AWS provides a service named AWS Signer, which is a code-signing service that helps establish the trustworthiness of your code when uploading it to the Lambda Function or IoT services at AWS.
This post will show the concepts related to the AWS Signer service and a brief demo.
Keeps the integrity of your AWS Lambda code intact
AWS provides a service named AWS Signer, which is a code-signing service that helps establish the trustworthiness of your code when uploading it to the Lambda Function or IoT services at AWS.
More details: https://docs.aws.amazon.com/it_it/signer/latest/developerguide/Welcome.html
I enjoy working with AWS Signer because it provides an assurance of my code that avoids others tampering with it, but it also brings a bit of confusion when signing packages at first.
This post will show the concepts related to the AWS Signer service and a brief demo.
Prerequisites:
The IAM user that you will be using must have permissions to the AWS Signer, AWS Lambda, and Amazon S3 Services.
Signer Profiles:
AWS Signer profile is the standard of how you’re going to sign your code.
In the AWS Console, all you must do is provide the profile name and the period for how long each signature that is created through the profile will be valid.
AWS Signer: Create Signing profile
If your AWS Signer profile is just for signing AWS Lambda code, then the AWS Console is available, but for any of the other services, it must be created programmatically (CLI or SDK).
Signing Jobs:
It is the execution in which you sign your AWS Lambda package. For the time being, packages can only be signed from Amazon S3 Buckets.
Prerequisites to Sign packages are the following:
- Amazon S3 Bucket must have versioning enabled. AWS Signer requires you to provide the Version ID of the Amazon S3 Object you wish to sign.
- Packages for your AWS Lambda functions and AWS Lambda layers must be compressed in zip format.
If you’re ready to continue, now I will show you the steps on how to sign a package and upload it to an AWS Lambda function.
Demo — Create Signer Profile:
First, you must sign in to your aws.amazon.com account and access the AWS Signer Service.
AWS Signer: Search results
You must then access Signing profiles and click the only orange button there.
AWS Signer: Signing profile main menu
Fill in the required fields as you please and press another orange button (I will continue to say the colors of the button to see if you’re really paying attention).
AWS Signer: Create Signing profile
And boom! Just like that, you have created your Signing profile.
Now the next step will be signing your desired package.
Demo — Create Signing Job:
Once inside the AWS Signer Service, then you must go to the left-hand side menu and access Signing jobs.
AWS Signer: Left-hand side menu
Once inside you’re going to see another orange button (Shocker!!!) which you will click.
AWS Signer — Signing Jobs main menu
There you will define which AWS Signer profile you’re going to use, the Amazon S3 object you’re going to sign, and where in Amazon S3 you’re going to store the Signed package.
Remember Amazon S3 bucket must have versioning enabled.
You must upload the package after enabling versioning (you will not have the Version ID of the Object if its already in the Amazon S3 Bucket beforehand).
AWS Signer: Start Signing Job
Once the package is signed, then a Signing Job ID is generated. If you click on it, then you’re going to see more information about the signed package.
AWS Signer: Signing Job details
Go to the destination bucket in Amazon S3 and you’ll see the name changed.
Amazon S3 Bucket : Signed Lambda package
Hmmm, the new package name, looks familiar, doesn’t it?
As you can see it grabs the Signing Job ID and it is used to replace the object name (a bit annoying, but understandable).
Now we’re going to configure the Code Signing Configuration (CSC for short) to the AWS Lambda Service to use the AWS Signer profile you just created.
Demo — Add CSC in Lambda Service:
Before starting with AWS Lambda, we must go back to AWS Signer and grab an important value.
Go back to the AWS Signer profile we’ve created; in the details, you’ll see the Versioned profile ARN. That is the value you’ll need when configuring AWS Lambda — CSC.
Of course, you’ll see more information when you create it in your own AWS Account because my AWS Account is very shy (Unlike its owner).
AWS Signer: Signer profile details
Go to the AWS Lambda Service, and you’ll see a lot of options on the left-hand side menu, but the one we are interested in is the Code Signing Configuration in the Additional resources section which you’ll access.
AWS Lambda: Left-hand side menu
Once inside guess what?
Another orange button you must click (You’re stuck with my lame jokes until the end).
AWS Lambda: CSC menu (Lambda Service)
There is a curious field called Signing validation policy, it is an option you must choose that determines how your AWS Lambda function instance will react to your packages if they aren’t signed.
Warn: Allows you to upload unsigned packages, but you will have to create an alarm in AWS CloudWatch to get notified.
Enforce: AWS Lambda strictly allows you to continue until you upload a signed package with the AWS Signer profile you decide to use.
AWS Lambda: CSC validation policy options
To continue you must add a description (best practice to do so), a Versioned ARN of the AWS Signer profile mentioned earlier, and the validation policy you desire.
In my case for the validation policy, I’ll choose Enforce.
Then click the Create configuration button(I’ll stop saying the orange button).
AWS Lambda: Create CSC (Lambda Service)
Perfect, now for the last step you must configure the CSC in the AWS Lambda instance you create.
Demo — Add CSC in Lambda Instance:
In the AWS Lambda Service go to the left-hand side menu and click Functions.
AWS Lambda: Left-hand side menu
We’re going to create a simple AWS Lambda function to test our CSC, Click the Create Function button.
AWS Lambda: Functions main menu
Fill in the required fields as you wish and once again click Create Function button.
AWS Lambda: Create function menu
Great, now we access the function you just created, go to the Configuration tab, and access the Code Signing Configuration option for which you will click the Edit button.
AWS Lambda: CSC configuration (Lambda Instance).
Now you just simply select the CSC you’ve created in the AWS Lambda Service and click Save.
AWS Lambda: Choose CSC (Lambda Instance)
Now it’s the time for testing out (Can’t wait for the adrenaline boost).
I’ll begin testing the AWS Lambda function by uploading a normal unsigned package.
Go back to the Code tab and you’ll a blue message which indicates that you’re no longer allowed to view the code from now on since you’ve configured CSC in the AWS Lambda function instance.
AWS Lambda: Code menu
Now AWS Lambda function shows the following when you upload an unsigned package (Pardon the badly edited out information).
AWS Lambda: Unsigned package upload message
Now if you upload the signed package, you will get the success message.
AWS Lambda: Signed package upload message
Conclusion
These are the simple, but long steps to signing your AWS Lambda packages.
The following post allows you to sign packages Cross Accounts (If interested in learning more):
AWS Signer — Cross Account pt. 1
Also, the following posts on how to automate signing the packages as they are uploaded to the Amazon S3 bucket (programmatically, of course).
Automatically Sign your AWS Lambda packages
Let me know if you have any comments and hope you find this useful.
Thank you and Gracias!!!
Share with your friends and followers
Start blogging about your favorite technologies, reach more readers and earn rewards!
Join other developers and claim your FAUN account now!
User Popularity
73
Influence
6k
Total Hits
6
Posts
Read, Learn, Know, Teach
Hand curated newsletters for Developers, private Slack with like minded people, podcasts, job offers, news and more!
Only registered users can post comments. Please, login or signup.