Streamline container image signatures with Amazon ECR managed signing
Containers Blog
This article explains Amazon ECR managed signing, a new feature that automatically signs container images when pushed to ECR repositories, eliminating the need for manual signing infrastructure.
- Amazon ECR automatically signs images using AWS Signer without requiring client-side tooling
- Signatures verify image authenticity and integrity throughout the software supply chain
- AWS Signer manages cryptographic keys, certificates, and lifecycle operations
- Signatures can be validated during deployment using Kubernetes admission controllers or ECS lifecycle hooks
- The article provides a step-by-step implementation guide for ECR setup, image pushing, and Lambda-based signature validation
- ECS service lifecycle hooks trigger Lambda functions to validate signatures before deployment (PRE_SCALE_UP)
- Supports both strict enforcement (BLOCK_ON_FAILURE) and audit-only modes (LOG_ON_FAILURE)
- Centralized governance through registry-level signing rules ensures consistent policies across repositories
Amazon ECR managed signing streamlines container image security by automating signature creation and enabling flexible validation strategies for both EKS and ECS deployments.
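The difference between BLOCK_ON_FAILURE and LOG_ON_FAILURE at a PRE_SCALE_UP hook, as an added Python sketch that is not code from the AWS article. The function names, the injected verify_signature callback, the hookStatus response shape and the sample registry and digest are assumptions constructed for illustration.

```python
import re

# Digest-pinned ECR reference: <account>.dkr.ecr.<region>.amazonaws.com/<repo>@sha256:<hex>
ECR_DIGEST_REF = re.compile(
    r"^\d{12}\.dkr\.ecr\.[a-z0-9-]+\.amazonaws\.com/"
    r"(?P<repo>[a-z0-9._/-]+)@(?P<digest>sha256:[0-9a-f]{64})$"
)

def check_image(image, verify_signature):
    """Return (ok, reason) for one container image reference."""
    m = ECR_DIGEST_REF.match(image)
    if not m:
        # A tag can be repointed after signing; only a digest names fixed content.
        return False, "not a digest-pinned ECR reference"
    try:
        ok = bool(verify_signature(m["repo"], m["digest"]))
    except Exception as exc:  # a verifier outage must not count as a pass
        return False, f"verifier error: {exc}"
    return ok, "signature valid" if ok else "no valid signature"

def evaluate_hook(images, mode, verify_signature):
    """Decide the hook result for a deployment's images under the given mode."""
    failures = [(img, reason) for img in images
                for ok, reason in [check_image(img, verify_signature)] if not ok]
    if not images:
        failures.append(("<none>", "no images to verify"))
    for img, reason in failures:
        print(f"signature check failed: {img}: {reason}")  # audit trail in both modes
    # Anything other than an explicit LOG_ON_FAILURE is treated as strict (fail closed).
    blocked = bool(failures) and mode != "LOG_ON_FAILURE"
    return {"hookStatus": "FAILED" if blocked else "SUCCEEDED", "failures": failures}

# Constructed sample data: one signed digest and a stand-in for the real verifier.
REGISTRY = "111122223333.dkr.ecr.us-east-1.amazonaws.com"
SIGNED = {("app/web", "sha256:" + "a" * 64)}

def sample_verifier(repo, digest):
    return (repo, digest) in SIGNED

if __name__ == "__main__":
    images = [f"{REGISTRY}/app/web@sha256:{'a' * 64}", f"{REGISTRY}/app/web:latest"]
    for mode in ("BLOCK_ON_FAILURE", "LOG_ON_FAILURE"):
        print(mode, evaluate_hook(images, mode, sample_verifier)["hookStatus"])
```

In audit-only mode the deployment proceeds but the failures are still returned and logged, so the same function supports a rollout that starts with LOG_ON_FAILURE and later switches to BLOCK_ON_FAILURE.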