ygNeojEhw=
+github.com/aws/aws-sdk-go-v2/internal/endpoints/v2 v2.4.19/go.mod h1:6Q0546uHDp421okhmmGfbxzq2hBqbXFNpi4k+Q1JnQA=
 github.com/aws/aws-sdk-go-v2/internal/ini v1.3.24 h1:wj5Rwc05hvUSvKuOF29IYb9QrCLjU+rHAy/x/o0DK2c=
 github.com/aws/aws-sdk-go-v2/internal/ini v1.3.24/go.mod h1:jULHjqqjDlbyTa7pfM7WICATnOv+iOhjletM3N0Xbu8=
 github.com/aws/aws-sdk-go-v2/internal/v4a v1.0.14 h1:ZSIPAkAsCCjYrhqfw2+lNzWDzxzHXEckFkTePL5RSWQ=
 github.com/aws/aws-sdk-go-v2/internal/v4a v1.0.14/go.mod h1:AyGgqiKv9ECM6IZeNQtdT8NnMvUb3/2wokeq2Fgryto=
 github.com/aws/aws-sdk-go-v2/service/cloudwatchlogs v1.15.20 h1:yPyXdrZaB4SW+pn2CmqyAbhuqGM4Pv4fsMhLOt8cOj8=
 github.com/aws/aws-sdk-go-v2/service/cloudwatchlogs v1.15.20/go.mod h1:p2i2jyYZzFBJeOOQ5ji2k/Yc6IvlQsG/CuHRwEi8whs=
-github.com/aws/aws-sdk-go-v2/service/ec2 v1.32.0 h1:0Vbs1G2zV7uvBhMj7o/igTzAg1/roh4ksgIr5oRKFIo=
-github.com/aws/aws-sdk-go-v2/service/ec2 v1.32.0/go.mod h1:Z8942YP2VgLQpgPCx06iXCrOt7mxxCe0dESCm9FFhgs=
+github.com/aws/aws-sdk-go-v2/service/ec2 v1.63.3 h1:+UHyeFhdPddRB+EkgeaKMutWiqwWrj3FIQUif3VnalM=
+github.com/aws/aws-sdk-go-v2/service/ec2 v1.63.3/go.mod h1:zul71QqzR4D1a90/5FloZiAnZ1CtuIjVH7R9MP997+A=
 github.com/aws/aws-sdk-go-v2/service/internal/accept-encoding v1.9.9 h1:Lh1AShsuIJTwMkoxVCAYPJgNG5H+eN6SmoUn8nOZ5wE=
 github.com/aws/aws-sdk-go-v2/service/internal/accept-encoding v1.9.9/go.mod h1:a9j48l6yL5XINLHLcOKInjdvknN+vWqPBxqeIDw7ktw=
 github.com/aws/aws-sdk-go-v2/service/internal/checksum v1.1.18 h1:BBYoNQt2kUZUUK4bIPsKrCcjVPUMNsgQpNAwhznK/zo=
 github.com/aws/aws-sdk-go-v2/service/internal/checksum v1.1.18/go.mod h1:NS55eQ4YixUJPTC+INxi2/jCqe1y2Uw3rnh9wEOVJxY=
-github.com/aws/aws-sdk-go-v2/service/internal/presigned-url v1.9.0/go.mod h1:R31ot6BgESRCIoxwfKtIHzZMo/vsZn2un81g9BJ4nmo=
-github.com/aws/aws-sdk-go-v2/service/internal/presigned-url v1.9.17 h1:Jrd/oMh0PKQc6+BowB+pLEwLIgaQF29eYbe7E1Av9Ug=
 github.com/aws/aws-sdk-go-v2/service/internal/presigned-url v1.9.17/go.mod h1:4nYOrY41Lrbk2170/BGkcJKBhws9Pfn8MG3aGqjjeFI=
+github.com/aws/aws-sdk-go-v2/service/internal/presigned-url v1.9.19 h1:GE25AWCdNUPh9AOJzI9KIJnja7IwUc1WyUqz/JTyJ/I=
+github.com/aws/aws-sdk-go-v2/service/internal/presigned-url v1.9.19/go.mod h1:02CP6iuYP+IVnBX5HULVdSAku/85eHB2Y9EsFhrkEwU=
 github.com/aws/aws-sdk-go-v2/service/internal/s3shared v1.13.17 h1:HfVVR1vItaG6le+Bpw6P4midjBDMKnjMyZnw9MXYUcE=
 github.com/aws/aws-sdk-go-v2/service/internal/s3shared v1.13.17/go.mod h1:YqMdV+gEKCQ59NrB7rzrJdALeBIsYiVi8Inj3+KcqHI=
 github.com/aws/aws-sdk-go-v2/service/kms v1.18.13 h1:/qZYGhQ18P1DAjXzmDuBN6yxeWaj45RRpiemB7lircc=
@@ -277,9 +277,9 @@ github.com/aws/aws-sdk-go-v2/service/ssooidc v1.13.6 h1:OwhhKc1P9ElfWbMKPIbMMZBV
 github.com/aws/aws-sdk-go-v2/service/ssooidc v1.13.6/go.mod h1:csZuQY65DAdFBt1oIjO5hhBR49kQqop4+lcuCjf2arA=
 github.com/aws/aws-sdk-go-v2/service/sts v1.16.19 h1:9pPi0PsFNAGILFfPCk8Y0iyEBGc6lu6OQ97U7hmdesg=
 github.com/aws/aws-sdk-go-v2/service/sts v1.16.19/go.mod h1:h4J3oPZQbxLhzGnk+j9dfYHi5qIOVJ5kczZd658/ydM=
-github.com/aws/smithy-go v1.11.1/go.mod h1:3xHYmszWVx2c0kIwQeEVf9uSm4fYZt67FBJnwub1bgM=
-github.com/aws/smithy-go v1.13.3 h1:l7LYxGuzK6/K+NzJ2mC+VvLUbae0sL3bXU//04MkmnA=
 github.com/aws/smithy-go v1.13.3/go.mod h1:Tg+OJXh4MB2R/uN61Ko2f6hTZwB/ZYGOtib8J3gBHzA=
+github.com/aws/smithy-go v1.13.4 h1:/RN2z1txIJWeXeOkzX+Hk/4Uuvv7dWtCjbmVJcrskyk=
+github.com/aws/smithy-go v1.13.4/go.mod h1:Tg+OJXh4MB2R/uN61Ko2f6hTZwB/ZYGOtib8J3gBHzA=
 github.com/aybabtme/rgbterm v0.0.0-20170906152045-cc83f3b3ce59/go.mod h1:q/89r3U2H7sSsE2t6Kca0lfwTK8JdoNGS/yzM/4iH5I=
 github.com/beevik/etree v1.1.0/go.mod h1:r8Aw8JqVegEf0w2fDnATrX9VpkMcyFeM0FhwO62wh+A=
 github.com/benbjohnson/clock v1.0.3/go.mod h1:bGMdMPoPVvcYyt1gHDf4J2KE153Yf9BuiUKYMaxlTDM=
diff --git a/hack/go.mod b/hack/go.mod
index 628eae5a0..84557f41c 100644
--- a/hack/go.mod
+++ b/hack/go.mod
@@ -74,26 +74,26 @@ require (
 	github.com/ProtonMail/go-crypto v0.0.0-20210428141323-04723f9f07d7 // indirect
 	github.com/acomagu/bufpipe v1.0.3 // indirect
 	github.com/asaskevich/govalidator v0.0.0-20210307081110-f21760c49a8d // indirect
-	github.com/aws/aws-sdk-go-v2 v1.16.16 // indirect
+	github.com/aws/aws-sdk-go-v2 v1.17.1 // indirect
 	github.com/aws/aws-sdk-go-v2/aws/protocol/eventstream v1.4.8 // indirect
 	github.com/aws/aws-sdk-go-v2/config v1.17.8 // indirect
 	github.com/aws/aws-sdk-go-v2/credentials v1.12.21 // indirect
 	github.com/aws/aws-sdk-go-v2/feature/ec2/imds v1.12.17 // indirect
-	github.com/aws/aws-sdk-go-v2/internal/configsources v1.1.23 // indirect
-	github.com/aws/aws-sdk-go-v2/internal/endpoints/v2 v2.4.17 // indirect
+	github.com/aws/aws-sdk-go-v2/internal/configsources v1.1.25 // indirect
+	github.com/aws/aws-sdk-go-v2/internal/endpoints/v2 v2.4.19 // indirect
 	github.com/aws/aws-sdk-go-v2/internal/ini v1.3.24 // indirect
 	github.com/aws/aws-sdk-go-v2/internal/v4a v1.0.14 // indirect
-	github.com/aws/aws-sdk-go-v2/service/ec2 v1.32.0 // indirect
+	github.com/aws/aws-sdk-go-v2/service/ec2 v1.63.3 // indirect
 	github.com/aws/aws-sdk-go-v2/service/internal/accept-encoding v1.9.9 // indirect
 	github.com/aws/aws-sdk-go-v2/service/internal/checksum v1.1.18 // indirect
-	github.com/aws/aws-sdk-go-v2/service/internal/presigned-url v1.9.17 // indirect
+	github.com/aws/aws-sdk-go-v2/service/internal/presigned-url v1.9.19 // indirect
 	github.com/aws/aws-sdk-go-v2/service/internal/s3shared v1.13.17 // indirect
 	github.com/aws/aws-sdk-go-v2/service/kms v1.18.13 // indirect
 	github.com/aws/aws-sdk-go-v2/service/s3 v1.27.11 // indirect
 	github.com/aws/aws-sdk-go-v2/service/sso v1.11.23 // indirect
 	github.com/aws/aws-sdk-go-v2/service/ssooidc v1.13.6 // indirect
 	github.com/aws/aws-sdk-go-v2/service/sts v1.16.19 // indirect
-	github.com/aws/smithy-go v1.13.3 // indirect
+	github.com/aws/smithy-go v1.13.4 // indirect
 	github.com/benbjohnson/clock v1.3.0 // indirect
 	github.com/blang/semver v3.5.1+incompatible // indirect
 	github.com/chzyer/readline v0.0.0-20180603132655-2972be24d48e // indirect
diff --git a/hack/go.sum b/hack/go.sum
index 692ec1226..f8d72e9a4 100644
--- a/hack/go.sum
+++ b/hack/go.sum
@@ -209,9 +209,9 @@ github.com/aws/aws-sdk-go v1.27.0/go.mod h1:KmX6BPdI08NWTb3/sm4ZGu5ShLoqVDhKgpiN
 github.com/aws/aws-sdk-go v1.36.30/go.mod h1:hcU610XS61/+aQV88ixoOzUoG7v3b31pl2zKMmprdro=
 github.com/aws/aws-sdk-go v1.37.0/go.mod h1:hcU610XS61/+aQV88ixoOzUoG7v3b31pl2zKMmprdro=
 github.com/aws/aws-sdk-go-v2 v0.18.0/go.mod h1:JWVYvqSMppoMJC0x5wdwiImzgXTI9FuZwxzkQq9wy+g=
-github.com/aws/aws-sdk-go-v2 v1.15.0/go.mod h1:lJYcuZZEHWNIb6ugJjbQY1fykdoobWbOS7kJYb4APoI=
-github.com/aws/aws-sdk-go-v2 v1.16.16 h1:M1fj4FE2lB4NzRb9Y0xdWsn2P0+2UHVxwKyOa4YJNjk=
 github.com/aws/aws-sdk-go-v2 v1.16.16/go.mod h1:SwiyXi/1zTUZ6KIAmLK5V5ll8SiURNUYOqTerZPaF9k=
+github.com/aws/aws-sdk-go-v2 v1.17.1 h1:02c72fDJr87N8RAC2s3Qu0YuvMRZKNZJ9F+lAehCazk=
+github.com/aws/aws-sdk-go-v2 v1.17.1/go.mod h1:JLnGeGONAyi2lWXI1p0PCIOIy333JMVK1U7Hf0aRFLw=
 github.com/aws/aws-sdk-go-v2/aws/protocol/eventstream v1.4.8 h1:tcFliCWne+zOuUfKNRn8JdFBuWPDuISDH08wD2ULkhk=
 github.com/aws/aws-sdk-go-v2/aws/protocol/eventstream v1.4.8/go.mod h1:JTnlBSot91steJeti4ryyu/tLd4Sk84O5W22L7O2EQU=
 github.com/aws/aws-sdk-go-v2/config v1.17.8 h1:b9LGqNnOdg9vR4Q43tBTVWk4J6F+W774MSchvKJsqnE=
@@ -220,25 +220,25 @@ github.com/aws/aws-sdk-go-v2/credentials v1.12.21 h1:4tjlyCD0hRGNQivh5dN8hbP30qQ
 github.com/aws/aws-sdk-go-v2/credentials v1.12.21/go.mod h1:O+4XyAt4e+oBAoIwNUYkRg3CVMscaIJdmZBOcPgJ8D8=
 github.com/aws/aws-sdk-go-v2/feature/ec2/imds v1.12.17 h1:r08j4sbZu/RVi+BNxkBJwPMUYY3P8mgSDuKkZ/ZN1lE=
 github.com/aws/aws-sdk-go-v2/feature/ec2/imds v1.12.17/go.mod h1:yIkQcCDYNsZfXpd5UX2Cy+sWA1jPgIhGTw9cOBzfVnQ=
-github.com/aws/aws-sdk-go-v2/internal/configsources v1.1.6/go.mod h1:SSPEdf9spsFgJyhjrXvawfpyzrXHBCUe+2eQ1CjC1Ak=
-github.com/aws/aws-sdk-go-v2/internal/configsources v1.1.23 h1:s4g/wnzMf+qepSNgTvaQQHNxyMLKSawNhKCPNy++2xY=
 github.com/aws/aws-sdk-go-v2/internal/configsources v1.1.23/go.mod h1:2DFxAQ9pfIRy0imBCJv+vZ2X6RKxves6fbnEuSry6b4=
-github.com/aws/aws-sdk-go-v2/internal/endpoints/v2 v2.4.0/go.mod h1:viTrxhAuejD+LszDahzAE2x40YjYWhMqzHxv2ZiWaME=
-github.com/aws/aws-sdk-go-v2/internal/endpoints/v2 v2.4.17 h1:/K482T5A3623WJgWT8w1yRAFK4RzGzEl7y39yhtn9eA=
+github.com/aws/aws-sdk-go-v2/internal/configsources v1.1.25 h1:nBO/RFxeq/IS5G9Of+ZrgucRciie2qpLy++3UGZ+q2E=
+github.com/aws/aws-sdk-go-v2/internal/configsources v1.1.25/go.mod h1:Zb29PYkf42vVYQY6pvSyJCJcFHlPIiY+YKdPtwnvMkY=
 github.com/aws/aws-sdk-go-v2/internal/endpoints/v2 v2.4.17/go.mod h1:pRwaTYCJemADaqCbUAxltMoHKata7hmB5PjEXeu0kfg=
+github.com/aws/aws-sdk-go-v2/internal/endpoints/v2 v2.4.19 h1:oRHDrwCTVT8ZXi4sr9Ld+EXk7N/KGssOr2ygNeojEhw=
+github.com/aws/aws-sdk-go-v2/internal/endpoints/v2 v2.4.19/go.mod h1:6Q0546uHDp421okhmmGfbxzq2hBqbXFNpi4k+Q1JnQA=
 github.com/aws/aws-sdk-go-v2/internal/ini v1.3.24 h1:wj5Rwc05hvUSvKuOF29IYb9QrCLjU+rHAy/x/o0DK2c=
 github.com/aws/aws-sdk-go-v2/internal/ini v1.3.24/go.mod h1:jULHjqqjDlbyTa7pfM7WICATnOv+iOhjletM3N0Xbu8=
 github.com/aws/aws-sdk-go-v2/internal/v4a v1.0.14 h1:ZSIPAkAsCCjYrhqfw2+lNzWDzxzHXEckFkTePL5RSWQ=
 github.com/aws/aws-sdk-go-v2/internal/v4a v1.0.14/go.mod h1:AyGgqiKv9ECM6IZeNQtdT8NnMvUb3/2wokeq2Fgryto=
-github.com/aws/aws-sdk-go-v2/service/ec2 v1.32.0 h1:0Vbs1G2zV7uvBhMj7o/igTzAg1/roh4ksgIr5oRKFIo=
-github.com/aws/aws-sdk-go-v2/service/ec2 v1.32.0/go.mod h1:Z8942YP2VgLQpgPCx06iXCrOt7mxxCe0dESCm9FFhgs=
+github.com/aws/aws-sdk-go-v2/service/ec2 v1.63.3 h1:+UHyeFhdPddRB+EkgeaKMutWiqwWrj3FIQUif3VnalM=
+github.com/aws/aws-sdk-go-v2/service/ec2 v1.63.3/go.mod h1:zul71QqzR4D1a90/5FloZiAnZ1CtuIjVH7R9MP997+A=
 github.com/aws/aws-sdk-go-v2/service/internal/accept-encoding v1.9.9 h1:Lh1AShsuIJTwMkoxVCAYPJgNG5H+eN6SmoUn8nOZ5wE=
 github.com/aws/aws-sdk-go-v2/service/internal/accept-encoding v1.9.9/go.mod h1:a9j48l6yL5XINLHLcOKInjdvknN+vWqPBxqeIDw7ktw=
 github.com/aws/aws-sdk-go-v2/service/internal/checksum v1.1.18 h1:BBYoNQt2kUZUUK4bIPsKrCcjVPUMNsgQpNAwhznK/zo=
 github.com/aws/aws-sdk-go-v2/service/internal/checksum v1.1.18/go.mod h1:NS55eQ4YixUJPTC+INxi2/jCqe1y2Uw3rnh9wEOVJxY=
-github.com/aws/aws-sdk-go-v2/service/internal/presigned-url v1.9.0/go.mod h1:R31ot6BgESRCIoxwfKtIHzZMo/vsZn2un81g9BJ4nmo=
-github.com/aws/aws-sdk-go-v2/service/internal/presigned-url v1.9.17 h1:Jrd/oMh0PKQc6+BowB+pLEwLIgaQF29eYbe7E1Av9Ug=
 github.com/aws/aws-sdk-go-v2/service/internal/presigned-url v1.9.17/go.mod h1:4nYOrY41Lrbk2170/BGkcJKBhws9Pfn8MG3aGqjjeFI=
+github.com/aws/aws-sdk-go-v2/service/internal/presigned-url v1.9.19 h1:GE25AWCdNUPh9AOJzI9KIJnja7IwUc1WyUqz/JTyJ/I=
+github.com/aws/aws-sdk-go-v2/service/internal/presigned-url v1.9.19/go.mod h1:02CP6iuYP+IVnBX5HULVdSAku/85eHB2Y9EsFhrkEwU=
 github.com/aws/aws-sdk-go-v2/service/internal/s3shared v1.13.17 h1:HfVVR1vItaG6le+Bpw6P4midjBDMKnjMyZnw9MXYUcE=
 github.com/aws/aws-sdk-go-v2/service/internal/s3shared v1.13.17/go.mod h1:YqMdV+gEKCQ59NrB7rzrJdALeBIsYiVi8Inj3+KcqHI=
 github.com/aws/aws-sdk-go-v2/service/kms v1.18.13 h1:/qZYGhQ18P1DAjXzmDuBN6yxeWaj45RRpiemB7lircc=
@@ -251,9 +251,9 @@ github.com/aws/aws-sdk-go-v2/service/ssooidc v1.13.6 h1:OwhhKc1P9ElfWbMKPIbMMZBV
 github.com/aws/aws-sdk-go-v2/service/ssooidc v1.13.6/go.mod h1:csZuQY65DAdFBt1oIjO5hhBR49kQqop4+lcuCjf2arA=
 github.com/aws/aws-sdk-go-v2/service/sts v1.16.19 h1:9pPi0PsFNAGILFfPCk8Y0iyEBGc6lu6OQ97U7hmdesg=
 github.com/aws/aws-sdk-go-v2/service/sts v1.16.19/go.mod h1:h4J3oPZQbxLhzGnk+j9dfYHi5qIOVJ5kczZd658/ydM=
-github.com/aws/smithy-go v1.11.1/go.mod h1:3xHYmszWVx2c0kIwQeEVf9uSm4fYZt67FBJnwub1bgM=
-github.com/aws/smithy-go v1.13.3 h1:l7LYxGuzK6/K+NzJ2mC+VvLUbae0sL3bXU//04MkmnA=
 github.com/aws/smithy-go v1.13.3/go.mod h1:Tg+OJXh4MB2R/uN61Ko2f6hTZwB/ZYGOtib8J3gBHzA=
+github.com/aws/smithy-go v1.13.4 h1:/RN2z1txIJWeXeOkzX+Hk/4Uuvv7dWtCjbmVJcrskyk=
+github.com/aws/smithy-go v1.13.4/go.mod h1:Tg+OJXh4MB2R/uN61Ko2f6hTZwB/ZYGOtib8J3gBHzA=
 github.com/aybabtme/rgbterm v0.0.0-20170906152045-cc83f3b3ce59/go.mod h1:q/89r3U2H7sSsE2t6Kca0lfwTK8JdoNGS/yzM/4iH5I=
 github.com/beevik/etree v1.1.0/go.mod h1:r8Aw8JqVegEf0w2fDnATrX9VpkMcyFeM0FhwO62wh+A=
 github.com/benbjohnson/clock v1.0.3/go.mod h1:bGMdMPoPVvcYyt1gHDf4J2KE153Yf9BuiUKYMaxlTDM=
diff --git a/internal/attestation/aws/README.md b/internal/attestation/aws/README.md
new file mode 100644
index 000000000..66e28af33
--- /dev/null
+++ b/internal/attestation/aws/README.md
@@ -0,0 +1 @@
+# Amazon Web Services attestation
diff --git a/internal/attestation/aws/issuer.go b/internal/attestation/aws/issuer.go
index 4d56e9a04..56c8d2992 100644
--- a/internal/attestation/aws/issuer.go
+++ b/internal/attestation/aws/issuer.go
@@ -6,12 +6,60 @@ SPDX-License-Identifier: AGPL-3.0-only
 
 package aws
 
-import "github.com/edgelesssys/constellation/v2/internal/oid"
+import (
+	"context"
+	"encoding/json"
+	"errors"
+	"io"
+	"log"
 
+	"github.com/aws/aws-sdk-go-v2/feature/ec2/imds"
+	"github.com/edgelesssys/constellation/v2/internal/attestation/vtpm"
+	"github.com/edgelesssys/constellation/v2/internal/oid"
+
+	"github.com/google/go-tpm-tools/client"
+	tpmclient "github.com/google/go-tpm-tools/client"
+)
+
+// Issuer for AWS TPM attestation.
 type Issuer struct {
 	oid.AWS
+	*vtpm.Issuer
 }
 
-func (i *Issuer) Issue(userData []byte, nonce []byte) ([]byte, error) {
-	panic("aws issuer not implemented")
+func NewIssuer() *Issuer {
+	return &Issuer{
+		Issuer: vtpm.NewIssuer(
+			vtpm.OpenVTPM,
+			getAttestationKey,
+			getInstanceInfo(imds.New(imds.Options{})),
+		),
+	}
+}
+
+// getAttestationKey returns a new attestation key.
+func getAttestationKey(tpm io.ReadWriter) (*tpmclient.Key, error) {
+	tpmAk, err := client.AttestationKeyRSA(tpm)
+	if err != nil {
+		log.Fatalf("error creating RSA Endorsement key!")
+		return nil, err
+	}
+
+	return tpmAk, nil
+}
+
+// getInstanceInfo returns information about the current instance using the aws Metadata SDK.
+// The returned bytes will be written into the attestation document.
+func getInstanceInfo(client awsMetaData) func(tpm io.ReadWriteCloser) ([]byte, error) {
+	return func(io.ReadWriteCloser) ([]byte, error) {
+		ec2InstanceIdentityOutput, err := client.GetInstanceIdentityDocument(context.Background(), &imds.GetInstanceIdentityDocumentInput{})
+		if err != nil {
+			return nil, errors.New("unable to fetch instance identity document")
+		}
+		return json.Marshal(ec2InstanceIdentityOutput.InstanceIdentityDocument)
+	}
+}
+
+type awsMetaData interface {
+	GetInstanceIdentityDocument(context.Context, *imds.GetInstanceIdentityDocumentInput, ...func(*imds.Options)) (*imds.GetInstanceIdentityDocumentOutput, error)
 }
diff --git a/internal/attestation/aws/issuer_test.go b/internal/attestation/aws/issuer_test.go
new file mode 100644
index 000000000..2f35d2365
--- /dev/null
+++ b/internal/attestation/aws/issuer_test.go
@@ -0,0 +1,118 @@
+/*
+Copyright (c) Edgeless Systems GmbH
+
+SPDX-License-Identifier: AGPL-3.0-only
+*/
+
+package aws
+
+import (
+	"context"
+	"errors"
+	"testing"
+
+	"github.com/aws/aws-sdk-go-v2/feature/ec2/imds"
+	"github.com/aws/smithy-go/middleware"
+	tpmclient "github.com/google/go-tpm-tools/client"
+	"github.com/google/go-tpm-tools/simulator"
+	"github.com/stretchr/testify/assert"
+	"github.com/stretchr/testify/require"
+)
+
+func TestGetAttestationKey(t *testing.T) {
+	require := require.New(t)
+	assert := assert.New(t)
+
+	tpm, err := simulator.Get()
+	require.NoError(err)
+	defer tpm.Close()
+
+	// create the attestation ket in RSA format
+	tpmAk, err := tpmclient.AttestationKeyRSA(tpm)
+	assert.NoError(err)
+	assert.NotNil(tpmAk)
+
+	// get the cached, already created key
+	getAk, err := getAttestationKey(tpm)
+	assert.NoError(err)
+	assert.NotNil(getAk)
+
+	// if everything worked fine, tpmAk and getAk are the same key
+	assert.Equal(tpmAk, getAk)
+}
+
+func TestGetInstanceInfo(t *testing.T) {
+	testCases := map[string]struct {
+		client  stubMetadataAPI
+		wantErr bool
+	}{
+		"invalid region": {
+			client: stubMetadataAPI{
+				instanceDoc: imds.InstanceIdentityDocument{
+					Region: "invalid-region",
+				},
+				instanceErr: errors.New("failed"),
+			},
+			wantErr: true,
+		},
+		"valid region": {
+			client: stubMetadataAPI{
+				instanceDoc: imds.InstanceIdentityDocument{
+					Region: "us-east-2",
+				},
+			},
+		},
+		"invalid imageID": {
+			client: stubMetadataAPI{
+				instanceDoc: imds.InstanceIdentityDocument{
+					ImageID: "ami-fail",
+				},
+				instanceErr: errors.New("failed"),
+			},
+			wantErr: true,
+		},
+		"valid imageID": {
+			client: stubMetadataAPI{
+				instanceDoc: imds.InstanceIdentityDocument{
+					ImageID: "ami-09e7c7f5617a47830",
+				},
+			},
+		},
+	}
+
+	for name, tc := range testCases {
+		t.Run(name, func(t *testing.T) {
+			assert := assert.New(t)
+
+			tpm, err := simulator.Get()
+			assert.NoError(err)
+			defer tpm.Close()
+
+			instanceInfoFunc := getInstanceInfo(&tc.client)
+			assert.NotNil(instanceInfoFunc)
+
+			info, err := instanceInfoFunc(tpm)
+			if tc.wantErr {
+				assert.Error(err)
+				assert.Nil(info)
+			} else {
+				assert.Nil(err)
+				assert.NotNil(info)
+			}
+		})
+	}
+}
+
+type stubMetadataAPI struct {
+	instanceDoc imds.InstanceIdentityDocument
+	instanceErr error
+}
+
+func (c *stubMetadataAPI) GetInstanceIdentityDocument(context.Context, *imds.GetInstanceIdentityDocumentInput, ...func(*imds.Options)) (*imds.GetInstanceIdentityDocumentOutput, error) {
+	output := &imds.InstanceIdentityDocument{}
+
+	return &imds.GetInstanceIdentityDocumentOutput{
+		InstanceIdentityDocument: *output,
+		ResultMetadata:           middleware.Metadata{},
+	}, c.instanceErr
+}
diff --git a/internal/attestation/aws/validator.go b/internal/attestation/aws/validator.go
index 074db252e..4e02e4fbd 100644
--- a/internal/attestation/aws/validator.go
+++ b/internal/attestation/aws/validator.go
@@ -7,13 +7,94 @@ SPDX-License-Identifier: AGPL-3.0-only
 package aws
 
 import (
+	"context"
+	"crypto"
+	"encoding/json"
+	"fmt"
+
+	"github.com/aws/aws-sdk-go-v2/config"
+	"github.com/aws/aws-sdk-go-v2/feature/ec2/imds"
+	"github.com/aws/aws-sdk-go-v2/service/ec2"
+	"github.com/edgelesssys/constellation/v2/internal/attestation/vtpm"
 	"github.com/edgelesssys/constellation/v2/internal/oid"
+	"github.com/google/go-tpm/tpm2"
 )
 
+// Validator for AWS TPM attestation.
 type Validator struct {
 	oid.AWS
+	*vtpm.Validator
+	getDescribeClient func(context.Context) (awsMetadataAPI, error)
 }
 
-func (a *Validator) Validate(attDoc []byte, nonce []byte) ([]byte, error) {
-	panic("aws validator not implemented")
+// NewValidator create a new Validator structure and returns it.
+func NewValidator(pcrs map[uint32][]byte, enforcedPCRs []uint32, log vtpm.AttestationLogger) *Validator {
+	v := &Validator{}
+	v.Validator = vtpm.NewValidator(
+		pcrs,
+		enforcedPCRs,
+		getTrustedKey,
+		v.tpmEnabled,
+		vtpm.VerifyPKCS1v15,
+		log,
+	)
+	v.getDescribeClient = getEC2Client
+	return v
+}
+
+// getTrustedKeys return the public area of the provides attestation key.
+// Normally, here the trust of this key should be verified, but currently AWS does not provide this feature.
+func getTrustedKey(akPub []byte, instanceInfo []byte) (crypto.PublicKey, error) {
+	// Copied from https://github.com/edgelesssys/constellation/blob/main/internal/attestation/qemu/validator.go
+	pubArea, err := tpm2.DecodePublic(akPub)
+	if err != nil {
+		return nil, err
+	}
+
+	return pubArea.Key()
+}
+
+// tpmEnabled verifies if the virtual machine has the tpm2.0 feature enabled.
+func (v *Validator) tpmEnabled(attestation vtpm.AttestationDocument) error {
+	// https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/verify-nitrotpm-support-on-ami.html
+	// 1. Get the vm's ami (from IdentiTyDocument.imageId)
+	// 2. Check the value of key "TpmSupport": {"Value": "v2.0"}"
+	ctx := context.Background()
+
+	idDocument := imds.InstanceIdentityDocument{}
+	err := json.Unmarshal(attestation.UserData, &idDocument)
+	if err != nil {
+		return err
+	}
+
+	imageID := idDocument.ImageID
+
+	client, err := v.getDescribeClient(ctx)
+	if err != nil {
+		return err
+	}
+	// Currently, there seems to be a problem with retrieving image attributes directly.
+	// Alternatively, parse it from the general output.
+	imageOutput, err := client.DescribeImages(ctx, &ec2.DescribeImagesInput{ImageIds: []string{imageID}})
+	if err != nil {
+		return err
+	}
+
+	if imageOutput.Images[0].TpmSupport == "v2.0" {
+		return nil
+	}
+
+	return fmt.Errorf("iam image %s does not support TPM v2.0", imageID)
+}
+
+func getEC2Client(ctx context.Context) (awsMetadataAPI, error) {
+	client, err := config.LoadDefaultConfig(ctx, config.WithEC2IMDSRegion())
+	if err != nil {
+		return nil, err
+	}
+	return ec2.NewFromConfig(client), nil
+}
+
+type awsMetadataAPI interface {
+	DescribeImages(ctx context.Context, params *ec2.DescribeImagesInput, optFns ...func(*ec2.Options)) (*ec2.DescribeImagesOutput, error)
 }
diff --git a/internal/attestation/aws/validator_test.go b/internal/attestation/aws/validator_test.go
new file mode 100644
index 000000000..8cfc0e6e9
--- /dev/null
+++ b/internal/attestation/aws/validator_test.go
@@ -0,0 +1,136 @@
+/*
+Copyright (c) Edgeless Systems GmbH
+
+SPDX-License-Identifier: AGPL-3.0-only
+*/
+
+package aws
+
+import (
+	"context"
+	"encoding/json"
+	"errors"
+	"testing"
+
+	"github.com/aws/aws-sdk-go-v2/feature/ec2/imds"
+	"github.com/aws/aws-sdk-go-v2/service/ec2"
+	"github.com/aws/aws-sdk-go-v2/service/ec2/types"
+	"github.com/edgelesssys/constellation/v2/internal/attestation/vtpm"
+	"github.com/stretchr/testify/assert"
+)
+
+func TestGeTrustedKey(t *testing.T) {
+	testCases := map[string]struct {
+		attDoc  []byte
+		nonce   []byte
+		wantErr bool
+	}{
+		"nul byte docs": {
+			attDoc:  []byte{0x00, 0x00, 0x00, 0x00},
+			nonce:   []byte{0x00, 0x00, 0x00, 0x00},
+			wantErr: true,
+		},
+		"nil": {
+			attDoc:  nil,
+			nonce:   nil,
+			wantErr: true,
+		},
+	}
+
+	for name, tc := range testCases {
+		t.Run(name, func(t *testing.T) {
+			assert := assert.New(t)
+			out, err := getTrustedKey(tc.attDoc, tc.nonce)
+
+			if tc.wantErr {
+				assert.Error(err)
+			} else {
+				assert.NoError(err)
+			}
+
+			assert.Nil(out)
+		})
+	}
+}
+
+func TestTpmEnabled(t *testing.T) {
+	idDocNoTPM := imds.InstanceIdentityDocument{
+		ImageID: "ami-tpm-disabled",
+	}
+	userDataNoTPM, _ := json.Marshal(idDocNoTPM)
+	attDocNoTPM := vtpm.AttestationDocument{
+		UserData: userDataNoTPM,
+	}
+
+	idDocTPM := imds.InstanceIdentityDocument{
+		ImageID: "ami-tpm-enabled",
+	}
+	userDataTPM, _ := json.Marshal(idDocTPM)
+	attDocTPM := vtpm.AttestationDocument{
+		UserData: userDataTPM,
+	}
+
+	testCases := map[string]struct {
+		attDoc  vtpm.AttestationDocument
+		awsAPI  awsMetadataAPI
+		wantErr bool
+	}{
+		"ami with tpm": {
+			attDoc: attDocNoTPM,
+			awsAPI: &stubDescribeAPI{describeImagesTPMSupport: "v2.0"},
+		},
+		"ami without tpm": {
+			attDoc:  attDocTPM,
+			awsAPI:  &stubDescribeAPI{describeImagesTPMSupport: "v1.0"},
+			wantErr: true,
+		},
+		"ami undefined": {
+			attDoc:  vtpm.AttestationDocument{},
+			awsAPI:  &stubDescribeAPI{describeImagesErr: errors.New("failed")},
+			wantErr: true,
+		},
+		"invalid json instanceIdentityDocument": {
+			attDoc: vtpm.AttestationDocument{
+				UserData: []byte("{invalid}"),
+			},
+			awsAPI:  &stubDescribeAPI{describeImagesErr: errors.New("failed")},
+			wantErr: true,
+		},
+	}
+
+	for name, tc := range testCases {
+		t.Run(name, func(t *testing.T) {
+			assert := assert.New(t)
+
+			v := Validator{
+				getDescribeClient: func(context.Context) (awsMetadataAPI, error) {
+					return tc.awsAPI, nil
+				},
+			}
+
+			err := v.tpmEnabled(tc.attDoc)
+			if tc.wantErr {
+				assert.Error(err)
+			} else {
+				assert.Nil(err)
+			}
+		})
+	}
+}
+
+type stubDescribeAPI struct {
+	describeImagesErr        error
+	describeImagesTPMSupport string
+}
+
+func (a *stubDescribeAPI) DescribeImages(
+	ctx context.Context, params *ec2.DescribeImagesInput, optFns ...func(*ec2.Options),
+) (*ec2.DescribeImagesOutput, error) {
+	output := &ec2.DescribeImagesOutput{
+		Images: []types.Image{
+			{TpmSupport: types.TpmSupportValues(a.describeImagesTPMSupport)},
+		},
+	}
+
+	return output, a.describeImagesErr
+}
diff --git a/internal/attestation/azure/snp/issuer.go b/internal/attestation/azure/snp/issuer.go
index b289c7eff..3bd8f9bc0 100644
--- a/internal/attestation/azure/snp/issuer.go
+++ b/internal/attestation/azure/snp/issuer.go
@@ -108,7 +108,7 @@ func getInstanceInfo(reportGetter tpmReportGetter, imdsapi imdsAPI) func(tpm io.
 	}
 }
 
-// getAttestationKey reads the attesation key put into the TPM during early boot.
+// getAttestationKey reads the attestation key put into the TPM during early boot.
 func getAttestationKey(tpm io.ReadWriter) (*tpmclient.Key, error) {
 	ak, err := tpmclient.LoadCachedKey(tpm, tpmAkIdx)
 	if err != nil {
diff --git a/internal/attestation/vtpm/attestation.go b/internal/attestation/vtpm/attestation.go
index bc96ba2bf..c79a5a7c6 100644
--- a/internal/attestation/vtpm/attestation.go
+++ b/internal/attestation/vtpm/attestation.go
@@ -24,12 +24,6 @@ import (
 )
 
 var (
-	// AWSPCRSelection are the PCR values verified for AWS Nitro TPM based Constellations.
-	// TODO: determine which PCRs are required.
-	AWSPCRSelection = tpm2.PCRSelection{
-		Hash: tpm2.AlgSHA256,
-		PCRs: []int{},
-	}
 	// AzurePCRSelection are the PCR values verified for Azure Constellations.
 	// PCR[0] is excluded due to changing rarely, but unpredictably.
 	// PCR[6] is excluded due to being different for any 2 VMs. See: https://trustedcomputinggroup.org/wp-content/uploads/TCG_PCClient_PFP_r1p05_v23_pub.pdf#%5B%7B%22num%22%3A157%2C%22gen%22%3A0%7D%2C%7B%22name%22%3A%22XYZ%22%7D%2C33%2C400%2C0%5D
@@ -38,10 +32,20 @@ var (
 		Hash: tpm2.AlgSHA256,
 		PCRs: []int{1, 2, 3, 4, 5, 7, 8, 9, 11, 12, 13, 14, 15, 16, 17, 18, 19, 20, 21, 22, 23},
 	}
+
 	// GCPPCRSelection are the PCR values verified for GCP Constellations.
 	// On GCP firmware and other host controlled systems are static. This results in the same PCRs for any 2 VMs using the same image.
 	GCPPCRSelection = tpmClient.FullPcrSel(tpm2.AlgSHA256)
-	// QEMUPCRSelection are the PCR values verified for QEMU based Contellations.
+
+	// AWSPCRSelection are the PCR values verified for AWS based Constellations.
+	// PCR[1] is excluded. See: https://trustedcomputinggroup.org/wp-content/uploads/TCG_PCClient_PFP_r1p05_v23_pub.pdf#%5B%7B%22num%22:157,%22gen%22:0%7D,%7B%22name%22:%22XYZ%22%7D,33,400,0%5D
+	// PCR[10] is excluded since its value is derived from a digest of PCR[0-7]. See: https://sourceforge.net/p/linux-ima/wiki/Home/#ima-measurement-list
+	AWSPCRSelection = tpm2.PCRSelection{
+		Hash: tpm2.AlgSHA256,
+		PCRs: []int{0, 2, 3, 4, 5, 6, 7, 11, 12, 13, 14, 15, 16, 17, 18, 19, 20, 21, 22, 23},
+	}
+
+	// QEMUPCRSelection are the PCR values verified for QEMU based Constellations.
 	// PCR[1] is excluded. See: https://trustedcomputinggroup.org/wp-content/uploads/TCG_PCClient_PFP_r1p05_v23_pub.pdf#%5B%7B%22num%22:157,%22gen%22:0%7D,%7B%22name%22:%22XYZ%22%7D,33,400,0%5D
 	// PCR[10] is excluded since its value is derived from a digest of PCR[0-7]. See: https://sourceforge.net/p/linux-ima/wiki/Home/#ima-measurement-list
 	QEMUPCRSelection = tpm2.PCRSelection{