AWS, Cloud Computing, DevOps, Kubernetes

2 Mins Read

Securing Containerized Applications with AWS Signer

Voiced by Amazon Polly


In the ever-evolving software development landscape, containerization has emerged as a game-changer, providing scalability, consistency, and portability. Today, AWS Signer and Amazon Elastic Container Registry (ECR) have introduced an innovative feature – image signing. This feature lets you sign and verify container images, ensuring new security and control in your Amazon Elastic Kubernetes Service (EKS) clusters. In this blog post, we’ll explore the significance of this breakthrough, various methods of image signing, and how it seamlessly integrates into the AWS ecosystem.

Purpose of Container Image Signing

The proliferation of containerized applications brings forth the need for robust security measures. Unsigned containers pose a significant risk, opening the door to potential tampering, unauthorized modifications, and the insertion of malicious code. The introduction of AWS Signer and ECR’s image signing feature empowers developers to validate that only approved container images are deployed, meeting stringent security and compliance requirements. By signing container images, developers establish a higher level of trust in the container supply chain, mitigating the risk of deploying compromised applications.

Pioneers in Cloud Consulting & Migration Services

  • Reduced infrastructural costs
  • Accelerated application deployment
Get Started

Different Ways of Signing Container Images

  1. Docker Content Trust (DCT):

Docker Content Trust, an extension of Docker, provides a robust solution for signing and verifying container images. It operates by leveraging cryptographic keys, securing images from the point of creation to deployment. The Notary component ensures a secure signing process, assuring users that the images they pull are exactly as the publisher intended.

  1. Open Container Initiative (OCI) Signing:

As a standard for container images, OCI offers a consistent and interoperable way to sign images. The OCI signing process involves cryptographic signatures, providing a secure method for verifying the authenticity of container images. Its compatibility with various container runtimes makes it a versatile choice for developers and organizations aiming for container image signing standardization.

  1. AWS Signer and Amazon ECR Image Signing:

With the introduction of AWS Signer and Amazon ECR image signing, developers now have a streamlined way to sign and verify container images within the AWS ecosystem. To initiate the process, create a signing profile – a unique AWS Signer identity – to sign images in your repository using client-side cryptographical tools. AWS Signer manages the signing keys, rotates code signing certificates, provides audit logs, and stores the signatures alongside your images, ensuring a seamless and secure workflow.

How to Sign Container Images in AWS?

AWS has introduced a simplified and integrated approach to container image signing with AWS Signer and Amazon ECR. Here’s how you can leverage this new feature:

  1. Create a Signing Profile: Initiate the process by creating a signing profile using AWS Signer, establishing a unique identity for cryptographic signing.
  2. Cryptographically Sign Images: Utilize client-side tools to sign images in your Amazon ECR repository, ensuring a secure signing process.
  3. AWS Signer Management: AWS Signer manages signing keys, rotating code signing certificates, and providing comprehensive audit logs for enhanced security.
  4. Image Verification with Admission Controllers: Choose your preferred admission controllers, Gatekeeper or Kyverno, or develop custom tooling to enforce image verification before deploying images in Amazon EKS and Kubernetes environments.


As the digital landscape continues to evolve, ensuring the security of containerized applications becomes paramount. The introduction of AWS Signer and Amazon ECR image signing offers a streamlined and integrated solution, elevating the AWS ecosystem’s security standards.

By adopting best practices and staying informed about evolving security standards, developers and organizations can confidently navigate the containerization journey, knowing that their applications are built on a foundation of trust.

Drop a query if you have any questions regarding AWS Signer and we will get back to you quickly.

Making IT Networks Enterprise-ready – Cloud Management Services

  • Accelerated cloud migration
  • End-to-end view of the cloud environment
Get Started

About CloudThat

CloudThat is a leading provider of Cloud Training and Consulting services with a global presence in India, the USA, Asia, Europe, and Africa. Specializing in AWS, Microsoft Azure, GCP, VMware, Databricks, and more, the company serves mid-market and enterprise clients, offering comprehensive expertise in Cloud Migration, Data Platforms, DevOps, IoT, AI/ML, and more.

CloudThat is recognized as a top-tier partner with AWS and Microsoft, including the prestigious ‘Think Big’ partner award from AWS and the Microsoft Superstars FY 2023 award in Asia & India. Having trained 650k+ professionals in 500+ cloud certifications and completed 300+ consulting projects globally, CloudThat is an official AWS Advanced Consulting Partner, AWS Training Partner, AWS Migration Partner, AWS Data and Analytics Partner, AWS DevOps Competency Partner, Amazon QuickSight Service Delivery Partner, Amazon EKS Service Delivery Partner, Microsoft Gold Partner, AWS Microsoft Workload Partners, Amazon EC2 Service Delivery Partner, and many more.

To get started, go through our Consultancy page and Managed Services PackageCloudThat’s offerings.


1. Is container image signing necessary for all applications?

ANS: – While not mandatory, signing container images is highly recommended for applications with security-critical requirements to ensure the integrity and authenticity of the deployed containers.

2. How often should container images be signed?

ANS: – Ideally, container images should be signed during the build or packaging process, ensuring each deployment uses a signed image. Continuous integration pipelines can be configured to automate this process.

3. Can signed container images be used across different cloud providers?

ANS: – Yes, container image signing is not tied to a specific cloud provider. If standards like OCI signing are used, the signed images can be deployed across different cloud environments.


Deepak S works as a Research Intern at CloudThat. His expertise lies in AWS's services. Deepak is good at haunting new technologies and automobile enthusiasts.



    Click to Comment

Get The Most Out Of Us

Our support doesn't end here. We have monthly newsletters, study guides, practice questions, and more to assist you in upgrading your cloud career. Subscribe to get them all!