Cloud Computing, DevOps

2 Mins Read

Securing Containers with AWS Signer: A Guide to Amazon ECR Image Signing


In the dynamic landscape of containerized applications, ensuring the security and integrity of container images is paramount. This blog explores the use of AWS Signer to enhance container security, focusing on the comprehensive process of signing Amazon Elastic Container Registry (ECR) images. By following this guide, developers can fortify their containerized deployments and establish a robust security framework.


Containerization has revolutionized the deployment of applications, but with this innovation comes the critical need for robust security measures. AWS Signer emerges as a powerful solution to fortify container security, particularly when it comes to signing ECR images. Image signing ensures the integrity and authenticity of container images, mitigating the risks associated with unauthorized alterations during transit or storage.

Pioneers in Cloud Consulting & Migration Services

  • Reduced infrastructural costs
  • Accelerated application deployment
Get Started

Understanding the AWS Signer

AWS Signer is a fully managed signing service that simplifies the process of signing container images. It integrates seamlessly with ECR, allowing you to sign and verify images easily in your ECR repositories. AWS Signer uses the Notary project, an open-source container image signing tool, to perform the signing and verification operations. Image signing involves creating a cryptographic signature using a private key and the image’s digest. The signature is then attached to the image, and when the image is deployed, the signature is verified using the corresponding public key. If the verification fails, it indicates that the image has been tampered with and should not be deployed.

Steps to Signing the ECR Images:

To establish an AWS Signer signing profile, employ the Notation-OCI-SHA384-ECDSA signing platform. Optionally, define a signature validity period with the –signature-validity-period parameter, specifying the duration in DAYS, MONTHS, or YEARS. If left unspecified, the default validity period of 135 months will be applied.

Prepare ECR Images:

Ensure that the container images intended for signing are stored in your ECR repository, whether public or private.

Initiate the Signing Process:

Utilize the Notation CLI to sign the image, specifying the image through the repository name and SHA digest. This process generates the signature and seamlessly pushes it to the identical Amazon ECR private repository where the original image is stored.

Verify the Signed Image:

Once the signing process is complete, AWS Signer generates a signed image. Verifying the signature before deployment is imperative, ensuring the image’s integrity and confirming that it has not been altered since signing.

Advantages or Benefits of AWS Signer for ECR Image Signing:

·       Enhanced Security:

Cryptographically, signing ECR images adds an extra layer of security, thwarting unauthorized modifications and ensuring the overall integrity of your containers.

·       Compliance and Auditing:

AWS Signer facilitates compliance efforts by providing a traceable and auditable record of image modifications, aligning with regulatory requirements.

·       Global Deployment Support:

With multi-region signing capabilities, AWS Signer accommodates global deployments, allowing organizations to sign images closer to their deployment locations and optimize performance.

·       Seamless Integration:

The seamless integration of AWS Signer with other AWS services simplifies the incorporation of image signing into existing workflows and infrastructure.


Securing containerized applications with AWS Signer is critical in fortifying the deployment pipeline. By employing the Notation-OCI-SHA384-ECDSA signing platform and following the outlined steps, developers can enhance the security and integrity of their Amazon Elastic Container Registry (ECR) images. AWS Signer’s seamless integration and multi-region signing capabilities offer a robust solution for organizations aiming to safeguard their containerized environments. AWS Signer emerges as a key ally in the evolving container security landscape, from bolstering security to facilitating compliance and enabling global deployment support.

Get your new hires billable within 1-60 days. Experience our Capability Development Framework today.

  • Cloud Training
  • Customized Training
  • Experiential Learning
Read More

About CloudThat

CloudThat is an official AWS (Amazon Web Services) Advanced Consulting Partner and Training partner, AWS Migration Partner, AWS Data and Analytics Partner, AWS DevOps Competency Partner, Amazon QuickSight Service Delivery Partner, AWS EKS Service Delivery Partner, and Microsoft Gold Partner, helping people develop knowledge of the cloud and help their businesses aim for higher goals using best-in-industry cloud computing practices and expertise. We are on a mission to build a robust cloud computing ecosystem by disseminating knowledge on technological intricacies within the cloud space. Our blogs, webinars, case studies, and white papers enable all the stakeholders in the cloud computing sphere.

To get started, go through our Consultancy page and Managed Services PackageCloudThat’s offerings.


1. Why is image signing crucial in containerized environments?

ANS: – Image signing ensures the integrity and authenticity of container images, preventing unauthorized modifications during transit or storage. It adds a crucial layer of security to the deployment pipeline.

2. How does AWS Signer enhance compliance efforts?

ANS: – AWS Signer provides a traceable and auditable record of image modifications, aligning with regulatory requirements. This feature simplifies compliance efforts by offering transparency in the container image signing process.

3. What is the significance of the Notation-OCI-SHA384-ECDSA signing platform in AWS Signer?

ANS: – The Notation-OCI-SHA384-ECDSA signing platform establishes a signing profile in AWS Signer. It plays a pivotal role in the cryptographic signing, ensuring a secure and standardized approach.

4. How does AWS Signer support global deployments of containerized applications?

ANS: – AWS Signer’s multi-region signing capabilities enable organizations to sign images closer to their deployment locations, optimizing performance for global deployments and reducing latency.

WRITTEN BY Bhupesh .

Bhupesh is working as a Research Associate at CloudThat. He is passionate about learning and gaining industrial experience in cloud computing technologies like AWS and Azure. Bhupesh is also an excellent communicator and collaborator. He also proactively seeks new challenges and opportunities to learn and grow in his role. His passion for learning and exploring new technologies and his technical expertise make him a valuable member of any team working in the field.



    Click to Comment

Get The Most Out Of Us

Our support doesn't end here. We have monthly newsletters, study guides, practice questions, and more to assist you in upgrading your cloud career. Subscribe to get them all!