Security

Code Signing with AWS Signer - Ensuring Trust for Lambda Functions and Container Images

Apply code signing to Lambda functions and container images, enforce signature verification in CI/CD pipelines, and handle compromises through signature revocation.

約 3 分で読めます

Why Code Signing Is Necessary

Code signing is a mechanism that cryptographically guarantees that deployed code comes from a trusted publisher and has not been tampered with. Even if a build pipeline is compromised in a supply chain attack, signature verification prevents deployment of unauthorized code. AWS Signer provides signing and verification for Lambda function deployment packages and container images.

Lambda Code Signing

Lambda's Code Signing Configuration defines the ARNs of trusted signing profiles (up to 20) and the action to take on signature verification failure (Warn or Enforce). In Enforce mode, deployment of unsigned functions or functions signed with untrusted signing profiles is blocked. In CI/CD pipelines, you build a flow where CodeBuild builds a ZIP package, Signer signs it, and the signed package is deployed to Lambda.

Container Image Signing and CI/CD Integration

AWS Signer supports Notation-format signing for ECR container images. In the CI/CD pipeline's build stage, images are built, signed with Signer, and then pushed to ECR. EKS admission controllers enforce signature verification, rejecting deployment of unsigned images. Signing profiles define the cryptographic keys and validity period used for signing; once a profile expires, new signatures cannot be generated. Signature revocation invalidates code signed with a compromised signing profile. To deepen your practical knowledge of Signer, specialized books (Amazon) can be helpful.

Signer Pricing

AWS Signer pricing is based on the number of signing operations. Lambda code signing costs approximately $0.005 per signature, and container image signing costs approximately $0.50 per signature. Signature verification is free. When CI/CD pipelines frequently build and sign, container image signing costs can accumulate, so manage costs by skipping signing in development environments and enforcing it only in staging and production. There are no additional charges for managing signing profiles.

Summary

AWS Signer is a service that provides code signing for Lambda functions and container images, cryptographically guaranteeing the trustworthiness of deployed code. Sign during the CI/CD pipeline's build stage and enforce signature verification through Lambda's code signing configuration or EKS admission controllers. Signature revocation lets you invalidate code from compromised signing profiles.

Related Services

AWS SignerA service that signs and verifies code to ensure only trusted code is deployedAWS LambdaA serverless compute service that runs code without server managementAmazon ECRA fully managed registry for securely storing, managing, and distributing Docker container images

Related Articles

Automated Vulnerability Scanning with Amazon Inspector - Continuous Security Assessment for EC2, Lambda, and ECRAutomatically scan EC2 instances, ECR container images, and Lambda functions for vulnerabilities and prioritize them with CVE-based risk scores. Learn how to achieve agentless scanning through Systems Manager integration.Amazon API Gateway Design Patterns - Choosing Between REST API and HTTP APIClear criteria for choosing between HTTP API and REST API, authentication patterns with Cognito and Lambda authorizers, and practical throttling design techniques.Simplifying Container Deployment - Zero-Configuration Deployment with AWS App RunnerLearn how to deploy containerized web applications with AWS App Runner. This guide covers the differences from ECS/Fargate, auto scaling, VPC integration, and CI/CD pipeline connectivity.

More on This Topic

Detecting Excessive Permissions with IAM Access Analyzer - External Access and Unused Permission AnalysisDetect unused permissions on IAM roles using CloudTrail-based analysis and auto-generate least-privilege policies. This guide covers external access detection and integrating custom policy checks into your CI/CD pipeline.Automating SSL/TLS Certificate Management with AWS Certificate Manager - From Issuance to RotationLearn how ACM handles free public certificate issuance, DNS validation, automatic renewal, and deployment to ALB and CloudFront.Retrieving Compliance Reports with AWS Artifact - Audit Response and Agreement ManagementLearn how to retrieve SOC, PCI DSS, and ISO audit reports on demand and apply BAA and GDPR DPA agreements across your entire AWS Organizations structure.Automating Audits - Continuously Collecting Compliance Evidence with AWS Audit ManagerLearn how to automate audit evidence collection with AWS Audit Manager. This guide covers automated assessments based on frameworks such as SOC 2, PCI DSS, and GDPR, centralized evidence management, and audit report generation.The Hidden Structure of AWS Account IDs' 12 Digits - Why 12 Digits, and What Can You Infer?A trivia-style exploration of why AWS account IDs are 12-digit numbers, the design intent embedded in the ARN structure, and the security considerations around what can be inferred from an account ID.Why the AWS Account Root User Is Dangerous - The Design Philosophy of Privilege Separation and Practical LockdownWe explain why the AWS root user holds privileges that cannot be restricted by IAM, list the operations only the root user can perform, cover MFA setup methods, and describe the lockdown strategy using Organizations' centralized root access management.Certificate Management and HTTPS - Automated TLS Certificate Operations with AWS Certificate ManagerLearn about TLS/SSL certificate issuance, automatic renewal, and deployment using AWS Certificate Manager (ACM). Covers integration with CloudFront, ALB, and API Gateway, DNS validation, and Private CA usage.Dedicated Key Management with AWS CloudHSM - FIPS 140-2 Level 3 Compliant EncryptionAchieve FIPS 140-2 Level 3 compliant key management with dedicated HSM instances. Learn when to choose CloudHSM over KMS and how to integrate both through KMS custom key stores.

Similar Articles and Services

How AWS Signature Version 4 (SigV4) Works - The Cryptographic Mechanics of API AuthenticationA cryptographic deep dive into the 4-step SigV4 signing process (canonical request creation, string-to-sign construction, signing key derivation, signature calculation) used for AWS API authentication, plus an overview of SigV4A and presigned URLs.Why AWS APIs Return XML - The Evolution from Query APIs to REST JSONExplore the historical reasons why S3 and EC2 APIs return XML responses, the differences between Query APIs and REST APIs, the evolution of authentication from Signature V2 to V4, and the complexity that SDKs abstract away.Amazon ECRA fully managed container registry for securely storing, managing, and deploying Docker container imagesAmazon ECR Container Image Management - Lifecycle Policies and Image ScanningLearn how to automatically clean up old images with private repository lifecycle policies and detect vulnerabilities with image scanning.