AWS AmazonECR documentation change
Summary
Restructured image signing documentation to introduce two methods: managed signing (automatic) and manual signing, removed step-by-step signing instructions, and reorganized content with new sections.
Security assessment
The changes enhance documentation about container image signing (a security feature) but don't address any specific vulnerability. They clarify signing options without evidence of patching a security flaw.
Diff
diff --git a/AmazonECR/latest/userguide/image-signing.md b/AmazonECR/latest/userguide/image-signing.md index 39f2252a0..a709184c3 100644 --- a//AmazonECR/latest/userguide/image-signing.md +++ b//AmazonECR/latest/userguide/image-signing.md @@ -5 +5 @@ -ConsiderationsPrerequisitesConfigure authentication for the Notary clientSigning an imageNext steps +Choose a signing methodConsiderations @@ -7 +7 @@ ConsiderationsPrerequisitesConfigure authentication for the Notary clientSigning -# Signing an image stored in an Amazon ECR private repository +# Sign images in Amazon ECR @@ -9 +9 @@ ConsiderationsPrerequisitesConfigure authentication for the Notary clientSigning -Amazon ECR integrates with AWS Signer to provide a way for you to sign your container images. You can store both your container images and the signatures in your private repositories. +Amazon ECR integrates with AWS Signer to provide two ways for you to sign your container images: _managed signing_ (automatic, recommended) and _manual signing_ (client-side). You can store both your container images and the signatures in your private repositories. @@ -11,18 +11 @@ Amazon ECR integrates with AWS Signer to provide a way for you to sign your cont -## Considerations - -The following should be considered when using Amazon ECR image signing. - - * Signatures stored in your repository count against the service quota for the maximum number of images per repository. For more information, see [Amazon ECR service quotas](./service-quotas.html). - - * When reference artifacts are present in a repository, Amazon ECR lifecycle policies will automatically clean up those artifacts within 24 hours of the deletion of the subject image. - - - - -## Prerequisites - -Before you begin, The following prerequisites must be met. - - * Install and configure the latest version of the AWS CLI. For more information, see [Installing or updating the latest version of the AWS CLI](https://docs.aws.amazon.com/cli/latest/userguide/getting-started-install.html) in the _AWS Command Line Interface User Guide_. - - * Install the Notation CLI and the AWS Signer plugin for Notation. For more information, see [Prerequisites for signing container images](https://docs.aws.amazon.com/signer/latest/developerguide/image-signing-prerequisites.html) in the _AWS Signer Developer Guide_. +## Choose a signing method @@ -30 +13 @@ Before you begin, The following prerequisites must be met. - * Have a container image stored in an Amazon ECR private repository to sign. For more information, see [Pushing an image to an Amazon ECR private repository](./image-push.html). +Amazon ECR supports two methods for signing container images: @@ -31,0 +15 @@ Before you begin, The following prerequisites must be met. +**Managed signing** (recommended) @@ -33,0 +18 @@ Before you begin, The following prerequisites must be met. +Managed signing automatically generates cryptographic signatures when images are pushed to Amazon ECR. This method simplifies setup. Managed signing is the recommended approach for most users. For more information, see [Managed signing](./managed-signing.html). @@ -35 +20 @@ Before you begin, The following prerequisites must be met. -## Configure authentication for the Notary client +**Manual signing** @@ -37 +21,0 @@ Before you begin, The following prerequisites must be met. -Before you can create a signature using the Notation CLI, you must configure the client so it can authenticate to Amazon ECR. If you have Docker installed on the same host where you install the Notation client, then Notation will reuse the same authentication method you use for the Docker client. The Docker `login` and `logout` commands will allow the Notation `sign` and ` verify` commands to use those same credentials, and you don’t have to separately authenticate Notation. For more information on configuring your Notation client for authentication, see [Authenticate with OCI-compliant registries](https://notaryproject.dev/docs/user-guides/how-to/registry-authentication/) in the Notary Project documentation. @@ -39 +23 @@ Before you can create a signature using the Notation CLI, you must configure the -If you are not using Docker or another tool that uses Docker credentials, then we recommend using the Amazon ECR Docker Credential Helper as your credential store. For more information on how to install and configure the Amazon ECR Credential Helper, see [Amazon ECR Docker Credential Helper](https://github.com/awslabs/amazon-ecr-credential-helper). +Manual signing uses the Notation CLI and AWS Signer plugin to sign images before pushing them to Amazon ECR. This method provides more control over the signing process and is useful when you need to sign images outside of the push workflow or require fine-grained control over signing operations. For more information, see [Manual signing](./image-signing-manual.html). @@ -41,21 +25 @@ If you are not using Docker or another tool that uses Docker credentials, then w -## Signing an image - -The following steps can be used to create the resources necessary to sign a container image and store the signature in an Amazon ECR private repository. Notation signs images using the digest. - -###### To sign an image - - 1. Create an AWS Signer signing profile using the `Notation-OCI-SHA384-ECDSA` signing platform. You can optionally specify a signature validity period using the `--signature-validity-period` parameter. This value may be specified using `DAYS`, `MONTHS`, or `YEARS`. If no validity period is specified, the default value of 135 months is used. - - aws signer put-signing-profile --profile-name ecr_signing_profile --platform-id Notation-OCI-SHA384-ECDSA - -###### Note - -The signing profile name only supports alphanumeric characters and the underscore (`_`). - - 2. Authenticate the Notation client to your default registry. The following example uses the AWS CLI to authenticate the Notation CLI to an Amazon ECR private registry. - - aws ecr get-login-password --region region | notation login --username AWS --password-stdin 111122223333.dkr.ecr.region.amazonaws.com - - 3. Use the Notation CLI to sign the image, specifying the image using the repository name and the SHA digest. This creates the signature and pushes it to the same Amazon ECR private repository that the image being signed is in. - -In the following example, we are signing an image in the `curl` repository with SHA digest `sha256:ca78e5f730f9a789ef8c63bb55275ac12dfb9e8099e6EXAMPLE`. +## Considerations @@ -63 +27 @@ In the following example, we are signing an image in the `curl` repository with - notation sign 111122223333.dkr.ecr.region.amazonaws.com/curl@sha256:ca78e5f730f9a789ef8c63bb55275ac12dfb9e8099e6EXAMPLE --plugin "com.amazonaws.signer.notation.plugin" --id "arn:aws:signer:region:111122223333:/signing-profiles/ecrSigningProfileName" +The following should be considered when using Amazon ECR image signing: @@ -64,0 +29 @@ In the following example, we are signing an image in the `curl` repository with + * Signatures stored in your repository count against the service quota for the maximum number of images per repository. Each signature counts as 1 artifact against the images per repository quota. For more information, see [Amazon ECR service quotas](./service-quotas.html). @@ -65,0 +31 @@ In the following example, we are signing an image in the `curl` repository with + * When reference artifacts are present in a repository, Amazon ECR lifecycle policies will automatically clean up those artifacts within 24 hours of the deletion of the subject image. @@ -68 +33,0 @@ In the following example, we are signing an image in the `curl` repository with -## Next steps @@ -70 +34,0 @@ In the following example, we are signing an image in the `curl` repository with -After you sign your container image, you can verify the signature locally. For instructions about verifying an image, see [Verify an image locally after signing](https://docs.aws.amazon.com/signer/latest/developerguide/image-verification.html) in the _AWS Signer Developer Guide_. @@ -78 +42 @@ To use the Amazon Web Services Documentation, Javascript must be enabled. Please -Pushing a Helm chart +Installing a Helm chart on an Amazon EKS cluster @@ -80 +44 @@ Pushing a Helm chart -Deleting artifacts +Managed signing