AWS Signer

A service that applies digital signatures to code and container images, verifying signatures at deployment to ensure software supply chain integrity

Overview

AWS Signer is a fully managed code signing service that applies digital signatures to your code artifacts and container images, enabling signature verification at deployment time to ensure that only trusted, unmodified code runs in your environments. It integrates with Lambda for function code signing, ECR for container image signing, and CI/CD pipelines for automated signing workflows, protecting against supply chain attacks and unauthorized code modifications.

Signing Profiles and Signing Job Execution

AWS Signer uses signing profiles to define the signing configuration including the signing platform, signature validity period, and signing algorithm. Each profile is associated with a specific use case (Lambda deployment, container image signing, IoT firmware updates). Signing jobs take an unsigned artifact from S3, apply the digital signature using the profile's configuration, and output the signed artifact. The signing key is managed by AWS and never exposed, eliminating the operational burden of key management. Signing profiles support signature expiration, automatically invalidating signatures after a configured period to enforce regular re-signing and prevent use of stale artifacts. Revocation capabilities allow invalidating specific signing jobs if a compromise is detected, immediately preventing deployment of affected artifacts.

Lambda Code Signing and Deployment Control

Lambda code signing validation ensures that only code signed by trusted signing profiles can be deployed to Lambda functions. A Code Signing Configuration (CSC) specifies which signing profiles are trusted and what action to take on validation failure (warn or enforce). When enforce mode is active, Lambda rejects any deployment package that is not signed by a trusted profile or has an expired/revoked signature. This prevents unauthorized code from running even if an attacker gains deployment permissions. The signing workflow integrates naturally with CI/CD: CodeBuild compiles the code, Signer signs the deployment package, and CodePipeline deploys to Lambda with CSC validation. Untrusted code is blocked at the deployment boundary regardless of how it entered the pipeline. Organizations can mandate code signing across all Lambda functions using SCPs that require CSC attachment.

Container Image Signing and Supply Chain Security

For container workloads, Signer integrates with ECR to sign container images using Notation (an open standard for container signing). Signed images can be verified at deployment time using admission controllers in EKS or ECS task definition validation. This ensures that only images built by your CI/CD pipeline and signed by your organization's signing profile can run in production clusters. The signing workflow fits into existing container CI/CD: build the image, push to ECR, sign with Signer, then deploy with signature verification. Combined with ECR image scanning for vulnerability detection, this creates a comprehensive supply chain security posture. For multi-account architectures, cross-account signing enables a central security account to manage signing profiles while workload accounts consume signed artifacts, maintaining separation of duties.

ShareXB!