AWS Signer — Cross Account pt. 2

Cross Account — AWS Lambda CSC

I will show you how to configure your AWS Lambda functions in Account B to reference their package signature with the AWS Signer profile in Account A.

Centralize your Code Signing Configuration for your AWS Lambda functions

In a previous post, I wrote about how to sign your AWS Lambda packages cross-account. It’d be best if you read and implement the steps there before starting this one.

Now I will show you how to configure your AWS Lambda functions in Account B to reference their package signature with the AWS Signer profile in Account A.

This lets you manage a single AWS Signer profile instance in one AWS account that many other AWS accounts can use, instead of creating a separate AWS Signer profile instance in each AWS account.


Prerequisites

  1. The IAM user in Account A must have permissions for AWS Signer and AWS IAM, and the IAM user in Account B must have permissions for AWS Lambda, Amazon S3 and AWS IAM.


AWS Signer Versioned ARN — Account A

This part is pretty simple.

Access the AWS Signer service:

Account A — AWS Signer search result

In the left-hand menu access Signing profile:

Account A — AWS Signer left-hand menu

Open the signing profile instance you’ll be using and save its Versioned profile ARN (it will be needed in later steps):

Account A — Versioned profile ARN


IAM Role — Account A

You will now create an AWS IAM Role that allows Account B to access the AWS Signer profile in Account A.

Go to AWS IAM:

Account A — AWS IAM search result

Access the left-hand menu, click on Roles, and click the Create role button:

Account A — AWS IAM Role menu

Now you must select the trusted entity; in this case choose Another AWS account and enter the Account B number.

Then click Next:

Account A — Another AWS Account (Trusted Entity)

Click the Create policy button:

Account A — IAM Role Add permissions menu

This opens another tab in your browser, where you are prompted to create an AWS IAM policy.

To make it easy, click the JSON tab and you will see the following:

Account A — IAM Policy JSON permissions

Delete the default content and paste the following JSON.

You must replace the values enclosed in <> with the values described inside the brackets.

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Action": [
                "signer:PutSigningProfile",
                "signer:ListSigningJobs",
                "signer:ListSigningPlatforms",
                "signer:ListSigningProfiles",
                "signer:GetSigningPlatform"
            ],
            "Resource": "*",
            "Effect": "Allow",
            "Sid": "VisualEditor2"
        },
        {
            "Action": "signer:*",
            "Resource": [
                "arn:aws:signer:<region>:<Account A number>:/signing-jobs/*",
                "arn:aws:signer:<region>:<Account A number>:/signing-profiles/<Account A - Signer profile name>"
            ],
            "Effect": "Allow",
            "Sid": "VisualEditor1"
        }
    ]
}

Click Next, add a name and description for the AWS IAM Policy, then click the Create policy button.

Account A — Review AWS IAM Policy

Perfect, now go back to the tab where you were creating the AWS IAM Role.

Click the small refresh button so the new policy appears in the list.

Account A — IAM Role Add permissions refresh button

You should now see the recently created AWS IAM Policy; search for it, select it, and click Next.

Enter the desired AWS IAM Role name and description, then click the Create role button.

Account A — AWS IAM Role review

Keep the AWS IAM Role ARN at hand for the next steps (I redacted much of the information in the picture for security purposes):

Account A — AWS IAM Role ARN


Create CSC for AWS Lambda — Account B

The AWS Lambda service has a feature named Code Signing Configuration (CSC for short) which requires that your AWS Lambda packages (functions and layers) be signed.

Go to the AWS Lambda service and, in the left-hand side menu, click Code signing configurations in the Additional resources section:

Account B — AWS Lambda: Left-hand side menu

Click Create configuration:

Account A — CSC menu (Lambda Service)

There is a field called Signing validation policy; the option you choose determines how your AWS Lambda function instance reacts to packages that aren’t signed.

Warn: allows you to upload unsigned packages, but you will have to create an alarm in AWS CloudWatch to get notified.
Enforce: AWS Lambda does not let you continue until you upload a package signed with the AWS Signer profile you decide to use.

Account B — CSC validation policy options

To continue, add a description (it’s a best practice to do so).

In my case, for the validation policy I’ll choose Enforce.

In the Signing profile version ARN field you must enter the AWS Signer profile version ARN saved in the “AWS Signer Versioned ARN — Account A” section.

Then click Create configuration.

Account B — Create CSC (Lambda Service)


Cross Account IAM Policy — Account B

Before continuing with AWS Lambda, you must first create an AWS IAM Policy in Account B which allows AWS Lambda functions and layers to access the AWS Signer profile in Account A.

Go to AWS IAM:

Account B — AWS IAM search result

Access the left-hand menu, click on Policies, and click the Create Policy button:

Account B — AWS IAM Policy menu

To make it easy, click the JSON tab and you will see the following:

Account B — IAM Policy JSON permissions

Delete the default content and paste the following JSON.

You must replace the value enclosed in <> with the AWS IAM Role ARN saved in the “IAM Role — Account A” section.

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Action": "sts:AssumeRole",
            "Resource": "<Account A - AWS IAM Role ARN>",
            "Effect": "Allow"
        }
    ]
}

Click Next, add a name and description for the AWS IAM Policy, then click the Create policy button.

Account B — Review AWS IAM Policy
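The three documents above (the Account A role and its permissions policy, the Account B assume-role policy) and the CSC form from the previous section all hinge on a handful of ARNs and account numbers that are easy to mistype in the console. As an added example, not code from the original post, the script below builds each document from its inputs and refuses the two silent mistakes: a signing profile ARN that is not versioned, or one that lives in an account other than Account A. It assumes the documented ARN shapes noted in the comments and the parameter names of Lambda’s CreateCodeSigningConfig API; the 12-digit account numbers and profile name are made up, and nothing here calls AWS.

```python
"""Build and sanity-check the documents used to wire a Lambda Code Signing
Configuration in Account B to a signing profile in Account A.

Added example (not the post's own code). It assumes the ARN shapes below
and the CreateCodeSigningConfig parameter names; account numbers are
made up and nothing here calls AWS."""
import json
import re

# Assumed shape of a *versioned* signing profile ARN (the value copied from
# the "Versioned profile ARN" field in the AWS Signer console):
#   arn:aws:signer:<region>:<account>:/signing-profiles/<name>/<version-id>
PROFILE_VERSION_ARN = re.compile(
    r"^arn:aws:signer:(?P<region>[a-z0-9-]+):(?P<account>\d{12}):"
    r"/signing-profiles/(?P<name>[A-Za-z0-9_]+)/(?P<version>[A-Za-z0-9]+)$"
)
ROLE_ARN = re.compile(r"^arn:aws:iam::(?P<account>\d{12}):role/[\w+=,.@/-]+$")


def parse_profile_version_arn(arn):
    """Return (region, account, profile name, version id); reject an
    unversioned profile ARN, which a CSC would not accept."""
    m = PROFILE_VERSION_ARN.match(arn)
    if not m:
        raise ValueError(f"not a versioned signing profile ARN: {arn}")
    return m["region"], m["account"], m["name"], m["version"]


def account_a_trust_policy(account_b):
    """Trust policy the console generates for 'Another AWS account':
    only principals in Account B may assume the Account A role."""
    return {"Version": "2012-10-17",
            "Statement": [{"Effect": "Allow",
                           "Principal": {"AWS": f"arn:aws:iam::{account_b}:root"},
                           "Action": "sts:AssumeRole"}]}


def account_a_signer_policy(region, account_a, profile_name):
    """The post's Account A permissions policy with the <> placeholders
    filled in, so the resource ARNs cannot be mistyped by hand."""
    prefix = f"arn:aws:signer:{region}:{account_a}"
    return {
        "Version": "2012-10-17",
        "Statement": [
            {"Sid": "VisualEditor2", "Effect": "Allow", "Resource": "*",
             "Action": ["signer:PutSigningProfile", "signer:ListSigningJobs",
                        "signer:ListSigningPlatforms", "signer:ListSigningProfiles",
                        "signer:GetSigningPlatform"]},
            {"Sid": "VisualEditor1", "Effect": "Allow", "Action": "signer:*",
             "Resource": [f"{prefix}:/signing-jobs/*",
                          f"{prefix}:/signing-profiles/{profile_name}"]},
        ],
    }


def account_b_assume_role_policy(role_arn, account_a):
    """The post's Account B policy; also checks that the role really lives
    in Account A, so the Lambda execution role is not pointed elsewhere."""
    m = ROLE_ARN.match(role_arn)
    if not m:
        raise ValueError(f"not an IAM role ARN: {role_arn}")
    if m["account"] != account_a:
        raise ValueError(f"role is in {m['account']}, expected Account A {account_a}")
    return {"Version": "2012-10-17",
            "Statement": [{"Effect": "Allow", "Action": "sts:AssumeRole",
                           "Resource": role_arn}]}


def csc_request(profile_version_arn, account_a, description, enforce=True):
    """Body for the Account B CSC (the console form, or Lambda's
    CreateCodeSigningConfig API). Refuses a profile outside Account A."""
    _, account, _, _ = parse_profile_version_arn(profile_version_arn)
    if account != account_a:
        raise ValueError(f"profile is in {account}, expected Account A {account_a}")
    return {
        "Description": description,
        "AllowedPublishers": {"SigningProfileVersionArns": [profile_version_arn]},
        "CodeSigningPolicies": {
            "UntrustedArtifactOnDeployment": "Enforce" if enforce else "Warn"},
    }


if __name__ == "__main__":
    # Constructed sample values; replace them with your own.
    account_a, account_b, region = "111111111111", "222222222222", "us-east-1"
    profile_version = (f"arn:aws:signer:{region}:{account_a}"
                       ":/signing-profiles/LambdaProfile/AbCd1234eF")
    role_arn = f"arn:aws:iam::{account_a}:role/SignerCrossAccountRole"
    for doc in (account_a_trust_policy(account_b),
                account_a_signer_policy(region, account_a, "LambdaProfile"),
                account_b_assume_role_policy(role_arn, account_a),
                csc_request(profile_version, account_a, "Cross-account CSC")):
        print(json.dumps(doc, indent=2))
```

Run it once with your real values and paste the printed documents into the JSON editors described above; the trust policy is what the “Another AWS account” choice produces for you, so it is printed only so you can compare it with what the console generated.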


Add CSC in AWS Lambda Instance — Account B

In the AWS Lambda Service go to the left-hand side menu and click Functions.

Account B — AWS Lambda: Left-hand side menu

We’re going to create an AWS Lambda function to test our CSC. Click the Create function button.

Account B — AWS Lambda: Functions main menu

Fill in the required fields as you wish and once again click the Create function button.

Account B — AWS Lambda: Create function menu

Great, now open the function you just created, go to the Configuration tab, select the Code signing option and click the Edit button.

Account B — AWS Lambda: CSC configuration (Lambda Instance)

Now simply select the CSC you created in the AWS Lambda service and click Save.

Account B — AWS Lambda: Choose CSC (Lambda Instance)

Go back to the Configuration tab, select the Permissions option and click the Execution role link.

Account B — AWS Lambda permissions tab

This takes you to the AWS Lambda function’s execution role.

On the Permissions tab, click Add permissions, then click Attach policies:

Account B — AWS Lambda Execution Role: Policies menu

You will get a list of all the AWS IAM policies; select the AWS IAM Policy created in the “Cross Account IAM Policy — Account B” section.

Once selected, click the Attach policies button.

Account B — AWS IAM Attach policies button


Test — Account B

Now it’s time to test.

I’ll begin testing the AWS Lambda function by uploading a normal, unsigned package.

Go back to the Code tab and you’ll see a blue message indicating that you are no longer allowed to view the code inline, since you’ve configured a CSC on the AWS Lambda function instance.

Account B — AWS Lambda: Code menu

The AWS Lambda function now shows the following when you upload an unsigned package.

Account B — AWS Lambda: Unsigned package upload message

If you upload the signed package instead, you get the success message.

AWS Lambda: Signed package upload message


Conclusion

You are now able to link multiple AWS Lambda functions from different accounts to a single AWS Signer profile.

This makes it easier to structure and maintain your AWS Signer profiles and signing jobs in a single location.

It has been fun writing this post.

Any questions or comments, please let me know.

Hope you have a nice day. Thank you and Gracias!!!



Jean Velez Torres

Cloud Solutions Architect, Evertec, Inc.

@jeanvelez2
Hello Everyone! I'm Jean Velez, Cloud Solutions architect from Puerto Rico who wants to start out blogging. Always loved to teach others (not the best teacher, but still enjoy it). Works with AWS and Azure, and also a python enthusiast.