Code Signing with AWS Signer - Ensuring Trust for Lambda Functions and Container Images

Apply code signing to Lambda functions and container images, enforce signature verification in CI/CD pipelines, and handle compromises through signature revocation.

Why Code Signing Is Necessary

Code signing is a mechanism that cryptographically guarantees that deployed code comes from a trusted publisher and has not been tampered with. Even if a build pipeline is compromised in a supply chain attack, signature verification prevents deployment of unauthorized code. As illustrated by the 2020 SolarWinds incident, build environment intrusions are increasingly sophisticated, making code signing a foundational technology for zero-trust deployments. AWS Signer provides a managed signing and verification service for Lambda function deployment packages and container images, eliminating the need to build and operate your own signing infrastructure.

Lambda Code Signing

Lambda's Code Signing Configuration defines the ARNs of trusted signing profiles (up to 20) and the action to take on signature verification failure (Warn or Enforce). In Enforce mode, deployment of unsigned functions or functions signed with untrusted signing profiles is blocked. Warn mode logs verification failures while allowing deployment, useful for gradual adoption. In CI/CD pipelines, you build a flow where CodeBuild builds a ZIP package, signs it via the Signer StartSigningJob API, and passes the signed package's S3 URL to Lambda's UpdateFunctionCode. Signing jobs execute asynchronously and can send completion notifications to EventBridge.

Container Image Signing and CI/CD Integration

AWS Signer supports Notation-format signing for ECR container images. In the CI/CD pipeline's build stage, images are built, signed with Signer, and then pushed to ECR. EKS admission controllers enforce signature verification, rejecting deployment of unsigned images. Signing profiles define the cryptographic algorithm (ECDSA P-256 or RSA) and validity period used for signing; once a profile expires, new signatures cannot be generated but existing signatures remain valid. Signature revocation invalidates code signed with a compromised signing profile. After revocation, signature verification fails and deployment of affected code is blocked. To deepen your practical knowledge of Signer, specialized books (Amazon) can be helpful.

Signing Profile Operational Design

Signing profile design should align with your organization's deployment structure. Creating separate profiles per team limits the blast radius when a profile is compromised to that team's artifacts. Profile validity periods that are too short increase rotation overhead, while periods too long extend risk windows during compromise, so set them according to organizational risk tolerance. Use IAM policies to restrict signer:StartSigningJob execution to specific roles (CI/CD pipeline build roles), preventing individual developers from signing and ensuring only code that passes approved build processes gets signed. Record all signing operations in CloudTrail to maintain an audit trail of who signed what and when.

Comparison with Other Signing Methods

Beyond AWS Signer, several alternatives exist for code signing. Cosign (Sigstore project) is an open-source container signing tool supporting keyless signing (ephemeral certificates) but requires self-managing signing infrastructure and key management. AWS Signer provides managed key generation, storage, and rotation with KMS integration ensuring keys are protected by hardware security modules (HSM). GPG signing is widely used for git commit signatures but is difficult to integrate with Lambda or ECR deployment verification. AWS Signer's strength lies in native integration with Lambda Code Signing Configuration and EKS admission controllers, enabling deployment-time verification enforcement without additional infrastructure. However, for multi-cloud environments requiring unified signing policies, Notation or Cosign offer greater portability.

Signer Pricing

AWS Signer pricing is based on the number of signing operations. Signature verification is free. When CI/CD pipelines frequently build and sign, container image signing costs can accumulate, so manage costs by skipping signing in development environments and enforcing it only in staging and production. There are no additional charges for managing signing profiles. Lambda code signing has a low per-signature cost, keeping cost impact minimal even with high deployment frequency.

Summary

AWS Signer is a managed service that provides code signing for Lambda functions and container images, cryptographically guaranteeing the trustworthiness of deployed code. Signing during the CI/CD pipeline's build stage and enforcing verification through Lambda's code signing configuration or EKS admission controllers adds a defense layer against supply chain attacks. Team-isolated signing profiles and IAM-restricted signing permissions minimize blast radius during compromises.