AWS Signer Admission Controller for ECS

The AWS Signer Admission Controller for Amazon Elastic Container Service (ECS) is an AWS Lambda-based solution that performs deployment-time verification of container image signatures for ECS workloads. When configured as an ECS lifecycle hook, the admission controller will inspect the signatures of any images deployed to the associated ECS cluster. Depending on how it is configured, it can either prevent untrusted code from being deployed, or it can provide alerts when that happens.

The admission controller uses Notation for signature verification. It is designed to work with image signatures generated by AWS Signer stored in Amazon Elastic Container Registry (ECR). It can be used with other Notation-compatible signatures and registries with additional configuration.

Getting Started

To use the AWS Signer admission controller for ECS, please refer to this blog post: https://aws.amazon.com/blogs/containers/streamline-container-image-signatures-with-amazon-ecr-managed-signing/

Configuration

The admission controller supports configuration through environment variables:

  • FAILURE_BEHAVIOR: Sets how the admission controller will respond if one or more image signatures cannot be verified
    • BLOCK_ON_FAILURE: ECS deployment will be blocked on failures
    • LOG_ON_FAILURE: Failures will be logged, but the ECS deployment will be allowed to proceed
  • TRUSTED_SIGNING_PROFILES: Comma-separated list of one or more AWS Signer signing profile ARNs
    • This MUST be set unless a custom Notation implementation is provided.
  • NOTATION_PATH: Path to custom Notation installation (see “Registry Authentication” below)

Note: The NOTATION_PATH variable is incompatible with the TRUSTED_SIGNING_PROFILES variable; set one or the other, not both. The admission controller will fail to start if it finds conflicting configuration.
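The following is an added example, not code from the admission controller itself: it parses the three environment variables above and applies the rules the page states (a valid FAILURE_BEHAVIOR, TRUSTED_SIGNING_PROFILES required unless NOTATION_PATH is set, and the two mutually exclusive) so that a misconfigured function refuses to start instead of silently weakening verification. The signing profile ARN shape, the absence of a default for FAILURE_BEHAVIOR, and the sample account id and profile name are assumptions or constructed placeholders.

```python
"""Added example, not code from the admission controller: parse the environment
variables described above and enforce the documented rules before doing anything
else, so misconfiguration is rejected at startup rather than silently weakening
verification."""
import os
import re
from dataclasses import dataclass
from typing import Mapping, Optional, Tuple

# Assumption: an AWS Signer signing profile ARN has the shape
#   arn:<partition>:signer:<region>:<account-id>:/signing-profiles/<name>[/<version>]
SIGNING_PROFILE_ARN = re.compile(
    r"^arn:aws[a-z-]*:signer:[a-z0-9-]+:\d{12}:/signing-profiles/"
    r"[A-Za-z0-9_]+(?:/[A-Za-z0-9_]+)?$"
)
VALID_FAILURE_BEHAVIORS = ("BLOCK_ON_FAILURE", "LOG_ON_FAILURE")


class ConfigError(ValueError):
    """Configuration the controller should refuse to start with."""


@dataclass(frozen=True)
class AdmissionConfig:
    failure_behavior: str
    trusted_signing_profiles: Tuple[str, ...] = ()
    notation_path: Optional[str] = None

    @property
    def blocks_on_failure(self) -> bool:
        return self.failure_behavior == "BLOCK_ON_FAILURE"


def load_config(env: Mapping[str, str]) -> AdmissionConfig:
    """Build an AdmissionConfig from an environment mapping (e.g. os.environ)."""
    # The page states no default for FAILURE_BEHAVIOR, so this example requires
    # it explicitly instead of guessing one (assumption).
    behavior = env.get("FAILURE_BEHAVIOR", "").strip()
    if behavior not in VALID_FAILURE_BEHAVIORS:
        raise ConfigError(
            f"FAILURE_BEHAVIOR must be one of {VALID_FAILURE_BEHAVIORS}, got {behavior!r}"
        )

    raw_profiles = env.get("TRUSTED_SIGNING_PROFILES", "").strip()
    notation_path = env.get("NOTATION_PATH", "").strip() or None

    # Documented rule: the two settings conflict; fail to start rather than pick one.
    if raw_profiles and notation_path:
        raise ConfigError("NOTATION_PATH and TRUSTED_SIGNING_PROFILES cannot both be set")
    # Documented rule: profiles are mandatory unless a custom Notation is supplied.
    if not raw_profiles and not notation_path:
        raise ConfigError("TRUSTED_SIGNING_PROFILES is required when NOTATION_PATH is unset")

    # Comma-separated list; tolerate surrounding whitespace and empty items.
    profiles = tuple(p.strip() for p in raw_profiles.split(",") if p.strip())
    bad = [p for p in profiles if not SIGNING_PROFILE_ARN.match(p)]
    if bad:
        raise ConfigError(f"not AWS Signer signing profile ARNs: {bad}")

    # Layers are extracted under /opt, so a relative path can never be right.
    if notation_path and not os.path.isabs(notation_path):
        raise ConfigError(f"NOTATION_PATH must be absolute, got {notation_path!r}")

    return AdmissionConfig(behavior, profiles, notation_path)


if __name__ == "__main__":
    # Constructed sample environment; the account id and profile name are placeholders.
    sample = {
        "FAILURE_BEHAVIOR": "BLOCK_ON_FAILURE",
        "TRUSTED_SIGNING_PROFILES": (
            "arn:aws:signer:us-east-1:123456789012:/signing-profiles/ecr_signing_profile"
        ),
    }
    print(load_config(sample))
```

Calling `load_config(os.environ)` once at cold start gives a single place where every rejected combination is reported, which is also the point at which you want a CloudWatch log line rather than a verification that quietly runs with an empty trust list.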

Registry Authentication

By default, the admission controller supports verifying images stored in ECR private registries. The admission controller can verify images in any ECR private registry that the Lambda function can access through IAM and network controls.

To verify images stored in non-ECR repositories, you will need to provide a custom Notation installation as an additional layer in the Lambda function.

  1. Create a Lambda layer containing your custom Notation installation, including whatever support for registry authentication you need. Note that your trust policy and trust store will need to support AWS Signer-generated signatures as described here (https://docs.aws.amazon.com/signer/latest/developerguide/image-signing-prerequisites.html).
  2. Add the Lambda layer to the admission controller function. This will make the files in the layer available under /opt (see Lambda layer documentation).
  3. Set the NOTATION_PATH environment variable to the configured location. The admission controller will now use the custom installation instead of any built-in one.
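Step 1 says the custom installation's trust policy and trust store must accept AWS Signer-generated signatures. The following added example (not the project's code) generates such a Notation trust policy and runs a sanity check over one you already have, flagging the things that would either stop AWS Signer signatures from verifying or make verification weaker than the built-in path. It assumes Notation's trustpolicy.json layout (version 1.0), the AWS Signer trust store reference `signingAuthority:aws-signer-ts`, and signing profile ARNs as trusted identities, as described on the AWS prerequisites page linked above; the sample ARN is a constructed placeholder.

```python
"""Added example, not code from the project: generate and sanity-check the Notation
trust policy that a custom Notation layer must ship for AWS Signer signatures to verify.
Assumptions: Notation's trustpolicy.json format (version 1.0), the AWS Signer trust
store reference "signingAuthority:aws-signer-ts", and signing profile ARNs as trusted
identities, as documented on the AWS prerequisites page linked in step 1."""
import json
import re
from typing import Dict, Iterable, List

AWS_SIGNER_TRUST_STORE = "signingAuthority:aws-signer-ts"
# Assumed shape of an AWS Signer signing profile ARN.
SIGNING_PROFILE_ARN = re.compile(
    r"^arn:aws[a-z-]*:signer:[a-z0-9-]+:\d{12}:/signing-profiles/"
    r"[A-Za-z0-9_]+(?:/[A-Za-z0-9_]+)?$"
)


def build_trust_policy(profile_arns: Iterable[str], name: str = "aws-signer-tp",
                       registry_scopes: Iterable[str] = ("*",)) -> Dict:
    """Return a strict trust policy that trusts only the given AWS Signer profiles."""
    return {
        "version": "1.0",
        "trustPolicies": [{
            "name": name,
            "registryScopes": list(registry_scopes),
            "signatureVerification": {"level": "strict"},
            "trustStores": [AWS_SIGNER_TRUST_STORE],
            "trustedIdentities": list(profile_arns),
        }],
    }


def trust_policy_problems(policy: Dict) -> List[str]:
    """Return findings that would stop AWS Signer signatures from verifying or that
    weaken verification below a strict, fail-closed policy. Empty list means clean."""
    problems: List[str] = []
    if policy.get("version") != "1.0":
        problems.append("version must be '1.0'")
    entries = policy.get("trustPolicies") or []
    if not entries:
        problems.append("no trustPolicies defined")
    for entry in entries:
        name = entry.get("name", "<unnamed>")
        if not entry.get("registryScopes"):
            problems.append(f"{name}: registryScopes is empty")
        # Anything other than strict lets some verification failures pass.
        level = (entry.get("signatureVerification") or {}).get("level")
        if level != "strict":
            problems.append(f"{name}: verification level {level!r} is not 'strict'")
        # Without the AWS Signer trust store, Signer-issued signatures cannot chain.
        if AWS_SIGNER_TRUST_STORE not in entry.get("trustStores", []):
            problems.append(f"{name}: trustStores lacks {AWS_SIGNER_TRUST_STORE}")
        identities = entry.get("trustedIdentities", [])
        if not identities:
            problems.append(f"{name}: trustedIdentities is empty")
        for ident in identities:
            if ident == "*":
                problems.append(f"{name}: trustedIdentities '*' accepts any signing profile")
            elif not SIGNING_PROFILE_ARN.match(ident):
                problems.append(f"{name}: {ident!r} is not a signing profile ARN")
    return problems


if __name__ == "__main__":
    # Constructed placeholder ARN; replace with the signing profile you actually use.
    policy = build_trust_policy(
        ["arn:aws:signer:us-east-1:123456789012:/signing-profiles/ecr_signing_profile"]
    )
    print(json.dumps(policy, indent=2))
    print("problems:", trust_policy_problems(policy))
```

Run `trust_policy_problems` over the trustpolicy.json you bundle into the layer before publishing it; an empty result is the precondition for step 3 to behave like the built-in verification path, and a non-empty one is what you would otherwise only discover as verification failures (or, worse, silent passes) at deployment time.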

Security Disclosures

To report a potential security issue, please do not create a new Issue in the repository. Instead, please report using the instructions here or email AWS security directly.

License

This project is licensed under the Apache-2.0 License.