DEV Community

Cover image for Lambda Code signing
selvakumar palanisamy
selvakumar palanisamy

Posted on

Lambda Code signing

Lambda code signing enforce the integrity of your code and make sure that only trusted developers can deploy code to your AWS Lambda functions.

code signing for Lambda is to protect the deployment stage and give a cryptographically strong hash verification.

image

Admin  User

 1) Create a signing profile in AWS Signer

2) Give access  via IAM for developers to use this profile to
sign their artifacts 

3) Create a code signing configuration (CSC) that specifies
the signing profile  and the signature validation policy
(Warn or reject the deployments that fail the signature
check)

Developer

 1) Use the signing profile to sign the deployment artifact

2) Deploy the signed deployment artifact to a function 
(create/update lambda function)

Code Signing deployment approach

Since code signing service  is the shared service ,the code signing profile and config creation ,assigning the permissions to developers via IAM can be part of common modules.

1) Profile Creation 

aws signer put-signing-profile \
    --profile-name signin_profile \
    --platform AWSLambda-SHA384-ECDSA

2) ADD permission via IAM

aws signer add-profile-permission \
--profile-name signin_profile \
--action signer:StartSigningJob \
--principal arn:aws:iam::XXXXXXXXXXXX:role/lambda-ex \
--statement-id signerstmtid

3 )Create signing config

 aws lambda create-code-signing-config \
--description "lambda config" \
--allowed-publishers SigningProfileVersionArns=arn:aws:signer:ap-southeast-2:XXXXXXXXX:/signing-profiles/signin_profile/XXXXX \
--code-signing-policies "UntrustedArtifactOnDeployment"="Enforce"
Enter fullscreen mode Exit fullscreen mode

 Developers can use the signing profile to sign and deploy the
artifacts

Sign the deployment artifact 

aws signer start-signing-job \ 
--source 's3={bucketName=<lambda-bucket>, version=<version-string>, key=main-function.zip}' \
--destination 's3={bucketName=<lambda-bucket>, prefix=signed-}' \
--profile-name signin_profile

## Deploy the Artifact 

aws lambda create-function \
    --function-name "signed-main-function" \
    --runtime "python3.8" \
    --role <lambda-role> \
    --zip-file "fileb://signed-main-function.zip" \
    --handler lambda_function.lambda_handler \ 
    --code-signing-config-arn <code-signing-config-arn>
Enter fullscreen mode Exit fullscreen mode

Top comments (0)

Read next

jenueldev profile image

Should You Continue Learn Your Stack or Learn New Tools

Jenuel Oras Ganawed -

conquerym profile image

Go 1.23's Game-Changing unique Package: Supercharge Your Data Deduplication

ym qu -

mukhilpadmanabhan profile image

A Simple Guide to Docker Compose & Multi-Container Applications

Mukhil Padmanabhan -

airton_lirajunior_2ddebd profile image

Desvendando o Atlas: Gerencie Seus Esquemas de Banco de Dados com Estilo🚀

Airton Lira junior -