Set up code signing for your Amazon SAM application - Amazon Serverless Application Model

Set up code signing for your Amazon SAM application

To ensure that only trusted code is deployed, you can use Amazon SAM to enable code signing with your serverless applications. Signing your code helps ensure that code has not been altered since signing and that only signed code packages from trusted publishers run in your Lambda functions. This helps free up organizations from the burden of building gatekeeper components in their deployment pipelines.

For more information about code signing, see Configuring code signing for Lambda functions in the Amazon Lambda Developer Guide.

Before you can configure code signing for your serverless application, you must create a signing profile using Amazon Signer. You use this signing profile for the following tasks:

  1. Creating a code signing configuration – Declare an AWS::Lambda::CodeSigningConfig resource to specify the signing profiles of trusted publishers and to set the policy action for validation checks. You can declare this object in the same Amazon SAM template as your serverless function, in a different Amazon SAM template, or in an Amazon CloudFormation template. You then enable code signing for a serverless function by setting the function's CodeSigningConfigArn property to the Amazon Resource Name (ARN) of an AWS::Lambda::CodeSigningConfig resource.

  2. Signing your code – Use the sam package or sam deploy command with the --signing-profiles option.

Note

In order to successfully sign your code with the sam package or sam deploy commands, versioning must be enabled for the Amazon S3 bucket you use with these commands. If you are using the Amazon S3 Bucket that Amazon SAM creates for you, versioning is enabled automatically. For more information about Amazon S3 bucket versioning and instructions for enabling versioning on an Amazon S3 bucket that you provide, see Using versioning in Amazon S3 buckets in the Amazon Simple Storage Service User Guide.

When you deploy a serverless application, Lambda performs validation checks on all functions that you've enabled code signing for. Lambda also performs validation checks on any layers that those functions depend on. For more information about Lambda's validation checks, see Signature validation in the Amazon Lambda Developer Guide.

Example

Creating a signing profile

To create a signing profile, run the following command:

aws signer put-signing-profile --platform-id "AWSLambda-SHA384-ECDSA" --profile-name MySigningProfile

If the previous command is successful, you see the signing profile's ARN returned. For example:

{
    "arn": "arn:aws:signer:us-east-1:111122223333:/signing-profiles/MySigningProfile",
    "profileVersion": "SAMPLEverx",
    "profileVersionArn": "arn:aws:signer:us-east-1:111122223333:/signing-profiles/MySigningProfile/SAMPLEverx"
}

The profileVersionArn field contains the ARN to use when you create the code signing configuration.

Creating a code signing configuration and enabling code signing for a function

The following example Amazon SAM template declares an AWS::Lambda::CodeSigningConfig resource and enables code signing for a Lambda function. In this example, there is one trusted profile, and deployments are rejected if the signature checks fail.

Resources:
  HelloWorld:
    Type: AWS::Serverless::Function
    Properties:
      CodeUri: hello_world/
      Handler: app.lambda_handler
      Runtime: python3.7
      CodeSigningConfigArn: !Ref MySignedFunctionCodeSigningConfig

  MySignedFunctionCodeSigningConfig:
    Type: AWS::Lambda::CodeSigningConfig
    Properties:
      Description: "Code Signing for MySignedLambdaFunction"
      AllowedPublishers:
        SigningProfileVersionArns:
          - MySigningProfile-profileVersionArn
      CodeSigningPolicies:
        UntrustedArtifactOnDeployment: "Enforce"
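The pre-deploy check below is added here and is not part of this guide or of Amazon SAM. It lints a template before sam deploy, flagging functions with no CodeSigningConfigArn, configurations whose UntrustedArtifactOnDeployment is Warn rather than Enforce, and AllowedPublishers entries that are not Signer profile version ARNs. It assumes the template has already been loaded into a Python dict with !Ref represented as {"Ref": ...} (a CloudFormation-aware YAML loader does this); both sample templates are constructed.

```python
import re
# Shape of Signer's profileVersionArn, which is what AllowedPublishers must list.
_PROFILE_VERSION_ARN = re.compile(
    r"^arn:aws(?:-[a-z]+)?:signer:[a-z0-9-]+:\d{12}:/signing-profiles/\w+/[A-Za-z0-9]+$")

def check_code_signing(template):
    """Return findings for a SAM template dict; an empty list means it passes."""
    resources = template.get("Resources", {})
    findings = []
    for name, res in resources.items():
        if res.get("Type") != "AWS::Serverless::Function":
            continue
        ref = res.get("Properties", {}).get("CodeSigningConfigArn")
        if ref is None:
            findings.append(f"{name}: no CodeSigningConfigArn, unsigned code would deploy")
            continue
        # !Ref loads as {"Ref": id}; a literal ARN names a config this check cannot inspect.
        csc_name = ref.get("Ref") if isinstance(ref, dict) else None
        csc = resources.get(csc_name, {})
        if csc.get("Type") != "AWS::Lambda::CodeSigningConfig":
            findings.append(f"{name}: CodeSigningConfigArn is not a Ref to a config in this template")
            continue
        cprops = csc.get("Properties", {})
        policy = cprops.get("CodeSigningPolicies", {}).get("UntrustedArtifactOnDeployment", "Warn")
        if policy != "Enforce":  # Warn (the default) only logs and still deploys the artifact
            findings.append(f"{csc_name}: UntrustedArtifactOnDeployment is {policy}, not Enforce")
        arns = cprops.get("AllowedPublishers", {}).get("SigningProfileVersionArns", [])
        if not arns:
            findings.append(f"{csc_name}: no trusted signing profiles listed")
        for arn in arns:
            if not _PROFILE_VERSION_ARN.match(str(arn)):
                findings.append(f"{csc_name}: {arn!r} is not a signing profile version ARN")
    return findings

# Constructed sample: the guide's template with a well-formed version ARN filled in.
GOOD = {"Resources": {
    "HelloWorld": {"Type": "AWS::Serverless::Function", "Properties": {
        "CodeSigningConfigArn": {"Ref": "MySignedFunctionCodeSigningConfig"}}},
    "MySignedFunctionCodeSigningConfig": {"Type": "AWS::Lambda::CodeSigningConfig", "Properties": {
        "AllowedPublishers": {"SigningProfileVersionArns": [
            "arn:aws:signer:us-east-1:111122223333:/signing-profiles/MySigningProfile/SAMPLEverx"]},
        "CodeSigningPolicies": {"UntrustedArtifactOnDeployment": "Enforce"}}}}}
# Constructed weak variant: a second function unsigned, policy at Warn, placeholder ARN left in.
WEAK = {"Resources": {
    "HelloWorld": {"Type": "AWS::Serverless::Function", "Properties": {
        "CodeSigningConfigArn": {"Ref": "Csc"}}},
    "Cron": {"Type": "AWS::Serverless::Function", "Properties": {"Handler": "app.cron"}},
    "Csc": {"Type": "AWS::Lambda::CodeSigningConfig", "Properties": {
        "AllowedPublishers": {"SigningProfileVersionArns": ["MySigningProfile-profileVersionArn"]},
        "CodeSigningPolicies": {"UntrustedArtifactOnDeployment": "Warn"}}}}}
```

Running check_code_signing over a template in CI before sam package catches the placeholder ARN and a Warn policy, the two mistakes that silently leave unsigned code deployable.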

Signing your code

You can sign your code when packaging or deploying your application. Specify the --signing-profiles option with either the sam package or sam deploy command, as shown in the following example commands.

Signing your function code when packaging your application:

sam package --signing-profiles HelloWorld=MySigningProfile --s3-bucket test-bucket --output-template-file packaged.yaml

Signing both your function code and a layer that your function depends on, when packaging your application:

sam package --signing-profiles HelloWorld=MySigningProfile MyLayer=MySigningProfile --s3-bucket test-bucket --output-template-file packaged.yaml

Signing your function code and a layer, then performing a deployment:

sam deploy --signing-profiles HelloWorld=MySigningProfile MyLayer=MySigningProfile --s3-bucket test-bucket --template-file packaged.yaml --stack-name my-stack-name --region us-east-1 --capabilities CAPABILITY_IAM


Providing signing profiles with sam deploy --guided

When you run the sam deploy --guided command with a serverless application that's configured with code signing, Amazon SAM prompts you to provide the signing profile to use for code signing. For more information about sam deploy --guided prompts, see sam deploy in the Amazon SAM CLI command reference.