DEV Community

selvakumar palanisamy

Lambda Code signing

Lambda code signing enforces the integrity of the code you deploy and ensures that only trusted publishers, that is, signing profiles you control, can deploy code to your AWS Lambda functions.

Code signing for Lambda protects the deployment stage: Lambda checks a cryptographic signature over a SHA-384 hash of the deployment package (AWS Signer's AWSLambda-SHA384-ECDSA platform) before accepting it, and either warns about or rejects packages that fail the check.


Admin user

1) Create a signing profile in AWS Signer.

2) Grant developers access via IAM to use this profile to sign their artifacts (the signer:StartSigningJob action on the profile).

3) Create a code signing configuration (CSC) that specifies the allowed signing profile versions and the signature validation policy: Warn (deploy anyway and log a warning) or Enforce (reject deployments that fail the signature check). To stop developers from creating functions without a CSC at all, restrict lambda:CreateFunction in their IAM policy with the lambda:CodeSigningConfigArn condition key.

Developer

1) Use the signing profile to sign the deployment artifact.

2) Deploy the signed artifact to a function (create or update the Lambda function with the CSC attached).

Code signing deployment approach

Since AWS Signer is a shared service, creating the signing profile and the code signing config and granting developers permission to use the profile via IAM can live in common (platform) modules; developers only need the sign-and-deploy steps.

1) Profile creation

aws signer put-signing-profile \
    --profile-name signin_profile \
    --platform AWSLambda-SHA384-ECDSA

2) Add permission via IAM (a resource policy on the profile that lets the developers' role start signing jobs)

aws signer add-profile-permission \
--profile-name signin_profile \
--action signer:StartSigningJob \
--principal arn:aws:iam::XXXXXXXXXXXX:role/lambda-ex \
--statement-id signerstmtid

3) Create the code signing config

The allowed publisher is a signing profile version ARN, not the profile ARN; read it from the profileVersionArn field of `aws signer get-signing-profile --profile-name signin_profile`.

aws lambda create-code-signing-config \
    --description "lambda config" \
    --allowed-publishers SigningProfileVersionArns=arn:aws:signer:ap-southeast-2:XXXXXXXXX:/signing-profiles/signin_profile/XXXXX \
    --code-signing-policies "UntrustedArtifactOnDeployment"="Enforce"

Developers can then use the signing profile to sign and deploy their artifacts.

Sign the deployment artifact

The source object must live in a bucket with versioning enabled, and version is the S3 object version ID of the zip you are signing. Signer writes the signed package to the destination bucket under the key <prefix><job-id>, here signed-<job-id>; poll `aws signer get-signing-job --job-id <job-id>` and read the key from signedObject once the status is Succeeded.

aws signer start-signing-job \
    --source 's3={bucketName=<lambda-bucket>,version=<version-string>,key=main-function.zip}' \
    --destination 's3={bucketName=<lambda-bucket>,prefix=signed-}' \
    --profile-name signin_profile

Deploy the artifact

signed-main-function.zip is the signed object downloaded from the destination bucket; alternatively pass `--code S3Bucket=<lambda-bucket>,S3Key=signed-<job-id>` instead of `--zip-file` and skip the download. With the policy set to Enforce, Lambda rejects the request if the package is unsigned, signed by a profile not listed in the CSC, or modified after signing, and the same check runs on every later update-function-code. (python3.8 is an end-of-life runtime; pick a currently supported one for new functions.)

aws lambda create-function \
    --function-name "signed-main-function" \
    --runtime "python3.8" \
    --role <lambda-role> \
    --zip-file "fileb://signed-main-function.zip" \
    --handler lambda_function.lambda_handler \
    --code-signing-config-arn <code-signing-config-arn>
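Signing only helps if every function actually carries a CSC and that CSC says Enforce. The audit below is an added example written for this post, not code from the original page or from AWS: it checks each function for a missing CSC, a Warn-only policy, and allowed publishers outside your own signing profile versions. The audit logic runs offline on the constructed sample data (made-up account ID, config IDs and function names); collect_from_aws() is the assumed boto3 glue for a live account and is not exercised here.

```python
"""Audit Lambda functions for code signing enforcement (added example, not from the post)."""
from dataclasses import dataclass


@dataclass
class Finding:
    function_name: str
    issue: str


def audit_code_signing(functions, configs, trusted_profile_version_arns):
    """Return one Finding per weakness.

    functions: list of {"FunctionName": str, "CodeSigningConfigArn": str (absent if none)}
    configs:   {csc_arn: {"AllowedPublishers": {...}, "CodeSigningPolicies": {...}}},
               the shape Lambda's ListCodeSigningConfigs returns
    """
    trusted = set(trusted_profile_version_arns)
    findings = []
    for fn in functions:
        name = fn["FunctionName"]
        csc_arn = fn.get("CodeSigningConfigArn")
        if not csc_arn:
            findings.append(Finding(name, "no code signing config attached; unsigned code deploys freely"))
            continue
        csc = configs.get(csc_arn)
        if csc is None:
            findings.append(Finding(name, f"references unknown code signing config {csc_arn}"))
            continue
        # Lambda's default when no policy is set is Warn: a bad signature only logs.
        policy = csc.get("CodeSigningPolicies", {}).get("UntrustedArtifactOnDeployment", "Warn")
        if policy != "Enforce":
            findings.append(Finding(name, f"UntrustedArtifactOnDeployment is {policy}, not Enforce"))
        publishers = set(csc.get("AllowedPublishers", {}).get("SigningProfileVersionArns", []))
        rogue = publishers - trusted
        if rogue:
            findings.append(Finding(name, "CSC trusts profiles outside the allow-list: " + ", ".join(sorted(rogue))))
    return findings


def _pages(call, **kwargs):
    """Follow Lambda's Marker/NextMarker pagination for any list_* call."""
    while True:
        page = call(**kwargs)
        yield page
        if not page.get("NextMarker"):
            return
        kwargs["Marker"] = page["NextMarker"]


def collect_from_aws(region_name):
    """Assumed boto3 glue (not run offline): build the audit inputs from a live account."""
    import boto3  # imported here so the audit itself has no AWS dependency

    client = boto3.client("lambda", region_name=region_name)
    configs, csc_of = {}, {}
    for page in _pages(client.list_code_signing_configs):
        for csc in page["CodeSigningConfigs"]:
            arn = csc["CodeSigningConfigArn"]
            configs[arn] = csc
            for fpage in _pages(client.list_functions_by_code_signing_config, CodeSigningConfigArn=arn):
                for function_arn in fpage["FunctionArns"]:
                    csc_of[function_arn] = arn
    functions = []
    for page in _pages(client.list_functions):
        for fn in page["Functions"]:
            entry = {"FunctionName": fn["FunctionName"]}
            if fn["FunctionArn"] in csc_of:
                entry["CodeSigningConfigArn"] = csc_of[fn["FunctionArn"]]
            functions.append(entry)
    return functions, configs


# Constructed sample data (made-up account ID, config IDs and names), shaped like the API output.
TRUSTED_PROFILE_VERSIONS = [
    "arn:aws:signer:ap-southeast-2:111122223333:/signing-profiles/signin_profile/AbCd1234",
]
_CSC = "arn:aws:lambda:ap-southeast-2:111122223333:code-signing-config:csc-"
SAMPLE_CONFIGS = {
    _CSC + "enforce": {
        "AllowedPublishers": {"SigningProfileVersionArns": TRUSTED_PROFILE_VERSIONS},
        "CodeSigningPolicies": {"UntrustedArtifactOnDeployment": "Enforce"},
    },
    _CSC + "warn": {
        "AllowedPublishers": {"SigningProfileVersionArns": TRUSTED_PROFILE_VERSIONS},
        "CodeSigningPolicies": {"UntrustedArtifactOnDeployment": "Warn"},
    },
    _CSC + "contractor": {
        "AllowedPublishers": {"SigningProfileVersionArns": TRUSTED_PROFILE_VERSIONS + [
            "arn:aws:signer:ap-southeast-2:111122223333:/signing-profiles/contractor/Zz9900"]},
        "CodeSigningPolicies": {"UntrustedArtifactOnDeployment": "Enforce"},
    },
}
SAMPLE_FUNCTIONS = [
    {"FunctionName": "signed-main-function", "CodeSigningConfigArn": _CSC + "enforce"},
    {"FunctionName": "legacy-cron"},  # never had a CSC attached
    {"FunctionName": "warn-only", "CodeSigningConfigArn": _CSC + "warn"},
    {"FunctionName": "shared-with-contractor", "CodeSigningConfigArn": _CSC + "contractor"},
]

if __name__ == "__main__":
    for f in audit_code_signing(SAMPLE_FUNCTIONS, SAMPLE_CONFIGS, TRUSTED_PROFILE_VERSIONS):
        print(f"{f.function_name}: {f.issue}")
```

On the sample data the audit flags legacy-cron (no CSC), warn-only (Warn policy) and shared-with-contractor (an extra publisher) and leaves signed-main-function alone; run it against a live account with `audit_code_signing(*collect_from_aws("ap-southeast-2"), TRUSTED_PROFILE_VERSIONS)` from a role that can list functions and code signing configs.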
