
Container Signing with AWS Signer
This project for a Fortune 500 company strengthened the security of deployed applications by implementing notarization for container artifacts that can be used to establish a chain of trust.
Rearc created CI/CD stages that sign, notarize and validate artifacts as they are promoted across environments, helping the client pass regulatory and security compliance checks and reducing the vectors for security issues.
The project began with a comprehensive assessment of the existing container build and deployment pipelines, focusing on security, compliance requirements, and current approaches to signing and verifying container images across development teams. This evaluation provided a foundation for analyzing the appropriate tools and methodologies needed to integrate AWS Signer into the workflow for automated container signing.
Deployment Strategy: Container images are often built using CI/CD pipelines and published to registries without built-in integrity verification. To ensure provenance and authenticity, automated signing needed to be integrated seamlessly within these pipelines.
Integration with AWS Signer: AWS Signer was chosen as the signing mechanism due to its managed key infrastructure, centralized policy enforcement, and compatibility with Amazon Elastic Container Registry (ECR). The implementation would ensure that all published container images are signed before deployment, reducing the risk of tampering.
Parallel Execution with CI/CD: The signing process was designed to run in parallel with existing security and vulnerability scans, ensuring minimal impact on development velocity. This integration allowed teams to maintain fast release cycles while enforcing security controls.
Centralized Storage and Verification: Signed metadata was stored in AWS Signer and ECR, enabling automated validation before deployment. Additionally, policies were defined to prevent unsigned or untrusted images from being deployed in production.
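As an added illustration of the sign-then-gate flow described above (not Rearc's or the client's code), the following CI stage signs an ECR image with AWS Signer through the Notation plugin, then refuses to promote it unless verification against a trust policy passes. The account id, region, repository name and signing profile name are placeholders, and the AWS CLI and notation (with the AWS Signer plugin installed) are assumed to be on PATH.

```shell
#!/bin/sh
# Added example, not Rearc's or the client's code: a CI stage that signs an ECR image with AWS
# Signer via the Notation plugin, then refuses to promote it unless verification passes.
# Placeholders: account 111122223333, region us-west-2, repo app/api, profile ecr_signing_profile.
set -eu
REGION="${REGION:-us-west-2}"
ACCOUNT="${ACCOUNT:-111122223333}"
REGISTRY="${ACCOUNT}.dkr.ecr.${REGION}.amazonaws.com"
PROFILE_ARN="arn:aws:signer:${REGION}:${ACCOUNT}:/signing-profiles/ecr_signing_profile"
# Signatures bind to a manifest digest; tags are mutable, so only "<repo>@sha256:<64 hex>" is promotable.
is_digest_ref() {
  case "$1" in *@sha256:*) ;; *) return 1 ;; esac
  d="${1##*@sha256:}"
  [ "${#d}" -eq 64 ] && [ -z "$(printf '%s' "$d" | tr -d '0-9a-f')" ]
}
# Notation trust policy: accept only signatures from our AWS Signer profile; "strict" also
# rejects unsigned images and signatures whose signing profile has expired or been revoked.
write_trust_policy() {
  cat > "$1" <<EOF
{
  "version": "1.0",
  "trustPolicies": [{
    "name": "ecr-promotion-gate", "registryScopes": ["*"],
    "signatureVerification": { "level": "strict" },
    "trustStores": ["signingAuthority:aws-signer-ts"],
    "trustedIdentities": ["${PROFILE_ARN}"]
  }]
}
EOF
}
resolve_digest() {   # turn the tag the build pushed into an immutable digest reference
  digest=$(aws ecr describe-images --region "$REGION" --repository-name "$1" \
    --image-ids imageTag="$2" --query 'imageDetails[0].imageDigest' --output text)
  printf '%s/%s@%s\n' "$REGISTRY" "$1" "$digest"
}
sign_image() {   # signing stage: the private key never leaves AWS Signer
  notation sign "$1" --plugin com.amazonaws.signer.notation.plugin --id "$PROFILE_ARN"
}
verify_gate() {   # promotion gate: a non-zero exit fails the pipeline stage
  is_digest_ref "$1" || { echo "refusing mutable reference: $1" >&2; return 1; }
  notation verify "$1"
}
if [ "${1:-}" = "run" ]; then   # usage: sh sign-and-verify.sh run app/api <build-tag>
  aws ecr get-login-password --region "$REGION" | notation login --username AWS --password-stdin "$REGISTRY"
  write_trust_policy trustpolicy.json && notation policy import trustpolicy.json
  REF=$(resolve_digest "$2" "$3") && sign_image "$REF" && verify_gate "$REF"
fi
```

Run the verify stage again at deploy time, in the cluster's admission path or the deployment job, so an image that was signed but later replaced under the same tag is still rejected.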
By integrating AWS Signer for container signing, the client ensured that only notarized (signed and verified) containers could proceed to deployment. This prevented unauthorized actions, such as deploying unapproved or tampered images, significantly reducing the risk of supply chain attacks.
With AWS Signer, each container artifact was cryptographically signed, ensuring proof of origin and authenticity. This provided a verifiable chain of trust, guaranteeing that the integrity of applications was maintained throughout the entire lifecycle. Security and compliance teams could now automate audits and enforce deployment policies, ensuring that only signed and trusted containers reached production.