Announcing Support for Code Signing for AWS Lambda in the Terraform AWS Provider

Along with our partner AWS, we are pleased to announce support for Code Signing for AWS Lambda in the Terraform AWS Provider. Code Signing, a trust and integrity control for AWS Lambda, allows users to verify that only unaltered code is published by approved developers within their Lambda functions.

»How It Works

With Code Signing, users are now able to create digitally signed code artifacts by configuring Lambda functions to verify the signatures at deployment.

Code running inside Lambda functions is executed in an environment hardened with advanced security features. As the code moves through a deployment pipeline outside of AWS Lambda or AWS itself, the code can be susceptible to tampering or alteration. Therefore, it is important to verify the source and integrity of the Lambda function to ensure it complies with security and governance standards.

Code Signing for AWS Lambda allows operators to verify that the code deployed to Lambda functions has been digitally signed by an authorized party (whether internal or third party) and has not been tampered with or altered. Users can spend less time on maintaining complex guardrail services and increase their teams’ agility while enforcing high standards of security.

Code Signing for AWS Lambda leverages AWS Signer, a new fully managed code signing service. Administrators use AWS Signer to create Signing Profiles, a resource within AWS Signer used to create signatures, in order to enforce use of particular signing profiles for both users and roles via AWS Identity and Access Management (IAM). After creating Signing Profiles, administrators can use AWS Lambda to specify approved signing profiles and whether to warn or reject a deployment if signature checks fail. Administrators can specify code signing configurations to individual Lambda functions.

Additionally, Developers are able to use AWS Signer to digitally sign code packages that can be deployed to Lambda functions. Before accepting the deployment, Lambda checks the signatures to verify that the code has been signed using an approved signing profile, and that the code has not been altered. This trust and integrity control allows users separation of responsibilities between operators (those who set policies) and developers or service accounts (those deploying code to lambda functions).

There is no additional charge for using Code Signing for AWS Lambda or AWS Signer.

Additional information about this service can be found within this blog post from AWS, and the Code Signing for AWS Lambda documentation.

»Enabling Code Signing for AWS Lambda in the Terraform AWS Provider

In order to use Code Signing for AWS Lambda in the Terraform AWS provider, you will need to employ two new resources, aws_signer_signing_profile and aws_lambda_code_signing_config, along with additional attributes on existing resources.

In order to try out this feature, you will need:

• Terraform v0.12 or greater installed.
• The latest version of the Terraform AWS provider

The Terraform configuration below demonstrates how the Terraform AWS provider can be used to configure an AWS Signer Signing Profile and an AWS Lambda Code Signing config with the proper policy levels and settings.

resource "aws_signer_signing_profile" "example" {
  name_prefix = "example"
  platform_id = "AWSLambda-SHA384-ECDSA"
}
resource "aws_lambda_code_signing_config" "example" {
  allowed_publishers {
    signing_profile_version_arns = [aws_signer_signing_profile.example.version_arn]
  }
  policies {
    untrusted_artifact_on_deployment = "Enforce"
  }
}
resource "aws_lambda_function" "example" {
  # ... other configuration ...
  code_signing_config_arn = aws_lambda_code_signing_config.example.arn
}

For more information on how to use this feature in Terraform, consult the provider documentation in the Terraform Registry.

To report bugs and request enhancements for this feature, open an issue on the Terraform AWS Provider repository on GitHub. We would love to hear your feedback!