Validating AWS Lambda Code Using AWS Signer

Validating AWS Lambda Code Using AWS Signer

Introduction

Arch_AWS-Signer_64@5x.png

The practice of digitally signing source code packages for functions and layers is called Lambda code signing. The goal of code signing is to make sure that only trusted code runs in your functions.

The signer service can be used to verify the integrity of your code. The deployment package will be rejected or accepted if a series of validation checks are not performed.

In this article, you will use the console to set up code signing for a function. The validation checks and policies that can be applied to your code signing configurations are covered in the article.

Configuring an Amazon S3 Bucket to Store Signed Assets

Defining Amazon S3 source and destination buckets is the first step in the code-signing process. The signed package is deposited in the S3 destination bucket after the signer retrieves unsigned packages from the S3 source bucket.

You can simplify this process by using the same bucket to store both signed and unsigned packages.

Kindly watch the below video to configure an Amazon S3 Bucket to Store Signed Assets.

Configuring a Signing Profile and Generate a Signature

Signing profiles are used to sign deployment packages. These profiles can be considered code-signing templates. Signing profiles have a set of instructions known as signing platforms.

A signing profile performs a signing job, which creates a signature and applies it to an unsigned ZIP file. The package can be deployed to a function with code signing enabled after a successful signing job.

To start a signing job, you need to specify a source S3 bucket, a signing profile, and a destination S3 bucket. You will use the versioned S3 bucket you updated in the previous step.

In this step, you will create a signing profile that will be used to sign your deployment packages. You will begin your first signing job when you have a signed deployment package for your function.

Kindly watch the below video to configure a Signing Profile and Generate a Signature.

Configuring Code Signing for AWS Lambda

A code signing configuration can be attached to a function. The allowed signing profiles and the signature validation policy of your function are defined by the code signing configurations. When there is an attempt to deploy an unsigned package, the signature validation policy defines what actions are performed.

There are two actions available.

  • The function package is deployed, but a warning is issued.
  • The deployment function is blocked after a warning is issued.

On new and existing functions, code signing configurations can be enabled. You will deploy a signed function package in this step.

Kindly watch the below video to configure Code Signing for AWS Lambda.

Conclusion

You created an Amazon S3 bucket to store signed assets. A signer signing profile was created. A package signature was created using a signing job. A code signing configuration was created.

Gratitude for perusing my article till the end. I hope you realized something unique today. If you enjoyed this article then please share it with your buddies and if you have suggestions or thoughts to share with me then please write in the comment box.

Follow me and share your thoughts, GitHub LinkedIn Twitter

Did you find this article valuable?

Support Makendran Gunasekaran by becoming a sponsor. Any amount is appreciated!