Challenge
Create CI/CD stages to sign, notarize and validate artifacts which are promoted across environments, and pass regulatory and
security compliance checks, effectively reducing vectors for security issues.
Solution
The project began with a comprehensive assessment of the existing container build and deployment pipelines, focusing on security,
compliance requirements, and current approaches to signing and verifying container images across development teams.
This evaluation provided a foundation for analyzing the appropriate tools and methodologies needed to integrate AWS Signer
into the workflow for automated container signing.
Deployment Strategy: Container images are often built using CI/CD pipelines and published to registries without
built-in integrity verification. To ensure provenance and authenticity, automated signing needed to be integrated
seamlessly within these pipelines.
Integration with AWS Signer: AWS Signer was chosen as the signing mechanism due to its managed key infrastructure,
centralized policy enforcement, and compatibility with Amazon Elastic Container Registry (ECR).
The implementation would ensure that all published container images are signed before deployment, reducing the risk of tampering.
Parallel Execution with CI/CD: The signing process was designed to run in parallel with existing security and
vulnerability scans, ensuring minimal impact on development velocity. This integration allowed teams to maintain
fast release cycles while enforcing security controls.
Centralized Storage and Verification: Signed metadata was stored in AWS Signer and ECR, enabling automated validation
before deployment. Additionally, policies were defined to prevent unsigned or untrusted images from being deployed in production.
Outcome
By integrating AWS Signer for container signing, the client ensured that only notarized (signed and verified)
containers could proceed to deployment. This prevented unauthorized actions, such as deploying unapproved or
tampered images, significantly reducing the risk of supply chain attacks.
With AWS Signer, each container artifact was cryptographically signed, ensuring proof of origin and authenticity.
This provided a verifiable chain of trust, guaranteeing that the integrity of applications was maintained throughout
the entire lifecycle. Security and compliance teams could now automate audits and enforce deployment policies,
ensuring that only signed and trusted containers reached production.