AWS provides a managed code-signing service named AWS Signer. You sign the code you deploy to AWS Lambda or to AWS IoT devices, and the consuming service verifies the signature, so it can establish that the package has not been altered since you signed it.
More details: https://docs.aws.amazon.com/it_it/signer/latest/developerguide/Welcome.html
I enjoy working with AWS Signer because it gives me assurance that others cannot tamper with my code, but it also brings a bit of confusion when signing packages at first.
This post will show the concepts related to the AWS Signer service and a brief demo.
The IAM user (or role) that you will be using must have permissions for the AWS Signer, AWS Lambda, and Amazon S3 services. Scope them as tightly as you can: signing only needs to read the source bucket, write the destination bucket, and use the one signing profile you create.
Signing Profiles:
A Signing profile defines how your code is going to be signed: the platform it targets (for example AWS Lambda) and how long each signature created through the profile remains valid.
In the AWS Console, all you must do is provide the profile name and the signature validity period; every signature produced through the profile expires after that period.
If your AWS Signer profile is only for signing AWS Lambda code, then the AWS Console is enough, but profiles for any of the other platforms must be created programmatically (CLI or SDK).
Signing Jobs:
A Signing job is the execution in which you sign your AWS Lambda package against a Signing profile. For the time being, packages can only be signed from Amazon S3 buckets.
Prerequisites to sign packages are the following: the source package must sit in an Amazon S3 bucket with versioning enabled (Signer signs a specific object version), you need a destination bucket for the signed output, and your IAM principal needs the permissions mentioned above.
If you’re ready to continue, now I will show you the steps on how to sign a package and upload it to an AWS Lambda function.
Demo — Create Signer Profile:
First, you must sign in to the AWS Management Console and open the AWS Signer service.
You must then open Signing profiles and click the only orange button there.
Fill in the required fields as you please and press another orange button (I will continue to say the colors of the button to see if you’re really paying attention).
And boom! Just like that, you have created your Signing profile.
Now the next step will be signing your desired package.
Demo — Create Signing Job:
Once inside the AWS Signer Service, then you must go to the left-hand side menu and access Signing jobs.
Once inside you’re going to see another orange button (Shocker!!!) which you will click.
There you will define which AWS Signer profile you’re going to use, the Amazon S3 object you’re going to sign, and where in Amazon S3 you’re going to store the Signed package.
Remember that the source Amazon S3 bucket must have versioning enabled.
You must upload the package after enabling versioning: objects that were already in the bucket beforehand carry no real Version ID (Amazon S3 reports it as null), and Signer needs a specific version to sign.
Once the package is signed, then a Signing Job ID is generated. If you click on it, then you’re going to see more information about the signed package.
Go to the destination bucket in Amazon S3 and you’ll see the name changed.
Hmmm, the new package name, looks familiar, doesn’t it?
As you can see, the signed object is named after the Signing Job ID and the original object name is not preserved (a bit annoying, but understandable). Record the job ID, or read the signed object's key back from the job details, rather than assuming the original name.
Now we're going to create a Code Signing Configuration (CSC for short) in the AWS Lambda service that trusts the AWS Signer profile you just created.
Demo — Add CSC in Lambda Service:
Before starting with AWS Lambda, we must go back to AWS Signer and grab an important value.
Go back to the AWS Signer profile we've created; in the details, you'll see the Versioned profile ARN. That is the value you'll need when configuring the AWS Lambda CSC: Lambda pins the configuration to a specific profile version, so the plain profile ARN will not do.
Of course, you’ll see more information when you create it in your own AWS Account because my AWS Account is very shy (Unlike its owner).
Go to the AWS Lambda service, and you'll see a lot of options on the left-hand side menu, but the one we are interested in is Code signing configurations in the Additional resources section.
Once inside guess what?
Another orange button you must click (You’re stuck with my lame jokes until the end).
There is a curious field called Signature validation policy. It determines how AWS Lambda reacts when a package you deploy fails signature validation (for example, it is unsigned, or it was signed with a profile that is not in the configuration).
Warn: Lambda allows the deployment to continue but records a warning (a CloudWatch metric and a CloudTrail entry). Nothing notifies you on its own, so you will have to create a CloudWatch alarm to get notified.
Enforce: Lambda rejects the deployment and keeps the current code until you upload a package signed with one of the AWS Signer profiles listed in the configuration.
To continue you must add a description (best practice to do so), a Versioned ARN of the AWS Signer profile mentioned earlier, and the validation policy you desire.
In my case for the validation policy, I’ll choose Enforce.
Then click the Create configuration button(I’ll stop saying the orange button).
Perfect, now for the last step you must attach the CSC to the AWS Lambda function you create.
Demo — Add CSC in Lambda Instance:
In the AWS Lambda Service go to the left-hand side menu and click Functions.
We’re going to create a simple AWS Lambda function to test our CSC, Click the Create Function button.
Fill in the required fields as you wish and once again click Create Function button.
Great, now we access the function you just created, go to the Configuration tab, and access the Code Signing Configuration option for which you will click the Edit button.
Now you just simply select the CSC you’ve created in the AWS Lambda Service and click Save.
Now it’s the time for testing out (Can’t wait for the adrenaline boost).
I’ll begin testing the AWS Lambda function by uploading a normal unsigned package.
Go back to the Code tab and you'll see a blue message indicating that the inline code editor is no longer available: now that a CSC is attached, the function's code can no longer be viewed or edited in the console, only deployed as a package.
With the policy set to Enforce, AWS Lambda rejects the upload with an error when you deploy the unsigned package (pardon the badly edited out information in the screenshot).
Now if you upload the signed package, you will get the success message.
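The whole demo above (Signing profile, Signing job, CSC, attaching it, deploying) can be done programmatically, which is also the only way to create profiles for platforms other than Lambda. The script below is an added example, not code from the original post or from AWS; it uses the boto3 AWS SDK and the real Signer and Lambda API operations, while the profile, bucket and function names are hypothetical placeholders. The pure helper functions encode the two pitfalls the post hits: an object uploaded before versioning was enabled has no usable Version ID, and the signed object's key is derived from the job ID rather than the original name, so it is read back from the job instead of guessed.

```python
"""Sign a Lambda package with AWS Signer and deploy it under an Enforce CSC.

Added example (not from the original post). Names below are hypothetical:
profile 'lambda-signer-demo', buckets 'my-unsigned-artifacts' and
'my-signed-artifacts', function 'signer-demo-fn'. The live flow needs boto3
and AWS credentials; the helper functions run offline.
"""
import time

PLATFORM_LAMBDA = "AWSLambda-SHA384-ECDSA"  # the Signer platform Lambda accepts


def require_version_id(head):
    """Return the S3 object's VersionId from a head_object response, refusing
    objects uploaded before versioning was enabled (S3 reports them as 'null')."""
    vid = head.get("VersionId")
    if not vid or vid == "null":
        raise ValueError("object has no version ID: enable bucket versioning, then re-upload")
    return vid


def signing_job_request(profile, src_bucket, src_key, version_id, dst_bucket, dst_prefix):
    """Arguments for start_signing_job; Signer only reads a specific object version."""
    return {
        "profileName": profile,
        "source": {"s3": {"bucketName": src_bucket, "key": src_key, "version": version_id}},
        "destination": {"s3": {"bucketName": dst_bucket, "prefix": dst_prefix}},
    }


def code_signing_config_request(profile_version_arn, policy="Enforce", description=""):
    """Arguments for create_code_signing_config, pinned to a profile *version* ARN."""
    if policy not in ("Warn", "Enforce"):
        raise ValueError("policy must be 'Warn' or 'Enforce'")
    return {
        "Description": description,
        "AllowedPublishers": {"SigningProfileVersionArns": [profile_version_arn]},
        "CodeSigningPolicies": {"UntrustedArtifactOnDeployment": policy},
    }


def signed_object(job):
    """(bucket, key) of the signed package from a describe_signing_job response.
    The key is derived from the job ID, so read it back rather than guess it."""
    s3 = job["signedObject"]["s3"]
    return s3["bucketName"], s3["key"]


def wait_for_job(signer, job_id, timeout=300):
    """Poll describe_signing_job until the job succeeds, fails, or times out."""
    deadline = time.time() + timeout
    while time.time() < deadline:
        job = signer.describe_signing_job(jobId=job_id)
        if job["status"] == "Succeeded":
            return job
        if job["status"] == "Failed":
            raise RuntimeError(f"signing job {job_id} failed: {job.get('statusReason')}")
        time.sleep(5)
    raise TimeoutError(f"signing job {job_id} did not finish in {timeout}s")


def sign_and_deploy(profile, src_bucket, src_key, dst_bucket, dst_prefix,
                    function_name, policy="Enforce", validity_months=135):
    """Run the post's demo end to end and return the signed (bucket, key)."""
    import boto3  # imported here so the helpers above run without boto3 installed
    s3, signer, lam = boto3.client("s3"), boto3.client("signer"), boto3.client("lambda")

    # 1. Signing profile (put_signing_profile also updates an existing profile).
    prof = signer.put_signing_profile(
        profileName=profile, platformId=PLATFORM_LAMBDA,
        signatureValidityPeriod={"value": validity_months, "type": "MONTHS"})

    # 2. Signing job over the versioned source object.
    version_id = require_version_id(s3.head_object(Bucket=src_bucket, Key=src_key))
    job_id = signer.start_signing_job(
        **signing_job_request(profile, src_bucket, src_key, version_id, dst_bucket, dst_prefix))["jobId"]
    bucket, key = signed_object(wait_for_job(signer, job_id))

    # 3. CSC trusting only this profile version, attached to the function.
    csc = lam.create_code_signing_config(
        **code_signing_config_request(prof["profileVersionArn"], policy, f"CSC for {function_name}"))
    lam.put_function_code_signing_config(
        CodeSigningConfigArn=csc["CodeSigningConfig"]["CodeSigningConfigArn"], FunctionName=function_name)

    # 4. Deploy the signed artifact. Under Enforce, an unsigned upload here is rejected.
    lam.update_function_code(FunctionName=function_name, S3Bucket=bucket, S3Key=key)
    return bucket, key


if __name__ == "__main__":
    print(sign_and_deploy("lambda-signer-demo", "my-unsigned-artifacts", "function.zip",
                          "my-signed-artifacts", "signed/", "signer-demo-fn"))
```

Run the unsigned `update_function_code` again after step 3 to reproduce the rejection the post shows; with the policy set to `Warn` instead, the call succeeds and only the CloudWatch metric and CloudTrail entry record the failed check.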
Conclusion
These are the simple, but long, steps to signing your AWS Lambda packages.
The following post shows how to sign packages across accounts (if you are interested in learning more):
Also, the following post shows how to automate signing packages as they are uploaded to the Amazon S3 bucket (programmatically, of course).
Let me know if you have any comments and hope you find this useful.
Thank you and Gracias!!!