Lambda code signing enforces the integrity of your code and ensures that only trusted developers can deploy code to your AWS Lambda functions.
Code signing for Lambda protects the deployment stage: before Lambda accepts a deployment package it verifies a cryptographic signature (a SHA-384 hash signed with ECDSA by AWS Signer) over that package, so a modified or unsigned artifact can be detected and rejected.
Admin User
1) Create a signing profile in AWS Signer
2) Give developers access via IAM to use this profile to sign their artifacts
3) Create a code signing configuration (CSC) that specifies the signing profile and the signature validation policy (Warn, which allows deployments that fail the signature check and only logs a warning, or Enforce, which rejects them)
Developer
1) Use the signing profile to sign the deployment artifact
2) Deploy the signed deployment artifact to a function (create/update the Lambda function)
Code Signing deployment approach
Since AWS Signer is a shared service, creating the signing profile and the code signing configuration and granting developers permission to use them via IAM can be part of common (shared) infrastructure modules, while signing and deploying the artifact stays with each developer or pipeline.
1) Profile Creation
aws signer put-signing-profile \
--profile-name signin_profile \
--platform-id AWSLambda-SHA384-ECDSA
The response includes a profileVersionArn; keep it, because the code signing configuration in step 3 refers to the profile version, not to the profile itself.
2) Add permission via IAM
The principal is the IAM role or user that developers (or the CI pipeline) sign with, i.e. whoever will call start-signing-job; the function's own execution role does not need this permission.
aws signer add-profile-permission \
--profile-name signin_profile \
--action signer:StartSigningJob \
--principal arn:aws:iam::XXXXXXXXXXXX:role/lambda-ex \
--statement-id signerstmtid
3) Create signing config
aws lambda create-code-signing-config \
--description "lambda config" \
--allowed-publishers SigningProfileVersionArns=arn:aws:signer:ap-southeast-2:XXXXXXXXX:/signing-profiles/signin_profile/XXXXX \
--code-signing-policies UntrustedArtifactOnDeployment=Enforce
With Enforce, Lambda rejects any create-function or update-function-code whose package is unsigned, signed by a profile version that is not in the allowed publishers, or carries an expired signature; with Warn it allows the deployment and only records a warning in CloudWatch.
Developers can use the signing profile to sign and deploy the artifacts.
Sign the deployment artifact
The source bucket must have versioning enabled, because start-signing-job signs a specific object version. The signed package is written to the destination bucket under the given prefix; the command returns a jobId, and describe-signing-job (after the job has succeeded) reports the key of the signed object.
aws signer start-signing-job \
--source 's3={bucketName=<lambda-bucket>, version=<version-string>, key=main-function.zip}' \
--destination 's3={bucketName=<lambda-bucket>, prefix=signed-}' \
--profile-name signin_profile
## Deploy the Artifact
Download the signed package from the destination bucket first (or pass --code S3Bucket=<lambda-bucket>,S3Key=<signed-key> instead of --zip-file). Passing --code-signing-config-arn binds the CSC to the function, so this deployment and every later update-function-code is checked against the allowed publishers.
aws lambda create-function \
--function-name "signed-main-function" \
--runtime "python3.8" \
--role <lambda-role> \
--zip-file "fileb://signed-main-function.zip" \
--handler lambda_function.lambda_handler \
--code-signing-config-arn <code-signing-config-arn>
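The developer steps above as one pipeline script (an added example, not code from the original post): it signs a given object version, waits for the signing job, deploys the signed object straight from S3 with the CSC attached, confirms the binding and the Enforce policy, and then checks that an unsigned zip is rejected, which is the failure mode a practitioner should actually test. All names in it (bucket, profile, execution role, function name, CSC ARN, the python3.12 runtime) are placeholder assumptions; it needs the AWS CLI with credentials holding the Signer and Lambda permissions, and nothing runs unless RUN_PIPELINE=1 is set.

```shell
#!/usr/bin/env bash
# Added example (not from the original post): sign-and-deploy pipeline built
# from the AWS CLI commands above. Every value below is a placeholder assumption.
set -eu

PROFILE_NAME="${PROFILE_NAME:-signin_profile}"        # AWS Signer profile (admin step 1)
BUCKET="${BUCKET:-lambda-bucket}"                     # MUST have versioning enabled
CSC_ARN="${CSC_ARN:-arn:aws:lambda:ap-southeast-2:123456789012:code-signing-config:csc-0123456789abcdef0}"  # hypothetical
LAMBDA_ROLE="${LAMBDA_ROLE:-arn:aws:iam::123456789012:role/lambda-ex}"  # hypothetical execution role
FUNCTION_NAME="${FUNCTION_NAME:-signed-main-function}"

# Sign object $1 at S3 object version $2 and print the key of the signed zip.
# The key is read back from DescribeSigningJob instead of being guessed from
# the prefix, so the script does not depend on Signer's object naming.
sign_artifact() {
  local key="$1" version="$2" job_id
  job_id=$(aws signer start-signing-job \
    --source "s3={bucketName=${BUCKET},version=${version},key=${key}}" \
    --destination "s3={bucketName=${BUCKET},prefix=signed-}" \
    --profile-name "${PROFILE_NAME}" \
    --query jobId --output text)
  aws signer wait successful-signing-job --job-id "${job_id}"
  aws signer describe-signing-job --job-id "${job_id}" \
    --query 'signedObject.s3.key' --output text
}

# Deploy the signed object directly from S3 and bind the code signing config.
deploy_signed() {
  local signed_key="$1"
  aws lambda create-function \
    --function-name "${FUNCTION_NAME}" \
    --runtime python3.12 \
    --role "${LAMBDA_ROLE}" \
    --handler lambda_function.lambda_handler \
    --code "S3Bucket=${BUCKET},S3Key=${signed_key}" \
    --code-signing-config-arn "${CSC_ARN}" >/dev/null
}

# Post-deploy check: the function is bound to our CSC and the policy is Enforce.
verify_enforced() {
  local bound policy
  bound=$(aws lambda get-function-code-signing-config \
    --function-name "${FUNCTION_NAME}" --query CodeSigningConfigArn --output text)
  policy=$(aws lambda get-code-signing-config --code-signing-config-arn "${CSC_ARN}" \
    --query 'CodeSigningConfig.CodeSigningPolicies.UntrustedArtifactOnDeployment' --output text)
  [ "${bound}" = "${CSC_ARN}" ] && [ "${policy}" = "Enforce" ]
}

# Map the CLI's error output for a rejected deployment to a short verdict.
# Lambda raises CodeVerificationFailedException when the package is unsigned,
# signed by a non-allowed profile or expired and the policy is Enforce, and
# InvalidCodeSignatureException when the signature fails the integrity check
# (that one is blocked even under Warn).
classify_deploy_error() {
  local stderr_text="$1"
  case "${stderr_text}" in
    *InvalidCodeSignatureException*)   echo "blocked-integrity" ;;
    *CodeVerificationFailedException*) echo "blocked-policy" ;;
    *)                                 echo "other" ;;
  esac
}

# Negative test: an unsigned zip ($1, a local file) must be rejected by Enforce.
expect_unsigned_rejected() {
  local unsigned_zip="$1" err verdict
  if err=$(aws lambda update-function-code --function-name "${FUNCTION_NAME}" \
        --zip-file "fileb://${unsigned_zip}" 2>&1 >/dev/null); then
    echo "unsigned artifact was accepted: signing is not enforced" >&2
    return 1
  fi
  verdict=$(classify_deploy_error "${err}")
  [ "${verdict}" = "blocked-policy" ]
}

main() {
  local signed_key
  signed_key=$(sign_artifact "main-function.zip" "${OBJECT_VERSION:?set to the S3 object version}")
  deploy_signed "${signed_key}"
  verify_enforced
  expect_unsigned_rejected "main-function.zip"
  echo "deployed ${FUNCTION_NAME} from ${signed_key} with enforced code signing"
}

# Run the pipeline only when asked, so the file can also be sourced for its functions.
if [ "${RUN_PIPELINE:-0}" = "1" ]; then
  main "$@"
fi
```

Run it as RUN_PIPELINE=1 OBJECT_VERSION=<version-string> ./sign-deploy.sh. If the CSC policy were Warn instead of Enforce, the unsigned update in expect_unsigned_rejected would be accepted and the script would fail on purpose, which is exactly the misconfiguration this check is meant to catch.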