Configuring code signing for AWS SAM applications
You can use AWS SAM to enable code signing with your serverless applications to help ensure that only trusted code is deployed. For more information about the code signing feature, see Configuring code signing for Lambda functions in the AWS Lambda Developer Guide.
Before you can configure code signing for your serverless application, you must create a signing profile using AWS Signer. You use this signing profile for the following tasks:
-
Creating a code signing configuration – Declare an
AWS::Lambda::CodeSigningConfig
resource to specify the signing profiles of trusted publishers and to set the policy action for validation checks. You can declare this object in the same AWS SAM template as your serverless function, in a different AWS SAM template, or in an AWS CloudFormation template. You then enable code signing for a serverless function by specify theCodeSigningConfigArn
property the function with the Amazon Resource Name (ARN) of anAWS::Lambda::CodeSigningConfig
resource. -
Signing your code – Use the
sam package
orsam deploy
command with the--signing-profiles
option.
When you deploy a serverless application, Lambda performs validation checks on all functions that you've enabled code signing for. Lambda also performs validation checks on any layers that those functions depend on. For more information about Lambda's validation checks, see Signature validation in the AWS Lambda Developer Guide.
Example
Creating a signing profile
To create a signing profile, run the following command:
aws signer put-signing-profile --platform-id "AWSLambda-SHA384-ECDSA" --profile-name
MySigningProfile
If the previous command is successful, you see the signing profile's ARN returned. For example:
{ "arn": "arn:aws:signer:us-east-1:
111122223333
:/signing-profiles/MySigningProfile
", "profileVersion": "SAMPLEverx", "profileVersionArn": "arn:aws:signer:us-east-1:111122223333
:/signing-profiles/MySigningProfile
/SAMPLEverx" }
The profileVersionArn
field contains the ARN to use when you create
the code signing configuration.
Creating a code signing configuration and enabling code signing for a function
The following example AWS SAM template declares an AWS::Lambda::CodeSigningConfig
resource and enables
code signing for a Lambda function. In this example, there is one trusted profile,
and deployments are rejected if the signature checks fail.
Resources: HelloWorld: Type: AWS::Serverless::Function Properties: CodeUri: hello_world/ Handler: app.lambda_handler Runtime: python3.7 CodeSigningConfigArn: !Ref MySignedFunctionCodeSigningConfig MySignedFunctionCodeSigningConfig: Type: AWS::Lambda::CodeSigningConfig Properties: Description: "Code Signing for MySignedLambdaFunction" AllowedPublishers: SigningProfileVersionArns: -
MySigningProfile-profileVersionArn
CodeSigningPolicies: UntrustedArtifactOnDeployment: "Enforce"
Signing your code
You can sign your code when packaging or deploying your application. Specify the
--signing-profiles
option with either the sam package
or sam deploy
command, as shown in the following example
commands.
Signing your function code when packaging your application:
sam package --signing-profile
HelloWorld=MySigningProfile
--s3-buckettest-bucket
--output-template-file packaged.yaml
Signing both your function code and a layer that your function depends on, when packaging your application:
sam package --signing-profile
HelloWorld=MySigningProfile MyLayer=MySigningProfile
--s3-buckettest-bucket
--output-template-file packaged.yaml
Signing your function code and a layer, then performing a deployment:
sam deploy --signing-profile
HelloWorld=MySigningProfile MyLayer=MySigningProfile
--s3-buckettest-bucket
--template-file packaged.yaml --stack-name --region us-east-1 --capabilities CAPABILITY_IAM
Providing signing profiles
with sam deploy --guided
When you run the sam deploy --guided
command with a serverless
application that's configured with code signing, AWS SAM prompts you to provide the
signing profile to use for code signing. For more information about sam deploy
--guided
prompts, see sam deploy in the AWS SAM CLI command
reference.