Understanding AWS Lambda Code Signing
AWS Lambda is a serverless computing service provided by Amazon Web Services (AWS). AWS Lambda Code Signing is a security feature that allows you to digitally sign your Lambda functions before deploying them. This ensures that the code has not been tampered with and that it originates from a trusted source.
The process of AWS Lambda Code Signing involves creating a code signing certificate, configuring your Lambda function to use the certificate, and then signing your code before uploading it to AWS Lambda. This helps to protect your applications from unauthorized modifications and enhances the overall security of your serverless infrastructure.
Key Takeaways
- Code signing proves the authenticity and integrity of code by cryptographically signing it.
- Lambda code signing applies specifically to signing AWS Lambda functions for added security.
- Signing Lambda functions helps prevent tampering and builds trust for serverless apps.
- Lambda code signing uses standard cryptographic techniques like private keys and digital signatures.
- AWS Lambda natively supports code signing through signing profiles and the Code Signing for AWS Lambda feature.
- Developers can sign Lambda functions manually or automatically using the AWS CLI, SAM, SDKs, and other tools.
- Code signing verifies that the function code has not changed since the trusted developer signed it.
- Signed Lambda functions protect against supply chain attacks and tampering.
Why Sign Lambda Functions?
Signing AWS Lambda functions provides multiple security and integrity benefits:
- Authenticity: Signing proves to AWS and consumers that the expected developer created the function and that it has not been forged or faked by someone else.
- Integrity: The signature verifies that no changes or tampering have occurred since the function was signed. This prevents both intentional and unintentional modifications.
- Malware prevention: Signed functions cannot contain malware or backdoors added after signing without breaking the signature. This helps block corrupted code.
- Supply chain security: Lambda signing protects the serverless software supply chain against vulnerability inserts and prevents vendor tampering.
- Compliance: Digital signatures help meet audit and compliance requirements regarding software integrity for standards like PCI DSS, ISO 27001, and FedRAMP.
- Reputational security: Signing avoids negative publicity and loss of trust that could result from users receiving corrupted or malicious Lambda functions.
These protections give consumers more confidence in downloading, installing, and executing your Lambda functions. Just like users trust signed apps and binaries more than unsigned ones, signed Lambda functions benefit from improved integrity perceptions.
How Does Lambda Code Signing Work?
Lambda code signing relies on standard public key cryptography techniques under the hood. Here is an overview of how the signing and validation process works:
- The Lambda function developer generates a public/private key pair. The private key is securely stored and kept secret.
- The developer signs their Lambda function code using their private key before publishing, producing a unique digital signature value.
- The signature and public key are bundled with the function code when distributed.
- AWS or the function consumer validates the code’s signature against the included public key to verify integrity.
- If the signature matches, the code has been proven authentic and unmodified since signing.
- Any changes to the function code will invalidate the signature and be detected at validation.
This allows both AWS and function consumers to cryptographically verify that the code they receive matches the original signed code from the trusted developer. The private keys used for signing are not shared publicly.
AWS Lambda natively supports code signing workflows through features like signing profiles and Code Signing for AWS Lambda. Tools for signing Lambda functions prior to deployment are also available. We’ll explore some options later.
First, let’s look at how Lambda handles code signing on the service side after functions are published.
How AWS Lambda Validates Signed Code
When you publish a signed Lambda function to AWS, the service automatically detects and validates the code signature before accepting the function. Here is how AWS Lambda performs this validation:
- Lambda checks the function bundle for a digital signature representing a cryptographic hash of the function code.
- It fetches the public key included with the function.
- Lambda validates the signature against the public key to verify it matches the function code.
- If the signature is valid, the code is guaranteed authentic and unmodified per the signature.
- The function passes validation, and AWS accepts and finalizes the code.
- If the signatures do not match, validation fails, and AWS rejects the function with an error.
- Any runtime changes to signed functions on AWS will invalidate the signature and break the functions.
This verification happens every time a signed function is published or updated in Lambda. Once deployed, the function code itself is immutable, further preventing tampering.
AWS uses Code Signing Certificates for Public Keys (CSCPK) on the back end during validation. These CSCPK certificates establish trust with the public keys associated with your signing key pairs.
How to Sign AWS Lambda Functions
Signing your Lambda functions involves:
- Generating a public/private key pair.
- Cryptographically, signing the code with the private key.
- Bundling the public key with the function bundle.
There are two main approaches to signing Lambda functions:
Manual signing: You perform the signing process manually on your own before uploading functions to AWS.
Automated signing: Signing is handled automatically through tools like the AWS CLI, SAM, or SDKs.
The manual process involves:
- Creating a key pair (or using an existing one)
- Hashing and signing the function code with the private key
- Including the public key and other signature files in the deployment package
- Uploading the signed zip bundle to Lambda
Automated workflows handle these steps for you behind the scenes. For example, the AWS CLI can sign function bundles on-the-fly during deployment through a signing profile.
Let’s look next at AWS signing profiles, which can be used to manage keys and control how signing happens.
AWS Signing Profiles
AWS signing profiles provide an easy way to manage the public/private key pairs used for signing Lambda functions.
Signing profiles allows you to:
- Generate new key pairs through AWS or import existing ones
- Associate public keys with a Code Signing for the AWS Lambda certificate
- Configure how signing is handled in different environments
- Enable signing through services like the AWS CLI and CloudFormation
Signing profiles can be created through the AWS Management Console, AWS CLI, CloudFormation, or programmatically through SDKs like Boto3.
When generating keys, you can select from 2048-bit or 4096-bit RSA key pairs. 4096-bit provides enhanced security but comes with slightly higher compute overhead.
The signing profile contains information like:
- Key pair ID
- Public key value
- Code signing certificate ARN
- Platform details like runtimes
Signing profiles integrate with AWS services to enable simplified code signing. For example, CLI commands can reference a profile to activate signing during function deployment.
Next, let’s look at how actually to implement code signing using the CLI and signing profiles.
Signing Lambda Functions with AWS CLI
The AWS Command Line Interface provides built-in support for signing Lambda functions using signing profiles.
Here is an overview of deploying signed functions with the AWS CLI:
- Create a signing profile with aws signer put-signing-profile
- Reference the profile when packaging the function code using –signing-profile
- The CLI signs the code during zipping using the profile’s key pair
- Deploy the zip bundle to Lambda with aws lambda create-function
- Lambda validates the function code signature on upload
- The signed function is deployed and protected from tampering
For example:
# Create signing profile
aws signer put-signing-profile --profile-name MyProfile --signing-material "file://private.key"
# Package and sign code
aws lambda update-function-code --function-name MyFunction --zip-file fileb://function.zip --signing-profile MyProfile
This allows applying code signing to your Lambda deployments without changing your existing workflows. The CLI handles the signing process in the background.
Other tools like SAM and CloudFormation also integrate with signing profiles for streamlined signing and deployment.
Alternatives to Signing Profiles
In addition to signing profiles, there are a few other options for signing Lambda functions:
- Manual signing: You can manually sign function bundles and include signature files without using profiles. This method is more complex but allows full control.
- 3rd party tools: External tools like DigiCert Enterprise can automate code signing without AWS profiles.
- AWS SDKs: SDKs such as Boto3 provide APIs for signing payloads programmatically.
- Custom scripts: Shell scripts, Python, etc, can hash and sign bundles during build pipelines.
These options give you more flexibility in your signing approach if profiles don’t meet your needs. However, signing profiles provide the simplest path for automated signing in most cases.
Now, let’s explore some best practices for effectively applying code signing to your serverless applications.
Best Practices for Lambda Code Signing
Here are some recommended ways to get the most value out of code signing for your Lambda functions:
- Use unique key pairs per function: Don’t reuse keys across multiple functions. This limits damage if a key is compromised.
- Automate signing: Add signing into your CI/CD pipelines for automated security on every build.
- Turn on runtime validation: Enable AWS Lambda runtime validation on functions for extra tamper detection.
- Rotate keys periodically: Regenerate key pairs and update signing profiles occasionally for enhanced secrets hygiene.
- Monitor signature validity: Log or alert on signature verification failures to detect tampering attempts.
- Sign early: Sign code as early in the development process as possible to prevent tampering.
- Lockdown keys: Store signing keys securely with tightly controlled access to prevent misuse.
Following these best practices will help ensure your Lambda code signing practices remain secure and sustainable and provide maximum protection.
Limitations of Lambda Code Signing
While Lambda code signing delivers valuable integrity protections, there are some limitations to note:
- Runtime dependencies not signed: Only the function code bundle itself is signed, not unbundled runtime dependencies.
- Can’t sign 3rd party code: You can only sign code you have the private key for, not external libraries.
- Key management overhead: Managing signing keys adds overhead versus unsigned functions.
- Performance impact: Signature validation incurs minor additional latency per invocation.
- Code change breaks signing: Any code changes require re-signing and new signatures.
Code signing guarantees the integrity of the function code you sign at the time of deployment. However, it would help if you had other measures, like runtime validation, to complement signing for maximum protection.
Now, let’s look at how the Code Signing for AWS Lambda feature builds on basic signing capabilities.
Code Signing for AWS Lambda
Code Signing for AWS Lambda is an AWS service that provides enhanced signing capabilities and visibility beyond basic Lambda code signing.
Key features of Code Signing for AWS Lambda include:
- Centralized key management: Provides a purpose-built key store for Lambda signing keys.
- Signing dashboard: UI portal and APIs for managing signing profiles and keys.
- Signing insights: Detailed metrics on code signature status across regions and functions.
- Trusted publisher verification: Performs additional verification of vetted publishers’ identities.
- Built-in integration: Works seamlessly with Lambda and other AWS services out of the box.
The Code Signing for AWS Lambda dashboard gives you full visibility into the signing status across all Lambda functions in your account. This allows you to detect unsigned functions, expired keys, signature failures, and other issues.
Dedicated signing key management improves security and reliability. The verified publisher program whitelists trusted partners for simplified signature validation.
Overall, Code Signing for AWS Lambda brings expanded tools for applying, monitoring, and managing code signatures at scale. For large or complex serverless deployments, it’s worth considering alongside basic signing capabilities.
Next let’s explore some tools that can help implement code signing for your workflows.
Tools for Signing Lambda Functions
There are a variety of tools available to help sign Lambda functions beyond native AWS options:
- DigiCert Enterprise: Leading code signing platform with embedded Lambda support.
- io: Cloud-based signing service with automation and key management.
- LambdaSigner: Open source tool for signing functions pre-deployment.
- CloudFlare Signer: Performs blind code signing without direct key access.
- APIsator: Service for managing and deploying signed Lambda APIs.
- Socket: Serverless platform with integrated code signing workflows.
These tools help automate the signing of function bundles, manage keys securely, prevent signing mistakes, and integrate signing into CI/CD pipelines.
Evaluating third-party utilities can be useful for teams that need enhanced capabilities, integrations, or user workflows around Lambda code signing.
Final Thoughts
Code signing is an important security practice for proving authenticity and preventing tampering across many types of applications. Applying code signing specifically to Lambda functions brings these same protections to the serverless world.
AWS Lambda code signing utilizes public key cryptography to sign function code prior to deployment. This allows both AWS and consumers to verify integrity through digital signatures.
Signing Lambda functions helps secure serverless applications against supply chain attacks, malware injection, and unintentional corruption. AWS provides native code signing capabilities through signing profiles, the CLI, and Code Signing for AWS Lambda.
Following code signing best practices, such as automating signing, managing keys properly, and complementing with runtime protections, helps maximize the security of your Lambda functions.
As serverless adoption accelerates, code signing will become an essential part of building secure and trustworthy Lambda applications. Implementing signing provides a solid foundation for integrity and authenticity assurances moving forward.
Frequently Asked Questions
Why is code signing required for public Lambda functions?
AWS requires code signing for functions deployed publicly to help block vulnerabilities and malware. Signing proves the authenticity and integrity of public functions.
Can I disable code signing after initially signing functions?
No, code signing can’t be disabled once enabled. Signing must remain active to prevent tampering with deployed function bundles.
What happens if my code signing key is compromised?
If a private key is compromised, you should rotate your signing keys and update your signing profiles. Then, re-sign and redeploy affected Lambda functions.
How much latency overhead does Lambda code signing add?
Code signing typically adds less than 10 ms of additional validation latency per function invocation. The impact is negligible in most cases.
Can I sign container images for Lambda instead of function bundles?
Yes, signing Docker images before pushing to ECR helps secure the supply chain for containerized Lambda functions.
Does Lambda code signing validate dependencies like layers?
No, only the function bundle itself is signed and validated, not unbundled dependencies. Use layers carefully.
Does signing protect against runtime attacks on my functions?
No, code signing only protects the initial code integrity pre-deployment. Use other measures to secure running functions.
Priya Mervana
Verified Web Security Experts
Priya Mervana is working at SSLInsights.com as a web security expert with over 10 years of experience writing about encryption, SSL certificates, and online privacy. She aims to make complex security topics easily understandable for everyday internet users.