Join us

Sign your AWS Lambda packages

Photo by Unsplash

AWS provides a service named AWS Signer, which is a code-signing service that helps establish the trustworthiness of your code when uploading it to the Lambda Function or IoT services at AWS.

This post will show the concepts related to the AWS Signer service and a brief demo.

Keeps the integrity of your AWS Lambda code intact

AWS provides a service named AWS Signer, which is a code-signing service that helps establish the trustworthiness of your code when uploading it to the Lambda Function or IoT services at AWS.

More details: https://docs.aws.amazon.com/it_it/signer/latest/developerguide/Welcome.html

I enjoy working with AWS Signer because it provides an assurance of my code that avoids others tampering with it, but it also brings a bit of confusion when signing packages at first.

This post will show the concepts related to the AWS Signer service and a brief demo.


Prerequisites:

The IAM user that you will be using must have permissions to the AWS Signer, AWS Lambda, and Amazon S3 Services.


Signer Profiles:

AWS Signer profile is the standard of how you’re going to sign your code.

In the AWS Console, all you must do is provide the profile name and the period for how long each signature that is created through the profile will be valid.

AWS Signer: Create Signing profile

If your AWS Signer profile is just for signing AWS Lambda code, then the AWS Console is available, but for any of the other services, it must be created programmatically (CLI or SDK).

Signing Jobs:

It is the execution in which you sign your AWS Lambda package. For the time being, packages can only be signed from Amazon S3 Buckets.

Prerequisites to Sign packages are the following:

  1. Amazon S3 Bucket must have versioning enabled. AWS Signer requires you to provide the Version ID of the Amazon S3 Object you wish to sign.
  2. Packages for your AWS Lambda functions and AWS Lambda layers must be compressed in zip format.

If you’re ready to continue, now I will show you the steps on how to sign a package and upload it to an AWS Lambda function.


Demo — Create Signer Profile:

First, you must sign in to your aws.amazon.com account and access the AWS Signer Service.

AWS Signer: Search results

You must then access Signing profiles and click the only orange button there.

AWS Signer: Signing profile main menu

Fill in the required fields as you please and press another orange button (I will continue to say the colors of the button to see if you’re really paying attention).

AWS Signer: Create Signing profile

And boom! Just like that, you have created your Signing profile.

Now the next step will be signing your desired package.


Demo — Create Signing Job:

Once inside the AWS Signer Service, then you must go to the left-hand side menu and access Signing jobs.

AWS Signer: Left-hand side menu

Once inside you’re going to see another orange button (Shocker!!!) which you will click.

AWS Signer — Signing Jobs main menu

There you will define which AWS Signer profile you’re going to use, the Amazon S3 object you’re going to sign, and where in Amazon S3 you’re going to store the Signed package.

Remember Amazon S3 bucket must have versioning enabled.
You must upload the package after enabling versioning (you will not have the Version ID of the Object if its already in the Amazon S3 Bucket beforehand).

AWS Signer: Start Signing Job

Once the package is signed, then a Signing Job ID is generated. If you click on it, then you’re going to see more information about the signed package.

AWS Signer: Signing Job details

Go to the destination bucket in Amazon S3 and you’ll see the name changed.

Amazon S3 Bucket : Signed Lambda package

Hmmm, the new package name, looks familiar, doesn’t it?

As you can see it grabs the Signing Job ID and it is used to replace the object name (a bit annoying, but understandable).

Now we’re going to configure the Code Signing Configuration (CSC for short) to the AWS Lambda Service to use the AWS Signer profile you just created.


Demo — Add CSC in Lambda Service:

Before starting with AWS Lambda, we must go back to AWS Signer and grab an important value.

Go back to the AWS Signer profile we’ve created; in the details, you’ll see the Versioned profile ARN. That is the value you’ll need when configuring AWS Lambda — CSC.

Of course, you’ll see more information when you create it in your own AWS Account because my AWS Account is very shy (Unlike its owner).

AWS Signer: Signer profile details

Go to the AWS Lambda Service, and you’ll see a lot of options on the left-hand side menu, but the one we are interested in is the Code Signing Configuration in the Additional resources section which you’ll access.

AWS Lambda: Left-hand side menu

Once inside guess what?

Another orange button you must click (You’re stuck with my lame jokes until the end).

AWS Lambda: CSC menu (Lambda Service)

There is a curious field called Signing validation policy, it is an option you must choose that determines how your AWS Lambda function instance will react to your packages if they aren’t signed.

Warn: Allows you to upload unsigned packages, but you will have to create an alarm in AWS CloudWatch to get notified.
Enforce: AWS Lambda strictly allows you to continue until you upload a signed package with the AWS Signer profile you decide to use.

AWS Lambda: CSC validation policy options

To continue you must add a description (best practice to do so), a Versioned ARN of the AWS Signer profile mentioned earlier, and the validation policy you desire.

In my case for the validation policy, I’ll choose Enforce.

Then click the Create configuration button(I’ll stop saying the orange button).

AWS Lambda: Create CSC (Lambda Service)

Perfect, now for the last step you must configure the CSC in the AWS Lambda instance you create.


Demo — Add CSC in Lambda Instance:

In the AWS Lambda Service go to the left-hand side menu and click Functions.

AWS Lambda: Left-hand side menu

We’re going to create a simple AWS Lambda function to test our CSC, Click the Create Function button.

AWS Lambda: Functions main menu

Fill in the required fields as you wish and once again click Create Function button.

AWS Lambda: Create function menu

Great, now we access the function you just created, go to the Configuration tab, and access the Code Signing Configuration option for which you will click the Edit button.

AWS Lambda: CSC configuration (Lambda Instance).

Now you just simply select the CSC you’ve created in the AWS Lambda Service and click Save.

AWS Lambda: Choose CSC (Lambda Instance)

Now it’s the time for testing out (Can’t wait for the adrenaline boost).

I’ll begin testing the AWS Lambda function by uploading a normal unsigned package.

Go back to the Code tab and you’ll a blue message which indicates that you’re no longer allowed to view the code from now on since you’ve configured CSC in the AWS Lambda function instance.

AWS Lambda: Code menu

Now AWS Lambda function shows the following when you upload an unsigned package (Pardon the badly edited out information).

AWS Lambda: Unsigned package upload message

Now if you upload the signed package, you will get the success message.

AWS Lambda: Signed package upload message

Conclusion

These are the simple, but long steps to signing your AWS Lambda packages.

The following post allows you to sign packages Cross Accounts (If interested in learning more):

AWS Signer — Cross Account pt. 1

Also, the following posts on how to automate signing the packages as they are uploaded to the Amazon S3 bucket (programmatically, of course).

Automatically Sign your AWS Lambda packages

Let me know if you have any comments and hope you find this useful.

Thank you and Gracias!!!


Only registered users can post comments. Please, login or signup.

Start blogging about your favorite technologies, reach more readers and earn rewards!

Join other developers and claim your FAUN account now!

User Popularity
67

Influence

7k

Total Hits

6

Posts