Code signing helps ensure that only trusted code is deployed to your Lambda functions. Using AWS Signer, you can create digitally signed code packages for your functions. When you add a code signing configuration to a function, Lambda verifies that all new code deployments are signed by a trusted source. Because code signing validation checks run at deployment time, there is no impact on function execution.
Important
Code signing configurations only prevent new deployments of unsigned code. If you add a code signing configuration to an existing function that has unsigned code, that code keeps running until you deploy a new code package.
When you enable code signing for a function, any layers that you add to the function must also be signed by an allowed signing profile.
There is no additional charge for using AWS Signer or code signing for AWS Lambda.
Signature validation
Lambda performs the following validation checks when you deploy a signed code package to your function:
- Integrity: Validates that the code package has not been modified since it was signed. Lambda compares the hash of the package with the hash from the signature.
- Expiry: Validates that the signature of the code package has not expired.
- Mismatch: Validates that the code package is signed with an allowed signing profile.
- Revocation: Validates that the signature of the code package has not been revoked.
When you create a code signing configuration, you can use the UntrustedArtifactOnDeployment parameter to specify how Lambda should respond if the expiry, mismatch, or revocation checks fail. The integrity check is not governed by this setting. You can choose one of these actions:
- Warn: This is the default setting. Lambda allows the deployment of the code package but issues a warning. Lambda emits an Amazon CloudWatch metric and also records the warning in the CloudTrail log.
- Enforce: Lambda issues a warning (the same as for the Warn action) and blocks the deployment of the code package.
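The following Python is added here as an illustration and is not AWS or Lambda code. It models the four deployment-time checks and the Warn/Enforce policy described above against a locally constructed package and signature, so the difference between the two policies can be exercised offline. The Signature and CodeSigningConfig classes, the sample signing-profile ARNs, the SHA-384 digest and the sample package bytes are the example's own assumptions (AWS Signer's real signature format is not modelled). The model treats an integrity failure as blocking under both policies, because the UntrustedArtifactOnDeployment setting as described covers only the expiry, mismatch and revocation checks.

```python
import hashlib
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone
from typing import Dict, FrozenSet, List, Optional


@dataclass(frozen=True)
class Signature:
    """What the model keeps from a signing job: the package digest recorded
    at signing time, the signing profile that produced it, and its lifetime.
    This is an assumed shape, not AWS Signer's actual signature format."""
    package_sha384: str
    signing_profile_arn: str
    expires_at: datetime
    revoked: bool = False


@dataclass(frozen=True)
class CodeSigningConfig:
    """The two parts of a Lambda code signing configuration that matter here:
    the allowed signing profiles and the UntrustedArtifactOnDeployment policy."""
    allowed_profile_arns: FrozenSet[str]
    untrusted_artifact_on_deployment: str = "Warn"  # "Warn" (default) or "Enforce"

    def __post_init__(self):
        if self.untrusted_artifact_on_deployment not in ("Warn", "Enforce"):
            raise ValueError("UntrustedArtifactOnDeployment must be Warn or Enforce")


@dataclass
class DeploymentResult:
    deployed: bool
    warnings: List[str] = field(default_factory=list)  # checks that failed
    blocked_by: Optional[str] = None                   # check that stopped the deployment


def sign_package(package: bytes, profile_arn: str, validity: timedelta, now: datetime) -> Signature:
    """Stand-in for an AWS Signer signing job: bind the package digest to a profile."""
    return Signature(hashlib.sha384(package).hexdigest(), profile_arn, now + validity)


def run_checks(package: bytes, sig: Signature, config: CodeSigningConfig, now: datetime) -> Dict[str, bool]:
    """The four deployment-time checks; True means the check passed."""
    return {
        "integrity": hashlib.sha384(package).hexdigest() == sig.package_sha384,
        "expiry": now < sig.expires_at,
        "mismatch": sig.signing_profile_arn in config.allowed_profile_arns,
        "revocation": not sig.revoked,
    }


def deploy(package: bytes, sig: Signature, config: CodeSigningConfig,
           now: Optional[datetime] = None) -> DeploymentResult:
    """Apply the checks and the Warn/Enforce policy to a new code deployment."""
    now = now or datetime.now(timezone.utc)
    checks = run_checks(package, sig, config, now)
    if not checks["integrity"]:
        # A package whose digest no longer matches its signature is never
        # deployed; the policy below covers only the other three checks.
        return DeploymentResult(deployed=False, blocked_by="integrity")
    failed = [name for name, ok in checks.items() if not ok]
    if not failed:
        return DeploymentResult(deployed=True)
    # In Lambda a failed check surfaces as a CloudWatch metric and a CloudTrail
    # entry under both policies; Enforce additionally blocks the deployment.
    if config.untrusted_artifact_on_deployment == "Enforce":
        return DeploymentResult(deployed=False, warnings=failed, blocked_by=failed[0])
    return DeploymentResult(deployed=True, warnings=failed)


# Constructed sample data for a stand-alone run (ARNs are hypothetical).
TRUSTED_PROFILE = "arn:aws:signer:us-east-1:123456789012:/signing-profiles/example/abc123"
ROGUE_PROFILE = "arn:aws:signer:us-east-1:123456789012:/signing-profiles/unknown/def456"
SIGNED_AT = datetime(2024, 1, 1, tzinfo=timezone.utc)
VALIDITY = timedelta(days=30)
AFTER_EXPIRY = SIGNED_AT + timedelta(days=31)
PACKAGE = b"PK\x03\x04 constructed stand-in for a Lambda .zip deployment package"

if __name__ == "__main__":
    sig = sign_package(PACKAGE, TRUSTED_PROFILE, VALIDITY, SIGNED_AT)
    rogue = sign_package(PACKAGE, ROGUE_PROFILE, VALIDITY, SIGNED_AT)
    for policy in ("Warn", "Enforce"):
        cfg = CodeSigningConfig(frozenset({TRUSTED_PROFILE}), policy)
        print(policy, "trusted: ", deploy(PACKAGE, sig, cfg, SIGNED_AT))
        print(policy, "tampered:", deploy(PACKAGE + b"\x00", sig, cfg, SIGNED_AT))
        print(policy, "expired: ", deploy(PACKAGE, sig, cfg, AFTER_EXPIRY))
        print(policy, "mismatch:", deploy(PACKAGE, rogue, cfg, SIGNED_AT))
```

Running the script shows the practical difference: under Warn an expired or mismatched signature still deploys and only records a warning, while a tampered package is refused under both policies, which is why Enforce is the setting to use once every deployment path produces signed artifacts.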