What is AWS Signer?

AWS Signer is a fully managed code-signing service to ensure the trust and integrity of your code. Organizations validate code against a digital signature to confirm that the code is unaltered and from a trusted publisher. With AWS Signer, your security administrators have a single place to define your signing environment, including what AWS Identity and Access Management (IAM) role can sign code and in what Regions. AWS Signer manages the code-signing certificate's public and private keys, and enables central management of the code-signing lifecycle. Integration with AWS CloudTrail helps you track who is generating code signatures and to meet your compliance requirements.

For information about AWS services that Signer supports, see Interoperation with other AWS services.

For information about the AWS Signer API, see the AWS Signer API Reference.

Interoperation with other AWS services

AWS Signer is integrated or used with the following AWS services.

AWS Lambda

With AWS Signer, you can digitally sign packages intended for Lambda deployment in your organization, ensuring that only trusted code runs in your Lambda functions. AWS Signer defines a trusted publisher in a signing profile. Authorized developers use the profile to generate certified code packages. AWS Lambda verifies signatures and package integrity when code is deployed.

To sign your code packages before deploying them to AWS Lambda, you can use the AWS Signer console, the Signer CLI, the AWS Serverless Application Model (AWS SAM) CLI, or one of the AWS SDKs.
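The profile-then-job-then-enforce flow described above, as an added boto3 example that is not part of the AWS documentation. The bucket names, object version, profile name and function name are placeholders; the request-builder functions run without AWS access, while `sign_and_enforce` needs credentials and a versioned source bucket.

```python
"""Sign a Lambda deployment package with AWS Signer and make Lambda enforce the signature."""

# Signer platform for Lambda deployment packages (ECDSA P-384 with SHA-384).
LAMBDA_PLATFORM_ID = "AWSLambda-SHA384-ECDSA"


def signing_profile_request(profile_name):
    """Parameters for signer.put_signing_profile: the profile is the trusted publisher."""
    return {"profileName": profile_name, "platformId": LAMBDA_PLATFORM_ID}


def signing_job_request(profile_name, src_bucket, src_key, src_version, dst_bucket, dst_prefix):
    """Parameters for signer.start_signing_job. The source bucket must have versioning on,
    because Signer signs one specific object version, not whatever is at the key right now."""
    return {
        "profileName": profile_name,
        "source": {"s3": {"bucketName": src_bucket, "key": src_key, "version": src_version}},
        "destination": {"s3": {"bucketName": dst_bucket, "prefix": dst_prefix}},
    }


def code_signing_config_request(profile_version_arn, enforce=True):
    """Parameters for lambda.create_code_signing_config. 'Enforce' makes Lambda reject
    unsigned or mis-signed packages at deploy time; 'Warn' only logs and deploys anyway."""
    return {
        "AllowedPublishers": {"SigningProfileVersionArns": [profile_version_arn]},
        "CodeSigningPolicies": {"UntrustedArtifactOnDeployment": "Enforce" if enforce else "Warn"},
    }


def sign_and_enforce(function_name, profile_name, src_bucket, src_key, src_version, dst_bucket):
    """End to end: create the profile, sign the package, bind an enforcing config, deploy signed code."""
    import boto3  # imported here so the request builders above stay usable without boto3 installed
    signer, lam = boto3.client("signer"), boto3.client("lambda")
    profile = signer.put_signing_profile(**signing_profile_request(profile_name))
    job = signer.start_signing_job(**signing_job_request(
        profile_name, src_bucket, src_key, src_version, dst_bucket, "signed/"))
    signer.get_waiter("successful_signing_job").wait(jobId=job["jobId"])
    signed = signer.describe_signing_job(jobId=job["jobId"])["signedObject"]["s3"]
    csc = lam.create_code_signing_config(**code_signing_config_request(profile["profileVersionArn"]))
    lam.put_function_code_signing_config(
        CodeSigningConfigArn=csc["CodeSigningConfig"]["CodeSigningConfigArn"],
        FunctionName=function_name)
    # From here on, Lambda verifies the signature before it accepts a package for this function.
    return lam.update_function_code(FunctionName=function_name,
                                    S3Bucket=signed["bucketName"], S3Key=signed["key"])
```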

Amazon FreeRTOS and AWS IoT Device Management

You can sign code that you create for IoT devices supported by Amazon FreeRTOS and AWS IoT Device Management. Code signing for AWS IoT is integrated with AWS Certificate Manager (ACM). To sign code, you import a third-party code-signing certificate into ACM that is used to sign updates in FreeRTOS and AWS IoT Device Management.

Amazon FreeRTOS is a microcontroller operating system based on the FreeRTOS kernel. It includes libraries for connectivity and security. You can build and deploy your embedded applications on top of Amazon FreeRTOS. To ensure the security of deployments to these microcontrollers, Amazon FreeRTOS uses AWS Signer for the initial manufacture of these devices and subsequent over-the-air updates. You can use AWS Signer through the Amazon FreeRTOS console to sign your code images before you deploy them to a microcontroller.

With AWS IoT Device Management, you can manage Internet-connected devices and establish secure, bidirectional communication between them. To do so, AWS IoT Device Management uses AWS Signer to authenticate each device in your IoT environment. You can use AWS Signer through the AWS IoT Device Management console to sign your code images before you deploy them to a microcontroller.

You can sign your firmware images before deploying them to a microcontroller using the FreeRTOS console. To sign your code images before deploying them in an over-the-air (OTA) update, you can use the AWS IoT Device Management console, the AWS CLI, or one of the AWS SDKs.

Amazon Elastic Container Registry (Amazon ECR)

With AWS Signer and the Notation CLI from the Notary Project, you can sign container images stored in a container registry such as Amazon Elastic Container Registry (Amazon ECR). The signatures are stored in the registry alongside the images, where they are available for verifying image authenticity and integrity.

For more information, see the Amazon Elastic Container Registry User Guide.

Amazon Elastic Kubernetes Service (Amazon EKS)

Amazon EKS and self-managed Kubernetes customers on Amazon EC2 can verify the ownership and integrity of signed images at the time of deployment. For more information, see the Amazon EKS User Guide.

AWS Certificate Manager (ACM)

ACM handles the complexity of creating and managing or importing SSL/TLS certificates. You use ACM to create an ACM certificate or import a third-party certificate that you use for signing. You must have a certificate to sign code. For more information about certificates, see the AWS Certificate Manager User Guide.

CloudTrail

You can use AWS CloudTrail to record API calls made to AWS Signer. CloudTrail is an AWS service that simplifies governance, compliance, and risk auditing by providing visibility into actions made in your AWS account. For more information, see the AWS CloudTrail User Guide.
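To show what "tracking who is generating code signatures" looks like in practice, here is an added review script (not AWS code) that runs over CloudTrail records for AWS Signer. The records are constructed for the example; the allowed signing-role prefix and the expected profile name are assumptions that stand in for your own environment's policy.

```python
"""Review CloudTrail records for AWS Signer and flag events that change or sidestep the trust setup."""
import json

SIGNER_SOURCE = "signer.amazonaws.com"  # CloudTrail eventSource for AWS Signer API calls
# Signer actions that create, share or revoke trust; always worth a second look.
TRUST_CHANGING = {"PutSigningProfile", "RevokeSigningProfile", "RevokeSignature",
                  "AddProfilePermission", "RemoveProfilePermission"}
# Assumed local policy: only the CI signing role may start jobs, and only with the release profile.
ALLOWED_SIGNER_PREFIXES = {"arn:aws:sts::111122223333:assumed-role/ci-signer/"}
EXPECTED_PROFILES = {"lambda_release"}

# Constructed CloudTrail records trimmed to the fields used here; not real trail output.
SAMPLE_TRAIL = json.loads("""{"Records": [
 {"eventSource": "signer.amazonaws.com", "eventName": "StartSigningJob", "requestParameters":
  {"profileName": "lambda_release"}, "userIdentity": {"arn": "arn:aws:sts::111122223333:assumed-role/ci-signer/build-42"}},
 {"eventSource": "signer.amazonaws.com", "eventName": "StartSigningJob", "requestParameters":
  {"profileName": "scratch_profile"}, "userIdentity": {"arn": "arn:aws:iam::111122223333:user/dev-alice"}},
 {"eventSource": "signer.amazonaws.com", "eventName": "RevokeSigningProfile", "requestParameters":
  {"profileName": "lambda_release"}, "userIdentity": {"arn": "arn:aws:iam::111122223333:user/admin"}},
 {"eventSource": "signer.amazonaws.com", "eventName": "PutSigningProfile", "errorCode": "AccessDenied",
  "userIdentity": {"arn": "arn:aws:iam::111122223333:user/dev-alice"}},
 {"eventSource": "lambda.amazonaws.com", "eventName": "UpdateFunctionCode",
  "userIdentity": {"arn": "arn:aws:iam::111122223333:user/dev-alice"}}]}""")["Records"]


def flag_signer_events(records, allowed_prefixes, expected_profiles):
    """Return one finding per suspicious Signer event; records are already-parsed CloudTrail JSON."""
    findings = []
    for rec in records:
        if rec.get("eventSource") != SIGNER_SOURCE:
            continue  # other services are out of scope for this check
        name = rec.get("eventName", "")
        actor = rec.get("userIdentity", {}).get("arn", "<unknown>")
        profile = (rec.get("requestParameters") or {}).get("profileName")
        reasons = []
        if rec.get("errorCode"):  # denied calls reveal who is probing Signer without permission
            reasons.append("denied call: " + rec["errorCode"])
        elif name in TRUST_CHANGING:
            reasons.append("trusted-publisher configuration created, shared or revoked")
        elif name == "StartSigningJob":
            if not any(actor.startswith(p) for p in allowed_prefixes):
                reasons.append("signing job started outside the approved signing role")
            if profile not in expected_profiles:
                reasons.append("signing job used a profile that is not approved")
        findings.extend({"event": name, "actor": actor, "profile": profile, "reason": r} for r in reasons)
    return findings
```

On the constructed records the legitimate CI job produces no finding, while the developer-initiated job, the profile revocation and the denied profile change each do.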

Supported Regions

Visit AWS Signer endpoints and quotas to see an up-to-date list of supported Regions.

Quotas for Signer

AWS Signer sets per-second quotas on the allowed rate at which you can call API actions. Each API's quota is specific to an AWS account and Region. If the number of requests for an API exceeds its quota, AWS Signer rejects an otherwise valid request, returning a ThrottlingException error. AWS Signer does not offer a minimum request rate for APIs.

To view your quotas and see which ones can be adjusted, see the AWS Signer quotas table in the AWS General Reference Guide.

You can also view and adjust quotas using the Service Quotas console.

To see an up-to-date list of your AWS Signer quotas
  1. Log in to your AWS account.

  2. Open the Service Quotas console at https://console.aws.amazon.com/servicequotas/.

  3. In the AWS services list, enter signer into the search box, and choose AWS Signer. Each quota in the Service quotas list shows your currently applied quota value, the default quota value, and whether the quota is adjustable. Choose the name of a quota for more information about it.

To request a quota increase
  1. In the Service quotas list, choose the radio button for an adjustable quota.

  2. Choose the Request quota increase button.

  3. Complete and submit the Request quota increase form.

Pricing for Signer

There is no additional charge to use AWS Signer with AWS IoT Device Management, AWS Lambda, Amazon ECR, Amazon EKS, or third-party container services. Refer to the pricing for the related services for other charges that you may incur. For example, if you use Signer with Lambda, you pay for the storage of signed and unsigned objects (such as your Lambda zip-file archives) in Amazon S3.