Posted On: Jun 6, 2023

Today, AWS Signer and Amazon Elastic Container Registry (ECR) launched image signing, a new feature that enables you to sign and verify container images. You can now use Signer, a managed signing service, to validate that only container images you have approved are deployed in your Amazon Elastic Kubernetes Service (EKS) clusters. 

You can use container image signing to help ensure the use of approved images inside your organization, which can help you meet your security and compliance requirements. You can sign and verify container images anytime during the development or deployment phases. You begin by creating a signing profile, a unique AWS Signer identity, to cryptographically sign images in your repository with client-side tools. Signer manages the signing keys, rotates code signing certificates, provides audit logs, and stores the signatures alongside your images. Amazon EKS and Kubernetes customers can choose their preferred admission controllers – like Gatekeeper or Kyverno, or develop their own tooling – to help enforce image verification before deploying images.

For more information about the AWS Regions where Signer is available, see the AWS Region table. Signer is available at no additional cost. To learn more, read the Signer and ECR documentation and launch blog.