Interoperation with other AWS services - AWS Signer

AWS Signer is integrated or used with the following AWS services.

AWS Lambda

With AWS Signer, you can digitally sign packages intended for Lambda deployment in your organization, ensuring that only trusted code runs in your Lambda functions. AWS Signer defines a trusted publisher in a signing profile. Authorized developers use the profile to generate certified code packages. AWS Lambda verifies signatures and package integrity when code is deployed.

To sign your code packages before deploying them to AWS Lambda, you can use the AWS Signer console, the Signer CLI, the AWS Serverless Application Model (AWS SAM) CLI, or one of the AWS SDKs.

Amazon FreeRTOS and AWS IoT Device Management

You can sign code that you create for IoT devices supported by Amazon FreeRTOS and AWS IoT Device Management. Code signing for AWS IoT is integrated with AWS Certificate Manager (ACM). To sign code, you import a third-party code-signing certificate into ACM; that certificate is then used to sign updates in FreeRTOS and AWS IoT Device Management.

Amazon FreeRTOS is a microcontroller operating system based on the FreeRTOS kernel. It includes libraries for connectivity and security. You can build and deploy your embedded applications on top of Amazon FreeRTOS. To ensure the security of deployments to these microcontrollers, Amazon FreeRTOS uses AWS Signer for the initial manufacture of these devices and subsequent over-the-air updates. You can use AWS Signer through the Amazon FreeRTOS console to sign your code images before you deploy them to a microcontroller.

With AWS IoT Device Management, you can manage Internet-connected devices and establish secure, bidirectional communication between them. To do so, AWS IoT Device Management uses AWS Signer to authenticate each device in your IoT environment. You can use AWS Signer through the AWS IoT Device Management console to sign your code images before you deploy them to a microcontroller.

You can sign your firmware images before deploying them to a microcontroller using the FreeRTOS console. To sign your code images before deploying them in an over-the-air (OTA) update, you can use the AWS IoT Device Management console, the AWS CLI, or one of the AWS SDKs.

Amazon Elastic Container Registry (Amazon ECR)

With AWS Signer and the Notation CLI from the Notary Project, you can sign container images stored in a container registry such as Amazon Elastic Container Registry (Amazon ECR). The signatures are stored in the registry alongside the images, where they are available for verifying image authenticity and integrity.

For more information, see the Amazon Elastic Container Registry User Guide.

Amazon Elastic Kubernetes Service (Amazon EKS)

Amazon EKS and self-managed Kubernetes customers on Amazon EC2 can verify the ownership and integrity of signed images at the time of deployment. For more information, see the Amazon EKS User Guide.

AWS Certificate Manager (ACM)

ACM handles the complexity of creating and managing or importing SSL/TLS certificates. You use ACM to create an ACM certificate or import a third-party certificate that you use for signing. You must have a certificate to sign code. For more information about certificates, see the AWS Certificate Manager User Guide.

CloudTrail

You can use AWS CloudTrail to record API calls made to AWS Signer. CloudTrail is an AWS service that simplifies governance, compliance, and risk auditing by providing visibility into actions made in your AWS account. For more information, see the AWS CloudTrail User Guide.
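As an added example that is not part of this guide, the following Python triage reads CloudTrail records and flags the Signer API calls a reviewer would want to see first: failed calls, operations that change who is trusted or revoke signatures, and signing jobs requested by a principal outside an assumed per-profile allow list (EXPECTED_SIGNERS). The records, account IDs, ARNs and profile name are constructed for the example.

```python
# Constructed sample CloudTrail records (fictitious IDs; only the fields the triage reads).
SAMPLE_TRAIL = [
    {"eventSource": "signer.amazonaws.com", "eventName": "StartSigningJob",
     "userIdentity": {"arn": "arn:aws:sts::111122223333:assumed-role/ci-signer/build-42"},
     "requestParameters": {"profileName": "lambda_prod"}},
    {"eventSource": "signer.amazonaws.com", "eventName": "StartSigningJob",
     "userIdentity": {"arn": "arn:aws:iam::111122223333:user/dev-alice"},
     "requestParameters": {"profileName": "lambda_prod"}},
    {"eventSource": "signer.amazonaws.com", "eventName": "AddProfilePermission",
     "userIdentity": {"arn": "arn:aws:iam::111122223333:user/dev-alice"},
     "requestParameters": {"profileName": "lambda_prod", "principal": "444455556666"}},
    {"eventSource": "signer.amazonaws.com", "eventName": "RevokeSigningProfile",
     "errorCode": "AccessDeniedException",
     "userIdentity": {"arn": "arn:aws:iam::111122223333:user/dev-alice"},
     "requestParameters": {"profileName": "lambda_prod"}},
    {"eventSource": "lambda.amazonaws.com", "eventName": "Invoke",
     "userIdentity": {"arn": "arn:aws:iam::111122223333:user/dev-alice"}},
]

# Assumed allow list: the principals expected to request signatures with each profile.
EXPECTED_SIGNERS = {"lambda_prod": {"arn:aws:sts::111122223333:assumed-role/ci-signer"}}

# Signer operations that change who is trusted or invalidate existing signatures.
TRUST_CHANGING = {"PutSigningProfile", "AddProfilePermission", "RemoveProfilePermission",
                  "RevokeSignature", "RevokeSigningProfile", "CancelSigningProfile"}

def role_of(arn):
    """Drop the session name from an assumed-role ARN so it matches the allow list."""
    return arn.rsplit("/", 1)[0] if ":assumed-role/" in arn else arn

def triage_signer_events(records):
    """Return one finding per Signer record worth reviewing, in trail order."""
    findings = []
    for rec in records:
        if rec.get("eventSource") != "signer.amazonaws.com":
            continue  # CloudTrail mixes every service; keep only Signer API calls
        name, actor = rec["eventName"], rec.get("userIdentity", {}).get("arn", "?")
        profile = rec.get("requestParameters", {}).get("profileName", "-")
        finding = {"event": name, "profile": profile, "actor": actor}
        if "errorCode" in rec:  # a denied call still records who tried what
            finding.update(severity="high", reason="failed with " + rec["errorCode"])
        elif name in TRUST_CHANGING:
            finding.update(severity="high", reason="changes trusted publishers or signatures")
        elif name == "StartSigningJob" and role_of(actor) not in EXPECTED_SIGNERS.get(profile, set()):
            finding.update(severity="medium", reason="signing requested by unexpected principal")
        else:
            continue  # routine, expected use of the profile
        findings.append(finding)
    return findings
```

Calling triage_signer_events(SAMPLE_TRAIL) returns three findings (the unexpected StartSigningJob, the AddProfilePermission grant, and the denied RevokeSigningProfile) and ignores the expected CI signing job and the Lambda record.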