diff --git a/api/auth/aws/aws.go b/api/auth/aws/aws.go
index f2aa9be1d0..88a9b38bb7 100644
--- a/api/auth/aws/aws.go
+++ b/api/auth/aws/aws.go
@@ -56,7 +56,7 @@ const (
 // passed as a parameter to the client.Auth().Login method.
 //
 // Supported options: WithRole, WithMountPath, WithIAMAuth, WithEC2Auth,
-// WithPKCS7Signature, WithIdentitySignature, WithIAMServerIDHeader, WithNonce, WithRegion
+// WithPKCS7Signature, WithIdentitySignature, WithRSA2048Signature, WithIAMServerIDHeader, WithNonce, WithRegion
 func NewAWSAuth(opts ...LoginOption) (*AWSAuth, error) {
 	a := &AWSAuth{
 		mountPath: defaultMountPath,
@@ -262,6 +262,19 @@ func WithPKCS7Signature() LoginOption {
 	}
 }
 
+// WithRSA2048Signature will explicitly tell the client to send the RSA2048
+// signature to verify EC2 auth logins. Only used by EC2 auth type.
+// If this option is not provided, will default to using the PKCS #7 signature.
+// The signature type used should match the type of the public AWS cert Vault
+// has been configured with to verify EC2 instance identity.
+// https://www.vaultproject.io/api/auth/aws#create-certificate-configuration
+func WithRSA2048Signature() LoginOption {
+	return func(a *AWSAuth) error {
+		a.signatureType = rsa2048Type
+		return nil
+	}
+}
+
 func WithIAMServerIDHeader(headerValue string) LoginOption {
 	return func(a *AWSAuth) error {
 		a.iamServerIDHeaderValue = headerValue
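Review bot: WithRSA2048Signature, like WithPKCS7Signature and WithIdentitySignature, just assigns `a.signatureType`, so when a caller passes two of these options to NewAWSAuth the last one silently wins and no error is returned; the doc comment should state this, e.g. `// Mutually exclusive with WithPKCS7Signature and WithIdentitySignature; if several are passed, the last one given to NewAWSAuth takes effect.` It would also help operators to say why one would pick this option rather than the PKCS #7 default: the server will only accept a login whose signature type matches the certificate type configured on the mount, and AWS's rsa2048 instance identity signature uses a 2048-bit RSA key with SHA-256 whereas the pkcs7 signature appears to rely on an older, weaker chain — confirm the exact algorithms against the AWS instance identity documentation before wording that as a recommendation. Whether NewAWSAuth rejects a signature option combined with IAM auth is not visible here, since its body continues outside the first hunk.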