Configuring code signing for Amazon Lambda
Code signing for Amazon Lambda helps to ensure that only trusted code runs in your Lambda functions. When you enable code signing for a function, Lambda checks every code deployment and verifies that the code package is signed by a trusted source.
Note
Functions defined as container images do not support code signing.
To verify code integrity, use Amazon Signer to create digitally signed code packages for functions and layers. When a user attempts to deploy a code package, Lambda performs validation checks on the code package before accepting the deployment. Because code signing validation checks run at deployment time, there is no performance impact on function execution.
You also use Amazon Signer to create signing profiles. You use a signing profile to create the signed code package. Use Amazon Identity and Access Management (IAM) to control who can sign code packages and create signing profiles. For more information, see Authentication and Access Control in the Amazon Signer Developer Guide.
To enable code signing for a function, you create a code signing configuration and attach it to the function. A code signing configuration defines a list of allowed signing profiles and the policy action to take if any of the validation checks fail.
Lambda layers follow the same signed code package format as function code packages. When you add a layer to a function that has code signing enabled, Lambda checks that the layer is signed by an allowed signing profile. When you enable code signing for a function, all layers that are added to the function must also be signed by one of the allowed signing profiles.
Use IAM to control who can create code signing configurations. Typically, you allow only specific administrative users to have this ability. Additionally, you can set up IAM policies to enforce that developers only create functions that have code signing enabled.
You can configure code signing to log changes to Amazon CloudTrail. Successful and blocked deployments to functions are logged to CloudTrail with information about the signature and validation checks.
You can configure code signing for your functions using the Lambda console, the Amazon Command Line Interface (Amazon CLI), Amazon CloudFormation, and the Amazon Serverless Application Model (Amazon SAM).
There is no additional charge for using Amazon Signer or code signing for Amazon Lambda.
Sections
Signature validation
Lambda performs the following validation checks when you deploy a signed code package to your function:
-
Integrity – Validates that the code package has not been modified since it was signed. Lambda compares the hash of the package with the hash from the signature.
-
Expiry – Validates that the signature of the code package has not expired.
-
Mismatch – Validates that the code package is signed with one of the allowed signing profiles for the Lambda function. A mismatch also occurs if a signature is not present.
-
Revocation – Validates that the signature of the code package has not been revoked.
The signature validation policy defined in the code signing configuration determines which of the following actions Lambda takes if any of the validation checks fail:
-
Warn – Lambda allows the deployment of the code package, but issues a warning. Lambda issues a new Amazon CloudWatch metric and also stores the warning in the CloudTrail log.
-
Enforce – Lambda issues a warning (the same as for the Warn action) and blocks the deployment of the code package.
You can configure the policy for the expiry, mismatch, and revocation validation checks. Note that you cannot configure a policy for the integrity check. If the integrity check fails, Lambda blocks deployment.
Configuration prerequisites
Before you can configure code signing for a Lambda function, use Amazon Signer to do the following:
-
Create one or more signing profiles.
-
Use a signing profile to create a signed code package for your function.
For more information, see Creating Signing Profiles (Console) in the Amazon Signer Developer Guide.
Creating code signing configurations
A code signing configuration defines a list of allowed signing profiles and the signature validation policy.
To create a code signing configuration (console)
-
Open the Code signing configurations page
of the Lambda console. -
Choose Create configuration.
-
For Description, enter a descriptive name for the configuration.
-
Under Signing profiles, add up to 20 signing profiles to the configuration.
-
For Signing profile version ARN, choose a profile version's Amazon Resource Name (ARN), or enter the ARN.
-
To add an additional signing profile, choose Add signing profiles.
-
-
Under Signature validation policy, choose Warn or Enforce.
-
Choose Create configuration.
Updating a code signing configuration
When you update a code signing configuration, the changes impact the future deployments of functions that have the code signing configuration attached.
To update a code signing configuration (console)
-
Open the Code signing configurations page
of the Lambda console. -
Select a code signing configuration to update, and then choose Edit.
-
For Description, enter a descriptive name for the configuration.
-
Under Signing profiles, add up to 20 signing profiles to the configuration.
-
For Signing profile version ARN, choose a profile version's Amazon Resource Name (ARN), or enter the ARN.
-
To add an additional signing profile, choose Add signing profiles.
-
-
Under Signature validation policy, choose Warn or Enforce.
-
Choose Save changes.
Deleting a code signing configuration
You can delete a code signing configuration only if no functions are using it.
To delete a code signing configuration (console)
-
Open the Code signing configurations page
of the Lambda console. -
Select a code signing configuration to delete, and then choose Delete.
-
To confirm, choose Delete again.
Enabling code signing for a function
To enable code signing for a function, you associate a code signing configuration with the function.
To associate a code signing configuration with a function (console)
Open the Functions page
of the Lambda console. -
Choose the function for which you want to enable code signing.
-
Open the Configuration tab.
-
Scroll down and choose Code signing.
-
Choose Edit.
-
In Edit code signing, choose a code signing configuration for this function.
-
Choose Save.
Configuring IAM policies
To grant permission for a user to access the code signing API operations, attach one or more policy statements to the user policy. For more information about user policies, see Working with identity-based IAM policies in Lambda.
The following example policy statement grants permission to create, update, and retrieve code signing configurations.
{ "Version": "2012-10-17", "Statement": [ { "Effect": "Allow", "Action": [ "lambda:CreateCodeSigningConfig", "lambda:UpdateCodeSigningConfig", "lambda:GetCodeSigningConfig" ], "Resource": "*" } ] }
Administrators can use the CodeSigningConfigArn condition key to specify the code signing
configurations that developers must use to create or update your functions.
The following example policy statement grants permission to create a function. The policy statement includes a
lambda:CodeSigningConfigArn condition to specify the allowed code signing configuration. Lambda
blocks any CreateFunction API request if its CodeSigningConfigArn parameter is missing
or does not match the value in the condition.
{ "Version": "2012-10-17", "Statement": [ { "Sid": "AllowReferencingCodeSigningConfig", "Effect": "Allow", "Action": [ "lambda:CreateFunction", ], "Resource": "*", "Condition": { "StringEquals": { "lambda:CodeSigningConfigArn": “arn:aws-cn:lambda:us-west-2:123456789012:code-signing-config:csc-0d4518bd353a0a7c6” } } } ] }
Configuring code signing with the Lambda API
To manage code signing configurations with the Amazon CLI or Amazon SDK, use the following API operations:
To manage the code signing configuration for a function, use the following API operations: